From e1b0649603d44683e4f1162b1dcc7074a1c1f748 Mon Sep 17 00:00:00 2001
From: Andrew Marshall
Date: Mon, 1 Apr 2024 19:13:35 -0400
Subject: [PATCH 1/9] nixos/tests/kernel-generic: add passthru for configfiles
See comment.
---
 nixos/tests/kernel-generic.nix | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/nixos/tests/kernel-generic.nix b/nixos/tests/kernel-generic.nix
index 6a8633808702f..e22c7d735a238 100644
--- a/nixos/tests/kernel-generic.nix
+++ b/nixos/tests/kernel-generic.nix
@@ -47,6 +47,9 @@ in mapAttrs (_: lP: testsForLinuxPackages lP) kernels // {
 passthru = {
 inherit testsForLinuxPackages;
+ # Useful for development testing of all Kernel configs without building full Kernel
+ configfiles = mapAttrs (_: lP: lP.kernel.configfile) kernels;
+
 testsForKernel = kernel: testsForLinuxPackages (pkgs.linuxPackagesFor kernel);
 };
 }
From 79c15abc7d141591515d7c7db2b76de07b8ced9a Mon Sep 17 00:00:00 2001
From: Andrew Marshall
Date: Mon, 1 Apr 2024 12:15:11 -0400
Subject: [PATCH 2/9] linux/hardened: remove redundant config
These are set in common-config.
---
 pkgs/os-specific/linux/kernel/hardened/config.nix | 8 --------
 1 file changed, 8 deletions(-)
diff --git a/pkgs/os-specific/linux/kernel/hardened/config.nix b/pkgs/os-specific/linux/kernel/hardened/config.nix
index d687366dbe2f8..77cf87001c6b3 100644
--- a/pkgs/os-specific/linux/kernel/hardened/config.nix
+++ b/pkgs/os-specific/linux/kernel/hardened/config.nix
@@ -55,7 +55,6 @@ assert (versionAtLeast version "4.9");
 SHUFFLE_PAGE_ALLOCATOR = whenAtLeast "5.2" yes;
 # Wipe higher-level memory allocations on free() with page_poison=1
- PAGE_POISONING = yes;
 PAGE_POISONING_NO_SANITY = whenOlder "5.11" yes;
 PAGE_POISONING_ZERO = whenOlder "5.11" yes;
@@ -113,9 +112,6 @@ assert (versionAtLeast version "4.9");
 CC_STACKPROTECTOR_REGULAR = lib.mkForce (whenOlder "4.18" no);
 CC_STACKPROTECTOR_STRONG = whenOlder "4.18" yes;
- # Detect out-of-bound reads/writes and use-after-free
- KFENCE = whenAtLeast "5.12" yes;
-
 # CONFIG_DEVMEM=n causes these to not exist anymore.
 STRICT_DEVMEM = option no;
 IO_STRICT_DEVMEM = option no;
@@ -126,8 +122,4 @@ assert (versionAtLeast version "4.9");
 # not needed for less than a decade old glibc versions
 LEGACY_VSYSCALL_NONE = yes;
-
- # Straight-Line-Speculation
- # https://lwn.net/Articles/877845/
- SLS = option yes;
 }
From ff5cd230678058a13ce5f780c95081a9bba19371 Mon Sep 17 00:00:00 2001
From: Andrew Marshall
Date: Mon, 1 Apr 2024 12:13:57 -0400
Subject: [PATCH 3/9] linux: add space to avoid attributing comments too widely
The comments from the blocks above apply only to a single line, but that is not necessarily clear. Add blank lines to more clearly narrow the scope of them.
---
 pkgs/os-specific/linux/kernel/common-config.nix | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/pkgs/os-specific/linux/kernel/common-config.nix b/pkgs/os-specific/linux/kernel/common-config.nix
index c9bf296160629..831f55d5982fc 100644
--- a/pkgs/os-specific/linux/kernel/common-config.nix
+++ b/pkgs/os-specific/linux/kernel/common-config.nix
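Review bot: The KFENCE removal in this hunk rests on the commit message's claim that common-config already sets it, but none of the common-config hunks in this series shows KFENCE as context (PAGE_POISONING and SLS/MITIGATION_SLS do appear there), so that claim cannot be checked from the series itself. If common-config does carry it, confirm its version guard matches the removed `KFENCE = whenAtLeast "5.12" yes;`, since an unguarded `yes` on a kernel without the symbol would presumably fail the config check the same way as the `unused option` case this file documents for SECURITY_SELINUX_DISABLE. If it does not, the hardened profile silently loses the option and the line should stay.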
@@ -671,16 +671,19 @@ let
 # https://googleprojectzero.blogspot.com/2019/11/bad-binder-android-in-wild-exploit.html
 DEBUG_LIST = yes;
+
 HARDENED_USERCOPY = yes;
 RANDOMIZE_BASE = option yes;
 STRICT_DEVMEM = mkDefault yes; # Filter access to /dev/mem
 IO_STRICT_DEVMEM = mkDefault yes;
 SECURITY_SELINUX_BOOTPARAM_VALUE = whenOlder "5.1" (freeform "0"); # Disable SELinux by default
+
 # Prevent processes from ptracing non-children processes
 SECURITY_YAMA = option yes;
 # The goal of Landlock is to enable to restrict ambient rights (e.g. global filesystem access) for a set of processes.
 # This does not have any effect if a program does not support it
 SECURITY_LANDLOCK = whenAtLeast "5.13" yes;
+
 DEVKMEM = whenOlder "5.13" no; # Disable /dev/kmem
 USER_NS = yes; # Support for user namespaces
From dd666b86ad8921528d8dbb05ea2cae20d2b04bfb Mon Sep 17 00:00:00 2001
From: Andrew Marshall
Date: Mon, 1 Apr 2024 11:37:34 -0400
Subject: [PATCH 4/9] linux: enable STRICT_KERNEL_RWX & STRICT_MODULE_RWX
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Enabled in [Arch][1], [Debian][2], [Fedora][3]. Recommended by [Kernel Self Protection Project][4]. As it is now in common-config, remove from hardened’s extra config.
[1]: https://gitlab.archlinux.org/archlinux/packaging/packages/linux/-/blob/6392fb2bed1453e2f02e21e0bf3d07dfc713e79f/config#L914-917
[2]: https://salsa.debian.org/kernel-team/linux/-/blob/5f6aa5cb48d261cef1f31ec18f969c986fd3bd77/debian/config/config#L11-12
[3]: https://src.fedoraproject.org/rpms/kernel/blob/e8025dc0fba7e18c74f529a93d653c71d16e5a56/f/kernel-x86_64-fedora.config#_7449
[4]: https://kernsec.org/wiki/index.php?title=Kernel_Self_Protection_Project/Recommended_Settings&oldid=4078
---
 pkgs/os-specific/linux/kernel/common-config.nix | 2 ++
 pkgs/os-specific/linux/kernel/hardened/config.nix | 2 --
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/pkgs/os-specific/linux/kernel/common-config.nix b/pkgs/os-specific/linux/kernel/common-config.nix
index 831f55d5982fc..80bbdc2a23b17 100644
--- a/pkgs/os-specific/linux/kernel/common-config.nix
+++ b/pkgs/os-specific/linux/kernel/common-config.nix
@@ -674,6 +674,8 @@ let
 HARDENED_USERCOPY = yes;
 RANDOMIZE_BASE = option yes;
+ STRICT_KERNEL_RWX = yes;
+ STRICT_MODULE_RWX = yes;
 STRICT_DEVMEM = mkDefault yes; # Filter access to /dev/mem
 IO_STRICT_DEVMEM = mkDefault yes;
 SECURITY_SELINUX_BOOTPARAM_VALUE = whenOlder "5.1" (freeform "0"); # Disable SELinux by default
diff --git a/pkgs/os-specific/linux/kernel/hardened/config.nix b/pkgs/os-specific/linux/kernel/hardened/config.nix
index 77cf87001c6b3..08bfd74c61a1b 100644
--- a/pkgs/os-specific/linux/kernel/hardened/config.nix
+++ b/pkgs/os-specific/linux/kernel/hardened/config.nix
@@ -31,8 +31,6 @@ assert (versionAtLeast version "4.9");
 SECURITY_SELINUX_DISABLE = whenOlder "6.4" no; # On 6.4: error: unused option: SECURITY_SELINUX_DISABLE
 SECURITY_WRITABLE_HOOKS = option no;
- STRICT_KERNEL_RWX = yes;
-
 # Perform additional validation of commonly targeted structures.
 DEBUG_CREDENTIALS = whenOlder "6.6" yes;
 DEBUG_NOTIFIERS = yes;
From b23e741b70551c29507ec28881bcfbc57117a3b7 Mon Sep 17 00:00:00 2001
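Review bot: `STRICT_KERNEL_RWX = yes;` and `STRICT_MODULE_RWX = yes;` are hard requirements in a file applied to every architecture nixpkgs builds a kernel for, whereas the hardened file they are lifted from only had to pass on the targets the hardened kernel is built for. Both symbols are only offered when the architecture selects ARCH_HAS_STRICT_KERNEL_RWX / ARCH_HAS_STRICT_MODULE_RWX, so on a target that does not, the config check would presumably reject them as unused options — the hardened hunk below records exactly that failure mode for SECURITY_SELINUX_DISABLE. If every supported target is known to expose them, `yes` is the right strength; otherwise `option yes` is the safe form. Either way the two lines should carry a comment like the options around them, e.g. `# Make kernel and module text read-only and data non-executable after init`.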
From: Andrew Marshall
Date: Mon, 1 Apr 2024 11:37:34 -0400
Subject: [PATCH 5/9] linux: enable SHUFFLE_PAGE_ALLOCATOR
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Enabled in [Arch][1], [Fedora][2]; not in Debian. Recommended by [Kernel Self Protection Project][3]. As it is now in common-config, remove from hardened’s extra config.
[1]: https://gitlab.archlinux.org/archlinux/packaging/packages/linux/-/blob/6392fb2bed1453e2f02e21e0bf3d07dfc713e79f/config#L1117
[2]: https://src.fedoraproject.org/rpms/kernel/blob/e8025dc0fba7e18c74f529a93d653c71d16e5a56/f/kernel-x86_64-fedora.config#_6577
[3]: https://kernsec.org/wiki/index.php?title=Kernel_Self_Protection_Project/Recommended_Settings&oldid=4078
---
 pkgs/os-specific/linux/kernel/common-config.nix | 2 ++
 pkgs/os-specific/linux/kernel/hardened/config.nix | 3 ---
 2 files changed, 2 insertions(+), 3 deletions(-)
diff --git a/pkgs/os-specific/linux/kernel/common-config.nix b/pkgs/os-specific/linux/kernel/common-config.nix
index 80bbdc2a23b17..93042548071b5 100644
--- a/pkgs/os-specific/linux/kernel/common-config.nix
+++ b/pkgs/os-specific/linux/kernel/common-config.nix
@@ -720,6 +720,8 @@ let
 # Enable support for page poisoning. Still needs to be enabled on the command line to actually work.
 PAGE_POISONING = yes;
+ # Randomize page allocator when page_alloc.shuffle=1
+ SHUFFLE_PAGE_ALLOCATOR = whenAtLeast "5.2" yes;
 # Enable stack smashing protections in schedule()
 # See: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?h=v4.8&id=0d9e26329b0c9263d4d9e0422d80a0e73268c52f
diff --git a/pkgs/os-specific/linux/kernel/hardened/config.nix b/pkgs/os-specific/linux/kernel/hardened/config.nix
index 08bfd74c61a1b..d1fab48c98368 100644
--- a/pkgs/os-specific/linux/kernel/hardened/config.nix
+++ b/pkgs/os-specific/linux/kernel/hardened/config.nix
@@ -49,9 +49,6 @@ assert (versionAtLeast version "4.9");
 # restricts loading of line disciplines via TIOCSETD ioctl to CAP_SYS_MODULE
 CONFIG_LDISC_AUTOLOAD = option no;
- # Randomize page allocator when page_alloc.shuffle=1
- SHUFFLE_PAGE_ALLOCATOR = whenAtLeast "5.2" yes;
-
 # Wipe higher-level memory allocations on free() with page_poison=1
 PAGE_POISONING_NO_SANITY = whenOlder "5.11" yes;
 PAGE_POISONING_ZERO = whenOlder "5.11" yes;
From b6c752bddb8c9efee682a8ad7bab2838b6c5456d Mon Sep 17 00:00:00 2001
From: Andrew Marshall
Date: Mon, 1 Apr 2024 11:37:34 -0400
Subject: [PATCH 6/9] linux: enable INIT_ON_ALLOC_DEFAULT_ON
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Enabled in [Arch][1], [Debian][2]; not in Fedora. Recommended by [Kernel Self Protection Project][3]. This can still be disabled with `init_on_alloc=0` boot arg. As it is now in common-config, remove from hardened’s extra config.
[1]: https://gitlab.archlinux.org/archlinux/packaging/packages/linux/-/blob/6392fb2bed1453e2f02e21e0bf3d07dfc713e79f/config#L10859
[2]: https://salsa.debian.org/kernel-team/linux/-/blob/5f6aa5cb48d261cef1f31ec18f969c986fd3bd77/debian/config/config#L7718
[3]: https://kernsec.org/wiki/index.php?title=Kernel_Self_Protection_Project/Recommended_Settings&oldid=4078
---
 pkgs/os-specific/linux/kernel/common-config.nix | 2 ++
 pkgs/os-specific/linux/kernel/hardened/config.nix | 3 +--
 2 files changed, 3 insertions(+), 2 deletions(-)
diff --git a/pkgs/os-specific/linux/kernel/common-config.nix b/pkgs/os-specific/linux/kernel/common-config.nix
index 93042548071b5..4bec4f522cdff 100644
--- a/pkgs/os-specific/linux/kernel/common-config.nix
+++ b/pkgs/os-specific/linux/kernel/common-config.nix
@@ -723,6 +723,8 @@ let
 # Randomize page allocator when page_alloc.shuffle=1
 SHUFFLE_PAGE_ALLOCATOR = whenAtLeast "5.2" yes;
+ INIT_ON_ALLOC_DEFAULT_ON = whenAtLeast "5.3" yes;
+
 # Enable stack smashing protections in schedule()
 # See: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?h=v4.8&id=0d9e26329b0c9263d4d9e0422d80a0e73268c52f
 SCHED_STACK_END_CHECK = yes;
diff --git a/pkgs/os-specific/linux/kernel/hardened/config.nix b/pkgs/os-specific/linux/kernel/hardened/config.nix
index d1fab48c98368..e92c0041cc31d 100644
--- a/pkgs/os-specific/linux/kernel/hardened/config.nix
+++ b/pkgs/os-specific/linux/kernel/hardened/config.nix
@@ -53,8 +53,7 @@ assert (versionAtLeast version "4.9");
 PAGE_POISONING_NO_SANITY = whenOlder "5.11" yes;
 PAGE_POISONING_ZERO = whenOlder "5.11" yes;
- # Enable init_on_alloc and init_on_free by default
- INIT_ON_ALLOC_DEFAULT_ON = whenAtLeast "5.3" yes;
+ # Enable init_on_free by default
 INIT_ON_FREE_DEFAULT_ON = whenAtLeast "5.3" yes;
 # Wipe all caller-used registers on exit from a function
From 55d9c320ad23dd18a9f5f759706079b39d5e7305 Mon Sep 17 00:00:00 2001
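Review bot: `INIT_ON_ALLOC_DEFAULT_ON = whenAtLeast "5.3" yes;` is added with no comment of its own, directly under `# Randomize page allocator when page_alloc.shuffle=1`, so a reader will naturally attach that comment to it — the exact ambiguity patch 3/9 of this series adds blank lines to avoid. The hardened file it is moved from did document it; carry a comment over, e.g. `# Zero memory on allocation by default (init_on_alloc=1); can be disabled at boot with init_on_alloc=0`, the boot-argument caveat being what the commit message itself points out. The hardened hunk's rewritten `# Enable init_on_free by default` is fine.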
From: Andrew Marshall
Date: Mon, 1 Apr 2024 11:37:34 -0400
Subject: [PATCH 7/9] linux: enable BUG
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Enabled in [Arch][1], [Debian][2], [Fedora][3]. Recommended by [Kernel Self Protection Project][4]. As it is now in common-config, remove from hardened’s extra config.
[1]: https://gitlab.archlinux.org/archlinux/packaging/packages/linux/-/blob/6392fb2bed1453e2f02e21e0bf3d07dfc713e79f/config#L280
[2]: https://salsa.debian.org/kernel-team/linux/-/blob/5f6aa5cb48d261cef1f31ec18f969c986fd3bd77/debian/config/config#L6399
[3]: https://src.fedoraproject.org/rpms/kernel/blob/e8025dc0fba7e18c74f529a93d653c71d16e5a56/f/kernel-x86_64-fedora.config#_799
[4]: https://kernsec.org/wiki/index.php?title=Kernel_Self_Protection_Project/Recommended_Settings&oldid=4078
---
 pkgs/os-specific/linux/kernel/common-config.nix | 3 +++
 pkgs/os-specific/linux/kernel/hardened/config.nix | 3 ---
 2 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/pkgs/os-specific/linux/kernel/common-config.nix b/pkgs/os-specific/linux/kernel/common-config.nix
index 4bec4f522cdff..fd6313c522978 100644
--- a/pkgs/os-specific/linux/kernel/common-config.nix
+++ b/pkgs/os-specific/linux/kernel/common-config.nix
@@ -667,6 +667,9 @@ let
 };
 security = {
+ # Report BUG() conditions and kill the offending process.
+ BUG = yes;
+
 FORTIFY_SOURCE = option yes;
 # https://googleprojectzero.blogspot.com/2019/11/bad-binder-android-in-wild-exploit.html
diff --git a/pkgs/os-specific/linux/kernel/hardened/config.nix b/pkgs/os-specific/linux/kernel/hardened/config.nix
index e92c0041cc31d..0ab89d23952db 100644
--- a/pkgs/os-specific/linux/kernel/hardened/config.nix
+++ b/pkgs/os-specific/linux/kernel/hardened/config.nix
@@ -17,9 +17,6 @@ with (lib.kernel.whenHelpers version);
 assert (versionAtLeast version "4.9");
 {
- # Report BUG() conditions and kill the offending process.
- BUG = yes;
-
 # Mark LSM hooks read-only after init. SECURITY_WRITABLE_HOOKS n
 # conflicts with SECURITY_SELINUX_DISABLE y; disabling the latter
 # implicitly marks LSM hooks read-only after init.
From f2f6a3228a02b31b3ca554e3ffcbd106c03f4eae Mon Sep 17 00:00:00 2001
From: Andrew Marshall
Date: Mon, 1 Apr 2024 11:37:34 -0400
Subject: [PATCH 8/9] linux: enable BUG_ON_DATA_CORRUPTION
Enabled in [Debian][1], [Fedora][2]; not in Arch. Recommended by [Kernel Self Protection Project][3].
[2]: https://salsa.debian.org/kernel-team/linux/-/blob/5f6aa5cb48d261cef1f31ec18f969c986fd3bd77/debian/config/config#L7719
[3]: https://src.fedoraproject.org/rpms/kernel/blob/e8025dc0fba7e18c74f529a93d653c71d16e5a56/f/kernel-x86_64-fedora.config#_789
[4]: https://kernsec.org/wiki/index.php?title=Kernel_Self_Protection_Project/Recommended_Settings&oldid=4078
---
 pkgs/os-specific/linux/kernel/common-config.nix | 1 +
 1 file changed, 1 insertion(+)
diff --git a/pkgs/os-specific/linux/kernel/common-config.nix b/pkgs/os-specific/linux/kernel/common-config.nix
index fd6313c522978..9f87ba187f735 100644
--- a/pkgs/os-specific/linux/kernel/common-config.nix
+++ b/pkgs/os-specific/linux/kernel/common-config.nix
@@ -669,6 +669,7 @@ let
 security = {
 # Report BUG() conditions and kill the offending process.
 BUG = yes;
+ BUG_ON_DATA_CORRUPTION = yes;
 FORTIFY_SOURCE = option yes;
From aa55ab5010b34d4007c23054c8780a11afddeafd Mon Sep 17 00:00:00 2001
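Review bot: `BUG_ON_DATA_CORRUPTION = yes;` is added without a comment, and unlike the BUG line above it, it changes failure behaviour: once a validity check (DEBUG_LIST, which this option selects, is already `yes` in the same security block) detects corrupted kernel data, the kernel BUG()s instead of warning and continuing. That availability-for-integrity trade-off is worth stating on the line, e.g. `# Crash (BUG) rather than warn and continue when a kernel data structure fails a validity check`. Separately, the description's reference list is labelled [2]–[4] while the text cites [1]–[3], so the links do not line up with the distributions they are meant to support.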
From: Andrew Marshall
Date: Mon, 1 Apr 2024 11:37:34 -0400
Subject: [PATCH 9/9] linux: set higher DEFAULT_MMAP_MIN_ADDR for x86_64 & aarch64
Enabled in [Arch][1], [Debian (for x86)][2], [Fedora (x86)][3], [Fedora (aarch64)][4]. Recommended by [Kernel Self Protection Project][5].
[1]: https://gitlab.archlinux.org/archlinux/packaging/packages/linux/-/blob/6392fb2bed1453e2f02e21e0bf3d07dfc713e79f/config#L1153
[2]: https://salsa.debian.org/kernel-team/linux/-/blob/5f6aa5cb48d261cef1f31ec18f969c986fd3bd77/debian/config/kernelarch-x86/config#L2076
[3]: https://src.fedoraproject.org/rpms/kernel/blob/e8025dc0fba7e18c74f529a93d653c71d16e5a56/f/kernel-x86_64-fedora.config#_1461
[4]: https://src.fedoraproject.org/rpms/kernel/blob/e8025dc0fba7e18c74f529a93d653c71d16e5a56/f/kernel-aarch64-fedora.config#_1799
[5]: https://kernsec.org/wiki/index.php?title=Kernel_Self_Protection_Project/Recommended_Settings&oldid=4078
---
 pkgs/os-specific/linux/kernel/common-config.nix | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/pkgs/os-specific/linux/kernel/common-config.nix b/pkgs/os-specific/linux/kernel/common-config.nix
index 9f87ba187f735..8b316a8c758e9 100644
--- a/pkgs/os-specific/linux/kernel/common-config.nix
+++ b/pkgs/os-specific/linux/kernel/common-config.nix
@@ -752,6 +752,10 @@ let
 # Mitigate straight line speculation at the cost of some file size
 SLS = whenBetween "5.17" "6.9" yes;
 MITIGATION_SLS = whenAtLeast "6.9" yes;
+
+ DEFAULT_MMAP_MIN_ADDR = freeform "65536";
+ } // optionalAttrs stdenv.hostPlatform.isAarch64 {
+ DEFAULT_MMAP_MIN_ADDR = freeform "32768";
 };
 microcode = {
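Review bot: The unconditional `DEFAULT_MMAP_MIN_ADDR = freeform "65536";` applies to every architecture, not just x86_64 as the subject says; the `optionalAttrs stdenv.hostPlatform.isAarch64` merge only lowers it for aarch64, so 32-bit ARM, RISC-V, PowerPC and any other target get 65536 as well, which none of the cited distro configs covers. If that is intended the subject should say so; if not, guard the 65536 with `stdenv.hostPlatform.isx86_64`. The two single-key sets joined with `//` would also read more directly as one conditional, `DEFAULT_MMAP_MIN_ADDR = freeform (if stdenv.hostPlatform.isAarch64 then "32768" else "65536");`. The value deserves a comment like its neighbours, e.g. `# Lowest address userspace may mmap; keeps the bottom 64 KiB (32 KiB on aarch64) unmappable so a kernel NULL-pointer dereference cannot land in user-controlled memory`.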