-
-
Notifications
You must be signed in to change notification settings - Fork 14k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
linux: set various common hardening config #300815
Merged
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
amarshall
force-pushed
the
linux-common-hardening
branch
from
April 12, 2024 23:06
af66700
to
cb22259
Compare
amarshall
force-pushed
the
linux-common-hardening
branch
from
April 12, 2024 23:07
cb22259
to
a667b05
Compare
amarshall
force-pushed
the
linux-common-hardening
branch
from
June 11, 2024 13:08
a667b05
to
0b58c34
Compare
Rebased against latest staging, retested (against nixos-unstable to avoid big builds) all configs build and |
These are set in common-config.
The comments from the blocks above apply only to a single line, but that is not necessarily clear. Add blank lines to more clearly narrow the scope of them.
Enabled in [Arch][1], [Debian][2], [Fedora][3]. Recommended by [Kernel Self Protection Project][4]. As it is now in common-config, remove from hardened’s extra config. [1]: https://gitlab.archlinux.org/archlinux/packaging/packages/linux/-/blob/6392fb2bed1453e2f02e21e0bf3d07dfc713e79f/config#L914-917 [2]: https://salsa.debian.org/kernel-team/linux/-/blob/5f6aa5cb48d261cef1f31ec18f969c986fd3bd77/debian/config/config#L11-12 [3]: https://src.fedoraproject.org/rpms/kernel/blob/e8025dc0fba7e18c74f529a93d653c71d16e5a56/f/kernel-x86_64-fedora.config#_7449 [4]: https://kernsec.org/wiki/index.php?title=Kernel_Self_Protection_Project/Recommended_Settings&oldid=4078
Enabled in [Arch][1], [Fedora][2]; not in Debian. Recommended by [Kernel Self Protection Project][3]. As it is now in common-config, remove from hardened’s extra config. [1]: https://gitlab.archlinux.org/archlinux/packaging/packages/linux/-/blob/6392fb2bed1453e2f02e21e0bf3d07dfc713e79f/config#L1117 [2]: https://src.fedoraproject.org/rpms/kernel/blob/e8025dc0fba7e18c74f529a93d653c71d16e5a56/f/kernel-x86_64-fedora.config#_6577 [3]: https://kernsec.org/wiki/index.php?title=Kernel_Self_Protection_Project/Recommended_Settings&oldid=4078
Enabled in [Arch][1], [Debian][2]; not in Fedora. Recommended by [Kernel Self Protection Project][3]. This can still be disabled with `init_on_alloc=0` boot arg. As it is now in common-config, remove from hardened’s extra config. [1]: https://gitlab.archlinux.org/archlinux/packaging/packages/linux/-/blob/6392fb2bed1453e2f02e21e0bf3d07dfc713e79f/config#L10859 [2]: https://salsa.debian.org/kernel-team/linux/-/blob/5f6aa5cb48d261cef1f31ec18f969c986fd3bd77/debian/config/config#L7718 [3]: https://kernsec.org/wiki/index.php?title=Kernel_Self_Protection_Project/Recommended_Settings&oldid=4078
Enabled in [Arch][1], [Debian][2], [Fedora][3]. Recommended by [Kernel Self Protection Project][4]. As it is now in common-config, remove from hardened’s extra config. [1]: https://gitlab.archlinux.org/archlinux/packaging/packages/linux/-/blob/6392fb2bed1453e2f02e21e0bf3d07dfc713e79f/config#L280 [2]: https://salsa.debian.org/kernel-team/linux/-/blob/5f6aa5cb48d261cef1f31ec18f969c986fd3bd77/debian/config/config#L6399 [3]: https://src.fedoraproject.org/rpms/kernel/blob/e8025dc0fba7e18c74f529a93d653c71d16e5a56/f/kernel-x86_64-fedora.config#_799 [4]: https://kernsec.org/wiki/index.php?title=Kernel_Self_Protection_Project/Recommended_Settings&oldid=4078
Enabled in [Debian][1], [Fedora][2]; not in Arch. Recommended by [Kernel Self Protection Project][3]. [2]: https://salsa.debian.org/kernel-team/linux/-/blob/5f6aa5cb48d261cef1f31ec18f969c986fd3bd77/debian/config/config#L7719 [3]: https://src.fedoraproject.org/rpms/kernel/blob/e8025dc0fba7e18c74f529a93d653c71d16e5a56/f/kernel-x86_64-fedora.config#_789 [4]: https://kernsec.org/wiki/index.php?title=Kernel_Self_Protection_Project/Recommended_Settings&oldid=4078
Enabled in [Arch][1], [Debian (for x86)][2], [Fedora (x86)][3], [Fedora (aarch64)][4]. Recommended by [Kernel Self Protection Project][5]. [1]: https://gitlab.archlinux.org/archlinux/packaging/packages/linux/-/blob/6392fb2bed1453e2f02e21e0bf3d07dfc713e79f/config#L1153 [2]: https://salsa.debian.org/kernel-team/linux/-/blob/5f6aa5cb48d261cef1f31ec18f969c986fd3bd77/debian/config/kernelarch-x86/config#L2076 [3]: https://src.fedoraproject.org/rpms/kernel/blob/e8025dc0fba7e18c74f529a93d653c71d16e5a56/f/kernel-x86_64-fedora.config#_1461 [4]: https://src.fedoraproject.org/rpms/kernel/blob/e8025dc0fba7e18c74f529a93d653c71d16e5a56/f/kernel-aarch64-fedora.config#_1799 [5]: https://kernsec.org/wiki/index.php?title=Kernel_Self_Protection_Project/Recommended_Settings&oldid=4078
amarshall
force-pushed
the
linux-common-hardening
branch
from
June 11, 2024 13:11
0b58c34
to
aa55ab5
Compare
K900
approved these changes
Jun 11, 2024
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Overall diff LGTM, but we should merge this with the next kernel update cycle.
ofborg
bot
added
10.rebuild-linux: 5001+
and removed
10.rebuild-linux: 2501-5000
labels
Jun 11, 2024
That could have gone into master, but whatever. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Labels
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Description of changes
See commits.
Things done
I have been running with these changes on several x86_64 machines with different platforms since ~2 weeks prior to opening this PR.
Tested building all configs; plus (based off nixos-unstable) tests for default, oldest, and newest Kernels.
nix.conf
? (See Nix manual)sandbox = relaxed
sandbox = true
nix-shell -p nixpkgs-review --run "nixpkgs-review rev HEAD"
. Note: all changes have to be committed, also see nixpkgs-review usage./result/bin/
)Add a 👍 reaction to pull requests you find important.