linux: set various common hardening config #300815
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
amarshall
force-pushed
the
linux-common-hardening
branch
from
af66700
to
cb22259
Compare
amarshall
force-pushed
the
linux-common-hardening
branch
from
cb22259
to
a667b05
Compare
amarshall
force-pushed
the
linux-common-hardening
branch
from
a667b05
to
0b58c34
Compare
|
Rebased against latest staging, retested (against nixos-unstable to avoid big builds) all configs build and |
These are set in common-config.
The comments from the blocks above apply only to a single line, but that is not necessarily clear. Add blank lines to more clearly narrow the scope of them.
Enabled in [Arch][1], [Debian][2], [Fedora][3]. Recommended by [Kernel Self Protection Project][4]. As it is now in common-config, remove from hardened’s extra config. [1]: https://gitlab.archlinux.org/archlinux/packaging/packages/linux/-/blob/6392fb2bed1453e2f02e21e0bf3d07dfc713e79f/config#L914-917 [2]: https://salsa.debian.org/kernel-team/linux/-/blob/5f6aa5cb48d261cef1f31ec18f969c986fd3bd77/debian/config/config#L11-12 [3]: https://src.fedoraproject.org/rpms/kernel/blob/e8025dc0fba7e18c74f529a93d653c71d16e5a56/f/kernel-x86_64-fedora.config#_7449 [4]: https://kernsec.org/wiki/index.php?title=Kernel_Self_Protection_Project/Recommended_Settings&oldid=4078
Enabled in [Arch][1], [Fedora][2]; not in Debian. Recommended by [Kernel Self Protection Project][3]. As it is now in common-config, remove from hardened’s extra config. [1]: https://gitlab.archlinux.org/archlinux/packaging/packages/linux/-/blob/6392fb2bed1453e2f02e21e0bf3d07dfc713e79f/config#L1117 [2]: https://src.fedoraproject.org/rpms/kernel/blob/e8025dc0fba7e18c74f529a93d653c71d16e5a56/f/kernel-x86_64-fedora.config#_6577 [3]: https://kernsec.org/wiki/index.php?title=Kernel_Self_Protection_Project/Recommended_Settings&oldid=4078
Enabled in [Arch][1], [Debian][2]; not in Fedora. Recommended by [Kernel Self Protection Project][3]. This can still be disabled with `init_on_alloc=0` boot arg. As it is now in common-config, remove from hardened’s extra config. [1]: https://gitlab.archlinux.org/archlinux/packaging/packages/linux/-/blob/6392fb2bed1453e2f02e21e0bf3d07dfc713e79f/config#L10859 [2]: https://salsa.debian.org/kernel-team/linux/-/blob/5f6aa5cb48d261cef1f31ec18f969c986fd3bd77/debian/config/config#L7718 [3]: https://kernsec.org/wiki/index.php?title=Kernel_Self_Protection_Project/Recommended_Settings&oldid=4078
Enabled in [Arch][1], [Debian][2], [Fedora][3]. Recommended by [Kernel Self Protection Project][4]. As it is now in common-config, remove from hardened’s extra config. [1]: https://gitlab.archlinux.org/archlinux/packaging/packages/linux/-/blob/6392fb2bed1453e2f02e21e0bf3d07dfc713e79f/config#L280 [2]: https://salsa.debian.org/kernel-team/linux/-/blob/5f6aa5cb48d261cef1f31ec18f969c986fd3bd77/debian/config/config#L6399 [3]: https://src.fedoraproject.org/rpms/kernel/blob/e8025dc0fba7e18c74f529a93d653c71d16e5a56/f/kernel-x86_64-fedora.config#_799 [4]: https://kernsec.org/wiki/index.php?title=Kernel_Self_Protection_Project/Recommended_Settings&oldid=4078
Enabled in [Debian][1], [Fedora][2]; not in Arch. Recommended by [Kernel Self Protection Project][3]. [2]: https://salsa.debian.org/kernel-team/linux/-/blob/5f6aa5cb48d261cef1f31ec18f969c986fd3bd77/debian/config/config#L7719 [3]: https://src.fedoraproject.org/rpms/kernel/blob/e8025dc0fba7e18c74f529a93d653c71d16e5a56/f/kernel-x86_64-fedora.config#_789 [4]: https://kernsec.org/wiki/index.php?title=Kernel_Self_Protection_Project/Recommended_Settings&oldid=4078
Enabled in [Arch][1], [Debian (for x86)][2], [Fedora (x86)][3], [Fedora (aarch64)][4]. Recommended by [Kernel Self Protection Project][5]. [1]: https://gitlab.archlinux.org/archlinux/packaging/packages/linux/-/blob/6392fb2bed1453e2f02e21e0bf3d07dfc713e79f/config#L1153 [2]: https://salsa.debian.org/kernel-team/linux/-/blob/5f6aa5cb48d261cef1f31ec18f969c986fd3bd77/debian/config/kernelarch-x86/config#L2076 [3]: https://src.fedoraproject.org/rpms/kernel/blob/e8025dc0fba7e18c74f529a93d653c71d16e5a56/f/kernel-x86_64-fedora.config#_1461 [4]: https://src.fedoraproject.org/rpms/kernel/blob/e8025dc0fba7e18c74f529a93d653c71d16e5a56/f/kernel-aarch64-fedora.config#_1799 [5]: https://kernsec.org/wiki/index.php?title=Kernel_Self_Protection_Project/Recommended_Settings&oldid=4078
amarshall
force-pushed
the
linux-common-hardening
branch
from
0b58c34
to
aa55ab5
Compare
K900
approved these changes
Jun 11, 2024
ofborg
bot
added
10.rebuild-linux: 5001+
and removed
10.rebuild-linux: 2501-5000
labels
|
That could have gone into master, but whatever. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Description of changes
See commits.
Things done
I have been running with these changes on several x86_64 machines with different platforms since ~2 weeks prior to opening this PR.
Tested building all configs; plus (based off nixos-unstable) tests for default, oldest, and newest Kernels.
nix.conf? (See Nix manual)sandbox = relaxedsandbox = truenix-shell -p nixpkgs-review --run "nixpkgs-review rev HEAD". Note: all changes have to be committed, also see nixpkgs-review usage./result/bin/)Add a 👍 reaction to pull requests you find important.