pyrox.dev / nixpkgs
lol
fork atom

nixos/hardened: update hardened profile to new recommendations

Borrowing from here to match hardened profile with more recent kernels:
* https://madaidans-insecurities.github.io/guides/linux-hardening.html?#boot-parameters
* https://github.com/a13xp0p0v/kernel-hardening-checker/

Removed "slub_debug" as that option disables kernel memory address
hashing. You also see a big warning about this in the dmesg:
"This system shows unhashed kernel memory addresses via the console, logs, and other interfaces."

"init_on_alloc=1" and "init_on_free=1" zeroes all SLAB and SLUB allocations. Introduced in 6471384af2a6530696fc0203bafe4de41a23c9ef. Also the default for the Android Google kernel btw. It is on by default through the KConfig.

"slab_nomerge" prevents the merging of slab/slub caches. These are
effectively slab/slub pools.

"LEGACY_VSYSCALL_NONE" disables the older vsyscall mechanic that relies on
static address. It got superseeded by vdsos a decade ago. Read some
LWN.net to learn more ;)

"debugfs=off" I'm sure there are some few userspace programs that rely on
debugfs, but they shouldn't.

Most other things mentioned on the blog where already the default on a
running machine or may not be applicable.

Most other Kconfigs changes come from the kernel hardening checker and
were added, when they were not applied to the kernel already.

Unsure about CONFIG_STATIC_USERMODEHELPER. Would need testing.

Tamara Schmitz b80c3284 30b34ac0

options
unified split
Changed files
+42 -6
nixos
modules
profiles
hardened.nix
pkgs
os-specific
linux
kernel
hardened
config.nix
+6 -3
nixos/modules/profiles/hardened.nix 
···

       
39

       
39

       
 

       
  security.apparmor.killUnconfinedConfinables = mkDefault true;


     

       
40

       
40

       
 

       



     

       
41

       
41

       
 

       
  boot.kernelParams = [


     

       
42

       

       
-

       
    # Slab/slub sanity checks, redzoning, and poisoning


     

       
43

       

       
-

       
    "slub_debug=FZP"


     

       

       
42

       
+

       
    # Don't merge slabs


     

       

       
43

       
+

       
    "slab_nomerge"


     

       
44

       
44

       
 

       



     

       
45

       

       
-

       
    # Overwrite free'd memory


     

       

       
45

       
+

       
    # Overwrite free'd pages


     

       
46

       
46

       
 

       
    "page_poison=1"


     

       
47

       
47

       
 

       



     

       
48

       
48

       
 

       
    # Enable page allocator randomization


     

       
49

       
49

       
 

       
    "page_alloc.shuffle=1"


     

       

       
50

       
+

       



     

       

       
51

       
+

       
    # Disable debugfs


     

       

       
52

       
+

       
    "debugfs=off"


     

       
50

       
53

       
 

       
  ];


     

       
51

       
54

       
 

       



     

       
52

       
55

       
 

       
  boot.blacklistedKernelModules = [
+36 -3
pkgs/os-specific/linux/kernel/hardened/config.nix 
···

       
39

       
39

       
 

       
  DEBUG_PI_LIST         = whenOlder "5.2" yes; # doesn't BUG()


     

       
40

       
40

       
 

       
  DEBUG_PLIST           = whenAtLeast "5.2" yes;


     

       
41

       
41

       
 

       
  DEBUG_SG              = yes;


     

       

       
42

       
+

       
  DEBUG_VIRTUAL         = yes;


     

       
42

       
43

       
 

       
  SCHED_STACK_END_CHECK = yes;


     

       
43

       
44

       
 

       



     

       
44

       
45

       
 

       
  REFCOUNT_FULL = whenOlder "5.4.208" yes;


     

       
45

       
46

       
 

       



     

       

       
47

       
+

       
  # tell EFI to wipe memory during reset


     

       

       
48

       
+

       
  # https://lwn.net/Articles/730006/


     

       

       
49

       
+

       
  RESET_ATTACK_MITIGATION = yes;


     

       

       
50

       
+

       



     

       

       
51

       
+

       
  # restricts loading of line disciplines via TIOCSETD ioctl to CAP_SYS_MODULE


     

       

       
52

       
+

       
  CONFIG_LDISC_AUTOLOAD = option no;


     

       

       
53

       
+

       



     

       
46

       
54

       
 

       
  # Randomize page allocator when page_alloc.shuffle=1


     

       
47

       
55

       
 

       
  SHUFFLE_PAGE_ALLOCATOR = whenAtLeast "5.2" yes;


     

       
48

       
56

       
 

       



     

       
49

       

       
-

       
  # Allow enabling slub/slab free poisoning with slub_debug=P


     

       
50

       

       
-

       
  SLUB_DEBUG = yes;


     

       
51

       

       
-

       



     

       
52

       
57

       
 

       
  # Wipe higher-level memory allocations on free() with page_poison=1


     

       
53

       
58

       
 

       
  PAGE_POISONING           = yes;


     

       
54

       
59

       
 

       
  PAGE_POISONING_NO_SANITY = whenOlder "5.11" yes;


     

       
55

       
60

       
 

       
  PAGE_POISONING_ZERO      = whenOlder "5.11" yes;


     

       

       
61

       
+

       



     

       

       
62

       
+

       
  # Enable init_on_alloc and init_on_free by default


     

       

       
63

       
+

       
  INIT_ON_ALLOC_DEFAULT_ON = yes;


     

       

       
64

       
+

       
  INIT_ON_FREE_DEFAULT_ON  = yes;


     

       

       
65

       
+

       



     

       

       
66

       
+

       
  # Wipe all caller-used registers on exit from a function


     

       

       
67

       
+

       
  ZERO_CALL_USED_REGS = yes;


     

       
56

       
68

       
 

       



     

       
57

       
69

       
 

       
  # Enable the SafeSetId LSM


     

       
58

       
70

       
 

       
  SECURITY_SAFESETID = whenAtLeast "5.1" yes;


     
···

       
70

       
82

       
 

       
  GCC_PLUGIN_RANDSTRUCT = whenOlder "5.19" yes; # A port of the PaX randstruct plugin


     

       
71

       
83

       
 

       
  GCC_PLUGIN_RANDSTRUCT_PERFORMANCE = whenOlder "5.19" yes;


     

       
72

       
84

       
 

       



     

       

       
85

       
+

       
  # Runtime undefined behaviour checks


     

       

       
86

       
+

       
  # https://www.kernel.org/doc/html/latest/dev-tools/ubsan.html


     

       

       
87

       
+

       
  # https://developers.redhat.com/blog/2014/10/16/gcc-undefined-behavior-sanitizer-ubsan


     

       

       
88

       
+

       
  UBSAN      = yes;


     

       

       
89

       
+

       
  UBSAN_TRAP = yes;


     

       

       
90

       
+

       
  UBSAN_BOUNDS = yes;


     

       

       
91

       
+

       
  UBSAN_SANITIZE_ALL = yes;


     

       

       
92

       
+

       
  UBSAN_LOCAL_BOUNDS = option yes; # clang only


     

       

       
93

       
+

       
  CFI_CLANG = option yes; # clang only Control Flow Integrity since 6.1


     

       

       
94

       
+

       



     

       
73

       
95

       
 

       
  # Same as GCC_PLUGIN_RANDSTRUCT*, but has been renamed to `RANDSTRUCT*` in 5.19.


     

       
74

       
96

       
 

       
  RANDSTRUCT = whenAtLeast "5.19" yes;


     

       
75

       
97

       
 

       
  RANDSTRUCT_PERFORMANCE = whenAtLeast "5.19" yes;


     
···

       
97

       
119

       
 

       
  # CONFIG_DEVMEM=n causes these to not exist anymore.


     

       
98

       
120

       
 

       
  STRICT_DEVMEM    = option no;


     

       
99

       
121

       
 

       
  IO_STRICT_DEVMEM = option no;


     

       

       
122

       
+

       



     

       

       
123

       
+

       
  # stricter IOMMU TLB invalidation


     

       

       
124

       
+

       
  IOMMU_DEFAULT_DMA_STRICT = option yes;


     

       

       
125

       
+

       
  IOMMU_DEFAULT_DMA_LAZY = option no;


     

       

       
126

       
+

       



     

       

       
127

       
+

       
  # not needed for less than a decade old glibc versions


     

       

       
128

       
+

       
  LEGACY_VSYSCALL_NONE = yes;


     

       

       
129

       
+

       



     

       

       
130

       
+

       
  # Straight-Line-Speculation


     

       

       
131

       
+

       
  # https://lwn.net/Articles/877845/


     

       

       
132

       
+

       
  SLS = option yes;


     

       
100

       
133

       
 

       
}