Merge pull request #275579 from tamara-schmitz/master
update hardened profile to new recommendations
commit
6dd56e1483
|
@ -39,14 +39,17 @@ with lib;
|
||||||
security.apparmor.killUnconfinedConfinables = mkDefault true;
|
security.apparmor.killUnconfinedConfinables = mkDefault true;
|
||||||
|
|
||||||
boot.kernelParams = [
|
boot.kernelParams = [
|
||||||
# Slab/slub sanity checks, redzoning, and poisoning
|
# Don't merge slabs
|
||||||
"slub_debug=FZP"
|
"slab_nomerge"
|
||||||
|
|
||||||
# Overwrite free'd memory
|
# Overwrite free'd pages
|
||||||
"page_poison=1"
|
"page_poison=1"
|
||||||
|
|
||||||
# Enable page allocator randomization
|
# Enable page allocator randomization
|
||||||
"page_alloc.shuffle=1"
|
"page_alloc.shuffle=1"
|
||||||
|
|
||||||
|
# Disable debugfs
|
||||||
|
"debugfs=off"
|
||||||
];
|
];
|
||||||
|
|
||||||
boot.blacklistedKernelModules = [
|
boot.blacklistedKernelModules = [
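Review bot: The retained `"page_poison=1"` parameter works against the `INIT_ON_ALLOC_DEFAULT_ON`/`INIT_ON_FREE_DEFAULT_ON` defaults this same commit enables in the hardened kernel config: on kernels where page poisoning is requested, the page allocator announces that poisoning takes precedence over init_on_alloc/init_on_free and switches both off for that path (5.11 and later, to be confirmed against the kernel versions this profile targets), so the zero-on-allocate behaviour the config asks for would not apply to page allocations. If the intent is the one in the comment, wiping freed memory, `"init_on_free=1"` (with `"init_on_alloc=1"`) expresses it directly and, unlike page poisoning, should also cover slab objects now that `slub_debug=FZP` is gone; consider replacing `"page_poison=1"` with those two, or at minimum state in the comment that page poisoning overrides init_on_* so nobody adds both and expects both. `"debugfs=off"` is only recognised from 5.10 onward; on older kernels the unknown parameter is passed through to init rather than rejected, which is harmless but deserves a comment because the kernel config still only asserts 4.9. The `boot.kernelParams` list is complete within the hunk, but the module body that contains it continues outside it.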
|
||||||
|
|
|
@ -39,21 +39,33 @@ assert (versionAtLeast version "4.9");
|
||||||
DEBUG_PI_LIST = whenOlder "5.2" yes; # doesn't BUG()
|
DEBUG_PI_LIST = whenOlder "5.2" yes; # doesn't BUG()
|
||||||
DEBUG_PLIST = whenAtLeast "5.2" yes;
|
DEBUG_PLIST = whenAtLeast "5.2" yes;
|
||||||
DEBUG_SG = yes;
|
DEBUG_SG = yes;
|
||||||
|
DEBUG_VIRTUAL = yes;
|
||||||
SCHED_STACK_END_CHECK = yes;
|
SCHED_STACK_END_CHECK = yes;
|
||||||
|
|
||||||
REFCOUNT_FULL = whenOlder "5.4.208" yes;
|
REFCOUNT_FULL = whenOlder "5.4.208" yes;
|
||||||
|
|
||||||
|
# tell EFI to wipe memory during reset
|
||||||
|
# https://lwn.net/Articles/730006/
|
||||||
|
RESET_ATTACK_MITIGATION = yes;
|
||||||
|
|
||||||
|
# restricts loading of line disciplines via TIOCSETD ioctl to CAP_SYS_MODULE
|
||||||
|
CONFIG_LDISC_AUTOLOAD = option no;
|
||||||
|
|
||||||
# Randomize page allocator when page_alloc.shuffle=1
|
# Randomize page allocator when page_alloc.shuffle=1
|
||||||
SHUFFLE_PAGE_ALLOCATOR = whenAtLeast "5.2" yes;
|
SHUFFLE_PAGE_ALLOCATOR = whenAtLeast "5.2" yes;
|
||||||
|
|
||||||
# Allow enabling slub/slab free poisoning with slub_debug=P
|
|
||||||
SLUB_DEBUG = yes;
|
|
||||||
|
|
||||||
# Wipe higher-level memory allocations on free() with page_poison=1
|
# Wipe higher-level memory allocations on free() with page_poison=1
|
||||||
PAGE_POISONING = yes;
|
PAGE_POISONING = yes;
|
||||||
PAGE_POISONING_NO_SANITY = whenOlder "5.11" yes;
|
PAGE_POISONING_NO_SANITY = whenOlder "5.11" yes;
|
||||||
PAGE_POISONING_ZERO = whenOlder "5.11" yes;
|
PAGE_POISONING_ZERO = whenOlder "5.11" yes;
|
||||||
|
|
||||||
|
# Enable init_on_alloc and init_on_free by default
|
||||||
|
INIT_ON_ALLOC_DEFAULT_ON = yes;
|
||||||
|
INIT_ON_FREE_DEFAULT_ON = yes;
|
||||||
|
|
||||||
|
# Wipe all caller-used registers on exit from a function
|
||||||
|
ZERO_CALL_USED_REGS = yes;
|
||||||
|
|
||||||
# Enable the SafeSetId LSM
|
# Enable the SafeSetId LSM
|
||||||
SECURITY_SAFESETID = whenAtLeast "5.1" yes;
|
SECURITY_SAFESETID = whenAtLeast "5.1" yes;
|
||||||
|
|
||||||
|
@ -70,6 +82,16 @@ assert (versionAtLeast version "4.9");
|
||||||
GCC_PLUGIN_RANDSTRUCT = whenOlder "5.19" yes; # A port of the PaX randstruct plugin
|
GCC_PLUGIN_RANDSTRUCT = whenOlder "5.19" yes; # A port of the PaX randstruct plugin
|
||||||
GCC_PLUGIN_RANDSTRUCT_PERFORMANCE = whenOlder "5.19" yes;
|
GCC_PLUGIN_RANDSTRUCT_PERFORMANCE = whenOlder "5.19" yes;
|
||||||
|
|
||||||
|
# Runtime undefined behaviour checks
|
||||||
|
# https://www.kernel.org/doc/html/latest/dev-tools/ubsan.html
|
||||||
|
# https://developers.redhat.com/blog/2014/10/16/gcc-undefined-behavior-sanitizer-ubsan
|
||||||
|
UBSAN = yes;
|
||||||
|
UBSAN_TRAP = yes;
|
||||||
|
UBSAN_BOUNDS = yes;
|
||||||
|
UBSAN_SANITIZE_ALL = yes;
|
||||||
|
UBSAN_LOCAL_BOUNDS = option yes; # clang only
|
||||||
|
CFI_CLANG = option yes; # clang only Control Flow Integrity since 6.1
|
||||||
|
|
||||||
# Same as GCC_PLUGIN_RANDSTRUCT*, but has been renamed to `RANDSTRUCT*` in 5.19.
|
# Same as GCC_PLUGIN_RANDSTRUCT*, but has been renamed to `RANDSTRUCT*` in 5.19.
|
||||||
RANDSTRUCT = whenAtLeast "5.19" yes;
|
RANDSTRUCT = whenAtLeast "5.19" yes;
|
||||||
RANDSTRUCT_PERFORMANCE = whenAtLeast "5.19" yes;
|
RANDSTRUCT_PERFORMANCE = whenAtLeast "5.19" yes;
|
||||||
|
@ -97,4 +119,15 @@ assert (versionAtLeast version "4.9");
|
||||||
# CONFIG_DEVMEM=n causes these to not exist anymore.
|
# CONFIG_DEVMEM=n causes these to not exist anymore.
|
||||||
STRICT_DEVMEM = option no;
|
STRICT_DEVMEM = option no;
|
||||||
IO_STRICT_DEVMEM = option no;
|
IO_STRICT_DEVMEM = option no;
|
||||||
|
|
||||||
|
# stricter IOMMU TLB invalidation
|
||||||
|
IOMMU_DEFAULT_DMA_STRICT = option yes;
|
||||||
|
IOMMU_DEFAULT_DMA_LAZY = option no;
|
||||||
|
|
||||||
|
# not needed for less than a decade old glibc versions
|
||||||
|
LEGACY_VSYSCALL_NONE = yes;
|
||||||
|
|
||||||
|
# Straight-Line-Speculation
|
||||||
|
# https://lwn.net/Articles/877845/
|
||||||
|
SLS = option yes;
|
||||||
}
|
}
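Review bot: `CONFIG_LDISC_AUTOLOAD = option no;` is the only key in this file written with a `CONFIG_` prefix; every neighbouring entry (`DEBUG_SG`, `SLUB_DEBUG`, `STRICT_DEVMEM`) uses the bare symbol name, so if the generator prepends `CONFIG_` as it evidently does for those, this one is emitted as `CONFIG_CONFIG_LDISC_AUTOLOAD`, and because it is marked `option` the unknown symbol is presumably dropped silently instead of failing the build, leaving line-discipline autoloading through TIOCSETD enabled on the hardened kernel with nothing to show it. The fix is the one-line rename `LDISC_AUTOLOAD = option no;` with the comment above it unchanged. Separately, `UBSAN_TRAP = yes` combined with `UBSAN_SANITIZE_ALL = yes` turns every enabled UBSAN check, not just the bounds checks, into a panic, so a benign undefined-behaviour report in any driver becomes a denial of service; a comment recording that this fail-closed behaviour is intended (and, where the kernel offers the knobs, explicitly disabling the noisier checks such as shift and alignment) would help whoever hits the first unexpected panic. The attribute set these entries belong to opens before the first hunk and is only closed by the final `}`, so much of it is outside this view.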
|
||||||
|
|