cafkafk/nixpkgs
cafkafk/nixpkgs
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions 2

linuxKernel.kernels: mark {IO_,}STRICT_DEVMEM optional to unbreak hardened kernels

Browse source
This commit is contained in:
Bernardo Meurer 2022-01-10 17:45:21 -03:00
parent d36d401087
commit 5f36161ae1
No known key found for this signature in database
GPG key ID: F4C0D53B8D14C246
2 changed files with 6 additions and 2 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

4
pkgs/os-specific/linux/kernel/common-config.nix
View file

@ -457,8 +457,8 @@ let
# Detect writes to read-only module pages # Detect writes to read-only module pages
DEBUG_SET_MODULE_RONX = { optional = true; tristate = whenOlder "4.11" "y"; }; DEBUG_SET_MODULE_RONX = { optional = true; tristate = whenOlder "4.11" "y"; };
RANDOMIZE_BASE = option yes; RANDOMIZE_BASE = option yes;
STRICT_DEVMEM = yes; # Filter access to /dev/mem STRICT_DEVMEM = mkDefault yes; # Filter access to /dev/mem
IO_STRICT_DEVMEM = whenAtLeast "4.5" yes; IO_STRICT_DEVMEM = whenAtLeast "4.5" (mkDefault yes);
SECURITY_SELINUX_BOOTPARAM_VALUE = whenOlder "5.1" (freeform "0"); # Disable SELinux by default SECURITY_SELINUX_BOOTPARAM_VALUE = whenOlder "5.1" (freeform "0"); # Disable SELinux by default
# Prevent processes from ptracing non-children processes # Prevent processes from ptracing non-children processes
SECURITY_YAMA = option yes; SECURITY_YAMA = option yes;

4
pkgs/os-specific/linux/kernel/hardened/config.nix
View file

@ -93,4 +93,8 @@ assert (versionAtLeast version "4.9");
# Detect out-of-bound reads/writes and use-after-free # Detect out-of-bound reads/writes and use-after-free
KFENCE = whenAtLeast "5.12" yes; KFENCE = whenAtLeast "5.12" yes;
# CONFIG_DEVMEM=n causes these to not exist anymore.
STRICT_DEVMEM = option no;
IO_STRICT_DEVMEM = option no;
} }