linux_*_hardened: use linux-hardened patch set #84522
Conversation
emilazy
force-pushed
the
add-linux-hardened-patches
branch
from
cf6273b
to
24e0f45
Compare
|
@GrahamcOfBorg test hardened latestKernel.hardened |
|
Tests pass on diff --git a/pkgs/development/libraries/graphene-hardened-malloc/default.nix b/pkgs/development/libraries/graphene-hardened-malloc/default.nix
index be32a74ea45..5a788a0b7f0 100644
--- a/pkgs/development/libraries/graphene-hardened-malloc/default.nix
+++ b/pkgs/development/libraries/graphene-hardened-malloc/default.nix
@@ -52,6 +52,6 @@ stdenv.mkDerivation rec {
'';
license = licenses.mit;
maintainers = with maintainers; [ ris ];
- platforms = [ "x86_64-linux" ];
+ platforms = [ "x86_64-linux" "aarch64-linux" ];
};
} |
There was a problem hiding this comment.
Thanks. Looks solid. I also want to get the opinion of @joachifm
In future it would be great to also integrate this kernel into nixpkgs/pkgs/os-specific/linux/kernel/update.sh Otherwise we the hardened kernel might get out-of-date.
|
@a13xp0p0v I might send you an updated kernel config to https://github.com/a13xp0p0v/kconfig-hardened-check as soon as this is merged. |
|
If |
emilazy
force-pushed
the
add-linux-hardened-patches
branch
from
24e0f45
to
11f3bff
Compare
|
Pushed to fix conflicts, unbreak the test on AArch64, and update for newer kernels. I'd definitely like to integrate automatic updates into this (and my other packages); is there an existing update script that interfaces with the GitHub releases API that I could reference? FWIW, I have plans to improve the Kconfig hardening further insofar as that can be done without jeopardizing general server/desktop use, but wanted to keep this PR relatively standalone. @GrahamcOfBorg test hardened latestKernel.hardened |
emilazy
force-pushed
the
add-linux-hardened-patches
branch
2 times, most recently
from
dbb8f31
to
8bd37be
Compare
|
Now with fancy over-engineered Python update script~ |
emilazy
force-pushed
the
add-linux-hardened-patches
branch
3 times, most recently
from
caf765f
to
daffeaf
Compare
|
@GrahamcOfBorg test hardened latestKernel.hardened |
|
FWIW, since keyservers are a trash fire and the PGP key links on the Arch site are consequently broken: You can reproduce |
linux-hardened sets kernel.unprivileged_userns_clone=0 by default; see anthraxx/linux-hardened@104f440. This allows the Nix sandbox to function while reducing the attack surface posed by user namespaces, which allow unprivileged code to exercise lots of root-only code paths and have lead to privilege escalation vulnerabilities in the past. We can safely leave user namespaces on for privileged users, as root already has root privileges, but if you're not running builds on your machine and really want to minimize the kernel attack surface then you can set security.allowUserNamespaces to false. Note that Chrome's sandbox requires either unprivileged CLONE_NEWUSER or setuid, and Firefox's silently reduces the security level if it isn't allowed (see about:support), so desktop users may want to set: boot.kernel.sysctl."kernel.unprivileged_userns_clone" = true;
Seems like a good idea to ensure that you can always use the latest stable upstream kernel.
These now depend on an external patch set; add them to the release tests to ensure that the build doesn't break silently as new kernel updates are merged.
emilazy
force-pushed
the
add-linux-hardened-patches
branch
from
bcabc22
to
2e31fb4
Compare
|
@GrahamcOfBorg test hardened latestKernel.hardened |
|
I would like to merge this tomorrow at 6 pm UTC unless anyone has objections. |
|
Well this fails our Hydra with: |
|
Seems like the test was broken to begin with as it was already there before this PR. |
|
Oof. Doesn't seem directly related to the patched kernel, at least, but this PR did add it to the release channel tests. Edit: It seems like the test passes fine on nixpkgs master, and the error is about it not being present on your local Hydra. I don't use Hydra so unfortunately I'm not sure what the problem might be; maybe jobs for the tests have to be manually set up? |
|
Wha… surely seems to work. Sorry for bothering you |
|
Nvm, upstream Hydra is affected as well: https://hydra.nixos.org/jobset/nixos/unstable-small#tabs-errors |
|
With this kernel, nginx started with this warning: |
|
It is possible to activate CONFIG_AIO? |
|
You'll have to manually patch it (i.e. with a |
|
It is possible to disable |
|
This seems to be breaking ofborg now, these patches need to be updated along with the kernel bumps example failure: https://gist.github.com/GrahamcOfBorg/dc0c1bbb7502ad569c8bc49213949f73 |
I don't know about Firefox, but I find that, using the SUID sandbox, Chromium's internal sandbox status page reports all sandboxing features as operational, which is one more than it reports as operational when using the unprivileged-user-namespace sandbox. (The feature whose status differs is "Ptrace Protection with Yama LSM (Non-broker)".) (Edit: Also, thanks! I hadn't realized we were running that |
Motivation for this change
anthraxx/linux-hardened is an updated version of the dormant AndroidHardeningArchive/linux-hardened repository, which was previously offered in NixOS (as
linux_copperhead_*; not sure if it was ever used forlinux_hardened).It adds a relatively conservative grab-bag of hardening patches and defaults on top of the stock Kernel Self Protection Project, and is actively used by the Arch
linux-hardenedpackage (as documented on the ArchWiki; see also some ASLR comparison notes from the original author @thestinger, circa 2017). The patch set incorporates many of our hardened Kconfig/sysctl defaults, and releases are timely (Linux 5.5.15 and 5.6.2 were released on 2020-04-02; linux-hardened patches for them came out on 2020-04-03 and 2020-04-04 respectively). It also includes the Debian/Arch patch to allow restrictingCLONE_USERNSto privileged users, allowing the Nix sandbox to be re-enabled (see #73763 for discussion).You can see a list of commits on top of the vanilla 5.6.2 kernel here: anthraxx/linux-hardened@9fbe5c8...5.6.2.a
linux{,Packages}_testing_hardenedis removed as the patch set only tracks releases; if anyone actually uses it then it could probably be re-added on a best-effort basis with the 5.6 patches.I'm running this on my laptop and server, including ZFS (with #84303), Firefox and Wine. (I had to disable the hardened allocator for Firefox, per #73763 (comment), but that's unrelated to these kernel changes.)
paxtest blackhatresults for5.6.2-hardenedfrom this branch:Using the
libcallocator (measuring the kernel ASLR entropy directly)Improvements over current NixOS:
Using the hardened profile default
scudoallocatorImprovements over current NixOS:
These mostly match the expected results from ArchWiki. The mprotect "Vulnerable" results are because there's no port of the PaX MPROTECT/NOEXECSTACK features, as these can be implemented with a Mandatory Access Control LSM like SELinux. I'm not sure why ET_EXEC is doing worse; the main executable randomization shouldn't be too relevant as position-independent executables generally use the ET_DYN/PIE mechanism and Arch bug FS#52089 suggests that grsecurity dropped support for this anyway, but the heap randomization results could be a little better according to ArchWiki; it might be that results there were measured with GrapheneOS hardened_malloc, which is recommended elsewhere on the page. In any case, it's a distinct improvement on the status quo.
Note the commit message of b309ef56e8d8; disabling unprivileged
CLONE_NEWUSERhas security drawbacks for desktop machines due to the impact on the Chromium/Firefox sandboxes. They both have minimal setuid helpers as fallbacks for unprivileged user namespaces, and it'd be nice to arrange for them to get the necessary privileges whenCLONE_NEWUSERis restricted, but I haven't addressed that in this PR as the status quo for the hardened profile has already been that user namespaces are silently disabled as a whole.Things done
sandboxinnix.confon non-NixOS linux)nix-shell -p nixpkgs-review --run "nixpkgs-review wip"./result/bin/)nix path-info -Sbefore and after)