linuxPackages_{,_latest,_testing}_hardened: enable 32-bit emulation #82006
Conversation
Per discussion in NixOS#81943. Resolves NixOS#79798.
Arch, Alpine hardened kernels, as well as Subgraph OS kernel all enable IA32 emulation. In addition, not having it enabled has caused a number of issue reports. See #81943 (comment).
What does Qubes OS do?
Given that even the Qubes people trust it (who are very paranoid, in my experience), it seems like a reasonable choice to have.
The Kernel Self Protection Project recommends turning it off. That said, I personally deploy at least 3 systems with this exact config, meaning hardened + ia32 emu, because I needed ia32. What do users expect from this kernel? Maximum possible hardening, or actually being able to use it on their systems without needing to recompile? Evidently a bunch of users have run into issues with this that they weren't able to solve easily, as can be seen from the issues linked above. Will anyone run into any issues because we enable this? Is this an actual security risk to anyone, and if so, do they rely on us not changing this option? I highly doubt that. Personally, I have a custom kernel hardened config for systems where I care, anyways.
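The comments above weigh the KSPP recommendation against the practical need for IA32 emulation. As an added example, not code from this PR or from nixpkgs, the following POSIX shell script lets an operator confirm which way their kernel is actually built: it reads a kernel config (plain text or the gzipped `/proc/config.gz`) and reports the state of `CONFIG_IA32_EMULATION`, `CONFIG_X86_X32` and `CONFIG_COMPAT`. The function names are my own; the option names are the upstream kernel ones.

```shell
#!/bin/sh
# Added example (not part of the PR): report whether a kernel config exposes the
# 32-bit compat syscall ABI (IA32_EMULATION) and the x32 ABI (X86_X32; renamed
# X86_X32_ABI in newer kernels), which is what the hardened profile change is about.

# kconfig_value FILE OPTION -> prints y, m, n, or "unset"
# OPTION is given without the CONFIG_ prefix, e.g. IA32_EMULATION.
kconfig_value() {
    file=$1
    opt=$2
    case $file in
        *.gz) reader="gzip -dc" ;;   # /proc/config.gz is gzip-compressed
        *)    reader="cat" ;;
    esac
    # A kernel config states each option either as "CONFIG_FOO=y|m|<value>"
    # or as the comment "# CONFIG_FOO is not set".
    line=$($reader "$file" | grep -E "^(CONFIG_$opt=|# CONFIG_$opt is not set)" | head -n 1)
    case $line in
        "CONFIG_$opt="*)            printf '%s\n' "${line#CONFIG_$opt=}" ;;
        "# CONFIG_$opt is not set") printf 'n\n' ;;
        *)                          printf 'unset\n' ;;
    esac
}

# compat_abi_report FILE -> one "OPTION=state" line per compat-related option
compat_abi_report() {
    for opt in IA32_EMULATION X86_X32 COMPAT; do
        printf '%s=%s\n' "$opt" "$(kconfig_value "$1" "$opt")"
    done
}

# running_kernel_config -> path of the running kernel's config, or failure
running_kernel_config() {
    if [ -r /proc/config.gz ]; then
        printf '/proc/config.gz\n'
    elif [ -r "/boot/config-$(uname -r)" ]; then
        printf '/boot/config-%s\n' "$(uname -r)"
    else
        return 1
    fi
}

# Usage: ./compat-abi.sh [path/to/.config]
# With no argument, inspect the running kernel when its config is exposed.
if [ -n "$1" ]; then
    compat_abi_report "$1"
elif cfg=$(running_kernel_config); then
    compat_abi_report "$cfg"
else
    echo "no kernel config found; pass the path to a .config file" >&2
fi
```

`IA32_EMULATION=n` means the kernel rejects 32-bit binaries outright (the symptom behind the linked issue reports); `=y` means the compat syscall surface is present, which is the trade-off the hardened profile is making here.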
It's worth noting that for ideal hardening you want to compile your own kernels anyway, to make maximum use of RANDSTRUCT and the like.
Based on discussion, sounds like it's good to merge? cc @joachifm
Motivation for this change
Per discussion in #81943.
Resolves #79798.
If anyone has a strong objection to this, probably a good time to speak up :)
@GrahamcOfBorg build linux_latest_hardened