linuxPackages_{,_latest,_testing}_hardened: enable 32-bit emulation #82006
Conversation
Per discussion in NixOS#81943. Resolves NixOS#79798.
There was a problem hiding this comment.
Arch, Alpine hardened kernels, as well as Subgraph OS kernel all enable IA32 emulation. In addition, not having it enabled has caused a number of issue reports. See #81943 (comment).
|
What does Qubes OS do? |
|
( |
|
The Kernel Self Protection Project recommends turning it off. That said, I personally deploy at least 3 systems with this exact config, meaning hardened + ia32 emu, because I needed ia32. What do users expect from this kernel? Maximum possible hardening or actually being able to use it on their systems without needing to recompile. Evidently a bunch of users have run into issues with this, that they weren't able to solve easily, as can be seen from the issues linked above. Will anyone run into any issues because we enable this? Is this an actual security risk to anyone and if so, do they rely on us not changing this option? I highly doubt that. Personally, I have a custom kernel hardened config for systems where I care, anyways. |
|
It's worth noting that for ideal hardening you want to compile your own kernels anyway, to make maximum use of RANDSTRUCT and the like. |
|
Based on discussion, sounds like it's good to merge? cc @joachifm |
Motivation for this change
Per discussion in #81943.
Resolves #79798.
If anyone has a strong objection to this, probably a good time to speak up :)
@GrahamcOfBorg build linux_latest_hardened
Things done
sandboxinnix.confon non-NixOS linux)nix-shell -p nixpkgs-review --run "nixpkgs-review wip"./result/bin/)nix path-info -Sbefore and after)