Comparing changes
base repository: NixOS/nixpkgs
base: e36c93b3a0f0
head repository: NixOS/nixpkgs
compare: 167578163a50
  • 8 commits
  • 2 files changed
  • 1 contributor

Commits on Jan 5, 2019

  1. Revert "linux-hardened: Disable GCC_PLUGIN_RANDSTRUCT"

    This reverts commit 5dda132.
    
    Presumably this was done to work around build errors or something but it
    works fine now.
    joachifm committed Jan 5, 2019 (commit c68e8b0)
  2. hardened-config: clarify readonly LSM hooks config

    SECURITY_WRITABLE_HOOKS is implicitly controlled by SECURITY_SELINUX_DISABLE;
    explicitly unsetting results in an error because the configfile builder fails
    to detect that it has in fact been unset (reporting it as an unused option).
    For now, leave WRITABLE_HOOKS as an "optional" config for documentation
    purposes.
    joachifm committed Jan 5, 2019 (commit abc8ed3)
  3. hardened-config: clarify MODIFY_LDT_SYSCALL

    This likely never worked; MODIFY_LDT_SYSCALL depends on EXPERT; enabling
    EXPERT however seems to introduce quite a few changes that would need to be
    properly vetted.
    
    The version guard is unnecessary, however, as this config has been supported
    since 4.3.
    joachifm committed Jan 5, 2019 (commit 1801aad)
  4. hardened-config: ensure STRICT_KERNEL_RWX

    This is y in the default config, but enable it explicitly here to catch
    situations where it has been disabled (explicitly or implicitly).
    joachifm committed Jan 5, 2019 (commit dfd77a0)
  5. Commit 11840f5
  6. Commit d62086e
  7. nixos/hardened profile: slab/slub hardening

    slab_nomerge may reduce surface somewhat
    
    slub_debug is used to enable additional sanity checks and "red zones" around
    allocations to detect reads/writes beyond the allocated area, as well as
    poisoning to overwrite freed data.
    
    The cost is yet more memory fragmentation ...
    joachifm committed Jan 5, 2019 (commit 3f1f443)
  8. Commit 1675781
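The second, third and fourth commit messages above turn on one practical point: in a kernel `.config`, an option that is explicitly `# CONFIG_X is not set` is different from an option that is absent because Kconfig never offered it (for example because a dependency such as EXPERT is off), and a builder that conflates the two will misreport the result. The following audit script is an added example, not code from nixpkgs or from these commits; the option names come from the commit messages, while the expected states and the sample `.config` fragment are constructed for illustration.

```python
# Added example, not code from the nixpkgs commits above: audit a Linux kernel
# .config for the options those commits discuss, distinguishing "=y",
# "# CONFIG_X is not set" and an option that is absent entirely (the case the
# second commit describes, where an unset option is reported as unused).
import re

# Wanted states for options named in the commit messages ("n" = must be
# explicitly "is not set", not merely missing). Constructed for this example.
EXPECTED = {
    "GCC_PLUGIN_RANDSTRUCT": "y",
    "STRICT_KERNEL_RWX": "y",
    "MODIFY_LDT_SYSCALL": "n",
    "SECURITY_WRITABLE_HOOKS": "n",
}

_SET = re.compile(r"^CONFIG_(\w+)=(.+)$")
_UNSET = re.compile(r"^# CONFIG_(\w+) is not set$")


def parse_config(text):
    """Return {option: value}; "n" for 'is not set', and no key at all for
    options Kconfig never offered (e.g. a dependency such as EXPERT is off)."""
    opts = {}
    for line in text.splitlines():
        m = _SET.match(line.strip()) or _UNSET.match(line.strip())
        if m:
            opts[m.group(1)] = m.group(2) if m.re is _SET else "n"
    return opts


def audit(text, expected=EXPECTED):
    """Return {option: 'ok' | 'wrong' | 'absent'} for each expected option."""
    opts = parse_config(text)
    return {
        name: "absent" if name not in opts
        else "ok" if opts[name] == want else "wrong"
        for name, want in expected.items()
    }


# Constructed sample .config fragment (not output of a real build).
SAMPLE = """\
CONFIG_GCC_PLUGIN_RANDSTRUCT=y
# CONFIG_STRICT_KERNEL_RWX is not set
# CONFIG_SECURITY_WRITABLE_HOOKS is not set
CONFIG_SECURITY_SELINUX_DISABLE=y
"""

if __name__ == "__main__":
    for name, status in audit(SAMPLE).items():
        print(f"{name}: {status}")
```

On the sample, STRICT_KERNEL_RWX is reported as `wrong` (explicitly disabled, which is what the fourth commit's explicit enable is meant to catch) and MODIFY_LDT_SYSCALL as `absent` (never offered, the situation the third commit describes).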