Comparing changes
base repository: NixOS/nixpkgs
base: a0a8f0ac8734
head repository: NixOS/nixpkgs
compare: dd170cd5df83
  • 3 commits
  • 1 file changed
  • 1 contributor

Commits on Sep 15, 2017

  1. edd0d2f
  2. 9a763f8
  3. dd170cd
Showing with 14 additions and 0 deletions.
  1. +14 −0 pkgs/os-specific/linux/kernel/hardened-config.nix
14 changes: 14 additions & 0 deletions pkgs/os-specific/linux/kernel/hardened-config.nix
@@ -68,6 +68,10 @@ DEBUG_SG y
SCHED_STACK_END_CHECK y
BUG_ON_DATA_CORRUPTION y
${optionalString (versionAtLeast version "4.13") ''
REFCOUNT_FULL y
''}
# Perform usercopy bounds checking.
HARDENED_USERCOPY y
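Review bot: the new REFCOUNT_FULL line is the only option in this hunk without an explanatory comment, while its neighbours document their purpose (e.g. `# Perform usercopy bounds checking.`); add one such as `REFCOUNT_FULL y # Full refcount_t checking: saturate on overflow/underflow instead of wrapping` so it is clear this costs some performance in exchange for stopping reference-count bugs before they become use-after-free. The `versionAtLeast version "4.13"` gate is appropriate, as the option does not exist in earlier kernels.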
@@ -89,6 +93,11 @@ ${optionalString (versionAtLeast version "4.11") ''
GCC_PLUGIN_STRUCTLEAK y # A port of the PaX structleak plugin
''}
${optionalString (versionAtLeast version "4.13") ''
GCC_PLUGIN_RANDSTRUCT y # A port of the PaX randstruct plugin
GCC_PLUGIN_RANDSTRUCT_PERFORMANCE y
''}
# Disable various dangerous settings
ACPI_CUSTOM_METHOD n # Allows writing directly to physical memory
PROC_KCORE n # Exposes kernel text image layout
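Review bot: GCC_PLUGIN_RANDSTRUCT_PERFORMANCE y should carry a comment stating the trade-off, because it restricts structure randomization to shuffling within cache-line boundaries and therefore gives weaker layout randomization than plain RANDSTRUCT; in a file named hardened-config a line like `GCC_PLUGIN_RANDSTRUCT_PERFORMANCE y # Weaker layout randomization, keeps fields within cache lines` makes the choice deliberate and reviewable and matches the comment style already used for GCC_PLUGIN_STRUCTLEAK in the same hunk.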
@@ -97,4 +106,9 @@ INET_DIAG n # Has been used for heap based attacks in the past
# Use -fstack-protector-strong (gcc 4.9+) for best stack canary coverage.
CC_STACKPROTECTOR_REGULAR n
CC_STACKPROTECTOR_STRONG y
# Enable compile/run-time buffer overflow detection ala glibc's _FORTIFY_SOURCE
${optionalString (versionAtLeast version "4.13") ''
FORTIFY_SOURCE y
''}
''
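Review bot: FORTIFY_SOURCE depends on ARCH_HAS_FORTIFY_SOURCE, so on architectures that do not provide it the `y` is silently dropped by Kconfig; a short comment noting that the protection is arch-dependent would keep readers from assuming every target built with this config gets the str*/mem* checks. Minor: the comment's `ala glibc's _FORTIFY_SOURCE` reads better as `like glibc's _FORTIFY_SOURCE`.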