NixOS · Sep 16, 2017 · Sep 16, 2017 · Sep 16, 2017 · Sep 16, 2017
Showing with 16 additions and 2 deletions.

+10 −0 nixos/tests/hardened.nix

+6 −2 pkgs/os-specific/linux/kernel/hardened-config.nix
diff --git a/nixos/tests/hardened.nix b/nixos/tests/hardened.nix
@@ -32,5 +32,15 @@ import ./make-test.nix ({ pkgs, ...} : {
       subtest "userns", sub {
           $machine->fail("unshare --user");
       };
+
+      # Test dmesg restriction
+      subtest "dmesg", sub {
+          $machine->fail("su -l alice -c dmesg");
+      };
+
+      # Test access to kcore
+      subtest "kcore", sub {
+          $machine->fail("cat /proc/kcore");
+      };
     '';
 })
diff --git a/pkgs/os-specific/linux/kernel/hardened-config.nix b/pkgs/os-specific/linux/kernel/hardened-config.nix
@@ -18,7 +18,11 @@ assert (versionAtLeast version "4.9");
 # Report BUG() conditions and kill the offending process.
 BUG y
 
-${optionalString (stdenv.system == "x86_64-linux") ''
+${optionalString (versionAtLeast version "4.10") ''
+  BUG_ON_DATA_CORRUPTION y
+''}
+
+${optionalString (stdenv.platform.kernelArch == "x86_64") ''
   DEFAULT_MMAP_MIN_ADDR 65536 # Prevent allocation of first 64K of memory
 
   # Reduce attack surface by disabling various emulations
@@ -64,9 +68,9 @@ IO_STRICT_DEVMEM y
 DEBUG_CREDENTIALS y
 DEBUG_NOTIFIERS y
 DEBUG_LIST y
+DEBUG_PI_LIST y # doesn't BUG()
 DEBUG_SG y
 SCHED_STACK_END_CHECK y
-BUG_ON_DATA_CORRUPTION y
 
 ${optionalString (versionAtLeast version "4.13") ''
   REFCOUNT_FULL y