linux-hardened: Disable GCC_PLUGIN_RANDSTRUCT
NeQuissimus committed Oct 11, 2017
1 parent 48f0389 commit 5dda132
Showing 1 changed file with 0 additions and 5 deletions.
5 changes: 0 additions & 5 deletions pkgs/os-specific/linux/kernel/hardened-config.nix
Expand Up @@ -97,11 +97,6 @@ ${optionalString (versionAtLeast version "4.11") ''
GCC_PLUGIN_STRUCTLEAK y # A port of the PaX structleak plugin
''}
${optionalString (versionAtLeast version "4.13") ''
GCC_PLUGIN_RANDSTRUCT y # A port of the PaX randstruct plugin
GCC_PLUGIN_RANDSTRUCT_PERFORMANCE y
''}
# Disable various dangerous settings
ACPI_CUSTOM_METHOD n # Allows writing directly to physical memory
PROC_KCORE n # Exposes kernel text image layout
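Review bot: the removal of GCC_PLUGIN_RANDSTRUCT and GCC_PLUGIN_RANDSTRUCT_PERFORMANCE comes with no rationale in the commit description, and after this hunk the generated config carries no trace that the option was deliberately left out; the thread below attributes the removal to problems with out-of-tree modules, so that reason belongs in the commit message or as a comment at this spot in hardened-config.nix. The surrounding file already spells out disabled options explicitly (`ACPI_CUSTOM_METHOD n`, `PROC_KCORE n`), so rather than deleting the whole `versionAtLeast version "4.13"` block, consider keeping it with `GCC_PLUGIN_RANDSTRUCT n # breaks out-of-tree modules` so a future maintainer who wants to re-enable it, as was attempted here, knows what to test first.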

7 comments on commit 5dda132

@delroth delroth commented on 5dda132 Jan 4, 2019

Why was this removed? I'm thinking of adding it back.

Ideally the reason would have been mentioned in the commit description...

@joachifm

Agreed. If you can, maybe try building with this patch reverted; if it works, I think we should revert, unless there's a good reason not to.

@delroth delroth commented on 5dda132 Jan 4, 2019

I'll send a PR once #53369 is in.

@joachifm

I've pushed a revert of this along with a batch of other hardened-related stuff.

@joachifm

@delroth, unfortunately I've had to re-revert; it turns out there are some problems with out-of-tree modules...

@delroth delroth commented on 5dda132 Jan 7, 2019

Well, that would explain the issue I was having with wireguard, which I was procrastinating to debug... :/

Since I have a use case I'll be happy to try and look into it. I'll file an issue for tracking for now so we can at least share findings.

@delroth delroth commented on 5dda132 Jan 7, 2019
