linux/hardened/patches/6.9: init at 6.9.1-hardened1

- ACPI_CUSTOM_METHOD: dropped in 0cc46f1a52b4220ec11d98a01575909ca820a7b4 - UBSAN_SANITIZE_ALL: dropped in 918327e9b7ffb45321cbb4b9b86b58ec555fe6b3
2024-11-16 06:45:16 +01:00 · 2024-05-20 14:43:59 -06:00 · 2024-05-20 14:43:59 -06:00 · 79081fda5e
commit 79081fda5e
parent 2da6412799
5 changed files with 17 additions and 2 deletions
--- a/nixos/tests/kernel-generic.nix
+++ b/nixos/tests/kernel-generic.nix
@ -32,6 +32,7 @@ let
      linux_6_1_hardened
      linux_6_6_hardened
      linux_6_8_hardened
+      linux_6_9_hardened
      linux_rt_5_4
      linux_rt_5_10
      linux_rt_5_15
--- a/pkgs/os-specific/linux/kernel/hardened/config.nix
+++ b/pkgs/os-specific/linux/kernel/hardened/config.nix
@ -88,7 +88,7 @@ assert (versionAtLeast version "4.9");
  UBSAN      = yes;
  UBSAN_TRAP = whenAtLeast "5.7" yes;
  UBSAN_BOUNDS = whenAtLeast "5.7" yes;
-  UBSAN_SANITIZE_ALL = yes;
+  UBSAN_SANITIZE_ALL = whenOlder "6.9" yes;
  UBSAN_LOCAL_BOUNDS = option yes; # clang only
  CFI_CLANG = option yes; # clang only Control Flow Integrity since 6.1

@ -97,7 +97,7 @@ assert (versionAtLeast version "4.9");
  RANDSTRUCT_PERFORMANCE = whenAtLeast "5.19" yes;

  # Disable various dangerous settings
-  ACPI_CUSTOM_METHOD = no; # Allows writing directly to physical memory
+  ACPI_CUSTOM_METHOD = whenOlder "6.9" no; # Allows writing directly to physical memory
  PROC_KCORE         = no; # Exposes kernel text image layout
  INET_DIAG          = no; # Has been used for heap based attacks in the past

--- a/pkgs/os-specific/linux/kernel/hardened/patches.json
+++ b/pkgs/os-specific/linux/kernel/hardened/patches.json
@ -68,5 +68,15 @@
        },
        "sha256": "0xjirg2w5fc2w2q6wr702akszq32m31lk4q5nbjq10zqhbcr5fxh",
        "version": "6.8.10"
+    },
+    "6.9": {
+        "patch": {
+            "extra": "-hardened1",
+            "name": "linux-hardened-6.9.1-hardened1.patch",
+            "sha256": "1zp0qwri43v4h234x1vqbwcbd50hryshi7i717xandzkpxvq72l2",
+            "url": "https://github.com/anthraxx/linux-hardened/releases/download/6.9.1-hardened1/linux-hardened-6.9.1-hardened1.patch"
+        },
+        "sha256": "0jn0qp22vx7xf2mgaj7cwf8agqhahvrwlda4ak6rw67xk2x19d01",
+        "version": "6.9.1"
    }
 }
--- a/pkgs/top-level/all-packages.nix
+++ b/pkgs/top-level/all-packages.nix
@ -27330,6 +27330,8 @@ with pkgs;
  linux_6_6_hardened = linuxKernel.kernels.linux_6_6_hardened;
  linuxPackages_6_8_hardened = linuxKernel.packages.linux_6_8_hardened;
  linux_6_8_hardened = linuxKernel.kernels.linux_6_8_hardened;
+  linuxPackages_6_9_hardened = linuxKernel.packages.linux_6_9_hardened;
+  linux_6_9_hardened = linuxKernel.kernels.linux_6_9_hardened;

  # GNU Linux-libre kernels
  linuxPackages-libre = linuxKernel.packages.linux_libre;
--- a/pkgs/top-level/linux-kernels.nix
+++ b/pkgs/top-level/linux-kernels.nix
@ -270,6 +270,7 @@ in {
    linux_6_1_hardened = hardenedKernelFor kernels.linux_6_1 { };
    linux_6_6_hardened = hardenedKernelFor kernels.linux_6_6 { };
    linux_6_8_hardened = hardenedKernelFor kernels.linux_6_8 { };
+    linux_6_9_hardened = hardenedKernelFor kernels.linux_6_9 { };

  } // lib.optionalAttrs config.allowAliases {
    linux_4_9 = throw "linux 4.9 was removed because it will reach its end of life within 22.11";
@ -659,6 +660,7 @@ in {
    linux_6_1_hardened = recurseIntoAttrs (packagesFor kernels.linux_6_1_hardened);
    linux_6_6_hardened = recurseIntoAttrs (packagesFor kernels.linux_6_6_hardened);
    linux_6_8_hardened = recurseIntoAttrs (packagesFor kernels.linux_6_8_hardened);
+    linux_6_9_hardened = recurseIntoAttrs (packagesFor kernels.linux_6_9_hardened);

    linux_zen = recurseIntoAttrs (packagesFor kernels.linux_zen);
    linux_lqx = recurseIntoAttrs (packagesFor kernels.linux_lqx);