nixos/hardened: fix lower bounds of hardened options

Without the change, the build of `linux-config-4.19.306` fails with:
https://cache.nixos.org/log/994zy6g5fsb4p6c8jdwham8sp0mqh1w4-linux-config-4.19.306.drv:

    error: unused option: INIT_ON_ALLOC_DEFAULT_ON
    error: unused option: INIT_ON_FREE_DEFAULT_ON
    error: unused option: UBSAN_TRAP
    error: unused option: ZERO_CALL_USED_REGS
Sergei Trofimovich 2024-02-09 23:26:29 +00:00
parent 442d407992
commit 9ce46e61eb


@ -60,11 +60,11 @@ assert (versionAtLeast version "4.9");
PAGE_POISONING_ZERO = whenOlder "5.11" yes;
# Enable init_on_alloc and init_on_free by default
INIT_ON_ALLOC_DEFAULT_ON = yes;
INIT_ON_FREE_DEFAULT_ON = yes;
INIT_ON_ALLOC_DEFAULT_ON = whenAtLeast "5.3" yes;
INIT_ON_FREE_DEFAULT_ON = whenAtLeast "5.3" yes;
# Wipe all caller-used registers on exit from a function
ZERO_CALL_USED_REGS = yes;
ZERO_CALL_USED_REGS = whenAtLeast "5.15" yes;
# Enable the SafeSetId LSM
SECURITY_SAFESETID = whenAtLeast "5.1" yes;
@ -86,8 +86,8 @@ assert (versionAtLeast version "4.9");
# https://www.kernel.org/doc/html/latest/dev-tools/ubsan.html
# https://developers.redhat.com/blog/2014/10/16/gcc-undefined-behavior-sanitizer-ubsan
UBSAN = yes;
UBSAN_TRAP = yes;
UBSAN_BOUNDS = yes;
UBSAN_TRAP = whenAtLeast "5.7" yes;
UBSAN_BOUNDS = whenAtLeast "5.7" yes;
UBSAN_SANITIZE_ALL = yes;
UBSAN_LOCAL_BOUNDS = option yes; # clang only
CFI_CLANG = option yes; # clang only Control Flow Integrity since 6.1
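Review bot: The new `whenAtLeast` bounds on INIT_ON_ALLOC_DEFAULT_ON, INIT_ON_FREE_DEFAULT_ON, ZERO_CALL_USED_REGS, UBSAN_TRAP and UBSAN_BOUNDS are not explained in the hunks, even though the surrounding file records version history inline (`PAGE_POISONING_ZERO = whenOlder "5.11" yes;`, `# ... Control Flow Integrity since 6.1`); a reader of the hardened profile cannot tell from these lines whether the bound is the option's introduction point or a deliberate policy choice. I would extend the existing comments to say so, e.g. `# Enable init_on_alloc and init_on_free by default (options exist since 5.3)` and `# UBSAN_TRAP/UBSAN_BOUNDS were split out of UBSAN in 5.7`, and likewise `# Wipe all caller-used registers on exit from a function (since 5.15)`. Assuming `whenAtLeast` drops the option below the bound, the practical consequence is that a hardened 4.19/5.4 config now builds but without these mitigations — notably UBSAN stays enabled pre-5.7 while UBSAN_TRAP is absent, so violations are reported rather than trapped — which is worth one sentence in the commit description so users of older LTS kernels know the profile is weaker there. The first hunk's header announces 11 lines per side but only 8 are visible, so its trailing context appears truncated on this page.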