mirror of
https://github.com/NixOS/nixpkgs.git
synced 2024-11-15 06:14:57 +01:00
b80c3284d5
Borrowing from here to match hardened profile with more recent kernels: * https://madaidans-insecurities.github.io/guides/linux-hardening.html?#boot-parameters * https://github.com/a13xp0p0v/kernel-hardening-checker/ Removed "slub_debug" as that option disables kernel memory address hashing. You also see a big warning about this in the dmesg: "This system shows unhashed kernel memory addresses via the console, logs, and other interfaces." "init_on_alloc=1" and "init_on_free=1" zeroes all SLAB and SLUB allocations. Introduced in 6471384af2a6530696fc0203bafe4de41a23c9ef. Also the default for the Android Google kernel btw. It is on by default through the KConfig. "slab_nomerge" prevents the merging of slab/slub caches. These are effectively slab/slub pools. "LEGACY_VSYSCALL_NONE" disables the older vsyscall mechanic that relies on static address. It got superseeded by vdsos a decade ago. Read some LWN.net to learn more ;) "debugfs=off" I'm sure there are some few userspace programs that rely on debugfs, but they shouldn't. Most other things mentioned on the blog where already the default on a running machine or may not be applicable. Most other Kconfigs changes come from the kernel hardening checker and were added, when they were not applied to the kernel already. Unsure about CONFIG_STATIC_USERMODEHELPER. Would need testing. |
||
|---|---|---|
| .. | ||
| keys | ||
| all-hardware.nix | ||
| base.nix | ||
| clone-config.nix | ||
| demo.nix | ||
| docker-container.nix | ||
| graphical.nix | ||
| hardened.nix | ||
| headless.nix | ||
| image-based-appliance.nix | ||
| installation-device.nix | ||
| macos-builder.nix | ||
| minimal.nix | ||
| perlless.nix | ||
| qemu-guest.nix | ||