linux_hardened: move to 4.11

Note that DEBUG_RODATA has been split into STRICT_KERNEL_RWX & STRICT_MODULE_RWX, which are on by default (non-optional).
2017-05-06 19:02:16 +02:00 · 2017-05-06 19:02:16 +02:00 · a7ecdffc28
commit a7ecdffc28
parent 42c58cd2e8
2 changed files with 5 additions and 7 deletions
--- a/pkgs/os-specific/linux/kernel/hardened-config.nix
+++ b/pkgs/os-specific/linux/kernel/hardened-config.nix
@ -2,22 +2,19 @@
 # http://kernsec.org/wiki/index.php/Kernel_Self_Protection_Project#Recommended_settings
 # https://wiki.gentoo.org/wiki/Hardened/Hardened_Kernel_Project
 #
-# The base kernel is assumed to be at least 4.9 or whatever the toplevel
-# linux_hardened package expression uses.
-#
 # Dangerous features that can be permanently (for the boot session) disabled at
 # boot via sysctl or kernel cmdline are left enabled here, for improved
 # flexibility.

-{ stdenv }:
+{ stdenv, version }:

 with stdenv.lib;

+assert (versionAtLeast version "4.9");
+
 ''
 GCC_PLUGINS y # Enable gcc plugin options

-DEBUG_KERNEL y
-DEBUG_RODATA y # Make kernel text & rodata read-only
 DEBUG_WX y # A one-time check for W+X mappings at boot; doesn't do anything beyond printing a warning

 # Additional validation of commonly targetted structures
--- a/pkgs/top-level/all-packages.nix
+++ b/pkgs/top-level/all-packages.nix
@ -11995,9 +11995,10 @@ with pkgs;
  linuxPackages_latest_xen_dom0 = recurseIntoAttrs (linuxPackagesFor (pkgs.linux_latest.override { features.xen_dom0=true; }));

  # Hardened linux
-  linux_hardened = linux_4_9.override {
+  linux_hardened = let linux = pkgs.linux_4_11; in linux.override {
    extraConfig = import ../os-specific/linux/kernel/hardened-config.nix {
      inherit stdenv;
+      inherit (linux) version;
    };
  };