Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

linux/common-config: restrict access to dmesg #316161

Merged
merged 1 commit into from
Jul 24, 2024
Merged

linux/common-config: restrict access to dmesg #316161

merged 1 commit into from
Jul 24, 2024

Conversation

LeSuisse
Copy link
Contributor

Description of changes

SECURITY_DMESG_RESTRICT is enabled by default by a lot of other distributions for a quite a while now, NixOS is a bit of an outlier. The main justification to enable it is that kernel log might leak kernel pointers which can then be used by exploits to defeat KASLR (NixOS also enables kernel.kptr_restrict by default since 2013).

Things done

  • Built on platform(s)
    • x86_64-linux
    • aarch64-linux
    • x86_64-darwin
    • aarch64-darwin
  • For non-Linux: Is sandboxing enabled in nix.conf? (See Nix manual)
    • sandbox = relaxed
    • sandbox = true
  • Tested, as applicable:
  • Tested compilation of all packages that depend on this change using nix-shell -p nixpkgs-review --run "nixpkgs-review rev HEAD". Note: all changes have to be committed, also see nixpkgs-review usage
  • Tested basic functionality of all binary files (usually in ./result/bin/)
  • 24.11 Release Notes (or backporting 23.11 and 24.05 Release notes)
    • (Package updates) Added a release notes entry if the change is major or breaking
    • (Module updates) Added a release notes entry if the change is significant
    • (Module addition) Added a release notes entry if adding a new NixOS module
  • Fits CONTRIBUTING.md.

Add a 👍 reaction to pull requests you find important.

tomfitzhenry
tomfitzhenry previously requested changes Jun 11, 2024
View reviewed changes
Copy link
Contributor

@tomfitzhenry tomfitzhenry left a comment
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Sounds good in principle.

common-config.nix advises:

# WARNING/NOTE: whenever you want to add an option here you need to either
# * mark it as an optional one with `option`,
# * or make sure it works for all the versions in nixpkgs,
# * or check for which kernel versions it will work (using kernel
#   changelog, google or whatever) and mark it with `whenOlder` or
#   `whenAtLeast`.
# Then do test your change by building all the kernels (or at least
# their configs) in Nixpkgs or else you will guarantee lots and lots
# of pain to users trying to switch to an older kernel because of some
# hardware problems with a new one.

Thoughts on how this applies to this PR?

Also, should this PR target staging rather than master, in light of rebuild-linux: 2501-5000?

@LeSuisse
Copy link
Contributor Author

LeSuisse commented Jun 13, 2024
edited
Loading

Sounds good in principle.

common-config.nix advises:

# WARNING/NOTE: whenever you want to add an option here you need to either
# * mark it as an optional one with `option`,
# * or make sure it works for all the versions in nixpkgs,
# * or check for which kernel versions it will work (using kernel
#   changelog, google or whatever) and mark it with `whenOlder` or
#   `whenAtLeast`.
# Then do test your change by building all the kernels (or at least
# their configs) in Nixpkgs or else you will guarantee lots and lots
# of pain to users trying to switch to an older kernel because of some
# hardware problems with a new one.

Thoughts on how this applies to this PR?

It is fine, CONFIG_SECURITY_DMESG_RESTRICT exists since 2.6.37 and the oldest supported kernel in nixpkgs is 4.19.

Also, should this PR target staging rather than master, in light of rebuild-linux: 2501-5000?

I will rebase on top of staging, the recent PRs targetting this file were made against master and I did not think much about it.

@LeSuisse LeSuisse closed this Jun 13, 2024
@LeSuisse LeSuisse reopened this Jun 13, 2024
@LeSuisse LeSuisse marked this pull request as draft June 13, 2024 19:43
@LeSuisse LeSuisse changed the base branch from master to staging June 13, 2024 19:45
@LeSuisse LeSuisse marked this pull request as ready for review June 13, 2024 19:46
@fabianhjr
Copy link
Member

There is a merge conflict, feel free to ping me when resolved to merge.

Thanks for contributing :3

@LeSuisse @JohnRTitor
linux/common-config: restrict access to dmesg
e547534 
`SECURITY_DMESG_RESTRICT` is enabled by default by a lot of
other distributions for a quite a while now, NixOS is a bit of an outlier.
The main justification to enable it is that kernel log might leak kernel
pointers which can then be used by exploits to defeat KASLR (NixOS also
enables `kernel.kptr_restrict` by default since 2013).
@JohnRTitor JohnRTitor merged commit 39c26a4 into NixOS:staging Jul 24, 2024
22 checks passed
@LeSuisse LeSuisse deleted the restrict-dmesg branch July 24, 2024 12:36
@LeSuisse
Copy link
Contributor Author

Thanks for the conflict resolution @JohnRTitor ❤️

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@fabianhjr fabianhjr fabianhjr approved these changes

@JohnRTitor JohnRTitor JohnRTitor approved these changes

@tomfitzhenry tomfitzhenry tomfitzhenry left review comments

Assignees
No one assigned
Labels
6.topic: kernel 6.topic: nixos 8.has: changelog 8.has: documentation 10.rebuild-darwin: 1-10 10.rebuild-linux: 501+ 10.rebuild-linux: 5001+ 12.approvals: 1
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
5 participants
@LeSuisse @fabianhjr @tomfitzhenry @JohnRTitor @wegank