
linuxPackages_{,_latest,_testing}_hardened: enable 32-bit emulation #82006

Merged
merged 1 commit into NixOS:master from emilazy:enable-linux-hardened-ia32-emulation on Mar 14, 2020

Conversation

@emilazy
Member

emilazy commented Mar 7, 2020

Motivation for this change

Per discussion in #81943.

Resolves #79798.

If anyone has a strong objection to this, probably a good time to speak up :)

@GrahamcOfBorg build linux_latest_hardened

Things done
  • Tested using sandboxing (nix.useSandbox on NixOS, or option sandbox in nix.conf on non-NixOS linux)
  • Built on platform(s)
    • NixOS
    • macOS
    • other Linux distributions
  • Tested via one or more NixOS test(s) if existing and applicable for the change (look inside nixos/tests)
  • Tested compilation of all pkgs that depend on this change using nix-shell -p nixpkgs-review --run "nixpkgs-review wip"
  • Tested execution of all binary files (usually in ./result/bin/)
  • Determined the impact on package closure size (by running nix path-info -S before and after)
  • Ensured that relevant documentation is up to date
  • Fits CONTRIBUTING.md.
Member

yegortimoshenko left a comment

The Arch and Alpine hardened kernels, as well as the Subgraph OS kernel, all enable IA32 emulation. In addition, not having it enabled has caused a number of issue reports. See #81943 (comment).

@Mic92
Contributor

Mic92 commented Mar 9, 2020

What does Qubes OS do?

@yegortimoshenko
Member

yegortimoshenko commented Mar 9, 2020

Enabled: https://github.com/QubesOS/qubes-linux-kernel/blob/fe861f61c2a81242070c9045bddef00b4343775b/config-base#L646

(config-qubes contains Qubes-specific settings, which do not disable CONFIG_IA32_EMULATION).

@Mic92
Mic92 approved these changes Mar 9, 2020
Contributor

Mic92 left a comment

Given that even the Qubes people trust it (which are very paranoid from my experience), it seems like a reasonable choice to have.

@ajs124
Member

ajs124 commented Mar 11, 2020

The Kernel Self Protection Project recommends turning it off.

That said, I personally deploy at least 3 systems with this exact config, meaning hardened + ia32 emu, because I needed ia32.

What do users expect from this kernel? Maximum possible hardening, or actually being able to use it on their systems without needing to recompile? Evidently a bunch of users have run into issues with this that they weren't able to solve easily, as can be seen from the issues linked above. Will anyone run into any issues because we enable this? Is this an actual security risk to anyone, and if so, do they rely on us not changing this option?

I highly doubt that. Personally, I have a custom kernel hardened config for systems where I care, anyways.
So my vote is a strong "Why not?".
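The two comments above turn on one Kconfig symbol, CONFIG_IA32_EMULATION: the Qubes reference shows it enabled in config-base, and ajs124 notes the KSPP recommends it off. Whichever way a distribution ships it, an administrator auditing a box wants to know which state the running kernel is actually in before relying on it. The script below is an added example, not code from this PR or from nixpkgs; it parses a kernel .config (a saved file, /boot/config-$(uname -r), or `zcat /proc/config.gz`, which needs CONFIG_IKCONFIG_PROC) and reports whether the option is enabled, disabled, or absent. The two sample configs are constructed for illustration.

```shell
#!/bin/sh
# Added example (not part of the PR): report the state of CONFIG_IA32_EMULATION
# in a kernel config, the option this PR flips for linuxPackages_*_hardened.

# Read config text on stdin; print "enabled", "disabled" or "unset".
ia32_emulation_status() {
    # Kconfig writes either "CONFIG_X=y" or "# CONFIG_X is not set";
    # take the last match so a later override wins, as in a merged .config.
    line=$(grep -E '^(# )?CONFIG_IA32_EMULATION([ =]|$)' | tail -n 1)
    case "$line" in
        CONFIG_IA32_EMULATION=y)             echo enabled ;;
        "# CONFIG_IA32_EMULATION is not set") echo disabled ;;
        *)                                   echo unset ;;
    esac
}

# Same check against a file, e.g. /boot/config-$(uname -r).
ia32_emulation_status_file() {
    ia32_emulation_status < "$1"
}

# Constructed sample: a hardened-style config with IA32 emulation off,
# i.e. the state of linux_hardened before this PR.
SAMPLE_OFF='CONFIG_X86_64=y
# CONFIG_IA32_EMULATION is not set
CONFIG_GCC_PLUGIN_RANDSTRUCT=y'

# Constructed sample: the same config after this PR's change.
SAMPLE_ON='CONFIG_X86_64=y
CONFIG_IA32_EMULATION=y
CONFIG_GCC_PLUGIN_RANDSTRUCT=y'

# When invoked directly with a readable config path, check that file;
# e.g. `sh check-ia32.sh /boot/config-$(uname -r)`.
if [ -n "${1:-}" ] && [ -r "$1" ]; then
    ia32_emulation_status_file "$1"
fi
```

For a running kernel without a /boot config, `zcat /proc/config.gz | ia32_emulation_status` gives the same answer. Note that this only reports the build-time option; a kernel built with it enabled can still have the compat syscall layer blocked at runtime by a seccomp policy, which this check does not see.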

@emilazy
Member Author

emilazy commented Mar 11, 2020

It's worth noting that for ideal hardening you want to compile your own kernels anyway, to make maximum use of RANDSTRUCT and the like.

@yegortimoshenko
Member

yegortimoshenko commented Mar 12, 2020

Based on discussion, sounds like it's good to merge? cc @joachifm

@grahamc grahamc merged commit 244178e into NixOS:master Mar 14, 2020
@emilazy emilazy deleted the emilazy:enable-linux-hardened-ia32-emulation branch May 8, 2020