linux: enable STRICT_KERNEL_RWX & STRICT_MODULE_RWX

Enabled in [Arch][1], [Debian][2], [Fedora][3]. Recommended by [Kernel
Self Protection Project][4].

Since it is now set in common-config, remove it from hardened’s extra config.

[1]: 6392fb2bed/config (L914-917)
[2]: 5f6aa5cb48/debian/config/config (L11-12)
[3]: e8025dc0fb/f/kernel-x86_64-fedora.config (_7449)
[4]: https://kernsec.org/wiki/index.php?title=Kernel_Self_Protection_Project/Recommended_Settings&oldid=4078
Andrew Marshall 2024-04-01 11:37:34 -04:00
parent ff5cd23067
commit dd666b86ad
2 changed files with 2 additions and 2 deletions


@ -674,6 +674,8 @@ let
HARDENED_USERCOPY = yes;
RANDOMIZE_BASE = option yes;
STRICT_KERNEL_RWX = yes;
STRICT_MODULE_RWX = yes;
STRICT_DEVMEM = mkDefault yes; # Filter access to /dev/mem
IO_STRICT_DEVMEM = mkDefault yes;
SECURITY_SELINUX_BOOTPARAM_VALUE = whenOlder "5.1" (freeform "0"); # Disable SELinux by default
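Review bot: The two added lines `STRICT_KERNEL_RWX = yes;` and `STRICT_MODULE_RWX = yes;` are unconditional, but both Kconfig symbols are only offered on architectures that select ARCH_HAS_STRICT_KERNEL_RWX / ARCH_HAS_STRICT_MODULE_RWX, and they only exist under these names from 4.11 onward (earlier kernels had DEBUG_RODATA / DEBUG_SET_MODULE_RONX). In common-config a plain `yes` presumably is a hard requirement — the hardened file's own comment on SECURITY_SELINUX_DISABLE records the generator failing with "unused option" when the kernel does not offer a symbol — so moving these out of the hardened-only file can break the build for an architecture or version that the old placement never reached. The neighbouring `RANDOMIZE_BASE = option yes;` shows the safer pattern: `STRICT_KERNEL_RWX = option yes;` and `STRICT_MODULE_RWX = option yes;` keep the W^X hardening wherever the kernel supports it without turning its absence into a failure. The enclosing attribute set starts before the hunk.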


@ -31,8 +31,6 @@ assert (versionAtLeast version "4.9");
SECURITY_SELINUX_DISABLE = whenOlder "6.4" no; # On 6.4: error: unused option: SECURITY_SELINUX_DISABLE
SECURITY_WRITABLE_HOOKS = option no;
STRICT_KERNEL_RWX = yes;
# Perform additional validation of commonly targeted structures.
DEBUG_CREDENTIALS = whenOlder "6.6" yes;
DEBUG_NOTIFIERS = yes;