2018-07-20 21:56:59 +01:00
|
|
|
{ config, lib, ... }:
|
2013-03-02 18:53:48 +00:00
|
|
|
|
2014-04-14 15:26:48 +01:00
|
|
|
with lib;
|
2013-03-02 18:53:48 +00:00
|
|
|
|
|
|
|
let
|
|
|
|
|
|
|
|
sysctlOption = mkOptionType {
|
|
|
|
name = "sysctl option value";
|
2014-04-15 20:13:34 +01:00
|
|
|
check = val:
|
|
|
|
let
|
2019-04-24 04:48:22 +01:00
|
|
|
checkType = x: isBool x || isString x || isInt x || x == null;
|
2014-04-15 20:13:34 +01:00
|
|
|
in
|
|
|
|
checkType val || (val._type or "" == "override" && checkType val.content);
|
|
|
|
merge = loc: defs: mergeOneOption loc (filterOverrides defs);
|
2013-03-02 18:53:48 +00:00
|
|
|
};
|
|
|
|
|
|
|
|
in
|
|
|
|
|
|
|
|
{
|
|
|
|
|
|
|
|
options = {
|
|
|
|
|
|
|
|
boot.kernel.sysctl = mkOption {
|
|
|
|
default = {};
|
2015-12-30 18:10:39 +00:00
|
|
|
example = literalExample ''
|
|
|
|
{ "net.ipv4.tcp_syncookies" = false; "vm.swappiness" = 60; }
|
|
|
|
'';
|
2013-03-02 18:53:48 +00:00
|
|
|
type = types.attrsOf sysctlOption;
|
|
|
|
description = ''
|
|
|
|
Runtime parameters of the Linux kernel, as set by
|
|
|
|
<citerefentry><refentrytitle>sysctl</refentrytitle>
|
|
|
|
<manvolnum>8</manvolnum></citerefentry>. Note that sysctl
|
|
|
|
parameters names must be enclosed in quotes
|
|
|
|
(e.g. <literal>"vm.swappiness"</literal> instead of
|
nixos: add grsecurity module (#1875)
This module implements a significant refactoring in grsecurity
configuration for NixOS, making it far more usable by default and much
easier to configure.
- New security.grsecurity NixOS attributes.
- All grsec kernels supported
- Allows default 'auto' grsec configuration, or custom config
- Supports custom kernel options through kernelExtraConfig
- Defaults to high-security - user must choose kernel, server/desktop
mode, and any virtualisation software. That's all.
- kptr_restrict is fixed under grsecurity (it's unwriteable)
- grsecurity patch creation is now significantly abstracted
- only need revision, version, and SHA1
- kernel version requirements are asserted for sanity
- built kernels can have the uname specify the exact grsec version
for development or bug reports. Off by default (requires
`security.grsecurity.config.verboseVersion = true;`)
- grsecurity sysctl support
- By default, disabled.
- For people who enable it, NixOS deploys a 'grsec-lock' systemd
service which runs at startup. You are expected to configure sysctl
through NixOS like you regularly would, which will occur before the
service is started. As a result, changing sysctl settings requires
a reboot.
- New default group: 'grsecurity'
- Root is a member by default
- GRKERNSEC_PROC_GID is implicitly set to the 'grsecurity' GID,
making it possible to easily add users to this group for /proc
access
- AppArmor is now automatically enabled where it wasn't before, despite
implying features.apparmor = true
The most trivial example of enabling grsecurity in your kernel is by
specifying:
security.grsecurity.enable = true;
security.grsecurity.testing = true; # testing 3.13 kernel
security.grsecurity.config.system = "desktop"; # or "server"
This specifies absolutely no virtualisation support. In general, you
probably at least want KVM host support, which is a little more work.
So:
security.grsecurity.enable = true;
security.grsecurity.stable = true; # enable stable 3.2 kernel
security.grsecurity.config = {
system = "server";
priority = "security";
virtualisationConfig = "host";
virtualisationSoftware = "kvm";
hardwareVirtualisation = true;
}
This module has primarily been tested on Hetzner EX40 & VQ7 servers
using NixOps.
Signed-off-by: Austin Seipp <aseipp@pobox.com>
2014-04-06 20:18:12 +01:00
|
|
|
<literal>vm.swappiness</literal>). The value of each
|
|
|
|
parameter may be a string, integer, boolean, or null
|
|
|
|
(signifying the option will not appear at all).
|
2013-03-02 18:53:48 +00:00
|
|
|
'';
|
|
|
|
};
|
|
|
|
|
|
|
|
};
|
|
|
|
|
|
|
|
config = {
|
|
|
|
|
2019-08-11 14:38:20 +01:00
|
|
|
environment.etc."sysctl.d/60-nixos.conf".text =
|
nixos: add grsecurity module (#1875)
This module implements a significant refactoring in grsecurity
configuration for NixOS, making it far more usable by default and much
easier to configure.
- New security.grsecurity NixOS attributes.
- All grsec kernels supported
- Allows default 'auto' grsec configuration, or custom config
- Supports custom kernel options through kernelExtraConfig
- Defaults to high-security - user must choose kernel, server/desktop
mode, and any virtualisation software. That's all.
- kptr_restrict is fixed under grsecurity (it's unwriteable)
- grsecurity patch creation is now significantly abstracted
- only need revision, version, and SHA1
- kernel version requirements are asserted for sanity
- built kernels can have the uname specify the exact grsec version
for development or bug reports. Off by default (requires
`security.grsecurity.config.verboseVersion = true;`)
- grsecurity sysctl support
- By default, disabled.
- For people who enable it, NixOS deploys a 'grsec-lock' systemd
service which runs at startup. You are expected to configure sysctl
through NixOS like you regularly would, which will occur before the
service is started. As a result, changing sysctl settings requires
a reboot.
- New default group: 'grsecurity'
- Root is a member by default
- GRKERNSEC_PROC_GID is implicitly set to the 'grsecurity' GID,
making it possible to easily add users to this group for /proc
access
- AppArmor is now automatically enabled where it wasn't before, despite
implying features.apparmor = true
The most trivial example of enabling grsecurity in your kernel is by
specifying:
security.grsecurity.enable = true;
security.grsecurity.testing = true; # testing 3.13 kernel
security.grsecurity.config.system = "desktop"; # or "server"
This specifies absolutely no virtualisation support. In general, you
probably at least want KVM host support, which is a little more work.
So:
security.grsecurity.enable = true;
security.grsecurity.stable = true; # enable stable 3.2 kernel
security.grsecurity.config = {
system = "server";
priority = "security";
virtualisationConfig = "host";
virtualisationSoftware = "kvm";
hardwareVirtualisation = true;
}
This module has primarily been tested on Hetzner EX40 & VQ7 servers
using NixOps.
Signed-off-by: Austin Seipp <aseipp@pobox.com>
2014-04-06 20:18:12 +01:00
|
|
|
concatStrings (mapAttrsToList (n: v:
|
|
|
|
optionalString (v != null) "${n}=${if v == false then "0" else toString v}\n"
|
|
|
|
) config.boot.kernel.sysctl);
|
2013-03-02 18:53:48 +00:00
|
|
|
|
|
|
|
systemd.services.systemd-sysctl =
|
2014-04-17 17:52:31 +01:00
|
|
|
{ wantedBy = [ "multi-user.target" ];
|
2019-08-11 14:38:20 +01:00
|
|
|
restartTriggers = [ config.environment.etc."sysctl.d/60-nixos.conf".source ];
|
2013-03-02 18:53:48 +00:00
|
|
|
};
|
|
|
|
|
2013-03-02 18:57:55 +00:00
|
|
|
# Enable hardlink and symlink restrictions. See
|
|
|
|
# https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=800179c9b8a1e796e441674776d11cd4c05d61d7
|
|
|
|
# for details.
|
|
|
|
boot.kernel.sysctl."fs.protected_hardlinks" = true;
|
|
|
|
boot.kernel.sysctl."fs.protected_symlinks" = true;
|
|
|
|
|
2013-07-31 15:10:13 +01:00
|
|
|
# Hide kernel pointers (e.g. in /proc/modules) for unprivileged
|
|
|
|
# users as these make it easier to exploit kernel vulnerabilities.
|
2017-05-12 17:38:27 +01:00
|
|
|
boot.kernel.sysctl."kernel.kptr_restrict" = 1;
|
2017-03-21 17:41:58 +00:00
|
|
|
|
|
|
|
# Disable YAMA by default to allow easy debugging.
|
|
|
|
boot.kernel.sysctl."kernel.yama.ptrace_scope" = mkDefault 0;
|
|
|
|
|
2013-03-02 18:53:48 +00:00
|
|
|
};
|
|
|
|
}
|