2016-06-09 19:12:31 +01:00
|
|
|
{ config, pkgs, lib, ... }:
|
nixos: add grsecurity module (#1875)
This module implements a significant refactoring in grsecurity
configuration for NixOS, making it far more usable by default and much
easier to configure.
- New security.grsecurity NixOS attributes.
- All grsec kernels supported
- Allows default 'auto' grsec configuration, or custom config
- Supports custom kernel options through kernelExtraConfig
- Defaults to high-security - user must choose kernel, server/desktop
mode, and any virtualisation software. That's all.
- kptr_restrict is fixed under grsecurity (it's unwriteable)
- grsecurity patch creation is now significantly abstracted
- only need revision, version, and SHA1
- kernel version requirements are asserted for sanity
- built kernels can have the uname specify the exact grsec version
for development or bug reports. Off by default (requires
`security.grsecurity.config.verboseVersion = true;`)
- grsecurity sysctl support
- By default, disabled.
- For people who enable it, NixOS deploys a 'grsec-lock' systemd
service which runs at startup. You are expected to configure sysctl
through NixOS like you regularly would, which will occur before the
service is started. As a result, changing sysctl settings requires
a reboot.
- New default group: 'grsecurity'
- Root is a member by default
- GRKERNSEC_PROC_GID is implicitly set to the 'grsecurity' GID,
making it possible to easily add users to this group for /proc
access
- AppArmor is now automatically enabled where it wasn't before, despite
implying features.apparmor = true
The most trivial example of enabling grsecurity in your kernel is by
specifying:
security.grsecurity.enable = true;
security.grsecurity.testing = true; # testing 3.13 kernel
security.grsecurity.config.system = "desktop"; # or "server"
This specifies absolutely no virtualisation support. In general, you
probably at least want KVM host support, which is a little more work.
So:
security.grsecurity.enable = true;
security.grsecurity.stable = true; # enable stable 3.2 kernel
security.grsecurity.config = {
system = "server";
priority = "security";
virtualisationConfig = "host";
virtualisationSoftware = "kvm";
hardwareVirtualisation = true;
}
This module has primarily been tested on Hetzner EX40 & VQ7 servers
using NixOps.
Signed-off-by: Austin Seipp <aseipp@pobox.com>
2014-04-06 20:18:12 +01:00
|
|
|
|
2014-04-14 15:26:48 +01:00
|
|
|
with lib;
|
nixos: add grsecurity module (#1875)
This module implements a significant refactoring in grsecurity
configuration for NixOS, making it far more usable by default and much
easier to configure.
- New security.grsecurity NixOS attributes.
- All grsec kernels supported
- Allows default 'auto' grsec configuration, or custom config
- Supports custom kernel options through kernelExtraConfig
- Defaults to high-security - user must choose kernel, server/desktop
mode, and any virtualisation software. That's all.
- kptr_restrict is fixed under grsecurity (it's unwriteable)
- grsecurity patch creation is now significantly abstracted
- only need revision, version, and SHA1
- kernel version requirements are asserted for sanity
- built kernels can have the uname specify the exact grsec version
for development or bug reports. Off by default (requires
`security.grsecurity.config.verboseVersion = true;`)
- grsecurity sysctl support
- By default, disabled.
- For people who enable it, NixOS deploys a 'grsec-lock' systemd
service which runs at startup. You are expected to configure sysctl
through NixOS like you regularly would, which will occur before the
service is started. As a result, changing sysctl settings requires
a reboot.
- New default group: 'grsecurity'
- Root is a member by default
- GRKERNSEC_PROC_GID is implicitly set to the 'grsecurity' GID,
making it possible to easily add users to this group for /proc
access
- AppArmor is now automatically enabled where it wasn't before, despite
implying features.apparmor = true
The most trivial example of enabling grsecurity in your kernel is by
specifying:
security.grsecurity.enable = true;
security.grsecurity.testing = true; # testing 3.13 kernel
security.grsecurity.config.system = "desktop"; # or "server"
This specifies absolutely no virtualisation support. In general, you
probably at least want KVM host support, which is a little more work.
So:
security.grsecurity.enable = true;
security.grsecurity.stable = true; # enable stable 3.2 kernel
security.grsecurity.config = {
system = "server";
priority = "security";
virtualisationConfig = "host";
virtualisationSoftware = "kvm";
hardwareVirtualisation = true;
}
This module has primarily been tested on Hetzner EX40 & VQ7 servers
using NixOps.
Signed-off-by: Austin Seipp <aseipp@pobox.com>
2014-04-06 20:18:12 +01:00
|
|
|
|
|
|
|
let
|
2014-05-18 13:38:13 +01:00
|
|
|
cfg = config.security.grsecurity;
|
2016-06-09 19:12:31 +01:00
|
|
|
grsecLockPath = "/proc/sys/kernel/grsecurity/grsec_lock";
|
|
|
|
|
2016-07-14 15:00:17 +01:00
|
|
|
# Ascertain whether NixOS container support is required
|
|
|
|
containerSupportRequired =
|
|
|
|
config.boot.enableContainers && config.containers != {};
|
nixos: add grsecurity module (#1875)
This module implements a significant refactoring in grsecurity
configuration for NixOS, making it far more usable by default and much
easier to configure.
- New security.grsecurity NixOS attributes.
- All grsec kernels supported
- Allows default 'auto' grsec configuration, or custom config
- Supports custom kernel options through kernelExtraConfig
- Defaults to high-security - user must choose kernel, server/desktop
mode, and any virtualisation software. That's all.
- kptr_restrict is fixed under grsecurity (it's unwriteable)
- grsecurity patch creation is now significantly abstracted
- only need revision, version, and SHA1
- kernel version requirements are asserted for sanity
- built kernels can have the uname specify the exact grsec version
for development or bug reports. Off by default (requires
`security.grsecurity.config.verboseVersion = true;`)
- grsecurity sysctl support
- By default, disabled.
- For people who enable it, NixOS deploys a 'grsec-lock' systemd
service which runs at startup. You are expected to configure sysctl
through NixOS like you regularly would, which will occur before the
service is started. As a result, changing sysctl settings requires
a reboot.
- New default group: 'grsecurity'
- Root is a member by default
- GRKERNSEC_PROC_GID is implicitly set to the 'grsecurity' GID,
making it possible to easily add users to this group for /proc
access
- AppArmor is now automatically enabled where it wasn't before, despite
implying features.apparmor = true
The most trivial example of enabling grsecurity in your kernel is by
specifying:
security.grsecurity.enable = true;
security.grsecurity.testing = true; # testing 3.13 kernel
security.grsecurity.config.system = "desktop"; # or "server"
This specifies absolutely no virtualisation support. In general, you
probably at least want KVM host support, which is a little more work.
So:
security.grsecurity.enable = true;
security.grsecurity.stable = true; # enable stable 3.2 kernel
security.grsecurity.config = {
system = "server";
priority = "security";
virtualisationConfig = "host";
virtualisationSoftware = "kvm";
hardwareVirtualisation = true;
}
This module has primarily been tested on Hetzner EX40 & VQ7 servers
using NixOps.
Signed-off-by: Austin Seipp <aseipp@pobox.com>
2014-04-06 20:18:12 +01:00
|
|
|
in
|
|
|
|
|
2016-06-09 19:12:31 +01:00
|
|
|
{
|
2016-08-29 17:10:38 +01:00
|
|
|
meta = {
|
2017-04-27 19:42:23 +01:00
|
|
|
maintainers = with maintainers; [ ];
|
2016-08-29 17:10:38 +01:00
|
|
|
doc = ./grsecurity.xml;
|
|
|
|
};
|
|
|
|
|
2016-06-09 19:12:31 +01:00
|
|
|
options.security.grsecurity = {
|
|
|
|
|
2016-11-20 20:51:11 +00:00
|
|
|
enable = mkOption {
|
|
|
|
type = types.bool;
|
|
|
|
default = false;
|
|
|
|
description = ''
|
|
|
|
Enable grsecurity/PaX.
|
|
|
|
'';
|
|
|
|
};
|
2016-06-09 19:12:31 +01:00
|
|
|
|
|
|
|
lockTunables = mkOption {
|
|
|
|
type = types.bool;
|
|
|
|
default = true;
|
|
|
|
description = ''
|
|
|
|
Whether to automatically lock grsecurity tunables
|
|
|
|
(<option>boot.kernel.sysctl."kernel.grsecurity.*"</option>). Disable
|
2016-07-14 16:44:05 +01:00
|
|
|
this to allow runtime configuration of grsecurity features. Activate
|
|
|
|
the <literal>grsec-lock</literal> service unit to prevent further
|
|
|
|
configuration until the next reboot.
|
2016-06-09 19:12:31 +01:00
|
|
|
'';
|
|
|
|
};
|
nixos: add grsecurity module (#1875)
This module implements a significant refactoring in grsecurity
configuration for NixOS, making it far more usable by default and much
easier to configure.
- New security.grsecurity NixOS attributes.
- All grsec kernels supported
- Allows default 'auto' grsec configuration, or custom config
- Supports custom kernel options through kernelExtraConfig
- Defaults to high-security - user must choose kernel, server/desktop
mode, and any virtualisation software. That's all.
- kptr_restrict is fixed under grsecurity (it's unwriteable)
- grsecurity patch creation is now significantly abstracted
- only need revision, version, and SHA1
- kernel version requirements are asserted for sanity
- built kernels can have the uname specify the exact grsec version
for development or bug reports. Off by default (requires
`security.grsecurity.config.verboseVersion = true;`)
- grsecurity sysctl support
- By default, disabled.
- For people who enable it, NixOS deploys a 'grsec-lock' systemd
service which runs at startup. You are expected to configure sysctl
through NixOS like you regularly would, which will occur before the
service is started. As a result, changing sysctl settings requires
a reboot.
- New default group: 'grsecurity'
- Root is a member by default
- GRKERNSEC_PROC_GID is implicitly set to the 'grsecurity' GID,
making it possible to easily add users to this group for /proc
access
- AppArmor is now automatically enabled where it wasn't before, despite
implying features.apparmor = true
The most trivial example of enabling grsecurity in your kernel is by
specifying:
security.grsecurity.enable = true;
security.grsecurity.testing = true; # testing 3.13 kernel
security.grsecurity.config.system = "desktop"; # or "server"
This specifies absolutely no virtualisation support. In general, you
probably at least want KVM host support, which is a little more work.
So:
security.grsecurity.enable = true;
security.grsecurity.stable = true; # enable stable 3.2 kernel
security.grsecurity.config = {
system = "server";
priority = "security";
virtualisationConfig = "host";
virtualisationSoftware = "kvm";
hardwareVirtualisation = true;
}
This module has primarily been tested on Hetzner EX40 & VQ7 servers
using NixOps.
Signed-off-by: Austin Seipp <aseipp@pobox.com>
2014-04-06 20:18:12 +01:00
|
|
|
|
2016-08-01 14:36:03 +01:00
|
|
|
disableEfiRuntimeServices = mkOption {
|
|
|
|
type = types.bool;
|
|
|
|
default = true;
|
|
|
|
description = ''
|
|
|
|
Whether to disable access to EFI runtime services. Enabling EFI runtime
|
|
|
|
services creates a venue for code injection attacks on the kernel and
|
|
|
|
should be disabled if at all possible. Changing this option enters into
|
|
|
|
effect upon reboot.
|
|
|
|
'';
|
|
|
|
};
|
|
|
|
|
2016-06-09 19:12:31 +01:00
|
|
|
};
|
nixos: add grsecurity module (#1875)
This module implements a significant refactoring in grsecurity
configuration for NixOS, making it far more usable by default and much
easier to configure.
- New security.grsecurity NixOS attributes.
- All grsec kernels supported
- Allows default 'auto' grsec configuration, or custom config
- Supports custom kernel options through kernelExtraConfig
- Defaults to high-security - user must choose kernel, server/desktop
mode, and any virtualisation software. That's all.
- kptr_restrict is fixed under grsecurity (it's unwriteable)
- grsecurity patch creation is now significantly abstracted
- only need revision, version, and SHA1
- kernel version requirements are asserted for sanity
- built kernels can have the uname specify the exact grsec version
for development or bug reports. Off by default (requires
`security.grsecurity.config.verboseVersion = true;`)
- grsecurity sysctl support
- By default, disabled.
- For people who enable it, NixOS deploys a 'grsec-lock' systemd
service which runs at startup. You are expected to configure sysctl
through NixOS like you regularly would, which will occur before the
service is started. As a result, changing sysctl settings requires
a reboot.
- New default group: 'grsecurity'
- Root is a member by default
- GRKERNSEC_PROC_GID is implicitly set to the 'grsecurity' GID,
making it possible to easily add users to this group for /proc
access
- AppArmor is now automatically enabled where it wasn't before, despite
implying features.apparmor = true
The most trivial example of enabling grsecurity in your kernel is by
specifying:
security.grsecurity.enable = true;
security.grsecurity.testing = true; # testing 3.13 kernel
security.grsecurity.config.system = "desktop"; # or "server"
This specifies absolutely no virtualisation support. In general, you
probably at least want KVM host support, which is a little more work.
So:
security.grsecurity.enable = true;
security.grsecurity.stable = true; # enable stable 3.2 kernel
security.grsecurity.config = {
system = "server";
priority = "security";
virtualisationConfig = "host";
virtualisationSoftware = "kvm";
hardwareVirtualisation = true;
}
This module has primarily been tested on Hetzner EX40 & VQ7 servers
using NixOps.
Signed-off-by: Austin Seipp <aseipp@pobox.com>
2014-04-06 20:18:12 +01:00
|
|
|
|
2016-06-09 19:12:31 +01:00
|
|
|
config = mkIf cfg.enable {
|
2016-05-08 07:32:28 +01:00
|
|
|
|
2016-11-28 11:04:51 +00:00
|
|
|
boot.kernelPackages = mkForce pkgs.linuxPackages_grsec_nixos;
|
2016-05-08 07:32:28 +01:00
|
|
|
|
2016-12-05 18:04:49 +00:00
|
|
|
boot.kernelParams = [ "grsec_sysfs_restrict=0" ]
|
|
|
|
++ optional cfg.disableEfiRuntimeServices "noefi";
|
2016-08-01 14:36:03 +01:00
|
|
|
|
2016-09-04 18:22:00 +01:00
|
|
|
nixpkgs.config.grsecurity = true;
|
|
|
|
|
2016-07-17 20:14:24 +01:00
|
|
|
# Install PaX related utillities into the system profile.
|
|
|
|
environment.systemPackages = with pkgs; [ gradm paxctl pax-utils ];
|
2015-01-19 17:11:54 +00:00
|
|
|
|
2016-06-09 19:12:31 +01:00
|
|
|
# Install rules for the grsec device node
|
|
|
|
services.udev.packages = [ pkgs.gradm ];
|
nixos: add grsecurity module (#1875)
This module implements a significant refactoring in grsecurity
configuration for NixOS, making it far more usable by default and much
easier to configure.
- New security.grsecurity NixOS attributes.
- All grsec kernels supported
- Allows default 'auto' grsec configuration, or custom config
- Supports custom kernel options through kernelExtraConfig
- Defaults to high-security - user must choose kernel, server/desktop
mode, and any virtualisation software. That's all.
- kptr_restrict is fixed under grsecurity (it's unwriteable)
- grsecurity patch creation is now significantly abstracted
- only need revision, version, and SHA1
- kernel version requirements are asserted for sanity
- built kernels can have the uname specify the exact grsec version
for development or bug reports. Off by default (requires
`security.grsecurity.config.verboseVersion = true;`)
- grsecurity sysctl support
- By default, disabled.
- For people who enable it, NixOS deploys a 'grsec-lock' systemd
service which runs at startup. You are expected to configure sysctl
through NixOS like you regularly would, which will occur before the
service is started. As a result, changing sysctl settings requires
a reboot.
- New default group: 'grsecurity'
- Root is a member by default
- GRKERNSEC_PROC_GID is implicitly set to the 'grsecurity' GID,
making it possible to easily add users to this group for /proc
access
- AppArmor is now automatically enabled where it wasn't before, despite
implying features.apparmor = true
The most trivial example of enabling grsecurity in your kernel is by
specifying:
security.grsecurity.enable = true;
security.grsecurity.testing = true; # testing 3.13 kernel
security.grsecurity.config.system = "desktop"; # or "server"
This specifies absolutely no virtualisation support. In general, you
probably at least want KVM host support, which is a little more work.
So:
security.grsecurity.enable = true;
security.grsecurity.stable = true; # enable stable 3.2 kernel
security.grsecurity.config = {
system = "server";
priority = "security";
virtualisationConfig = "host";
virtualisationSoftware = "kvm";
hardwareVirtualisation = true;
}
This module has primarily been tested on Hetzner EX40 & VQ7 servers
using NixOps.
Signed-off-by: Austin Seipp <aseipp@pobox.com>
2014-04-06 20:18:12 +01:00
|
|
|
|
2016-07-14 16:43:43 +01:00
|
|
|
# This service unit is responsible for locking the grsecurity tunables. The
|
2016-06-09 19:12:31 +01:00
|
|
|
# unit is always defined, but only activated on bootup if lockTunables is
|
|
|
|
# toggled. When lockTunables is toggled, failure to activate the unit will
|
|
|
|
# enter emergency mode. The intent is to make it difficult to silently
|
|
|
|
# enter multi-user mode without having locked the tunables. Some effort is
|
|
|
|
# made to ensure that starting the unit is an idempotent operation.
|
|
|
|
systemd.services.grsec-lock = {
|
|
|
|
description = "Lock grsecurity tunables";
|
2014-04-12 17:16:03 +01:00
|
|
|
|
2016-06-09 19:12:31 +01:00
|
|
|
wantedBy = optional cfg.lockTunables "multi-user.target";
|
nixos: add grsecurity module (#1875)
This module implements a significant refactoring in grsecurity
configuration for NixOS, making it far more usable by default and much
easier to configure.
- New security.grsecurity NixOS attributes.
- All grsec kernels supported
- Allows default 'auto' grsec configuration, or custom config
- Supports custom kernel options through kernelExtraConfig
- Defaults to high-security - user must choose kernel, server/desktop
mode, and any virtualisation software. That's all.
- kptr_restrict is fixed under grsecurity (it's unwriteable)
- grsecurity patch creation is now significantly abstracted
- only need revision, version, and SHA1
- kernel version requirements are asserted for sanity
- built kernels can have the uname specify the exact grsec version
for development or bug reports. Off by default (requires
`security.grsecurity.config.verboseVersion = true;`)
- grsecurity sysctl support
- By default, disabled.
- For people who enable it, NixOS deploys a 'grsec-lock' systemd
service which runs at startup. You are expected to configure sysctl
through NixOS like you regularly would, which will occur before the
service is started. As a result, changing sysctl settings requires
a reboot.
- New default group: 'grsecurity'
- Root is a member by default
- GRKERNSEC_PROC_GID is implicitly set to the 'grsecurity' GID,
making it possible to easily add users to this group for /proc
access
- AppArmor is now automatically enabled where it wasn't before, despite
implying features.apparmor = true
The most trivial example of enabling grsecurity in your kernel is by
specifying:
security.grsecurity.enable = true;
security.grsecurity.testing = true; # testing 3.13 kernel
security.grsecurity.config.system = "desktop"; # or "server"
This specifies absolutely no virtualisation support. In general, you
probably at least want KVM host support, which is a little more work.
So:
security.grsecurity.enable = true;
security.grsecurity.stable = true; # enable stable 3.2 kernel
security.grsecurity.config = {
system = "server";
priority = "security";
virtualisationConfig = "host";
virtualisationSoftware = "kvm";
hardwareVirtualisation = true;
}
This module has primarily been tested on Hetzner EX40 & VQ7 servers
using NixOps.
Signed-off-by: Austin Seipp <aseipp@pobox.com>
2014-04-06 20:18:12 +01:00
|
|
|
|
2016-06-09 19:12:31 +01:00
|
|
|
wants = [ "local-fs.target" "systemd-sysctl.service" ];
|
|
|
|
after = [ "local-fs.target" "systemd-sysctl.service" ];
|
|
|
|
conflicts = [ "shutdown.target" ];
|
nixos: add grsecurity module (#1875)
This module implements a significant refactoring in grsecurity
configuration for NixOS, making it far more usable by default and much
easier to configure.
- New security.grsecurity NixOS attributes.
- All grsec kernels supported
- Allows default 'auto' grsec configuration, or custom config
- Supports custom kernel options through kernelExtraConfig
- Defaults to high-security - user must choose kernel, server/desktop
mode, and any virtualisation software. That's all.
- kptr_restrict is fixed under grsecurity (it's unwriteable)
- grsecurity patch creation is now significantly abstracted
- only need revision, version, and SHA1
- kernel version requirements are asserted for sanity
- built kernels can have the uname specify the exact grsec version
for development or bug reports. Off by default (requires
`security.grsecurity.config.verboseVersion = true;`)
- grsecurity sysctl support
- By default, disabled.
- For people who enable it, NixOS deploys a 'grsec-lock' systemd
service which runs at startup. You are expected to configure sysctl
through NixOS like you regularly would, which will occur before the
service is started. As a result, changing sysctl settings requires
a reboot.
- New default group: 'grsecurity'
- Root is a member by default
- GRKERNSEC_PROC_GID is implicitly set to the 'grsecurity' GID,
making it possible to easily add users to this group for /proc
access
- AppArmor is now automatically enabled where it wasn't before, despite
implying features.apparmor = true
The most trivial example of enabling grsecurity in your kernel is by
specifying:
security.grsecurity.enable = true;
security.grsecurity.testing = true; # testing 3.13 kernel
security.grsecurity.config.system = "desktop"; # or "server"
This specifies absolutely no virtualisation support. In general, you
probably at least want KVM host support, which is a little more work.
So:
security.grsecurity.enable = true;
security.grsecurity.stable = true; # enable stable 3.2 kernel
security.grsecurity.config = {
system = "server";
priority = "security";
virtualisationConfig = "host";
virtualisationSoftware = "kvm";
hardwareVirtualisation = true;
}
This module has primarily been tested on Hetzner EX40 & VQ7 servers
using NixOps.
Signed-off-by: Austin Seipp <aseipp@pobox.com>
2014-04-06 20:18:12 +01:00
|
|
|
|
2016-06-09 19:12:31 +01:00
|
|
|
restartIfChanged = false;
|
2016-05-04 01:20:49 +01:00
|
|
|
|
2016-06-09 19:12:31 +01:00
|
|
|
script = ''
|
|
|
|
if ${pkgs.gnugrep}/bin/grep -Fq 0 ${grsecLockPath} ; then
|
|
|
|
echo -n 1 > ${grsecLockPath}
|
|
|
|
fi
|
|
|
|
'';
|
2016-05-04 01:20:49 +01:00
|
|
|
|
2016-06-09 19:12:31 +01:00
|
|
|
unitConfig = {
|
|
|
|
ConditionPathIsReadWrite = grsecLockPath;
|
|
|
|
DefaultDependencies = false;
|
|
|
|
} // optionalAttrs cfg.lockTunables {
|
|
|
|
OnFailure = "emergency.target";
|
|
|
|
};
|
nixos: add grsecurity module (#1875)
This module implements a significant refactoring in grsecurity
configuration for NixOS, making it far more usable by default and much
easier to configure.
- New security.grsecurity NixOS attributes.
- All grsec kernels supported
- Allows default 'auto' grsec configuration, or custom config
- Supports custom kernel options through kernelExtraConfig
- Defaults to high-security - user must choose kernel, server/desktop
mode, and any virtualisation software. That's all.
- kptr_restrict is fixed under grsecurity (it's unwriteable)
- grsecurity patch creation is now significantly abstracted
- only need revision, version, and SHA1
- kernel version requirements are asserted for sanity
- built kernels can have the uname specify the exact grsec version
for development or bug reports. Off by default (requires
`security.grsecurity.config.verboseVersion = true;`)
- grsecurity sysctl support
- By default, disabled.
- For people who enable it, NixOS deploys a 'grsec-lock' systemd
service which runs at startup. You are expected to configure sysctl
through NixOS like you regularly would, which will occur before the
service is started. As a result, changing sysctl settings requires
a reboot.
- New default group: 'grsecurity'
- Root is a member by default
- GRKERNSEC_PROC_GID is implicitly set to the 'grsecurity' GID,
making it possible to easily add users to this group for /proc
access
- AppArmor is now automatically enabled where it wasn't before, despite
implying features.apparmor = true
The most trivial example of enabling grsecurity in your kernel is by
specifying:
security.grsecurity.enable = true;
security.grsecurity.testing = true; # testing 3.13 kernel
security.grsecurity.config.system = "desktop"; # or "server"
This specifies absolutely no virtualisation support. In general, you
probably at least want KVM host support, which is a little more work.
So:
security.grsecurity.enable = true;
security.grsecurity.stable = true; # enable stable 3.2 kernel
security.grsecurity.config = {
system = "server";
priority = "security";
virtualisationConfig = "host";
virtualisationSoftware = "kvm";
hardwareVirtualisation = true;
}
This module has primarily been tested on Hetzner EX40 & VQ7 servers
using NixOps.
Signed-off-by: Austin Seipp <aseipp@pobox.com>
2014-04-06 20:18:12 +01:00
|
|
|
|
2016-06-09 19:12:31 +01:00
|
|
|
serviceConfig = {
|
|
|
|
Type = "oneshot";
|
|
|
|
RemainAfterExit = true;
|
nixos: add grsecurity module (#1875)
This module implements a significant refactoring in grsecurity
configuration for NixOS, making it far more usable by default and much
easier to configure.
- New security.grsecurity NixOS attributes.
- All grsec kernels supported
- Allows default 'auto' grsec configuration, or custom config
- Supports custom kernel options through kernelExtraConfig
- Defaults to high-security - user must choose kernel, server/desktop
mode, and any virtualisation software. That's all.
- kptr_restrict is fixed under grsecurity (it's unwriteable)
- grsecurity patch creation is now significantly abstracted
- only need revision, version, and SHA1
- kernel version requirements are asserted for sanity
- built kernels can have the uname specify the exact grsec version
for development or bug reports. Off by default (requires
`security.grsecurity.config.verboseVersion = true;`)
- grsecurity sysctl support
- By default, disabled.
- For people who enable it, NixOS deploys a 'grsec-lock' systemd
service which runs at startup. You are expected to configure sysctl
through NixOS like you regularly would, which will occur before the
service is started. As a result, changing sysctl settings requires
a reboot.
- New default group: 'grsecurity'
- Root is a member by default
- GRKERNSEC_PROC_GID is implicitly set to the 'grsecurity' GID,
making it possible to easily add users to this group for /proc
access
- AppArmor is now automatically enabled where it wasn't before, despite
implying features.apparmor = true
The most trivial example of enabling grsecurity in your kernel is by
specifying:
security.grsecurity.enable = true;
security.grsecurity.testing = true; # testing 3.13 kernel
security.grsecurity.config.system = "desktop"; # or "server"
This specifies absolutely no virtualisation support. In general, you
probably at least want KVM host support, which is a little more work.
So:
security.grsecurity.enable = true;
security.grsecurity.stable = true; # enable stable 3.2 kernel
security.grsecurity.config = {
system = "server";
priority = "security";
virtualisationConfig = "host";
virtualisationSoftware = "kvm";
hardwareVirtualisation = true;
}
This module has primarily been tested on Hetzner EX40 & VQ7 servers
using NixOps.
Signed-off-by: Austin Seipp <aseipp@pobox.com>
2014-04-06 20:18:12 +01:00
|
|
|
};
|
|
|
|
};
|
|
|
|
|
2016-06-09 19:12:31 +01:00
|
|
|
# Configure system tunables
|
|
|
|
boot.kernel.sysctl = {
|
2016-08-01 14:56:09 +01:00
|
|
|
# Read-only under grsecurity
|
2016-06-09 19:12:31 +01:00
|
|
|
"kernel.kptr_restrict" = mkForce null;
|
2016-12-05 18:02:10 +00:00
|
|
|
|
|
|
|
# All grsec tunables default to off, those not enabled below are
|
|
|
|
# *disabled*. We use mkDefault to allow expert users to override
|
|
|
|
# our choices, but use mkForce where tunables would outright
|
|
|
|
# conflict with other settings.
|
|
|
|
|
|
|
|
# Enable all chroot restrictions by default (overwritten as
|
|
|
|
# necessary below)
|
|
|
|
"kernel.grsecurity.chroot_caps" = mkDefault 1;
|
|
|
|
"kernel.grsecurity.chroot_deny_bad_rename" = mkDefault 1;
|
|
|
|
"kernel.grsecurity.chroot_deny_chmod" = mkDefault 1;
|
|
|
|
"kernel.grsecurity.chroot_deny_chroot" = mkDefault 1;
|
|
|
|
"kernel.grsecurity.chroot_deny_fchdir" = mkDefault 1;
|
|
|
|
"kernel.grsecurity.chroot_deny_mknod" = mkDefault 1;
|
|
|
|
"kernel.grsecurity.chroot_deny_mount" = mkDefault 1;
|
|
|
|
"kernel.grsecurity.chroot_deny_pivot" = mkDefault 1;
|
|
|
|
"kernel.grsecurity.chroot_deny_shmat" = mkDefault 1;
|
|
|
|
"kernel.grsecurity.chroot_deny_sysctl" = mkDefault 1;
|
|
|
|
"kernel.grsecurity.chroot_deny_unix" = mkDefault 1;
|
|
|
|
"kernel.grsecurity.chroot_enforce_chdir" = mkDefault 1;
|
|
|
|
"kernel.grsecurity.chroot_findtask" = mkDefault 1;
|
|
|
|
"kernel.grsecurity.chroot_restrict_nice" = mkDefault 1;
|
|
|
|
|
|
|
|
# Enable various grsec protections
|
|
|
|
"kernel.grsecurity.consistent_setxid" = mkDefault 1;
|
|
|
|
"kernel.grsecurity.deter_bruteforce" = mkDefault 1;
|
|
|
|
"kernel.grsecurity.fifo_restrictions" = mkDefault 1;
|
|
|
|
"kernel.grsecurity.harden_ipc" = mkDefault 1;
|
|
|
|
"kernel.grsecurity.harden_ptrace" = mkDefault 1;
|
|
|
|
"kernel.grsecurity.harden_tty" = mkDefault 1;
|
|
|
|
"kernel.grsecurity.ip_blackhole" = mkDefault 1;
|
|
|
|
"kernel.grsecurity.linking_restrictions" = mkDefault 1;
|
|
|
|
"kernel.grsecurity.ptrace_readexec" = mkDefault 1;
|
|
|
|
|
|
|
|
# Enable auditing
|
|
|
|
"kernel.grsecurity.audit_ptrace" = mkDefault 1;
|
|
|
|
"kernel.grsecurity.forkfail_logging" = mkDefault 1;
|
|
|
|
"kernel.grsecurity.rwxmap_logging" = mkDefault 1;
|
|
|
|
"kernel.grsecurity.signal_logging" = mkDefault 1;
|
|
|
|
"kernel.grsecurity.timechange_logging" = mkDefault 1;
|
2016-06-09 19:12:31 +01:00
|
|
|
} // optionalAttrs config.nix.useSandbox {
|
|
|
|
# chroot(2) restrictions that conflict with sandboxed Nix builds
|
|
|
|
"kernel.grsecurity.chroot_caps" = mkForce 0;
|
2016-12-05 18:02:10 +00:00
|
|
|
"kernel.grsecurity.chroot_deny_chmod" = mkForce 0;
|
2016-06-09 19:12:31 +01:00
|
|
|
"kernel.grsecurity.chroot_deny_chroot" = mkForce 0;
|
|
|
|
"kernel.grsecurity.chroot_deny_mount" = mkForce 0;
|
|
|
|
"kernel.grsecurity.chroot_deny_pivot" = mkForce 0;
|
2016-07-14 15:00:17 +01:00
|
|
|
} // optionalAttrs containerSupportRequired {
|
2016-06-09 19:12:31 +01:00
|
|
|
# chroot(2) restrictions that conflict with NixOS lightweight containers
|
2016-12-05 18:02:10 +00:00
|
|
|
"kernel.grsecurity.chroot_caps" = mkForce 0;
|
2016-06-09 19:12:31 +01:00
|
|
|
"kernel.grsecurity.chroot_deny_chmod" = mkForce 0;
|
|
|
|
"kernel.grsecurity.chroot_deny_mount" = mkForce 0;
|
|
|
|
"kernel.grsecurity.chroot_restrict_nice" = mkForce 0;
|
2016-12-05 18:02:10 +00:00
|
|
|
# Disable privileged IO by default, unless X is enabled
|
|
|
|
} // optionalAttrs (!config.services.xserver.enable) {
|
|
|
|
"kernel.grsecurity.disable_priv_io" = mkDefault 1;
|
nixos: add grsecurity module (#1875)
This module implements a significant refactoring in grsecurity
configuration for NixOS, making it far more usable by default and much
easier to configure.
- New security.grsecurity NixOS attributes.
- All grsec kernels supported
- Allows default 'auto' grsec configuration, or custom config
- Supports custom kernel options through kernelExtraConfig
- Defaults to high-security - user must choose kernel, server/desktop
mode, and any virtualisation software. That's all.
- kptr_restrict is fixed under grsecurity (it's unwriteable)
- grsecurity patch creation is now significantly abstracted
- only need revision, version, and SHA1
- kernel version requirements are asserted for sanity
- built kernels can have the uname specify the exact grsec version
for development or bug reports. Off by default (requires
`security.grsecurity.config.verboseVersion = true;`)
- grsecurity sysctl support
- By default, disabled.
- For people who enable it, NixOS deploys a 'grsec-lock' systemd
service which runs at startup. You are expected to configure sysctl
through NixOS like you regularly would, which will occur before the
service is started. As a result, changing sysctl settings requires
a reboot.
- New default group: 'grsecurity'
- Root is a member by default
- GRKERNSEC_PROC_GID is implicitly set to the 'grsecurity' GID,
making it possible to easily add users to this group for /proc
access
- AppArmor is now automatically enabled where it wasn't before, despite
implying features.apparmor = true
The most trivial example of enabling grsecurity in your kernel is by
specifying:
security.grsecurity.enable = true;
security.grsecurity.testing = true; # testing 3.13 kernel
security.grsecurity.config.system = "desktop"; # or "server"
This specifies absolutely no virtualisation support. In general, you
probably at least want KVM host support, which is a little more work.
So:
security.grsecurity.enable = true;
security.grsecurity.stable = true; # enable stable 3.2 kernel
security.grsecurity.config = {
system = "server";
priority = "security";
virtualisationConfig = "host";
virtualisationSoftware = "kvm";
hardwareVirtualisation = true;
}
This module has primarily been tested on Hetzner EX40 & VQ7 servers
using NixOps.
Signed-off-by: Austin Seipp <aseipp@pobox.com>
2014-04-06 20:18:12 +01:00
|
|
|
};
|
|
|
|
|
|
|
|
};
|
|
|
|
}
|