forked from mirrors/nixpkgs
grsecurity: enable optional sysfs restrictions
Fairly severe, but can be disabled at bootup via grsec_sysfs_restrict=0. For the NixOS module we ensure that it is disabled, for systemd compatibility.
This commit is contained in:
parent
8c1f5afdf3
commit
071fbcda24
|
@ -59,7 +59,8 @@ in
|
|||
|
||||
boot.kernelPackages = mkForce pkgs.linuxPackages_grsec_nixos;
|
||||
|
||||
boot.kernelParams = optional cfg.disableEfiRuntimeServices "noefi";
|
||||
boot.kernelParams = [ "grsec_sysfs_restrict=0" ]
|
||||
++ optional cfg.disableEfiRuntimeServices "noefi";
|
||||
|
||||
nixpkgs.config.grsecurity = true;
|
||||
|
||||
|
|
|
@ -151,9 +151,6 @@
|
|||
a TCP simultaneous OPEN on that port before the connection is actually
|
||||
established.</para></listitem>
|
||||
|
||||
<listitem><para><filename class="directory">/sys</filename> hardening:
|
||||
breaks systemd.</para></listitem>
|
||||
|
||||
<listitem><para>Trusted path execution: a desirable feature, but
|
||||
requires some more work to operate smoothly on NixOS.</para></listitem>
|
||||
|
||||
|
@ -357,6 +354,12 @@
|
|||
<literal>pax_size_overflow_report_only</literal>: log size overflow
|
||||
violations but leave the violating task running
|
||||
</para></listitem>
|
||||
|
||||
<listitem><para>
|
||||
<literal>grsec_sysfs_restrict=[0|1]</literal>: toggle sysfs
|
||||
restrictions. The NixOS module sets this to <literal>0</literal>
|
||||
for systemd compatibility
|
||||
</para></listitem>
|
||||
</itemizedlist>
|
||||
</para>
|
||||
|
||||
|
|
|
@ -29,6 +29,7 @@ PAX_KERNEXEC_PLUGIN_METHOD_BTS y
|
|||
|
||||
# Additional grsec hardening not implied by auto constraints
|
||||
GRKERNSEC_IO y
|
||||
GRKERNSEC_SYSFS_RESTRICT y
|
||||
|
||||
# Disable protections rendered useless by redistribution
|
||||
GRKERNSEC_HIDESYM n
|
||||
|
|
Loading…
Reference in a new issue