3
0
Fork 0
forked from mirrors/nixpkgs

grsecurity: enable optional sysfs restrictions

Fairly severe, but can be disabled at bootup via
grsec_sysfs_restrict=0. For the NixOS module we ensure that it is
disabled, for systemd compatibility.
This commit is contained in:
Joachim Fasting 2016-12-05 19:04:49 +01:00
parent 8c1f5afdf3
commit 071fbcda24
No known key found for this signature in database
GPG key ID: 7544761007FE4E08
3 changed files with 9 additions and 4 deletions

View file

@ -59,7 +59,8 @@ in
boot.kernelPackages = mkForce pkgs.linuxPackages_grsec_nixos;
boot.kernelParams = optional cfg.disableEfiRuntimeServices "noefi";
boot.kernelParams = [ "grsec_sysfs_restrict=0" ]
++ optional cfg.disableEfiRuntimeServices "noefi";
nixpkgs.config.grsecurity = true;

View file

@ -151,9 +151,6 @@
a TCP simultaneous OPEN on that port before the connection is actually
established.</para></listitem>
<listitem><para><filename class="directory">/sys</filename> hardening:
breaks systemd.</para></listitem>
<listitem><para>Trusted path execution: a desirable feature, but
requires some more work to operate smoothly on NixOS.</para></listitem>
@ -357,6 +354,12 @@
<literal>pax_size_overflow_report_only</literal>: log size overflow
violations but leave the violating task running
</para></listitem>
<listitem><para>
<literal>grsec_sysfs_restrict=[0|1]</literal>: toggle sysfs
restrictions. The NixOS module sets this to <literal>0</literal>
for systemd compatibility
</para></listitem>
</itemizedlist>
</para>

View file

@ -29,6 +29,7 @@ PAX_KERNEXEC_PLUGIN_METHOD_BTS y
# Additional grsec hardening not implied by auto constraints
GRKERNSEC_IO y
GRKERNSEC_SYSFS_RESTRICT y
# Disable protections rendered useless by redistribution
GRKERNSEC_HIDESYM n