From ba93a75724b9671208d7e48789bc9d71a9da648b Mon Sep 17 00:00:00 2001
From: Joachim Fasting
Date: Fri, 3 Apr 2015 12:46:21 +0200
Subject: [PATCH] grsecurity module: use types.enum
Also
- set desktop as default system
- make virtualisationSoftware nullOr
- make virtualisationConfig nullOr
---
 nixos/modules/security/grsecurity.nix | 65 ++++++-----------------
 pkgs/build-support/grsecurity/default.nix | 6 +--
 2 files changed, 20 insertions(+), 51 deletions(-)
diff --git a/nixos/modules/security/grsecurity.nix b/nixos/modules/security/grsecurity.nix
index 8cd400933487..35974f6890e6 100644
--- a/nixos/modules/security/grsecurity.nix
+++ b/nixos/modules/security/grsecurity.nix
@@ -44,53 +44,41 @@ in
 config = {
 mode = mkOption {
- type = types.str;
+ type = types.enum [ "auto" "custom" ];
 default = "auto";
- example = "custom";
 description = ''
 grsecurity configuration mode. This specifies whether grsecurity is auto-configured or otherwise completely
- manually configured. Can either be
- custom or auto.
-
- auto is recommended.
+ manually configured.
 '';
 };
 priority = mkOption {
- type = types.str;
+ type = types.enum [ "security" "performance" ];
 default = "security";
- example = "performance";
 description = ''
 grsecurity configuration priority. This specifies whether the kernel configuration should emphasize speed or
- security. Can either be security or
- performance.
+ security.
 '';
 };
 system = mkOption {
- type = types.str;
- default = "";
- example = "desktop";
+ type = types.enum [ "desktop" "server" ];
+ default = "desktop";
 description = ''
- grsecurity system configuration. This specifies whether
- the kernel configuration should be suitable for a Desktop
- or a Server. Can either be server or
- desktop.
+ grsecurity system configuration.
 '';
 };
 virtualisationConfig = mkOption {
- type = types.str;
- default = "none";
- example = "host";
+ type = types.nullOr (types.enum [ "host" "guest" ]);
+ default = null;
 description = ''
 grsecurity virtualisation configuration. This specifies the virtualisation role of the machine - that is, whether it will be a virtual machine guest, a virtual machine
- host, or neither. Can be one of none,
- host, or guest.
+ host, or neither.
 '';
 };
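Review bot: `system` now defaults to "desktop" and its description is cut down to "grsecurity system configuration.", so the option no longer says what the desktop/server choice controls, whereas the removed "" default together with the old assertion forced an explicit choice in auto mode; a server that leaves the default untouched now gets the desktop profile with no hint of that in the option documentation. Keep the substance of the removed text, e.g. `Whether the auto-generated grsecurity kernel configuration should be tuned for a desktop or a server (GRKERNSEC_CONFIG_DESKTOP vs GRKERNSEC_CONFIG_SERVER); defaults to desktop, so set it explicitly on servers.` The `mode` description likewise lost "auto is recommended", which is worth keeping, and `virtualisationConfig` should state that null means the machine is neither a host nor a guest, as the removed "none" value did. The `config` option set continues outside the hunk.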
@@ -106,17 +94,10 @@ in
 };
 virtualisationSoftware = mkOption {
- type = types.str;
- default = "";
- example = "kvm";
+ type = types.nullOr (types.enum [ "kvm" "xen" "vmware" "virtualbox" ]);
+ default = null;
 description = ''
- grsecurity virtualisation software. Set this to the
- specified virtual machine technology if the machine is
- running as a guest, or a host.
-
- Can be one of kvm,
- xen, vmware or
- virtualbox.
+ Configure grsecurity for use with this virtualisation software.
 '';
 };
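Review bot: The new description "Configure grsecurity for use with this virtualisation software." drops the condition the old text carried, that the value only matters when the machine is configured as a guest or a host, and the build-support side (grsecVirtswCfg in the next file) returns "" whenever virtualisationConfig is null, so a value set here without virtualisationConfig is silently ignored. Say so in the description, e.g. `Virtualisation software the auto-generated kernel configuration should be tuned for. Only used when virtualisationConfig is "host" or "guest"; ignored when it is null.` The enclosing option set continues outside the hunk.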
@@ -262,25 +243,13 @@ in
 && config.boot.kernelPackages.kernel.features.grsecurity;
 message = "grsecurity enabled, but kernel doesn't have grsec support";
 }
- { assertion = elem cfg.config.mode [ "auto" "custom" ];
- message = "grsecurity mode must either be 'auto' or 'custom'.";
- }
- { assertion = cfg.config.mode == "auto" -> elem cfg.config.system [ "desktop" "server" ];
- message = "when using auto grsec mode, system must be either 'desktop' or 'server'";
- }
- { assertion = cfg.config.mode == "auto" -> elem cfg.config.priority [ "performance" "security" ];
- message = "when using auto grsec mode, priority must be 'performance' or 'security'.";
- }
- { assertion = cfg.config.mode == "auto" -> elem cfg.config.virtualisationConfig [ "host" "guest" "none" ];
- message = "when using auto grsec mode, 'virt' must be 'host', 'guest' or 'none'.";
- }
- { assertion = (cfg.config.mode == "auto" && (elem cfg.config.virtualisationConfig [ "host" "guest" ])) ->
+ { assertion = (cfg.config.mode == "auto" && (cfg.config.virtualisationConfig != null)) ->
 cfg.config.hardwareVirtualisation != null;
 message = "when using auto grsec mode with virtualisation, you must specify if your hardware has virtualisation extensions";
 }
- { assertion = (cfg.config.mode == "auto" && (elem cfg.config.virtualisationConfig [ "host" "guest" ])) ->
- elem cfg.config.virtualisationSoftware [ "kvm" "xen" "virtualbox" "vmware" ];
- message = "virtualisation software must be 'kvm', 'xen', 'vmware' or 'virtualbox'";
+ { assertion = (cfg.config.mode == "auto" && (cfg.config.virtualisationConfig != null)) ->
+ cfg.config.virtualisationSoftware != null;
+ message = "grsecurity configured for virtualisation but no virtualisation software specified";
 }
 ];
diff --git a/pkgs/build-support/grsecurity/default.nix b/pkgs/build-support/grsecurity/default.nix
index 7bafd78d76a3..e82792be033a 100644
--- a/pkgs/build-support/grsecurity/default.nix
+++ b/pkgs/build-support/grsecurity/default.nix
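Review bot: The new virtualisationSoftware assertion is one-directional: it rejects virtualisationConfig without a software value, but virtualisationSoftware set while virtualisationConfig stays null is still accepted and then ignored by grsecVirtswCfg in the build-support file, which is exactly the kind of configuration mistake these assertions exist to catch. Add the reverse check alongside it: `{ assertion = (cfg.config.mode == "auto" && cfg.config.virtualisationSoftware != null) -> cfg.config.virtualisationConfig != null;` / `message = "virtualisationSoftware is set but virtualisationConfig is null, so it has no effect";` / `}`. The `assertions` list this hunk edits begins outside the hunk.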
@@ -50,14 +50,14 @@ let
 "GRKERNSEC_CONFIG_SERVER y";
 grsecVirtCfg =
- if cfg.config.virtualisationConfig == "none" then
+ if cfg.config.virtualisationConfig == null then
 "GRKERNSEC_CONFIG_VIRT_NONE y"
 else if cfg.config.virtualisationConfig == "host" then
 "GRKERNSEC_CONFIG_VIRT_HOST y"
 else "GRKERNSEC_CONFIG_VIRT_GUEST y";
- grsecHwvirtCfg = if cfg.config.virtualisationConfig == "none" then "" else
+ grsecHwvirtCfg = if cfg.config.virtualisationConfig == null then "" else
 if cfg.config.hardwareVirtualisation == true then
 "GRKERNSEC_CONFIG_VIRT_EPT y"
 else
@@ -66,7 +66,7 @@ let
 grsecVirtswCfg = let virtCfg = opt: "GRKERNSEC_CONFIG_VIRT_"+opt+" y"; in
- if cfg.config.virtualisationConfig == "none" then ""
+ if cfg.config.virtualisationConfig == null then ""
 else if cfg.config.virtualisationSoftware == "xen" then virtCfg "XEN"
 else if cfg.config.virtualisationSoftware == "kvm" then virtCfg "KVM"
 else if cfg.config.virtualisationSoftware == "vmware" then virtCfg "VMWARE"
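Review bot: `cfg.config.virtualisationConfig == null` is now tested in three separate bindings (grsecVirtCfg, grsecHwvirtCfg and grsecVirtswCfg), so the meaning of "no virtualisation" lives in three places; one binding in the same `let`, e.g. `noVirt = cfg.config.virtualisationConfig == null;`, used by all three would keep them from drifting apart the next time the option's representation changes. Note also that grsecVirtswCfg has no branch for virtualisationSoftware being null while virtualisationConfig is set; it relies on the module assertion in grsecurity.nix, which only applies when mode is "auto", so a short comment on the `in` line such as `# virtualisationSoftware is guaranteed non-null here by the module assertion (auto mode only)` would make that dependency visible. The final `else` of that chain lies outside the hunk.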