grsecurity module: use types.enum
Also: set desktop as the default system; make virtualisationSoftware nullOr; make virtualisationConfig nullOr.
parent
8028357084
commit
ba93a75724
@ -44,53 +44,41 @@ in
|
||||||
|
|
||||||
config = {
|
config = {
|
||||||
mode = mkOption {
|
mode = mkOption {
|
||||||
type = types.str;
|
type = types.enum [ "auto" "custom" ];
|
||||||
default = "auto";
|
default = "auto";
|
||||||
example = "custom";
|
|
||||||
description = ''
|
description = ''
|
||||||
grsecurity configuration mode. This specifies whether
|
grsecurity configuration mode. This specifies whether
|
||||||
grsecurity is auto-configured or otherwise completely
|
grsecurity is auto-configured or otherwise completely
|
||||||
manually configured. Can either be
|
manually configured.
|
||||||
<literal>custom</literal> or <literal>auto</literal>.
|
|
||||||
|
|
||||||
<literal>auto</literal> is recommended.
|
|
||||||
'';
|
'';
|
||||||
};
|
};
|
||||||
|
|
||||||
priority = mkOption {
|
priority = mkOption {
|
||||||
type = types.str;
|
type = types.enum [ "security" "performance" ];
|
||||||
default = "security";
|
default = "security";
|
||||||
example = "performance";
|
|
||||||
description = ''
|
description = ''
|
||||||
grsecurity configuration priority. This specifies whether
|
grsecurity configuration priority. This specifies whether
|
||||||
the kernel configuration should emphasize speed or
|
the kernel configuration should emphasize speed or
|
||||||
security. Can either be <literal>security</literal> or
|
security.
|
||||||
<literal>performance</literal>.
|
|
||||||
'';
|
'';
|
||||||
};
|
};
|
||||||
|
|
||||||
system = mkOption {
|
system = mkOption {
|
||||||
type = types.str;
|
type = types.enum [ "desktop" "server" ];
|
||||||
default = "";
|
default = "desktop";
|
||||||
example = "desktop";
|
|
||||||
description = ''
|
description = ''
|
||||||
grsecurity system configuration. This specifies whether
|
grsecurity system configuration.
|
||||||
the kernel configuration should be suitable for a Desktop
|
|
||||||
or a Server. Can either be <literal>server</literal> or
|
|
||||||
<literal>desktop</literal>.
|
|
||||||
'';
|
'';
|
||||||
};
|
};
|
||||||
|
|
||||||
virtualisationConfig = mkOption {
|
virtualisationConfig = mkOption {
|
||||||
type = types.str;
|
type = types.nullOr (types.enum [ "host" "guest" ]);
|
||||||
default = "none";
|
default = null;
|
||||||
example = "host";
|
|
||||||
description = ''
|
description = ''
|
||||||
grsecurity virtualisation configuration. This specifies
|
grsecurity virtualisation configuration. This specifies
|
||||||
the virtualisation role of the machine - that is, whether
|
the virtualisation role of the machine - that is, whether
|
||||||
it will be a virtual machine guest, a virtual machine
|
it will be a virtual machine guest, a virtual machine
|
||||||
host, or neither. Can be one of <literal>none</literal>,
|
host, or neither.
|
||||||
<literal>host</literal>, or <literal>guest</literal>.
|
|
||||||
'';
|
'';
|
||||||
};
|
};
|
||||||
|
|
||||||
|
@ -106,17 +94,10 @@ in
|
||||||
};
|
};
|
||||||
|
|
||||||
virtualisationSoftware = mkOption {
|
virtualisationSoftware = mkOption {
|
||||||
type = types.str;
|
type = types.nullOr (types.enum [ "kvm" "xen" "vmware" "virtualbox" ]);
|
||||||
default = "";
|
default = null;
|
||||||
example = "kvm";
|
|
||||||
description = ''
|
description = ''
|
||||||
grsecurity virtualisation software. Set this to the
|
Configure grsecurity for use with this virtualisation software.
|
||||||
specified virtual machine technology if the machine is
|
|
||||||
running as a guest, or a host.
|
|
||||||
|
|
||||||
Can be one of <literal>kvm</literal>,
|
|
||||||
<literal>xen</literal>, <literal>vmware</literal> or
|
|
||||||
<literal>virtualbox</literal>.
|
|
||||||
'';
|
'';
|
||||||
};
|
};
|
||||||
|
|
||||||
|
@ -262,25 +243,13 @@ in
|
||||||
&& config.boot.kernelPackages.kernel.features.grsecurity;
|
&& config.boot.kernelPackages.kernel.features.grsecurity;
|
||||||
message = "grsecurity enabled, but kernel doesn't have grsec support";
|
message = "grsecurity enabled, but kernel doesn't have grsec support";
|
||||||
}
|
}
|
||||||
{ assertion = elem cfg.config.mode [ "auto" "custom" ];
|
{ assertion = (cfg.config.mode == "auto" && (cfg.config.virtualisationConfig != null)) ->
|
||||||
message = "grsecurity mode must either be 'auto' or 'custom'.";
|
|
||||||
}
|
|
||||||
{ assertion = cfg.config.mode == "auto" -> elem cfg.config.system [ "desktop" "server" ];
|
|
||||||
message = "when using auto grsec mode, system must be either 'desktop' or 'server'";
|
|
||||||
}
|
|
||||||
{ assertion = cfg.config.mode == "auto" -> elem cfg.config.priority [ "performance" "security" ];
|
|
||||||
message = "when using auto grsec mode, priority must be 'performance' or 'security'.";
|
|
||||||
}
|
|
||||||
{ assertion = cfg.config.mode == "auto" -> elem cfg.config.virtualisationConfig [ "host" "guest" "none" ];
|
|
||||||
message = "when using auto grsec mode, 'virt' must be 'host', 'guest' or 'none'.";
|
|
||||||
}
|
|
||||||
{ assertion = (cfg.config.mode == "auto" && (elem cfg.config.virtualisationConfig [ "host" "guest" ])) ->
|
|
||||||
cfg.config.hardwareVirtualisation != null;
|
cfg.config.hardwareVirtualisation != null;
|
||||||
message = "when using auto grsec mode with virtualisation, you must specify if your hardware has virtualisation extensions";
|
message = "when using auto grsec mode with virtualisation, you must specify if your hardware has virtualisation extensions";
|
||||||
}
|
}
|
||||||
{ assertion = (cfg.config.mode == "auto" && (elem cfg.config.virtualisationConfig [ "host" "guest" ])) ->
|
{ assertion = (cfg.config.mode == "auto" && (cfg.config.virtualisationConfig != null)) ->
|
||||||
elem cfg.config.virtualisationSoftware [ "kvm" "xen" "virtualbox" "vmware" ];
|
cfg.config.virtualisationSoftware != null;
|
||||||
message = "virtualisation software must be 'kvm', 'xen', 'vmware' or 'virtualbox'";
|
message = "grsecurity configured for virtualisation but no virtualisation software specified";
|
||||||
}
|
}
|
||||||
];
|
];
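Review bot: Changing `system` to `default = "desktop";` while deleting the auto-mode assertion on it means a configuration that never sets the `system` option now gets the desktop kernel profile instead of an evaluation error; before this commit the empty default failed `cfg.config.mode == "auto" -> elem cfg.config.system [ "desktop" "server" ]`. The two values drive different grsecurity kernel options (the generator elsewhere in this commit emits `GRKERNSEC_CONFIG_SERVER y` for the server case), so a server built from a copied desktop configuration silently gets the wrong hardening profile, and the shortened description `grsecurity system configuration.` no longer says what either value means or that desktop is the default. If an explicit choice is still intended, use `type = types.nullOr (types.enum [ "desktop" "server" ]);` with `default = null;` and keep an assertion `cfg.config.mode == "auto" -> cfg.config.system != null;`, mirroring the virtualisation options in this same hunk. Otherwise the description should at least read `Whether the auto-generated kernel configuration targets a desktop (the default) or a server.`, and the dropped sentence `auto is recommended.` from the `mode` description is worth restoring as well.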
|
||||||
|
|
||||||
|
|
|
@ -50,14 +50,14 @@ let
|
||||||
"GRKERNSEC_CONFIG_SERVER y";
|
"GRKERNSEC_CONFIG_SERVER y";
|
||||||
|
|
||||||
grsecVirtCfg =
|
grsecVirtCfg =
|
||||||
if cfg.config.virtualisationConfig == "none" then
|
if cfg.config.virtualisationConfig == null then
|
||||||
"GRKERNSEC_CONFIG_VIRT_NONE y"
|
"GRKERNSEC_CONFIG_VIRT_NONE y"
|
||||||
else if cfg.config.virtualisationConfig == "host" then
|
else if cfg.config.virtualisationConfig == "host" then
|
||||||
"GRKERNSEC_CONFIG_VIRT_HOST y"
|
"GRKERNSEC_CONFIG_VIRT_HOST y"
|
||||||
else
|
else
|
||||||
"GRKERNSEC_CONFIG_VIRT_GUEST y";
|
"GRKERNSEC_CONFIG_VIRT_GUEST y";
|
||||||
|
|
||||||
grsecHwvirtCfg = if cfg.config.virtualisationConfig == "none" then "" else
|
grsecHwvirtCfg = if cfg.config.virtualisationConfig == null then "" else
|
||||||
if cfg.config.hardwareVirtualisation == true then
|
if cfg.config.hardwareVirtualisation == true then
|
||||||
"GRKERNSEC_CONFIG_VIRT_EPT y"
|
"GRKERNSEC_CONFIG_VIRT_EPT y"
|
||||||
else
|
else
|
||||||
|
@ -66,7 +66,7 @@ let
|
||||||
grsecVirtswCfg =
|
grsecVirtswCfg =
|
||||||
let virtCfg = opt: "GRKERNSEC_CONFIG_VIRT_"+opt+" y";
|
let virtCfg = opt: "GRKERNSEC_CONFIG_VIRT_"+opt+" y";
|
||||||
in
|
in
|
||||||
if cfg.config.virtualisationConfig == "none" then ""
|
if cfg.config.virtualisationConfig == null then ""
|
||||||
else if cfg.config.virtualisationSoftware == "xen" then virtCfg "XEN"
|
else if cfg.config.virtualisationSoftware == "xen" then virtCfg "XEN"
|
||||||
else if cfg.config.virtualisationSoftware == "kvm" then virtCfg "KVM"
|
else if cfg.config.virtualisationSoftware == "kvm" then virtCfg "KVM"
|
||||||
else if cfg.config.virtualisationSoftware == "vmware" then virtCfg "VMWARE"
|
else if cfg.config.virtualisationSoftware == "vmware" then virtCfg "VMWARE"
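Review bot: `grsecVirtswCfg` short-circuits only on `virtualisationConfig == null`, but `virtualisationSoftware` became `nullOr` in this same commit and the chain compares it against "xen", "kvm" and "vmware" with no null case, so a null value falls through every test into the trailing `else` that Nix requires after this hunk and emits whatever option that branch produces. The module assertion that rejects a virtualisation role without a software choice is gated on `mode == "auto"`, so if this binding is also evaluated in `custom` mode (not visible here) the mismatch is never caught. A guard directly after the first test keeps the generator fail-closed on its own: `else if cfg.config.virtualisationSoftware == null then throw "grsecurity: virtualisationConfig is set but virtualisationSoftware is null"` (or `then ""` if custom mode legitimately leaves it unset). The enclosing `let` starts and ends outside this hunk.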
|
||||||
|
|