3
0
Fork 0
forked from mirrors/nixpkgs
nixpkgs/pkgs/os-specific/linux/kernel
Austin Seipp 172dc1336f nixos: add grsecurity module (#1875)
This module implements a significant refactoring in grsecurity
configuration for NixOS, making it far more usable by default and much
easier to configure.

 - New security.grsecurity NixOS attributes.
   - All grsec kernels supported
   - Allows default 'auto' grsec configuration, or custom config
   - Supports custom kernel options through kernelExtraConfig
   - Defaults to high-security - user must choose kernel, server/desktop
     mode, and any virtualisation software. That's all.
   - kptr_restrict is fixed under grsecurity (it's unwriteable)
 - grsecurity patch creation is now significantly abstracted
   - only need revision, version, and SHA1
   - kernel version requirements are asserted for sanity
   - built kernels can have the uname specify the exact grsec version
     for development or bug reports. Off by default (requires
     `security.grsecurity.config.verboseVersion = true;`)
 - grsecurity sysctl support
   - By default, disabled.
   - For people who enable it, NixOS deploys a 'grsec-lock' systemd
     service which runs at startup. You are expected to configure sysctl
     through NixOS like you regularly would, which will occur before the
     service is started. As a result, changing sysctl settings requires
     a reboot.
 - New default group: 'grsecurity'
   - Root is a member by default
   - GRKERNSEC_PROC_GID is implicitly set to the 'grsecurity' GID,
     making it possible to easily add users to this group for /proc
     access
 - AppArmor is now automatically enabled where it wasn't before, despite
   implying features.apparmor = true

The most trivial example of enabling grsecurity in your kernel is by
specifying:

    security.grsecurity.enable          = true;
    security.grsecurity.testing         = true;      # testing 3.13 kernel
    security.grsecurity.config.system   = "desktop"; # or "server"

This specifies absolutely no virtualisation support. In general, you
probably at least want KVM host support, which is a little more work.
So:

    security.grsecurity.enable = true;
    security.grsecurity.stable = true; # enable stable 3.2 kernel
    security.grsecurity.config = {
      system   = "server";
      priority = "security";
      virtualisationConfig   = "host";
      virtualisationSoftware = "kvm";
      hardwareVirtualisation = true;
    }

This module has primarily been tested on Hetzner EX40 & VQ7 servers
using NixOps.

Signed-off-by: Austin Seipp <aseipp@pobox.com>
2014-04-11 22:43:51 -05:00
..
common-config.nix Enable CC_STACKPROTECTOR_REGULAR on linux 3.14+ 2014-04-02 17:58:54 -04:00
generate-config.pl Implement generic kernel build via manual-config 2014-01-01 09:21:25 -05:00
generic.nix kernel.passthru: Don't include meta to be consistent with stdenv.mkDerivation 2014-01-21 21:12:58 -05:00
grsec-path.patch grsecurity: Fix grsec-path.patch to apply with newest patches 2014-03-15 18:01:47 +01:00
linux-3.2.nix linux: Update to 3.2.57 2014-04-10 00:37:33 +02:00
linux-3.4.nix kernel: longterm updates 2014-04-07 13:56:50 -05:00
linux-3.10.nix kernel: longterm updates 2014-04-07 13:56:50 -05:00
linux-3.12.nix kernel: longterm updates 2014-04-07 13:56:50 -05:00
linux-3.13.nix linux: Update to 3.13.9 2014-04-07 15:31:12 +02:00
linux-3.14.nix Add linux 3.14 2014-03-31 20:54:47 -04:00
linux-rpi-3.6.nix Set meta.hydraPlatforms instead of meta.platforms for some packages 2013-11-05 00:06:10 +01:00
linux.upstream.template Linux: Add 3.9-rc1 as lowPrio (it has a regression fix 3.8.2 lacks) 2013-03-06 23:59:49 +04:00
manual-config.nix Remove timestamp from the kernel. 2014-04-05 08:40:55 +02:00
mips-ext3-n32.patch mips linux: Adding a patch to fix an ext3 bug in 3.5 and 3.6 2012-11-06 00:16:13 +01:00
mips-fpu-sigill.patch Fixing the mips patch for sigill fpu cases. 2012-06-16 15:37:04 +00:00
mips-fpureg-emulation.patch Adding two kernel patches for mips, that make the life easier on loongson2f 2012-06-16 10:49:03 +00:00
no-xsave.patch Linux no-xsave.patch: commit patch into Nixpkgs since fetchurl no longer works 2012-07-02 16:53:53 +02:00
patches.nix nixos: add grsecurity module (#1875) 2014-04-11 22:43:51 -05:00
perf.diff linux-perf: Fix build (unportable shell hack broke). 2014-01-25 16:30:14 +01:00
perf.nix perf: Make build fix for 3.13 cleaner. 2014-02-07 22:53:55 +01:00