forked from mirrors/nixpkgs
172dc1336f
This module implements a significant refactoring in grsecurity configuration for NixOS, making it far more usable by default and much easier to configure. - New security.grsecurity NixOS attributes. - All grsec kernels supported - Allows default 'auto' grsec configuration, or custom config - Supports custom kernel options through kernelExtraConfig - Defaults to high-security - user must choose kernel, server/desktop mode, and any virtualisation software. That's all. - kptr_restrict is fixed under grsecurity (it's unwriteable) - grsecurity patch creation is now significantly abstracted - only need revision, version, and SHA1 - kernel version requirements are asserted for sanity - built kernels can have the uname specify the exact grsec version for development or bug reports. Off by default (requires `security.grsecurity.config.verboseVersion = true;`) - grsecurity sysctl support - By default, disabled. - For people who enable it, NixOS deploys a 'grsec-lock' systemd service which runs at startup. You are expected to configure sysctl through NixOS like you regularly would, which will occur before the service is started. As a result, changing sysctl settings requires a reboot. - New default group: 'grsecurity' - Root is a member by default - GRKERNSEC_PROC_GID is implicitly set to the 'grsecurity' GID, making it possible to easily add users to this group for /proc access - AppArmor is now automatically enabled where it wasn't before, despite implying features.apparmor = true The most trivial example of enabling grsecurity in your kernel is by specifying: security.grsecurity.enable = true; security.grsecurity.testing = true; # testing 3.13 kernel security.grsecurity.config.system = "desktop"; # or "server" This specifies absolutely no virtualisation support. In general, you probably at least want KVM host support, which is a little more work. So: security.grsecurity.enable = true; security.grsecurity.stable = true; # enable stable 3.2 kernel security.grsecurity.config = { system = "server"; priority = "security"; virtualisationConfig = "host"; virtualisationSoftware = "kvm"; hardwareVirtualisation = true; } This module has primarily been tested on Hetzner EX40 & VQ7 servers using NixOps. Signed-off-by: Austin Seipp <aseipp@pobox.com> |
||
---|---|---|
.. | ||
common-config.nix | ||
generate-config.pl | ||
generic.nix | ||
grsec-path.patch | ||
linux-3.2.nix | ||
linux-3.4.nix | ||
linux-3.10.nix | ||
linux-3.12.nix | ||
linux-3.13.nix | ||
linux-3.14.nix | ||
linux-rpi-3.6.nix | ||
linux.upstream.template | ||
manual-config.nix | ||
mips-ext3-n32.patch | ||
mips-fpu-sigill.patch | ||
mips-fpureg-emulation.patch | ||
no-xsave.patch | ||
patches.nix | ||
perf.diff | ||
perf.nix |