forked from mirrors/nixpkgs
e99228db30
Previously, we would only set a default value, on the theory that `boot.kernelPackages` could be used to sanely configure a custom grsec kernel. Regrettably, this is not the case and users who expect e.g., `boot.kernelPackages = pkgs.linuxPackages_latest` to work will end up with a non-grsec kernel (this problem has come up twice on the bug tracker recently). With this patch, `security.grsecurity.enable = true` implies `boot.kernelPackages = linuxPackages_grsec_nixos` and any customization must be done via package override or by eschewing the module.
129 lines
4 KiB
Nix
129 lines
4 KiB
Nix
{ config, pkgs, lib, ... }:
|
|
|
|
with lib;
|
|
|
|
let
|
|
cfg = config.security.grsecurity;
|
|
grsecLockPath = "/proc/sys/kernel/grsecurity/grsec_lock";
|
|
|
|
# Ascertain whether NixOS container support is required
|
|
containerSupportRequired =
|
|
config.boot.enableContainers && config.containers != {};
|
|
in
|
|
|
|
{
|
|
meta = {
|
|
maintainers = with maintainers; [ joachifm ];
|
|
doc = ./grsecurity.xml;
|
|
};
|
|
|
|
options.security.grsecurity = {
|
|
|
|
enable = mkOption {
|
|
type = types.bool;
|
|
example = true;
|
|
default = false;
|
|
description = ''
|
|
Enable grsecurity/PaX.
|
|
'';
|
|
};
|
|
|
|
lockTunables = mkOption {
|
|
type = types.bool;
|
|
example = false;
|
|
default = true;
|
|
description = ''
|
|
Whether to automatically lock grsecurity tunables
|
|
(<option>boot.kernel.sysctl."kernel.grsecurity.*"</option>). Disable
|
|
this to allow runtime configuration of grsecurity features. Activate
|
|
the <literal>grsec-lock</literal> service unit to prevent further
|
|
configuration until the next reboot.
|
|
'';
|
|
};
|
|
|
|
disableEfiRuntimeServices = mkOption {
|
|
type = types.bool;
|
|
example = false;
|
|
default = true;
|
|
description = ''
|
|
Whether to disable access to EFI runtime services. Enabling EFI runtime
|
|
services creates a venue for code injection attacks on the kernel and
|
|
should be disabled if at all possible. Changing this option enters into
|
|
effect upon reboot.
|
|
'';
|
|
};
|
|
|
|
};
|
|
|
|
config = mkIf cfg.enable {
|
|
|
|
boot.kernelPackages = mkForce pkgs.linuxPackages_grsec_nixos;
|
|
|
|
boot.kernelParams = optional cfg.disableEfiRuntimeServices "noefi";
|
|
|
|
nixpkgs.config.grsecurity = true;
|
|
|
|
# Install PaX related utillities into the system profile.
|
|
environment.systemPackages = with pkgs; [ gradm paxctl pax-utils ];
|
|
|
|
# Install rules for the grsec device node
|
|
services.udev.packages = [ pkgs.gradm ];
|
|
|
|
# This service unit is responsible for locking the grsecurity tunables. The
|
|
# unit is always defined, but only activated on bootup if lockTunables is
|
|
# toggled. When lockTunables is toggled, failure to activate the unit will
|
|
# enter emergency mode. The intent is to make it difficult to silently
|
|
# enter multi-user mode without having locked the tunables. Some effort is
|
|
# made to ensure that starting the unit is an idempotent operation.
|
|
systemd.services.grsec-lock = {
|
|
description = "Lock grsecurity tunables";
|
|
|
|
wantedBy = optional cfg.lockTunables "multi-user.target";
|
|
|
|
wants = [ "local-fs.target" "systemd-sysctl.service" ];
|
|
after = [ "local-fs.target" "systemd-sysctl.service" ];
|
|
conflicts = [ "shutdown.target" ];
|
|
|
|
restartIfChanged = false;
|
|
|
|
script = ''
|
|
if ${pkgs.gnugrep}/bin/grep -Fq 0 ${grsecLockPath} ; then
|
|
echo -n 1 > ${grsecLockPath}
|
|
fi
|
|
'';
|
|
|
|
unitConfig = {
|
|
ConditionPathIsReadWrite = grsecLockPath;
|
|
DefaultDependencies = false;
|
|
} // optionalAttrs cfg.lockTunables {
|
|
OnFailure = "emergency.target";
|
|
};
|
|
|
|
serviceConfig = {
|
|
Type = "oneshot";
|
|
RemainAfterExit = true;
|
|
};
|
|
};
|
|
|
|
# Configure system tunables
|
|
boot.kernel.sysctl = {
|
|
# Read-only under grsecurity
|
|
"kernel.kptr_restrict" = mkForce null;
|
|
} // optionalAttrs config.nix.useSandbox {
|
|
# chroot(2) restrictions that conflict with sandboxed Nix builds
|
|
"kernel.grsecurity.chroot_caps" = mkForce 0;
|
|
"kernel.grsecurity.chroot_deny_chroot" = mkForce 0;
|
|
"kernel.grsecurity.chroot_deny_mount" = mkForce 0;
|
|
"kernel.grsecurity.chroot_deny_pivot" = mkForce 0;
|
|
"kernel.grsecurity.chroot_deny_chmod" = mkForce 0;
|
|
} // optionalAttrs containerSupportRequired {
|
|
# chroot(2) restrictions that conflict with NixOS lightweight containers
|
|
"kernel.grsecurity.chroot_deny_chmod" = mkForce 0;
|
|
"kernel.grsecurity.chroot_deny_mount" = mkForce 0;
|
|
"kernel.grsecurity.chroot_restrict_nice" = mkForce 0;
|
|
"kernel.grsecurity.chroot_caps" = mkForce 0;
|
|
};
|
|
|
|
};
|
|
}
|