forked from mirrors/nixpkgs
9a9237e0aa
Cleanup: - Restructure & add some commentary - Remove redundant option specs given the auto config constraints (some are left in for documentation purposes) Changes: - GRKERNSEC_CONFIG_VIRT_HOST -> GUEST The former deselects paravirtualization and friends - PAX_LATENT_ENTROPY n -> y (implied by auto) - GRKERNSEC_ACL_HIDEKERN y -> n Possibly useless with redistribution
60 lines
1.4 KiB
Nix
60 lines
1.4 KiB
Nix
{ stdenv }:
|
|
|
|
with stdenv.lib;
|
|
|
|
''
|
|
# Auto configuration with these constraints will enable most of the
|
|
# important features (RAP, UDEREF, ASLR, memory sanitization).
|
|
GRKERNSEC_CONFIG_AUTO y
|
|
GRKERNSEC_CONFIG_DESKTOP y
|
|
GRKERNSEC_CONFIG_PRIORITY_SECURITY y
|
|
|
|
# We specify virt guest rather than host here, the latter deselects e.g.,
|
|
# paravirtualization.
|
|
GRKERNSEC_CONFIG_VIRT_GUEST y
|
|
# Note: assumes platform supports CPU-level virtualization (so no pentium 4)
|
|
GRKERNSEC_CONFIG_VIRT_EPT y
|
|
GRKERNSEC_CONFIG_VIRT_KVM y
|
|
|
|
# PaX control
|
|
PAX_SOFTMODE y
|
|
PAX_PT_PAX_FLAGS y
|
|
PAX_XATTR_PAX_FLAGS y
|
|
PAX_EI_PAX n
|
|
|
|
# The bts instrumentation method is compatible with binary only modules.
|
|
#
|
|
# Note: if platform supports SMEP, we could do without this
|
|
PAX_KERNEXEC_PLUGIN_METHOD_BTS y
|
|
|
|
# Additional grsec hardening not implied by auto constraints
|
|
GRKERNSEC_IO y
|
|
|
|
# Disable protections rendered useless by redistribution
|
|
GRKERNSEC_HIDESYM n
|
|
GRKERNSEC_RANDSTRUCT n
|
|
|
|
# Disable protections covered by vanilla mechanisms
|
|
GRKERNSEC_DMESG n
|
|
GRKERNSEC_KMEM n
|
|
GRKERNSEC_PROC n
|
|
|
|
# Disable protections that are inappropriate for a general-purpose kernel
|
|
GRKERNSEC_NO_SIMULT_CONNECT n
|
|
|
|
# Enable additional audititing
|
|
GRKERNSEC_AUDIT_MOUNT y
|
|
GRKERNSEC_AUDIT_PTRACE y
|
|
GRKERNSEC_FORKFAIL y
|
|
|
|
# Wishlist: support trusted path execution
|
|
GRKERNSEC_TPE n
|
|
|
|
# Wishlist: enable this, but breaks user initiated module loading
|
|
GRKERNSEC_MODHARDEN n
|
|
|
|
GRKERNSEC_SYSCTL y
|
|
GRKERNSEC_SYSCTL_DISTRO y
|
|
GRKERNSEC_SYSCTL_ON y
|
|
''
|