3
0
Fork 0
forked from mirrors/nixpkgs
nixpkgs/pkgs/os-specific/linux/kernel/grsecurity-nixos-config.nix
Joachim Fasting 9a9237e0aa
grsecurity: revamp nixos kernel config
Cleanup:
- Restructure & add some commentary
- Remove redundant option specs given the auto config
  constraints (some are left in for documentation purposes)

Changes:
- GRKERNSEC_CONFIG_VIRT_HOST -> GUEST
  The former deselects paravirtualization and friends
- PAX_LATENT_ENTROPY n -> y (implied by auto)
- GRKERNSEC_ACL_HIDEKERN y -> n
  Possibly useless with redistribution
2016-10-02 19:25:58 +02:00

60 lines
1.4 KiB
Nix

{ stdenv }:
with stdenv.lib;
''
# Auto configuration with these constraints will enable most of the
# important features (RAP, UDEREF, ASLR, memory sanitization).
GRKERNSEC_CONFIG_AUTO y
GRKERNSEC_CONFIG_DESKTOP y
GRKERNSEC_CONFIG_PRIORITY_SECURITY y
# We specify virt guest rather than host here, the latter deselects e.g.,
# paravirtualization.
GRKERNSEC_CONFIG_VIRT_GUEST y
# Note: assumes platform supports CPU-level virtualization (so no pentium 4)
GRKERNSEC_CONFIG_VIRT_EPT y
GRKERNSEC_CONFIG_VIRT_KVM y
# PaX control
PAX_SOFTMODE y
PAX_PT_PAX_FLAGS y
PAX_XATTR_PAX_FLAGS y
PAX_EI_PAX n
# The bts instrumentation method is compatible with binary only modules.
#
# Note: if platform supports SMEP, we could do without this
PAX_KERNEXEC_PLUGIN_METHOD_BTS y
# Additional grsec hardening not implied by auto constraints
GRKERNSEC_IO y
# Disable protections rendered useless by redistribution
GRKERNSEC_HIDESYM n
GRKERNSEC_RANDSTRUCT n
# Disable protections covered by vanilla mechanisms
GRKERNSEC_DMESG n
GRKERNSEC_KMEM n
GRKERNSEC_PROC n
# Disable protections that are inappropriate for a general-purpose kernel
GRKERNSEC_NO_SIMULT_CONNECT n
# Enable additional audititing
GRKERNSEC_AUDIT_MOUNT y
GRKERNSEC_AUDIT_PTRACE y
GRKERNSEC_FORKFAIL y
# Wishlist: support trusted path execution
GRKERNSEC_TPE n
# Wishlist: enable this, but breaks user initiated module loading
GRKERNSEC_MODHARDEN n
GRKERNSEC_SYSCTL y
GRKERNSEC_SYSCTL_DISTRO y
GRKERNSEC_SYSCTL_ON y
''