forked from mirrors/nixpkgs
172dc1336f
This module implements a significant refactoring in grsecurity configuration for NixOS, making it far more usable by default and much easier to configure. - New security.grsecurity NixOS attributes. - All grsec kernels supported - Allows default 'auto' grsec configuration, or custom config - Supports custom kernel options through kernelExtraConfig - Defaults to high-security - user must choose kernel, server/desktop mode, and any virtualisation software. That's all. - kptr_restrict is fixed under grsecurity (it's unwriteable) - grsecurity patch creation is now significantly abstracted - only need revision, version, and SHA1 - kernel version requirements are asserted for sanity - built kernels can have the uname specify the exact grsec version for development or bug reports. Off by default (requires `security.grsecurity.config.verboseVersion = true;`) - grsecurity sysctl support - By default, disabled. - For people who enable it, NixOS deploys a 'grsec-lock' systemd service which runs at startup. You are expected to configure sysctl through NixOS like you regularly would, which will occur before the service is started. As a result, changing sysctl settings requires a reboot. - New default group: 'grsecurity' - Root is a member by default - GRKERNSEC_PROC_GID is implicitly set to the 'grsecurity' GID, making it possible to easily add users to this group for /proc access - AppArmor is now automatically enabled where it wasn't before, despite implying features.apparmor = true The most trivial example of enabling grsecurity in your kernel is by specifying: security.grsecurity.enable = true; security.grsecurity.testing = true; # testing 3.13 kernel security.grsecurity.config.system = "desktop"; # or "server" This specifies absolutely no virtualisation support. In general, you probably at least want KVM host support, which is a little more work. So: security.grsecurity.enable = true; security.grsecurity.stable = true; # enable stable 3.2 kernel security.grsecurity.config = { system = "server"; priority = "security"; virtualisationConfig = "host"; virtualisationSoftware = "kvm"; hardwareVirtualisation = true; } This module has primarily been tested on Hetzner EX40 & VQ7 servers using NixOps. Signed-off-by: Austin Seipp <aseipp@pobox.com>
77 lines
2.5 KiB
Nix
77 lines
2.5 KiB
Nix
{ config, pkgs, ... }:
|
|
|
|
with pkgs.lib;
|
|
|
|
let
|
|
|
|
sysctlOption = mkOptionType {
|
|
name = "sysctl option value";
|
|
check = x: isBool x || isString x || isInt x || isNull x;
|
|
merge = args: defs: (last defs).value; # FIXME: hacky way to allow overriding in configuration.nix.
|
|
};
|
|
|
|
in
|
|
|
|
{
|
|
|
|
options = {
|
|
|
|
boot.kernel.sysctl = mkOption {
|
|
default = {};
|
|
example = {
|
|
"net.ipv4.tcp_syncookies" = false;
|
|
"vm.swappiness" = 60;
|
|
};
|
|
type = types.attrsOf sysctlOption;
|
|
description = ''
|
|
Runtime parameters of the Linux kernel, as set by
|
|
<citerefentry><refentrytitle>sysctl</refentrytitle>
|
|
<manvolnum>8</manvolnum></citerefentry>. Note that sysctl
|
|
parameters names must be enclosed in quotes
|
|
(e.g. <literal>"vm.swappiness"</literal> instead of
|
|
<literal>vm.swappiness</literal>). The value of each
|
|
parameter may be a string, integer, boolean, or null
|
|
(signifying the option will not appear at all).
|
|
'';
|
|
};
|
|
|
|
};
|
|
|
|
config = {
|
|
|
|
environment.etc."sysctl.d/nixos.conf".text =
|
|
concatStrings (mapAttrsToList (n: v:
|
|
optionalString (v != null) "${n}=${if v == false then "0" else toString v}\n"
|
|
) config.boot.kernel.sysctl);
|
|
|
|
systemd.services.systemd-sysctl =
|
|
{ description = "Apply Kernel Variables";
|
|
before = [ "sysinit.target" "shutdown.target" ];
|
|
wantedBy = [ "sysinit.target" "multi-user.target" ];
|
|
restartTriggers = [ config.environment.etc."sysctl.d/nixos.conf".source ];
|
|
unitConfig = {
|
|
DefaultDependencies = false; # needed to prevent a cycle
|
|
ConditionPathIsReadWrite = "/proc/sys/"; # prevent systemd-sysctl in containers
|
|
};
|
|
serviceConfig = {
|
|
Type = "oneshot";
|
|
RemainAfterExit = true;
|
|
ExecStart = "${config.systemd.package}/lib/systemd/systemd-sysctl";
|
|
};
|
|
};
|
|
|
|
# Enable hardlink and symlink restrictions. See
|
|
# https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=800179c9b8a1e796e441674776d11cd4c05d61d7
|
|
# for details.
|
|
boot.kernel.sysctl."fs.protected_hardlinks" = true;
|
|
boot.kernel.sysctl."fs.protected_symlinks" = true;
|
|
|
|
# Hide kernel pointers (e.g. in /proc/modules) for unprivileged
|
|
# users as these make it easier to exploit kernel vulnerabilities.
|
|
#
|
|
# Removed under grsecurity.
|
|
boot.kernel.sysctl."kernel.kptr_restrict" =
|
|
if config.security.grsecurity.enable then null else 1;
|
|
};
|
|
}
|