1
0
Fork 1
mirror of https://github.com/NixOS/nixpkgs.git synced 2024-11-25 15:11:35 +00:00
Commit graph

496 commits

Author SHA1 Message Date
Gregor Kleen e70d293b6b nixos/acme: Allow for time window between cert issue and activation 2017-11-19 17:25:00 +01:00
Bjørn Forsman 3f36f167e6 nixos/pam: fix docs about path to u2f_keys file
Looking at upstream git repo (git://github.com/Yubico/pam-u2f.git) the
docs initially said the path was ~/.yubico/u2f_keys, but it was later
changed to ~/.config/Yubico/u2f_keys (in 2015).

I have run pam_u2f.so with "debug" option and observed that the correct
path indeed is ~/.config/Yubico/u2f_keys.
2017-11-17 17:50:40 +01:00
Pierre-Etienne Meunier 538acd9060 ACME module: add server option (#31122) 2017-11-02 11:10:47 +01:00
Richard Marko 4e26054ff5 pam, lxcfs: enable pam_cgfs
Related to #30023
2017-11-02 02:52:08 +01:00
Chris Martin 0581038e8e nixos/acme: remove doc note about restarting nginx
Discussion from #30945 indicates that it is no longer true that you have
to restart nginx.
2017-10-30 13:51:35 -04:00
edef ea35bc94bf nixos/ecryptfs: init
Currently, ecryptfs support is coupled to `security.pam.enableEcryptfs`, but one
might want to use ecryptfs without enabling the PAM functionality. This commit
splits it out into a `boot.supportedFilesystems` switch.
2017-10-20 17:42:04 +01:00
gnidorah 7867b50881 nixos/pam: add swaylock (#29919) 2017-10-20 16:30:28 +00:00
Tristan Helmich c6761f8578 security.pam.usb: link to wiki on github.com
pamusb.org no longer serves the intended content.
2017-09-28 16:00:28 +02:00
Joachim Fasting 1df6cf5d1d
nixos/lock-kernel-modules: fix deferred fileSystem mounts
Ensure that modules required by all declared fileSystems are explicitly
loaded.  A little ugly but fixes the deferred mount test.

See also https://github.com/NixOS/nixpkgs/issues/29019
2017-09-22 23:55:04 +02:00
Joachim Fasting 15a4f9d8ef
nixos/hardened: simplify script 2017-09-22 23:53:06 +02:00
Michael Weiss 351f5fc585 fuse3: init at 3.1.1
This includes fuse-common (fusePackages.fuse_3.common) as recommended by
upstream. But while fuse(2) and fuse3 would normally depend on
fuse-common we can't do that in nixpkgs while fuse-common is just
another output from the fuse3 multiple-output derivation (i.e. this
would result in a circular dependency). To avoid building fuse3 twice I
decided it would be best to copy the shared files (i.e. the ones
provided by fuse(2) and fuse3) from fuse-common to fuse (version 2) and
avoid collision warnings by defining priorities. Now it should be
possible to install an arbitrary combination of "fuse", "fuse3", and
"fuse-common" without getting any collision warnings. The end result
should be the same and all changes should be backwards compatible
(assuming that mount.fuse from fuse3 is backwards compatible as stated
by upstream [0] - if not this might break some /etc/fstab definitions
but that should be very unlikely).

My tests with sshfs (version 2 and 3) didn't show any problems.

See #28409 for some additional information.

[0]: https://github.com/libfuse/libfuse/releases/tag/fuse-3.0.0
2017-09-21 23:59:46 +02:00
Joachim Fasting bb036a327c
nixos/chromium-suid-sandbox: remove reference to grsecurity 2017-09-02 20:35:28 +02:00
Joachim Fasting 268eb4adb7
nixos: purge remaining grsecurity bits
:(

Fixes https://github.com/NixOS/nixpkgs/issues/28859
2017-09-02 20:35:24 +02:00
Benjamin Staffin 2e65e2df94 nixos: Fix pam_kwallet5 integration
Fixes #28469
2017-08-22 11:52:14 -04:00
Christian Albrecht 93965870a8 nixos/auditd: break ordering cycle (#27577)
auditd creates an ordering cycle by adding wantedBy = [ "basic.target" ],
because of this the job job systemd-update-utmp.service/start is deleted.

Adding unitConfig.DefaultDependencies = false; to the auditd service unbreaks the cycle.

See also #11864
2017-08-01 20:45:01 +01:00
Christian Albrecht ebaff599ba nixos/auditd: init at 2.7.6 (#27261)
#11864 Support Linux audit subsystem
Add the auditd.service as NixOS module to be able to
generate profiles from /var/log/audit/audit.log
with apparmor-utils.

auditd needs the folder /var/log/audit to be present on start
so this is generated in ExecPreStart.

auditd starts with -s nochange so that effective audit processing
is managed by the audit.service.
2017-07-09 17:59:09 +01:00
Jörg Thalheim 343ad1697d Merge pull request #26897 from layus/nixos-terminfo
terminfo: symlink terminfo to /etc for ncurses
2017-07-01 09:27:24 +01:00
Guillaume Maudoux bd562949cf terminfo: symlink terminfo to /etc for ncurses 2017-06-30 11:17:11 +02:00
tv ea44ca47f3 security-wrapper: run activation script after specialfs
Ensures that parentWrapperDir exists before it is used.

Closes #26851
2017-06-26 09:26:16 +02:00
Parnell Springmeyer 5ca644c228
Fixing attribute name mistake: setguid => setgid 2017-06-15 19:25:43 -07:00
Bjørn Forsman 6a55fda61e nixos/acme: improve documentation
* Use literalExample for better readability
* Clarify a bit wrt. 'webroot' and 'allowKeysForGroup'
2017-06-09 19:35:17 +02:00
Bjørn Forsman 7a0e958b97 nixos/acme: support "full.pem" (for lighttpd)
* Create "full.pem" from selfsigned certificate
* Tell simp_le to create "full.pem"
* Inject service dependency between lighttpd and the generation of certificates

Side note: According to the internet these servers also use the
"full.pem" format: pound, ejabberd, pure-ftpd.
2017-06-09 19:35:17 +02:00
lassulus fd7a8f1b91 nixos/security/acme: fix acme folder permissions 2017-05-11 18:49:26 +02:00
Joachim Fasting 56e1133d75
nixos/lock-kernel-modules: fix typo in unitConfig
I managed to miss this one somehow ... meh
2017-04-30 15:17:29 +02:00
Joachim Fasting 878ad1ce6e
nixos: add option to lock kernel modules
Adds an option `security.lockKernelModules` that, when enabled, disables
kernel module loading once the system reaches its normal operating state.

The rationale for this over simply setting the sysctl knob is to allow
some legitmate kernel module loading to occur; the naive solution breaks
too much to be useful.

The benefit to the user is to help ensure the integrity of the kernel
runtime: only code loaded as part of normal system initialization will be
available in the kernel for the duration of the boot session.  This helps
prevent injection of malicious code or unexpected loading of legitimate
but normally unused modules that have exploitable bugs (e.g., DCCP use
after free CVE-2017-6074, n_hldc CVE-2017-2636, XFRM framework
CVE-2017-7184, L2TPv3 CVE-2016-10200).

From an aestethic point of view, enabling this option helps make the
configuration more "declarative".

Closes https://github.com/NixOS/nixpkgs/pull/24681
2017-04-30 12:05:37 +02:00
Joachim Fasting 32b8512e54
grsecurity: discontinue support
Upstream has decided to make -testing patches private, effectively ceasing
free support for grsecurity/PaX [1].  Consequently, we can no longer
responsibly support grsecurity on NixOS.

This patch turns the kernel and patch expressions into build errors and
adds a warning to the manual, but retains most of the infrastructure, in
an effort to make the transition smoother.  For 17.09 all of it should
probably be pruned.

[1]: https://grsecurity.net/passing_the_baton.php
2017-04-28 12:35:15 +02:00
edanaher e3559c23c2 acme: Add "domain" option to separate domain from name
Fixes #24731.
2017-04-11 18:28:05 +02:00
Eelco Dolstra 01dbf03628
network-link-*.service: Set stopIfChanged = false
This reduces the time window during which IP addresses are gone during
switch-to-configuration. A complication is that with stopIfChanged =
true, preStop would try to delete the *new* IP addresses rather than
the old one (since the preStop script now runs after the switch to the
new configuration). So we now record the actually configured addresses
in /run/nixos/network/addresses/<interface>. This is more robust in
any case.

Issue https://github.com/NixOS/nixops/issues/640.
2017-04-04 15:13:49 +02:00
Niklas Hambüchen ee0f3e7ad9 acme: Use chown -R for challenges directory. Fixes #24529.
Commit 75f131da02 added
`chown 'nginx:nginx' '/var/lib/acme'` to the pre-start script,
but since it doesn't use `chown -R`, it is possible that there
are older existing subdirs (like `acme-challenge`)
that are owned to `root` from before that commit went it.
2017-04-01 15:22:01 +02:00
Robin Gloster e82baf043e
security-wrapper: link old wrapper dir to new one
This makes setuid wrappers not fail after upgrading.

references #23641, #22914, #19862, #16654
2017-03-23 15:57:30 +01:00
Robin Gloster 45f486f096
Revert "security-wrapper: Don't remove the old paths yet as that can create migration pain"
This reverts commit 4c751ced37.

This does not fix the issue as /run is now mounted with nosuid.
2017-03-23 15:57:23 +01:00
Robin Gloster f2ff646e59 Merge pull request #23641 from awakenetworks/parnell/fix-wrapper-migration
security-wrapper: Don't remove the old paths yet as that can create migration pain
2017-03-21 13:40:15 +01:00
Franz Pletz fb50cde71e
nixos/treewide: systemd.time is in manvolume 7
cc #23396
2017-03-21 08:28:53 +01:00
Franz Pletz 9536169074
nixos/treewide: remove boolean examples for options
They contain no useful information and increase the length of the
autogenerated options documentation.

See discussion in #18816.
2017-03-17 23:36:19 +01:00
Léo Gaspard 66e54f25a1 dhparams module: condition on enable option (#23661)
Hence, the init/cleanup service only runs when the dhparams module is enabled.
2017-03-17 01:56:13 +01:00
zetok 4ca17dd6c0 gresecurity docs: fix incorrect option (#23789) 2017-03-12 15:05:14 +01:00
Parnell Springmeyer 4c751ced37
security-wrapper: Don't remove the old paths yet as that can create migration pain 2017-03-08 08:57:52 -06:00
Jesper Geertsen Jonsson 056e57678d
grsecurity docs: fix syntax and indentation errors
Closes https://github.com/NixOS/nixpkgs/pull/23515
2017-03-05 16:05:43 +01:00
Thomas Tuegel 8eb4d2afbc
Remove top-level kde5 attribute
- There is no such thing as KDE 5
2017-02-27 11:49:10 -06:00
Robin Gloster 940492cef5 Merge pull request #22634 from Ekleog/dhparams
dhparams module: initialize
2017-02-23 17:16:04 +01:00
Vladimír Čunát 4509487e82
nixos polkit: fixup setuid wrapper of pkexec
Broken in 628e6a8.  Fixes #23083.
2017-02-22 23:04:21 +01:00
Nikolay Amiantov 2cc4703a2d wrappers service: make /run/wrappers a mountpoint
Also remove some compatibility code because the directory in question would be
shadowed by a mountpoint anyway.
2017-02-21 12:13:35 +03:00
Robin Gloster 12b4556642 Merge pull request #22882 from bjornfor/wireshark
nixos: add programs.wireshark option
2017-02-20 14:03:30 +01:00
Joachim F 6dbe55ca68 Merge pull request #20456 from ericsagnes/feat/loaf-dep-1
Use attrsOf in place of loaOf when relevant
2017-02-19 15:49:25 +01:00
Léo Gaspard e2c78910d1
dhparams module: initialize 2017-02-18 00:07:03 +01:00
Robin Gloster 070825d443
setcapWrapper: add support for setting permissions 2017-02-17 15:42:54 +01:00
Benjamin Staffin 463e90273f pam: add optional pam_kwallet5 integration 2017-02-16 02:26:42 -05:00
Bjørn Forsman ce0a52f9bf nixos/security.wrappers: improve documentation
* The source attribute is mandatory, not optional
* The program attribute is optional
* Move the info about the mandatory attribute first (most important,
  IMHO)
2017-02-15 20:05:27 +01:00
Bjørn Forsman f9cb2b5640 nixos/security.wrappers: use literalExample in documentation
It's much more readable when the example attrset is pretty printed
instead of written as one line.
2017-02-15 09:08:41 +01:00
Bjørn Forsman 448acd8e5e nixos: remove remaining reference to setuidPrograms
The option doesn't exist anymore.
2017-02-15 07:25:33 +01:00
Parnell Springmeyer 1f83f1c878
security-wrapper: Wrap <para> tags in a <note> tag 2017-02-14 21:30:04 -06:00
Parnell Springmeyer 69794e333a
Using para tags for manual formatting 2017-02-14 08:53:30 -06:00
Parnell Springmeyer 794b3721bc
Syntax wibble 2017-02-14 08:42:08 -06:00
Parnell Springmeyer e856d6efe8
Default should be to set owner and group to root on setcap wrappers too 2017-02-14 08:40:12 -06:00
Parnell Springmeyer c01689f8da
Fixing ref to old-wrappersDir 2017-02-14 08:33:07 -06:00
Parnell Springmeyer f8b8c353ff
Simplifying the wrapper program derivation 2017-02-14 08:27:40 -06:00
Parnell Springmeyer fb6d13c01a
Addressing feedback and fixing a bug 2017-02-14 07:38:45 -06:00
Parnell Springmeyer ba499e3aa0
Removing unused module option old-wrapperDir 2017-02-14 07:30:21 -06:00
Parnell Springmeyer a27f35993d
Derp, correctly write the source program's path 2017-02-13 18:28:13 -06:00
Parnell Springmeyer cca2e11556
Resurrecting the single-wrapper read from sibling .real file behavior 2017-02-13 18:03:06 -06:00
Parnell Springmeyer 9e36a58649
Merging against upstream master 2017-02-13 17:16:28 -06:00
Graham Christensen 96d767de62
pam_oath: require OATH and pam_unix credentials to be valid 2017-02-12 18:27:11 -05:00
Joachim Fasting 0c31286f75
grsecurity docs: some polish
Fix minor formatting issues, excessive punctuation, and also some
improved wording.
2017-02-03 18:47:07 +01:00
Parnell Springmeyer 128bdac94f
Conditionally logging debug messages based on the WRAPPER_DEBUG env var being set (or not) 2017-01-30 12:59:29 -06:00
Parnell Springmeyer d8ecd5eb0d
Switching to individually generated derivations 2017-01-30 12:26:56 -06:00
Parnell Springmeyer 264db4e309
Set merge + mkIf always surprises me 2017-01-29 17:10:32 -06:00
Parnell Springmeyer f2f3f1479e
Derp, wrong path name 2017-01-29 16:54:27 -06:00
Parnell Springmeyer 0f728de67e
More migration cleanup + todos for cleanup 2017-01-29 16:52:23 -06:00
Parnell Springmeyer 4856b42ab6
Gotta provide sane defaults! This is what I get for 5AM coding 2017-01-29 16:47:14 -06:00
Parnell Springmeyer cfe4351c33
I'm clearly very tired 2017-01-29 05:39:54 -06:00
Parnell Springmeyer 1cc500ea8e
Syntax wibble 2017-01-29 05:34:50 -06:00
Parnell Springmeyer 628e6a83d0
More derp 2017-01-29 05:33:56 -06:00
Parnell Springmeyer 70b8167d4a
A few more tweaks 2017-01-29 05:05:30 -06:00
Parnell Springmeyer 4aa0923009
Getting rid of the var indirection and using a bin path instead 2017-01-29 04:11:01 -06:00
Parnell Springmeyer af3b9a3d46
More wibbles? 2017-01-29 01:41:39 -06:00
Parnell Springmeyer 48564d1ae5
Another wibble 2017-01-29 01:31:33 -06:00
Parnell Springmeyer 5077699605
Derp derp 2017-01-29 01:27:11 -06:00
Parnell Springmeyer 0707a3eaa2
Qualify with lib 2017-01-29 01:23:10 -06:00
Parnell Springmeyer 8e159b9d1e
Qualify mkOption with lib 2017-01-29 01:22:47 -06:00
Parnell Springmeyer 70ec24093c
Removing dead code 2017-01-29 01:22:19 -06:00
Parnell Springmeyer 82de4c0fad
setcap-wrapper: Syntax wibble 2017-01-29 01:20:02 -06:00
Parnell Springmeyer 7680a40a37
setcap-wrapper: Syntax wibble 2017-01-29 01:16:04 -06:00
Parnell Springmeyer 2f113ee90a
setcap-wrapper: Minor refactor 2017-01-29 01:08:36 -06:00
Parnell Springmeyer 3fe7b1a4c9
setcap-wrapper: Addressing more PR feedback, unifying drvs, and cleaning up a bit 2017-01-29 01:07:12 -06:00
Parnell Springmeyer e92b8402b0
Addressing PR feedback 2017-01-28 20:48:03 -08:00
Parnell Springmeyer 9de070e620
Setuid wrapper should not be constrained to a specific linux kernel version 2017-01-26 09:39:37 -08:00
Parnell Springmeyer 01e6b82f3f
Removing dead code 2017-01-26 09:20:15 -08:00
Parnell Springmeyer 189a0c2579
Wrap with quotes as-per GCC's recommendation 2017-01-26 02:07:36 -08:00
Parnell Springmeyer c30cf645f8
Make setting of the wrapper macros a compile-time error 2017-01-26 02:06:24 -08:00
Parnell Springmeyer a26a796d5c
Merging against master - updating smokingpig, rebase was going to be messy 2017-01-26 02:00:04 -08:00
Parnell Springmeyer ad8fde5e5d
Andddd more derp 2017-01-26 01:33:25 -08:00
Parnell Springmeyer ce36b58e21
Derp 2017-01-26 01:31:49 -08:00
Parnell Springmeyer f64b06a3e0
Hmmm 2017-01-26 01:13:19 -08:00
Parnell Springmeyer fd974085bf
It's clearly quite late 2017-01-26 01:04:12 -08:00
Parnell Springmeyer 61fe8de40c
Silly, should just have one activation script 2017-01-26 01:03:18 -08:00
Parnell Springmeyer 48a0c5a3a7
More fixing 2017-01-26 01:00:46 -08:00
Parnell Springmeyer 21368c4c67
Hmm, unnecessary 2017-01-26 00:58:44 -08:00
Parnell Springmeyer a4f905afc2
Enhhh I think compile time macros are gross 2017-01-26 00:41:00 -08:00
Parnell Springmeyer 785684f6c2
Ahhh, my compile-time macros confused me...of course they did... 2017-01-26 00:39:17 -08:00
Parnell Springmeyer 1ad541171e
Hmm 2017-01-26 00:36:35 -08:00
Parnell Springmeyer e8bec4c75f
Implicit declared function... 2017-01-26 00:35:01 -08:00
Parnell Springmeyer a20e65724b
Fixing 2017-01-26 00:32:59 -08:00
Parnell Springmeyer 025555d7f1
More fixes and improvements 2017-01-26 00:05:40 -08:00
Parnell Springmeyer bae00e8aa8
setcap-wrapper: Merging with upstream master and resolving conflicts 2017-01-25 11:08:05 -08:00
Franz Pletz 516760a6fb
nixos/acme: add random delay to timer
This way we behave like good citizens and won't overload Let's Encrypt
with lots of cert renewal requests at the same time.
2017-01-25 19:15:04 +01:00
Jörg Thalheim 30a554acfb
apparmor: support for lxc profiles 2017-01-10 23:01:03 +01:00
teh a878365b77 nixos docs: update for Nginx + ACME (#21320)
Closes #20698.
2017-01-09 06:39:10 +01:00
Alexander Kahl 61d125b842 sssd: init at 1.14.2
perlPackages.TextWrapI18N: init at 0.06
perlPackages.Po4a: init at 0.47
jade: init at 1.2.1
ding-libs: init at 0.6.0

Switch nscd to no-caching mode if SSSD is enabled.

abbradar: disable jade parallel building.

Closes #21150
2017-01-04 03:07:20 +03:00
Joachim Fasting f39d13cd3e
grsecurity doc: describe work-around for gitlab
Fixes https://github.com/NixOS/nixpkgs/issues/20959
2016-12-08 11:59:57 +01:00
Joachim Fasting 984d9ebb56
hidepid: polkit and systemd-logind compatibility
`systemd.hideProcessInformation = true`, would break interactions
requiring polkit arbitration such as initating poweroff/reboot as a
normal user; the polkit daemon cannot be expected to make decisions
about processes that don't exist as far as it is concerned.

systemd-logind lacks the `sys_ptrace` capability and so needs to be part
of the designated proc gid, even though it runs as root.

Fixes https://github.com/NixOS/nixpkgs/issues/20948
2016-12-07 01:12:05 +01:00
Joachim Fasting 0e765c72e5
grsecurity: enable module hardening 2016-12-06 01:23:58 +01:00
Joachim Fasting 31d79afbe5
grsecurity docs: note that pax_sanitize_slab defaults to fast 2016-12-06 01:23:51 +01:00
Joachim Fasting 071fbcda24
grsecurity: enable optional sysfs restrictions
Fairly severe, but can be disabled at bootup via
grsec_sysfs_restrict=0. For the NixOS module we ensure that it is
disabled, for systemd compatibility.
2016-12-06 01:23:36 +01:00
Joachim Fasting 8c1f5afdf3
grsecurity: delay toggling of sysctls until system is up
We generally trust init, so there's little point in having these enabled
during early bootup; it accomplishes little except fill our logs with
spam.
2016-12-06 01:22:53 +01:00
Domen Kožar 75f131da02 acme: ensure nginx challenges directory is writeable 2016-11-29 15:56:01 +01:00
Joachim Fasting e99228db30
grsecurity module: force a known good kernel package set
Previously, we would only set a default value, on the theory that
`boot.kernelPackages` could be used to sanely configure a custom grsec
kernel.  Regrettably, this is not the case and users who expect e.g.,
`boot.kernelPackages = pkgs.linuxPackages_latest` to work will end up
with a non-grsec kernel (this problem has come up twice on the bug
tracker recently).

With this patch, `security.grsecurity.enable = true` implies
`boot.kernelPackages = linuxPackages_grsec_nixos` and any customization
must be done via package override or by eschewing the module.
2016-11-28 12:11:04 +01:00
Joachim Fasting 2eb6ec1bc4
grsecurity module: remove code pertaining to zfs
I don't know if it still the case that zfs fails to boot; either way,
that's the user's responsibility to contend with.
2016-11-20 23:01:22 +01:00
Joachim Fasting 98935c7103
grsecurity module: remove requiredKernelConfig
Using a custom package set with the NixOS module is no longer
something I wish to support.  It's still *possible* but not
advertised.  Secondly, the requiredKernelConfig didn't really
do anything (setting kernelPackages to a non-grsec kernel would
just silently let the user boot into a non-grsec setup ...).
2016-11-20 23:00:41 +01:00
Joachim Fasting 5ad8a56d16
grsecurity module: remove use of mkEnableOption 2016-11-20 23:00:24 +01:00
Eric Sagnes 9513ab45aa duosec module: use enum 2016-11-16 22:36:05 +09:00
Eric Sagnes e5b7975fe3 acme module: certs option loaOf -> attrsOf 2016-11-16 16:28:27 +09:00
Timofei Kushnir faa6f9b6b3 grsecurity: fix 'isYes' and 'isNo' 2016-10-29 14:26:06 +03:00
Domen Kožar 41c490b75e acme: we do want to support ipv4 afterall 2016-10-21 13:25:11 +02:00
Domen Kožar d8f21b3ca3 acme: provide full nginx example
(cherry picked from commit 2af7382f76)
Signed-off-by: Domen Kožar <domen@dev.si>
2016-10-21 13:19:04 +02:00
Alexander Ried d91365d714 audit module: only enable service if kernel has audit (#19569) 2016-10-15 16:03:41 +02:00
Franz Pletz 0d59fc1169
cacerts: refactor, add blacklist option
Previously, the list of CA certificates was generated with a perl script
which is included in curl. As this script is not very flexible, this commit
refactors the expression to use the python script that Debian uses to
generate their CA certificates from Mozilla's trust store in NSS.

Additionally, an option was added to the cacerts derivation and the
`security.pki` module to blacklist specific CAs.
2016-10-09 02:00:18 +02:00
Ricardo M. Correia 1623476904 nixos.acme: make timer persistent
This makes sure that if the system was powered off when the timer was
supposed to trigger, it will run the next time the system boots up.
2016-10-03 19:31:42 +02:00
Joachim Fasting 98e2b90cf3
grsecurity doc: note that module autoload hardening is disabled 2016-10-02 19:25:58 +02:00
Joachim Fasting 1bb7b44cd7
grsecurity: make GRKERNSEC y and PAX y implicit
These options should always be specified. Note, an implication of this
change is that not specifying any grsec/PaX options results in a build
failure.
2016-10-02 19:25:58 +02:00
Joachim F 7e80c42b0e Merge pull request #18511 from ericsagnes/feat/remove-optionSet
modules: optionSet -> submodule
2016-10-01 17:57:45 +02:00
Shea Levy 3f02cbbcaf Merge branch 'rngd-wantedBy' of git://github.com/srp/nixpkgs-1 2016-09-19 19:06:51 -04:00
Scott R. Parish a560223119 rngd: update modalias to match cpu type
It looks like the cpu type part of modalias might have changed, my
systems (4.4.20 and 4.7.2) show something like the following:

```
cpu:type:x86,ven0000fam0006mod003F:feature:,0000,0001,0002,0003,0004,0005,0006,0007,0008,0009,000B,000C,000D,000E,000F,0010,0011,0013,0017,0018,0019,001A,001C,002B,0034,003B,003D,0068,006F,0070,0072,0074,0075,0076,007D,0080,0081,0089,008C,008D,0091,0093,0094,0095,0096,0097,0098,0099,009A,009B,009C,009D,009E,009F,00C0,00C5,0120,0123,0125,0127,0128,0129,012A,0140
```

Update the rngd modalias rule to match this so udev properly has
systemd start rngd.
2016-09-17 18:36:57 -07:00
Thomas Tuegel 9300b4903f
Revert "nixos/pam: clean up generated files (no functional change) (#18580)"
This reverts commit 1010271c63.
This reverts commit e85e51d41f.

The first commit causes multiple regressions. The second commit tries to
fix the regressions, but does not catch all of them. There are multiple
failing tests, one of which is blocking a package update. That is not
acceptable for a cosmetic patch.
2016-09-17 16:39:49 -05:00
aszlig e85e51d41f
nixos/pam: Fix wrong string concatenation
Regression introduced by 1010271c63.

This caused the line after using the loginuid module to be concatenated
with the next line without a newline.

In turn this has caused a lot of the NixOS VM tests to either run very
slowly (because of constantly hitting PAM errors) or simply fail.

I have tested this only with one of the failing NixOS tests.

Signed-off-by: aszlig <aszlig@redmoonstudios.org>
2016-09-16 15:36:31 +02:00
Joachim Fasting 527b3dc1df
hidepid module: detailed description to external doc 2016-09-15 15:36:03 +02:00
Bjørn Forsman 1010271c63 nixos/pam: clean up generated files (no functional change) (#18580)
The generated files in /etc/pam.d/ typically have a lot of empty lines
in them, due to how the generated Nix strings are joined together;
optional elements that are excluded still produce a newline. This patch
changes how the files are generated to create more compact,
human-friendly output files.

The change is basically this, repeated:

-  ''
-    ${optionalString use_ldap
-        "account sufficient ${pam_ldap}/lib/security/pam_ldap.so"}
-  ''
+  optionalString use_ldap ''
+    account sufficient ${pam_ldap}/lib/security/pam_ldap.so
+  ''
2016-09-14 11:56:07 +01:00
Roger Qiu de0737aed5 sudo: Allow root to use sudo to switch groups 2016-09-13 23:15:56 +10:00
Eric Sagnes fff4a9ee01 pam module: optionSet -> submodule 2016-09-13 12:53:09 +09:00
Eric Sagnes 3acf336f15 acme module: optionSet -> submodule 2016-09-13 12:53:09 +09:00
Franz Pletz 9190dbcc0e Merge pull request #18366 from groxxda/acme-loop
security.acme: require networking for client, remove loop without fallbackHost
2016-09-06 23:02:07 +02:00
Alexander Ried 7f98dca782 security.acme: the client really needs networking
Actually this can be improved since the client only needs network
connectivity if it needs to renew the certificate.
2016-09-06 17:47:00 +02:00
Eelco Dolstra 98102ebd92 Enable the runuser command from util-linux
Fixes #14701.
2016-09-06 17:23:27 +02:00
Joachim Fasting 269f739ded
grsecurity module: set nixpkgs.config.grsecurity = true 2016-09-05 00:56:17 +02:00
Domen Kožar 393e646e4f setuid-wrappers: correctly umount the tmpfs 2016-09-04 17:56:00 +02:00
Karn Kallio 8d977ead38
setuid-wrappers : Prepare permissions for running wrappers
The new setuid-wrappers in /run cannot be executed by users due to:

1) the temporary directory does not allow access
2) the /run is mounted nosuid
2016-09-04 03:19:32 +02:00
Parnell Springmeyer d60581d4d6 Resolving that silly bad argument error. 2016-09-01 19:26:54 -05:00
Parnell Springmeyer c686da8655 Updatig the chromium-suid-sandbox module 2016-09-01 19:26:30 -05:00
Parnell Springmeyer 98c058a1ee Adapting everything for the merged permissions wrappers work. 2016-09-01 19:21:06 -05:00
Parnell Springmeyer 390ab0b3ef everything?: Updating every package that depended on the old setuidPrograms configuration. 2016-09-01 19:17:43 -05:00
Parnell Springmeyer 79e81aa31b security: Removing the old wrappers and replacing with 'permissions-wrappers' 2016-09-01 19:15:56 -05:00
Parnell Springmeyer c16647ec29 security: switching to linuxHeaders so we always stay current with the selected kernel. 2016-09-01 19:15:56 -05:00
Parnell Springmeyer 2efb60c8e9 security: tweaking the setcap-wrapper example to be more relevant 2016-09-01 19:15:56 -05:00
Parnell Springmeyer 1c0f672f7a security: update setcap-wrappers dir to match the system-level dir we're creating on init 2016-09-01 19:15:56 -05:00
Parnell Springmeyer b3d63f8191 security: whitespace wibble 2016-09-01 19:13:54 -05:00
Parnell Springmeyer bfc3956376 security: adding setcap-wrapper functionality 2016-09-01 19:13:54 -05:00
Domen Kožar a6670c1a0b Fixes #18124: atomically replace /var/setuid-wrappers/ (#18186)
Before this commit updating /var/setuid-wrappers/ folder introduced
a small window where NixOS activation scripts could be terminated
and resulted into empty /var/setuid-wrappers/ folder.

That's very unfortunate because one might lose sudo binary.

Instead we use two atomic operations mv and ln (as described in
https://axialcorps.com/2013/07/03/atomically-replacing-files-and-directories/)
to achieve atomicity.

Since /var/setuid-wrappers is not a directory anymore, tmpfs mountpoints
were removed in installation scripts and in boot process.

Tested:

- upgrade /var/setuid-wrappers/ from folder to a symlink
- make sure /run/setuid-wrappers-dirs/ legacy symlink is really deleted
2016-09-01 20:57:51 +02:00
Tuomas Tynkkynen 8c4aeb1780 Merge staging into master
Brings in:
    - changed output order for multiple outputs:
      https://github.com/NixOS/nixpkgs/pull/14766
    - audit disabled by default
      https://github.com/NixOS/nixpkgs/pull/17916

 Conflicts:
	pkgs/development/libraries/openldap/default.nix
2016-09-01 13:27:27 +03:00
Tuomas Tynkkynen 16b3e26da4 audit: Disable by default
Because in its default enabled state it it causes a global performance
hit on all system calls (https://fedorahosted.org/fesco/ticket/1311) and
unwanted spam in dmesg, in particular when using Chromium
(https://github.com/NixOS/nixpkgs/issues/13710).
2016-08-31 23:15:41 +03:00
Tuomas Tynkkynen 5eff0b990c audit service: Explicitly call auditctl to disable everything
Otherwise, journald might be starting auditing.
Some reading:
    - https://fedorahosted.org/fesco/ticket/1311
    - https://github.com/systemd/systemd/issues/959
    - 64f83d3087
2016-08-31 23:15:32 +03:00
Domen Kožar d8d75ddec6 Revert "setuid-wrappers: Update wrapper dir atomically."
This reverts commit ee535056ce.

It doesn't work yet.
2016-08-31 16:25:18 +02:00
Nikolay Amiantov 4499a505ed hidepid service: use new boot.specialFileSystems 2016-08-31 17:16:41 +03:00
Shea Levy ee535056ce setuid-wrappers: Update wrapper dir atomically.
Fixes #18124.
2016-08-31 08:00:57 -04:00
Nikolay Amiantov 509733a343 Merge pull request #17822 from abbradar/systemd-mounts
nixos filesystems: unify special filesystems handling
2016-08-30 22:42:19 +04:00
Joachim Fasting dab32a1fa6
nixos manual: move chapter on grsecurity to auto-generated module docs 2016-08-29 23:48:12 +02:00
Domen Kožar e01e92f12f Merge pull request #15025 from ericsagnes/modules/manual
manual: automatically generate modules documentation
2016-08-28 13:57:34 +02:00
Nikolay Amiantov 6efcfe03ae nixos filesystems: unify early filesystems handling
A new internal config option `fileSystems.<name>.early` is added to indicate
that the filesystem needs to be loaded very early (i.e. in initrd). They are
transformed to a shell script in `system.build.earlyMountScript` with calls to
an undefined `specialMount` function, which is expected to be caller-specific.
This option is used by stage-1, stage-2 and activation script to set up and
remount those filesystems.  Options for them are updated according to systemd
defaults.
2016-08-27 13:38:20 +03:00
Nikolay Amiantov 3f70fcd4c1 Merge pull request #11484 from oxij/nixos-toposort-filesystems
lib: add toposort, nixos: use toposort for fileSystems to properly support bind and move mounts
2016-08-27 14:34:55 +04:00
Markus Mueller e04c3506eb ldap: Add option for login PAM integration 2016-08-23 21:12:51 +02:00
Jan Malakhovski 65d26c4dc1 nixos: apply toposort to fileSystems to support bind and move mounts
And use new `config.system.build.fileSystems` property everywhere.
2016-08-23 18:14:05 +00:00
Joachim Fasting 050b7eec16
grsecurity module: systemd-nspawn requires cap_sys_admin
As with 9ca3504a798291fbd7c49fcfeec8b64daa2022ad

Closes https://github.com/NixOS/nixpkgs/issues/17714
2016-08-15 20:36:47 +02:00
Joachim Fasting 7fd99066c4
grsecurity module: permit chmod +s in sandboxed builds
While useless, some builds may dabble with setuid bits (e.g.,
util-linux), which breaks under grsec.  In the interest of user
friendliness, we once again compromise by disabling an otherwise useful
feature ...

Closes https://github.com/NixOS/nixpkgs/issues/17501
2016-08-15 20:36:47 +02:00
Eric Sagnes 4cdfeb78f9 modules: move meta at top level 2016-08-11 00:29:48 +09:00
Nikolay Amiantov b2413e48ae chromium-suid-sandbox module: fix description 2016-08-08 10:17:31 +03:00
obadz 66d5edf654 chromium: add nixos module security.chromiumSuidSandbox
Closes #17460

Changed the wrapper derivation to produce a second output containing the sandbox.
Add a launch wrapper to try and locate the sandbox (either in /var/setuid-wrappers or in /nix/store).
This launch wrapper also sheds libredirect.so from LD_PRELOAD as Chromium does not tolerate it.

Does not trigger a Chromium rebuild.

cc @cleverca22 @joachifm @jasom
2016-08-06 10:27:47 +01:00
Joachim Fasting 43fc394a5c
grsecurity module: disable EFI runtime services by default
Enabling EFI runtime services provides a venue for injecting code into
the kernel.

When grsecurity is enabled, we close this by default by disabling access
to EFI runtime services.  The upshot of this is that
/sys/firmware/efi/efivars will be unavailable by default (and attempts
to mount it will fail).

This is not strictly a grsecurity related option, it could be made into
a general option, but it seems to be of particular interest to
grsecurity users (for non-grsecurity users, there are other, more
immediate kernel injection attack dangers to contend with anyway).
2016-08-02 10:24:49 +02:00
Joachim Fasting d1572d06fe
grsecurity module: correct internal note 2016-08-01 16:27:14 +02:00
Joachim Fasting 96542a1b00
grsecurity module: assert RBAC support in kernel 2016-07-24 12:54:07 +02:00
Joachim Fasting 5ece58ed66
grsecurity module: add gradm to system path 2016-07-24 12:54:07 +02:00
Joachim Fasting 59c9a88a6b
grsecurity module: tweak lockTunables option description 2016-07-16 11:11:35 +02:00
Joachim Fasting cef7150bc7
grsecurity module: grsecurity is not capitalized mid-sentence 2016-07-16 11:11:35 +02:00
Joachim Fasting 94824303be
grsecurity module: smarter container support
Only set tunables required for container support if there are any containers.
2016-07-16 11:11:35 +02:00
Joachim Fasting c606b9876f
grsecurity module: enforce size overflows by default
It is better to make this conditional on whether the configuration contains a
known size overflow that could prevent the system from booting.
2016-07-16 11:11:35 +02:00
zimbatm b0f8416c5c Merge pull request #16180 from zimbatm/shell-escaping
Escape all shell arguments uniformly
2016-06-19 23:27:52 +01:00
Joachim Fasting 0677cc61c8
nixos: rewrite the grsecurity module
The new module is specifically adapted to the NixOS Grsecurity/PaX
kernel.  The module declares the required kernel configurations and
so *should* be somewhat compatible with custom Grsecurity kernels.

The module exposes only a limited number of options, minimising the need
for user intervention beyond enabling the module. For experts,
Grsecurity/PaX behavior may be configured via `boot.kernelParams` and
`boot.kernel.sysctl`.

The module assumes the user knows what she's doing (esp. if she decides
to modify configuration values not directly exposed by the module).

Administration of Grsecurity's role based access control system is yet
to be implemented.
2016-06-14 03:38:12 +02:00
zimbatm 28fa4a2f03 Escape all shell arguments uniformly 2016-06-12 18:11:37 +01:00
Bob van der Linden 4e6697dcb6 acme: added option security.acme.preliminarySelfsigned (#15562) 2016-06-01 11:39:46 +01:00
Domen Kožar 16535d4a71 setuid-wrappers: remove config.system.path from the closure
The motivation is using sudo in chroot nix builds, a somewhat
special edge case I have and pulling system path into chroot
yields to some very nasty bug like
https://github.com/NixOS/nixpkgs/issues/15581

Previously:

$ cat /var/setuid-wrappers/sudo.real
/nix/store/3sm04dzh0994r86xqxy52jjc0lqnkn65-system-path/bin/sudo

After the change:

$ cat /var/setuid-wrappers/sudo.real
/nix/store/4g9sxbzy8maxf1v217ikp69c0c3q12as-sudo-1.8.15/bin/sudo
2016-05-23 13:47:23 +01:00
Rok Garbas 03b115f8e0 nixos/i3lock-color: added to pam 2016-05-15 07:47:31 +02:00
Joachim Fasting d4d7bfe07b
grsecurity: add option to disable chroot caps restriction
The chroot caps restriction disallows chroot'ed processes from running
any command that requires `CAP_SYS_ADMIN`, breaking `nixos-rebuild`. See
e.g., https://github.com/NixOS/nixpkgs/issues/15293

This significantly weakens chroot protections, but to break
nixos-rebuild out of the box is too severe.
2016-05-10 16:17:08 +02:00
Joachim Fasting c5d1bff2b6
apparmor-suid module: fix libcap lib output reference
After 7382afac40
2016-05-07 21:48:29 +02:00
Joachim Fasting da767356f2
grsecurity: support disabling TCP simultaneous connect
Defaults to OFF because disabling TCP simultaneous connect breaks some
legitimate use cases, notably WebRTC [1], but it's nice to provide the
option for deployments where those features are unneeded anyway.

This is an alternative to https://github.com/NixOS/nixpkgs/pull/4937

[1]: http://article.gmane.org/gmane.linux.documentation/9425
2016-05-04 03:53:24 +02:00
Joachim Fasting 60a27781d6
grsecurity module: fix grsec-lock unit ordering
Requirement without ordering implies parallel execution; it is crucial
that sysctl tunables are finalized before the lock is engaged, however.
2016-05-02 11:28:24 +02:00
Eelco Dolstra 0c5e837b66 acme.nix: Fix unit descriptions
Unit descriptions should be capitalized, and timer units don't have
to describe that they're timers.
2016-04-18 14:20:49 +02:00
Vladimír Čunát 39ebb01d6e Merge branch 'staging', containing closure-size #7701 2016-04-13 09:25:28 +02:00
Joachim Fasting cef2814a4f nixos: add optional process information hiding
This module adds an option `security.hideProcessInformation` that, when
enabled, restricts access to process information such as command-line
arguments to the process owner.  The module adds a static group "proc"
whose members are exempt from process information hiding.

Ideally, this feature would be implemented by simply adding the
appropriate mount options to `fileSystems."/proc".fsOptions`, but this
was found to not work in vmtests. To ensure that process information
hiding is enforced, we use a systemd service unit that remounts `/proc`
after `systemd-remount-fs.service` has completed.

To verify the correctness of the feature, simple tests were added to
nixos/tests/misc: the test ensures that unprivileged users cannot see
process information owned by another user, while members of "proc" CAN.

Thanks to @abbradar for feedback and suggestions.
2016-04-10 12:27:06 +02:00
Vladimír Čunát 710573ce6d Merge #12653: rework default outputs 2016-04-07 16:00:09 +02:00
Vladimír Čunát ab15a62c68 Merge branch 'master' into closure-size
Beware that stdenv doesn't build. It seems something more will be needed
than just resolution of merge conflicts.
2016-04-01 10:06:01 +02:00
Vladimír Čunát d6b46ecb30 Merge branch 'closure-size' into p/default-outputs 2016-03-14 11:27:15 +01:00
Domen Kožar 77ae55308c fix installer tests #13559 2016-03-12 20:19:40 +00:00
Vladimír Čunát 09af15654f Merge master into closure-size
The kde-5 stuff still didn't merge well.
I hand-fixed what I saw, but there may be more problems.
2016-03-08 09:58:19 +01:00