author | Austin Seipp <aseipp@pobox.com> | 2014-04-06 14:18:12 -0500 |
committer | Austin Seipp <aseipp@pobox.com> | 2014-04-11 22:43:51 -0500 |
commit | 172dc1336f108ee81b0f5f8b9be3d27706b1c032 (patch) | |
tree | b9d98f3710365ea9fdc6e57ae00f9ef1cdac2a95 /nixos/modules/config | |
parent | cf24cf1184ad6fc62292b9668c836e5a1435902c (diff) | |
nixos: add grsecurity module (#1875)
This module implements a significant refactoring in grsecurity configuration for NixOS, making it far more usable by default and much easier to configure. - New security.grsecurity NixOS attributes. - All grsec kernels supported - Allows default 'auto' grsec configuration, or custom config - Supports custom kernel options through kernelExtraConfig - Defaults to high-security - user must choose kernel, server/desktop mode, and any virtualisation software. That's all. - kptr_restrict is fixed under grsecurity (it's unwriteable) - grsecurity patch creation is now significantly abstracted - only need revision, version, and SHA1 - kernel version requirements are asserted for sanity - built kernels can have the uname specify the exact grsec version for development or bug reports. Off by default (requires `security.grsecurity.config.verboseVersion = true;`) - grsecurity sysctl support - By default, disabled. - For people who enable it, NixOS deploys a 'grsec-lock' systemd service which runs at startup. You are expected to configure sysctl through NixOS like you regularly would, which will occur before the service is started. As a result, changing sysctl settings requires a reboot. - New default group: 'grsecurity' - Root is a member by default - GRKERNSEC_PROC_GID is implicitly set to the 'grsecurity' GID, making it possible to easily add users to this group for /proc access - AppArmor is now automatically enabled where it wasn't before, despite implying features.apparmor = true The most trivial example of enabling grsecurity in your kernel is by specifying: security.grsecurity.enable = true; security.grsecurity.testing = true; # testing 3.13 kernel security.grsecurity.config.system = "desktop"; # or "server" This specifies absolutely no virtualisation support. In general, you probably at least want KVM host support, which is a little more work. 
So: security.grsecurity.enable = true; security.grsecurity.stable = true; # enable stable 3.2 kernel security.grsecurity.config = { system = "server"; priority = "security"; virtualisationConfig = "host"; virtualisationSoftware = "kvm"; hardwareVirtualisation = true; } This module has primarily been tested on Hetzner EX40 & VQ7 servers using NixOps. Signed-off-by: Austin Seipp <aseipp@pobox.com>
Diffstat (limited to 'nixos/modules/config')
-rw-r--r-- | nixos/modules/config/sysctl.nix | 18 | ||||
-rw-r--r-- | nixos/modules/config/users-groups.nix | 2 |
2 files changed, 13 insertions, 7 deletions
diff --git a/nixos/modules/config/sysctl.nix b/nixos/modules/config/sysctl.nix
index 8f9b31dccff..a910c699cc9 100644
--- a/nixos/modules/config/sysctl.nix
+++ b/nixos/modules/config/sysctl.nix
@@ -6,7 +6,7 @@ let
sysctlOption = mkOptionType {
name = "sysctl option value";
- check = x: isBool x || isString x || isInt x;
+ check = x: isBool x || isString x || isInt x || isNull x;
merge = args: defs: (last defs).value; # FIXME: hacky way to allow overriding in configuration.nix.
};
@@ -29,8 +29,9 @@ in
<manvolnum>8</manvolnum></citerefentry>. Note that sysctl
parameters names must be enclosed in quotes
(e.g. <literal>"vm.swappiness"</literal> instead of
- <literal>vm.swappiness</literal>). The value of each parameter may be a string, integer or Boolean.
+ <literal>vm.swappiness</literal>). The value of each
+ parameter may be a string, integer, boolean, or null
+ (signifying the option will not appear at all).
'';
};
@@ -39,7 +40,9 @@ in
config = {
environment.etc."sysctl.d/nixos.conf".text =
- concatStrings (mapAttrsToList (n: v: "${n}=${if v == false then "0" else toString v}\n") config.boot.kernel.sysctl);
+ concatStrings (mapAttrsToList (n: v:
+ optionalString (v != null) "${n}=${if v == false then "0" else toString v}\n"
+ ) config.boot.kernel.sysctl);
systemd.services.systemd-sysctl =
{ description = "Apply Kernel Variables";
@@ -65,8 +68,9 @@ in
# Hide kernel pointers (e.g. in /proc/modules) for unprivileged
# users as these make it easier to exploit kernel vulnerabilities.
- boot.kernel.sysctl."kernel.kptr_restrict" = 1;
-
+ #
+ # Removed under grsecurity.
+ boot.kernel.sysctl."kernel.kptr_restrict" =
+ if config.security.grsecurity.enable then null else 1;
};
-
}
diff --git a/nixos/modules/config/users-groups.nix b/nixos/modules/config/users-groups.nix
index 061f51ccda7..c27a94a22d5 100644
--- a/nixos/modules/config/users-groups.nix
+++ b/nixos/modules/config/users-groups.nix
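Review bot: The new `# Removed under grsecurity.` comment in the last sysctl.nix hunk gives no reason, so a later reader may well restore the hardening line without knowing that, as the commit message states, grsecurity makes kernel.kptr_restrict unwritable and writing it would only make systemd-sysctl fail; I would replace the two added comment lines with `# Under grsecurity kernel.kptr_restrict is read-only (pointer hiding is enforced by` / `# the kernel itself), so the setting is dropped there rather than failing in systemd-sysctl.`. The same hunk also makes this generic module reference config.security.grsecurity.enable, so sysctl.nix now evaluates only when the grsecurity module's options are declared; it seems cleaner to have the grsecurity module define the null value itself, provided the custom merge in the first hunk (`(last defs).value`, already flagged as hacky by the FIXME) lets that definition take effect. The enclosing `config = { ... }` attribute set starts before this hunk.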
@@ -392,6 +392,7 @@ in {
home = "/root";
shell = cfg.defaultUserShell;
group = "root";
+ extraGroups = [ "grsecurity" ];
hashedPassword = mkDefault config.security.initialRootPassword;
};
nobody = {
@@ -420,6 +421,7 @@ in {
nixbld.gid = ids.gids.nixbld;
utmp.gid = ids.gids.utmp;
adm.gid = ids.gids.adm;
+ grsecurity.gid = ids.gids.grsecurity;
};
system.activationScripts.users = |
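Review bot: Both users-groups.nix hunks add the `grsecurity` group and root's membership in it unconditionally, so every NixOS system gets the group and the extra root membership even when security.grsecurity.enable is false; per the commit message the group only matters as GRKERNSEC_PROC_GID for /proc access, so on other kernels it is inert but still widens the default group set and may confuse audits of root's groups. I would gate both definitions on the grsecurity option (for root, something like `extraGroups = optional config.security.grsecurity.enable "grsecurity";`, assuming lib's `optional` is in scope here) or, better, move them into the grsecurity module next to the option that gives them meaning. The new `ids.gids.grsecurity` must also be declared in ids.nix, which is outside this diffstat (limited to nixos/modules/config), so that part cannot be checked here. The enclosing `users.extraUsers.root` and group attribute sets start before each hunk.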