diff options
| author | Joachim Fasting <joachifm@fastmail.fm> | 2016-06-09 20:12:31 +0200 |
|---|---|---|
| committer | Joachim Fasting <joachifm@fastmail.fm> | 2016-06-14 03:38:12 +0200 |
| commit | 0677cc61c8fae0b699a9be837c897b8d7b6d837c (patch) | |
| tree | fe955cc6f155f98ded38ad8872d3b78b08464223 /nixos/modules/rename.nix | |
| parent | 75b9a7beac4529fcff9e452e5e88f6ddfb4567f6 (diff) | |
| download | nixpkgs-0677cc61c8fae0b699a9be837c897b8d7b6d837c.tar nixpkgs-0677cc61c8fae0b699a9be837c897b8d7b6d837c.tar.gz nixpkgs-0677cc61c8fae0b699a9be837c897b8d7b6d837c.tar.bz2 nixpkgs-0677cc61c8fae0b699a9be837c897b8d7b6d837c.tar.lz nixpkgs-0677cc61c8fae0b699a9be837c897b8d7b6d837c.tar.xz nixpkgs-0677cc61c8fae0b699a9be837c897b8d7b6d837c.tar.zst nixpkgs-0677cc61c8fae0b699a9be837c897b8d7b6d837c.zip | |
nixos: rewrite the grsecurity module
The new module is specifically adapted to the NixOS Grsecurity/PaX kernel. The module declares the required kernel configurations and so *should* be somewhat compatible with custom Grsecurity kernels. The module exposes only a limited number of options, minimising the need for user intervention beyond enabling the module. For experts, Grsecurity/PaX behavior may be configured via `boot.kernelParams` and `boot.kernel.sysctl`. The module assumes the user knows what she's doing (esp. if she decides to modify configuration values not directly exposed by the module). Administration of Grsecurity's role based access control system is yet to be implemented.
Diffstat (limited to 'nixos/modules/rename.nix')
| -rw-r--r-- | nixos/modules/rename.nix | 20 |
1 files changed, 20 insertions, 0 deletions
diff --git a/nixos/modules/rename.nix b/nixos/modules/rename.nix index 3440261c396..634f91a275d 100644 --- a/nixos/modules/rename.nix +++ b/nixos/modules/rename.nix @@ -114,6 +114,26 @@ with lib; (mkRenamedOptionModule [ "services" "iodined" "extraConfig" ] [ "services" "iodine" "server" "extraConfig" ]) (mkRemovedOptionModule [ "services" "iodined" "client" ]) + # Grsecurity + (mkRemovedOptionModule [ "security" "grsecurity" "kernelPatch" ]) + (mkRemovedOptionModule [ "security" "grsecurity" "config" "mode" ]) + (mkRemovedOptionModule [ "security" "grsecurity" "config" "priority" ]) + (mkRemovedOptionModule [ "security" "grsecurity" "config" "system" ]) + (mkRemovedOptionModule [ "security" "grsecurity" "config" "virtualisationConfig" ]) + (mkRemovedOptionModule [ "security" "grsecurity" "config" "hardwareVirtualisation" ]) + (mkRemovedOptionModule [ "security" "grsecurity" "config" "virtualisationSoftware" ]) + (mkRemovedOptionModule [ "security" "grsecurity" "config" "sysctl" ]) + (mkRemovedOptionModule [ "security" "grsecurity" "config" "denyChrootChmod" ]) + (mkRemovedOptionModule [ "security" "grsecurity" "config" "denyChrootCaps" ]) + (mkRemovedOptionModule [ "security" "grsecurity" "config" "denyUSB" ]) + (mkRemovedOptionModule [ "security" "grsecurity" "config" "restrictProc" ]) + (mkRemovedOptionModule [ "security" "grsecurity" "config" "restrictProcWithGroup" ]) + (mkRemovedOptionModule [ "security" "grsecurity" "config" "unrestrictProcGid" ]) + (mkRemovedOptionModule [ "security" "grsecurity" "config" "disableRBAC" ]) + (mkRemovedOptionModule [ "security" "grsecurity" "config" "disableSimultConnect" ]) + (mkRemovedOptionModule [ "security" "grsecurity" "config" "verboseVersion" ]) + (mkRemovedOptionModule [ "security" "grsecurity" "config" "kernelExtraConfig" ]) + # Options that are obsolete and have no replacement. (mkRemovedOptionModule [ "boot" "initrd" "luks" "enable" ]) (mkRemovedOptionModule [ "programs" "bash" "enable" ]) |