author | Joachim Fasting <joachifm@fastmail.fm> | 2016-12-05 19:02:10 +0100 |
committer | Joachim Fasting <joachifm@fastmail.fm> | 2016-12-06 01:22:53 +0100 |
commit | 8c1f5afdf3570c18da7d40bc767115f1254253c5 (patch) | |
tree | 6c5b6a39d93fe8e202fee1924dc671ae43a28ec8 /nixos/modules/security | |
parent | 601b47ab94e3aeb976d8eb9818b7f97f79edab58 (diff) | |
grsecurity: delay toggling of sysctls until system is up
We generally trust init, so there's little point in having these enabled during early bootup; it accomplishes little except fill our logs with spam.
Diffstat (limited to 'nixos/modules/security')
-rw-r--r-- | nixos/modules/security/grsecurity.nix | 47 |
1 files changed, 45 insertions, 2 deletions
diff --git a/nixos/modules/security/grsecurity.nix b/nixos/modules/security/grsecurity.nix
index 92afb74956e..6838dbd111b 100644
--- a/nixos/modules/security/grsecurity.nix
+++ b/nixos/modules/security/grsecurity.nix
@@ -109,19 +109,62 @@ in
 boot.kernel.sysctl = {
 # Read-only under grsecurity
 "kernel.kptr_restrict" = mkForce null;
+
+ # All grsec tunables default to off, those not enabled below are
+ # *disabled*. We use mkDefault to allow expert users to override
+ # our choices, but use mkForce where tunables would outright
+ # conflict with other settings.
+
+ # Enable all chroot restrictions by default (overwritten as
+ # necessary below)
+ "kernel.grsecurity.chroot_caps" = mkDefault 1;
+ "kernel.grsecurity.chroot_deny_bad_rename" = mkDefault 1;
+ "kernel.grsecurity.chroot_deny_chmod" = mkDefault 1;
+ "kernel.grsecurity.chroot_deny_chroot" = mkDefault 1;
+ "kernel.grsecurity.chroot_deny_fchdir" = mkDefault 1;
+ "kernel.grsecurity.chroot_deny_mknod" = mkDefault 1;
+ "kernel.grsecurity.chroot_deny_mount" = mkDefault 1;
+ "kernel.grsecurity.chroot_deny_pivot" = mkDefault 1;
+ "kernel.grsecurity.chroot_deny_shmat" = mkDefault 1;
+ "kernel.grsecurity.chroot_deny_sysctl" = mkDefault 1;
+ "kernel.grsecurity.chroot_deny_unix" = mkDefault 1;
+ "kernel.grsecurity.chroot_enforce_chdir" = mkDefault 1;
+ "kernel.grsecurity.chroot_findtask" = mkDefault 1;
+ "kernel.grsecurity.chroot_restrict_nice" = mkDefault 1;
+
+ # Enable various grsec protections
+ "kernel.grsecurity.consistent_setxid" = mkDefault 1;
+ "kernel.grsecurity.deter_bruteforce" = mkDefault 1;
+ "kernel.grsecurity.fifo_restrictions" = mkDefault 1;
+ "kernel.grsecurity.harden_ipc" = mkDefault 1;
+ "kernel.grsecurity.harden_ptrace" = mkDefault 1;
+ "kernel.grsecurity.harden_tty" = mkDefault 1;
+ "kernel.grsecurity.ip_blackhole" = mkDefault 1;
+ "kernel.grsecurity.linking_restrictions" = mkDefault 1;
+ "kernel.grsecurity.ptrace_readexec" = mkDefault 1;
+
+ # Enable auditing
+ "kernel.grsecurity.audit_ptrace" = mkDefault 1;
+ "kernel.grsecurity.forkfail_logging" = mkDefault 1;
+ "kernel.grsecurity.rwxmap_logging" = mkDefault 1;
+ "kernel.grsecurity.signal_logging" = mkDefault 1;
+ "kernel.grsecurity.timechange_logging" = mkDefault 1;
 } // optionalAttrs config.nix.useSandbox {
 # chroot(2) restrictions that conflict with sandboxed Nix builds
 "kernel.grsecurity.chroot_caps" = mkForce 0;
+ "kernel.grsecurity.chroot_deny_chmod" = mkForce 0;
 "kernel.grsecurity.chroot_deny_chroot" = mkForce 0;
 "kernel.grsecurity.chroot_deny_mount" = mkForce 0;
 "kernel.grsecurity.chroot_deny_pivot" = mkForce 0;
- "kernel.grsecurity.chroot_deny_chmod" = mkForce 0;
 } // optionalAttrs containerSupportRequired {
 # chroot(2) restrictions that conflict with NixOS lightweight containers
+ "kernel.grsecurity.chroot_caps" = mkForce 0;
 "kernel.grsecurity.chroot_deny_chmod" = mkForce 0;
 "kernel.grsecurity.chroot_deny_mount" = mkForce 0;
 "kernel.grsecurity.chroot_restrict_nice" = mkForce 0;
- "kernel.grsecurity.chroot_caps" = mkForce 0;
+ # Disable privileged IO by default, unless X is enabled
+ } // optionalAttrs (!config.services.xserver.enable) {
+ "kernel.grsecurity.disable_priv_io" = mkDefault 1;
 };
 }; |
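Review bot: The added comment `# Disable privileged IO by default, unless X is enabled` sits inside the `containerSupportRequired` attribute set, after its last entry, although it describes the `optionalAttrs (!config.services.xserver.enable)` set that follows; moving it below the `} // optionalAttrs (!config.services.xserver.enable) {` line keeps the explanation next to the tunable it covers, and since the sets are merged with `//` the move is purely cosmetic. Because that guard omits the attribute when X is enabled rather than defining it, a host with the X server enabled gets no `kernel.grsecurity.disable_priv_io` entry at all, which is the same as leaving privileged I/O permitted; a short comment saying so, e.g. `# Left unset when X is enabled: privileged IO stays permitted`, would make the trade-off visible to readers of the module. The commit message describes delaying the toggling of these sysctls until the system is up, but this hunk only contains the `boot.kernel.sysctl` definitions and the diffstat is limited to `nixos/modules/security`, so any removal of an earlier early-boot mechanism is presumably outside this view and is not reviewed here.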