author | Austin Seipp <aseipp@pobox.com> | 2014-04-06 14:18:12 -0500 |
---|---|---|
committer | Austin Seipp <aseipp@pobox.com> | 2014-04-11 22:43:51 -0500 |
commit | 172dc1336f108ee81b0f5f8b9be3d27706b1c032 (patch) | |
tree | b9d98f3710365ea9fdc6e57ae00f9ef1cdac2a95 /pkgs/os-specific/linux/kernel/patches.nix | |
parent | cf24cf1184ad6fc62292b9668c836e5a1435902c (diff) | |
nixos: add grsecurity module (#1875)
This module implements a significant refactoring in grsecurity configuration for NixOS, making it far more usable by default and much easier to configure. - New security.grsecurity NixOS attributes. - All grsec kernels supported - Allows default 'auto' grsec configuration, or custom config - Supports custom kernel options through kernelExtraConfig - Defaults to high-security - user must choose kernel, server/desktop mode, and any virtualisation software. That's all. - kptr_restrict is fixed under grsecurity (it's unwriteable) - grsecurity patch creation is now significantly abstracted - only need revision, version, and SHA1 - kernel version requirements are asserted for sanity - built kernels can have the uname specify the exact grsec version for development or bug reports. Off by default (requires `security.grsecurity.config.verboseVersion = true;`) - grsecurity sysctl support - By default, disabled. - For people who enable it, NixOS deploys a 'grsec-lock' systemd service which runs at startup. You are expected to configure sysctl through NixOS like you regularly would, which will occur before the service is started. As a result, changing sysctl settings requires a reboot. - New default group: 'grsecurity' - Root is a member by default - GRKERNSEC_PROC_GID is implicitly set to the 'grsecurity' GID, making it possible to easily add users to this group for /proc access - AppArmor is now automatically enabled where it wasn't before, despite implying features.apparmor = true The most trivial example of enabling grsecurity in your kernel is by specifying: security.grsecurity.enable = true; security.grsecurity.testing = true; # testing 3.13 kernel security.grsecurity.config.system = "desktop"; # or "server" This specifies absolutely no virtualisation support. In general, you probably at least want KVM host support, which is a little more work. 
So: security.grsecurity.enable = true; security.grsecurity.stable = true; # enable stable 3.2 kernel security.grsecurity.config = { system = "server"; priority = "security"; virtualisationConfig = "host"; virtualisationSoftware = "kvm"; hardwareVirtualisation = true; } This module has primarily been tested on Hetzner EX40 & VQ7 servers using NixOps. Signed-off-by: Austin Seipp <aseipp@pobox.com>
Diffstat (limited to 'pkgs/os-specific/linux/kernel/patches.nix')
-rw-r--r-- | pkgs/os-specific/linux/kernel/patches.nix | 51 |
1 files changed, 31 insertions, 20 deletions
diff --git a/pkgs/os-specific/linux/kernel/patches.nix b/pkgs/os-specific/linux/kernel/patches.nix
index 8e3cb5f7aaa..267e5657e6c 100644
--- a/pkgs/os-specific/linux/kernel/patches.nix
+++ b/pkgs/os-specific/linux/kernel/patches.nix
@@ -18,6 +18,18 @@ let
 };
 };
+ grsecPatch = { grversion ? "3.0", kversion, revision, branch, sha256 }:
+ { name = "grsecurity-${grversion}-${kversion}";
+ inherit grversion kversion revision;
+ patch = fetchurl {
+ url = "http://grsecurity.net/${branch}/grsecurity-${grversion}-${kversion}-${revision}.patch";
+ inherit sha256;
+ };
+ features.grsecurity = true;
+ # The grsec kernel patchset includes AppArmor patches
+ features.apparmor = true;
+ };
+
 makeAppArmorPatch = {apparmor, version}: stdenv.mkDerivation {
 name = "apparmor-${version}.patch";
@@ -26,6 +38,7 @@ let
 cat ${apparmor}/kernel-patches/${version}/* > $out
 '';
 };
+
 in
 rec {
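Review bot: The `url` in `grsecPatch` fetches a kernel hardening patch over plain `http://`, so the pinned `sha256` is the only integrity control, and it is only as trustworthy as the channel the hash was first computed from. If the host serves the same path over TLS, prefer `url = "https://grsecurity.net/${branch}/grsecurity-${grversion}-${kversion}-${revision}.patch";`. A comment above `inherit sha256;` such as `# hash taken from a copy checked against upstream's detached signature` would record the provenance, assuming upstream publishes a signature. The new AppArmor comment also drops the old "seems to include ... as of <version>" hedge while `features.apparmor = true` now applies to every branch, including `vserver`; it should say which patch revisions that was confirmed on.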
@@ -71,31 +84,29 @@ rec {
 sha256 = "00b1rqgd4yr206dxp4mcymr56ymbjcjfa4m82pxw73khj032qw3j";
 };
+ grsecurity_stable = grsecPatch
+ { kversion = "3.2.57";
+ revision = "201404111812";
+ branch = "stable";
+ sha256 = "1kp2f5g5jdl6r833fm5l2sgf7qsjddl2br7mislc37iqgwzjmhlx";
+ };
- grsecurity_3_0_3_2_57 =
- { name = "grsecurity-3.0-3.2.57";
- patch = fetchurl {
- url = http://grsecurity.net/stable/grsecurity-3.0-3.2.57-201404091758.patch;
- sha256 = "07rswg6vqyak9ccan954izx1fr0c6c6fn8whlzl0787dabpai3i3";
- };
- features.grsecurity = true;
- # The grsec kernel patch seems to include the apparmor patches as of 3.0-3.2.57
- features.apparmor = true;
+ grsecurity_vserver = grsecPatch
+ { kversion = "3.2.57";
+ revision = "vs2.3.2.16-201404111814";
+ branch = "vserver";
+ sha256 = "025kxk4j8kx7v5gmpafls67747l39ssfmzh0drg0hyg2yc0hjk2c";
 };
- grsecurity_3_0_3_13_9 =
- { name = "grsecurity-3.0-3.13.9";
- patch = fetchurl {
- url = http://grsecurity.net/test/grsecurity-3.0-3.13.9-201404062127.patch;
- sha256 = "0kwqgw2a44wqhwjwws63ww15apb8jki372iccq7h1w5vi551sl0m";
- };
- features.grsecurity = true;
- # The grsec kernel patch seems to include the apparmor patches as of 3.0-3.13.9
- features.apparmor = true;
+ grsecurity_unstable = grsecPatch
+ { kversion = "3.13.9";
+ revision = "201404111815";
+ branch = "test";
+ sha256 = "1ikqvi0hv32m5rgxa8dpqr5v84hx7bnjfr6c1bvsfqikc818isvy";
 };
- grsec_path =
- { name = "grsec-path";
+ grsec_fix_path =
+ { name = "grsec-fix-path";
 patch = ./grsec-path.patch;
 };
 } |
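Review bot: `grsecurity_stable` and `grsecurity_vserver` both pass `kversion = "3.2.57"` with the default `grversion`, so the `name` expression in `grsecPatch` (first hunk) gives both the name `grsecurity-3.0-3.2.57`, although they are different patches from different branches. Anything that identifies or logs a kernel patch by `name` cannot tell them apart, which makes it harder to audit which hardening patchset a kernel was built with. Including the revision in `grsecPatch`, e.g. `name = "grsecurity-${grversion}-${kversion}-${revision}";`, would keep the names unique. Separately, `grsec_fix_path` still points at `./grsec-path.patch`; a one-line comment saying what the patch fixes would help.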