Diffstat (limited to 'nixos/modules/config')
-rw-r--r--nixos/modules/config/sysctl.nix18
-rw-r--r--nixos/modules/config/users-groups.nix2
2 files changed, 13 insertions, 7 deletions
diff --git a/nixos/modules/config/sysctl.nix b/nixos/modules/config/sysctl.nix
index 8f9b31dccff..a910c699cc9 100644
--- a/nixos/modules/config/sysctl.nix
+++ b/nixos/modules/config/sysctl.nix
@@ -6,7 +6,7 @@ let
 
   sysctlOption = mkOptionType {
     name = "sysctl option value";
-    check = x: isBool x || isString x || isInt x;
+    check = x: isBool x || isString x || isInt x || isNull x;
     merge = args: defs: (last defs).value; # FIXME: hacky way to allow overriding in configuration.nix.
   };
 
@@ -29,8 +29,9 @@ in
         <manvolnum>8</manvolnum></citerefentry>.  Note that sysctl
         parameters names must be enclosed in quotes
         (e.g. <literal>"vm.swappiness"</literal> instead of
-        <literal>vm.swappiness</literal>).  The value of each parameter
-        may be a string, integer or Boolean.
+        <literal>vm.swappiness</literal>).  The value of each
+        parameter may be a string, integer, boolean, or null
+        (signifying the option will not appear at all).
       '';
     };
 
@@ -39,7 +40,9 @@ in
   config = {
 
     environment.etc."sysctl.d/nixos.conf".text =
-      concatStrings (mapAttrsToList (n: v: "${n}=${if v == false then "0" else toString v}\n") config.boot.kernel.sysctl);
+      concatStrings (mapAttrsToList (n: v:
+        optionalString (v != null) "${n}=${if v == false then "0" else toString v}\n"
+      ) config.boot.kernel.sysctl);
 
     systemd.services.systemd-sysctl =
       { description = "Apply Kernel Variables";
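Review bot: The new `optionalString (v != null)` filter drops the key from `nixos.conf` entirely, and because `sysctlOption.merge` (earlier in this file) takes `(last defs).value`, any later module definition of `null` silently removes a hardening default such as `kernel.kptr_restrict` with no `mkForce`/priority involved. That deserves a comment at the filter so the next reader does not assume the kernel's built-in default is what NixOS intended; I would add `# null omits the key entirely (kernel default applies); note the last-definition merge above lets any later definition do this silently.` The `config = {` attribute set that holds this hunk continues past its last line.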
@@ -65,8 +68,9 @@ in
 
     # Hide kernel pointers (e.g. in /proc/modules) for unprivileged
     # users as these make it easier to exploit kernel vulnerabilities.
-    boot.kernel.sysctl."kernel.kptr_restrict" = 1;
-
+    #
+    # Removed under grsecurity.
+    boot.kernel.sysctl."kernel.kptr_restrict" =
+      if config.security.grsecurity.enable then null else 1;
   };
-
 }
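Review bot: The comment `# Removed under grsecurity.` does not say what is removed or why, which matters here because the effect is that a hardening sysctl is no longer written at all when `security.security.grsecurity.enable` is set. I would replace it with `# Presumably grsecurity kernels handle pointer hiding themselves and may not expose this sysctl; emit nothing rather than let systemd-sysctl fail on an unknown key — confirm against the kernel config.`, keeping the assumption visibly hedged. If a grsecurity kernel does still expose `kernel.kptr_restrict`, this change downgrades it to the kernel default on those systems, so the comment should be verified rather than taken on faith. The enclosing `config = {` set starts before this hunk.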
diff --git a/nixos/modules/config/users-groups.nix b/nixos/modules/config/users-groups.nix
index 061f51ccda7..c27a94a22d5 100644
--- a/nixos/modules/config/users-groups.nix
+++ b/nixos/modules/config/users-groups.nix
@@ -392,6 +392,7 @@ in {
         home = "/root";
         shell = cfg.defaultUserShell;
         group = "root";
+        extraGroups = [ "grsecurity" ];
         hashedPassword = mkDefault config.security.initialRootPassword;
       };
       nobody = {
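Review bot: `extraGroups = [ "grsecurity" ];` gives root membership in the new group on every system, not only when grsecurity is enabled, and the companion `grsecurity.gid = ids.gids.grsecurity;` in the next hunk likewise creates the group unconditionally in a generic module. Guarding both on the same option the sysctl change keys off would keep non-grsecurity hosts free of an unused group and an unexplained root membership: `extraGroups = optional config.security.grsecurity.enable "grsecurity";` here and `grsecurity = mkIf config.security.grsecurity.enable { gid = ids.gids.grsecurity; };` in the group set (assuming `lib` is in scope via `with lib;` as the surrounding `mkDefault` suggests). Note also that `ids.gids.grsecurity` must be defined in `ids.nix`, which is outside this path-limited diffstat, so it cannot be confirmed here. The root user definition starts before this hunk.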
@@ -420,6 +421,7 @@ in {
       nixbld.gid = ids.gids.nixbld;
       utmp.gid = ids.gids.utmp;
       adm.gid = ids.gids.adm;
+      grsecurity.gid = ids.gids.grsecurity;
     };
 
     system.activationScripts.users =