Diffstat (limited to 'pkgs/build-support/grsecurity/default.nix')
-rw-r--r-- | pkgs/build-support/grsecurity/default.nix | 12 |
1 files changed, 7 insertions, 5 deletions
diff --git a/pkgs/build-support/grsecurity/default.nix b/pkgs/build-support/grsecurity/default.nix
index e66b348d082..e82792be033 100644
--- a/pkgs/build-support/grsecurity/default.nix
+++ b/pkgs/build-support/grsecurity/default.nix
@@ -10,6 +10,7 @@ let
 mode = "auto";
 sysctl = false;
 denyChrootChmod = false;
+ denyUSB = false;
 restrictProc = false;
 restrictProcWithGroup = true;
 unrestrictProcGid = 121; # Ugh, an awful hack. See grsecurity NixOS gid
@@ -32,7 +33,7 @@ let
 grKernel = if cfg.stable
 then mkKernel pkgs.linux_3_14 stable-patch
- else mkKernel pkgs.linux_3_15 test-patch;
+ else mkKernel pkgs.linux_3_19 test-patch;
 ## -- grsecurity configuration ---------------------------------------------
@@ -49,14 +50,14 @@ let
 "GRKERNSEC_CONFIG_SERVER y";
 grsecVirtCfg =
- if cfg.config.virtualisationConfig == "none" then
+ if cfg.config.virtualisationConfig == null then
 "GRKERNSEC_CONFIG_VIRT_NONE y"
 else if cfg.config.virtualisationConfig == "host" then
 "GRKERNSEC_CONFIG_VIRT_HOST y"
 else
 "GRKERNSEC_CONFIG_VIRT_GUEST y";
- grsecHwvirtCfg = if cfg.config.virtualisationConfig == "none" then "" else
+ grsecHwvirtCfg = if cfg.config.virtualisationConfig == null then "" else
 if cfg.config.hardwareVirtualisation == true then
 "GRKERNSEC_CONFIG_VIRT_EPT y"
 else
@@ -65,7 +66,7 @@ let
 grsecVirtswCfg =
 let virtCfg = opt: "GRKERNSEC_CONFIG_VIRT_"+opt+" y";
 in
- if cfg.config.virtualisationConfig == "none" then ""
+ if cfg.config.virtualisationConfig == null then ""
 else if cfg.config.virtualisationSoftware == "xen" then virtCfg "XEN"
 else if cfg.config.virtualisationSoftware == "kvm" then virtCfg "KVM"
 else if cfg.config.virtualisationSoftware == "vmware" then virtCfg "VMWARE"
@@ -84,7 +85,7 @@ let
 let boolToKernOpt = b: if b then "y" else "n";
 # Disable RANDSTRUCT under virtualbox, as it has some kind of
 # breakage with the vbox guest drivers
- #randstruct = optionalString config.services.virtualbox.enable
+ #randstruct = optionalString config.services.virtualboxGuest.enable
 # "GRKERNSEC_RANDSTRUCT n";
 # Disable restricting links under the testing kernel, as something
@@ -106,6 +107,7 @@ let
 GRKERNSEC_SYSCTL ${boolToKernOpt cfg.config.sysctl}
 GRKERNSEC_CHROOT_CHMOD ${boolToKernOpt cfg.config.denyChrootChmod}
+ GRKERNSEC_DENYUSB ${boolToKernOpt cfg.config.denyUSB}
 GRKERNSEC_NO_RBAC ${boolToKernOpt cfg.config.disableRBAC}
 ${restrictLinks}
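Review bot: There is no longer any branch for a caller that still passes the string "none" to virtualisationConfig: after the `== null` change in grsecVirtCfg such a value falls through to the final else and emits `GRKERNSEC_CONFIG_VIRT_GUEST y`, and the same fall-through occurs in the grsecHwvirtCfg and grsecVirtswCfg hunks, which then also emit EPT and software-virtualisation lines for a machine that was declared to have no virtualisation at all. If the option type in the NixOS module still admits "none" (not visible here), either keep the string as an accepted alias, `if cfg.config.virtualisationConfig == null || cfg.config.virtualisationConfig == "none" then`, or reject it up front with `assert cfg.config.virtualisationConfig != "none";` so the misconfiguration fails at evaluation instead of silently producing a guest-hardened kernel config. The let-block these bindings belong to starts before the hunk.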
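Review bot: `GRKERNSEC_DENYUSB ${boolToKernOpt cfg.config.denyUSB}` compiles the feature in, but as far as I recall the grsecurity Kconfig help it only takes effect once the runtime `deny_new_usb` sysctl (under kernel.grsecurity, if I remember the path correctly) is set to 1 — worth confirming against the Kconfig shipped with the 3.19 test patch. Setting `denyUSB = true` (default `false` in the first hunk) therefore does not refuse USB devices by itself, and the option should say so, e.g. a comment next to the default: `# Compiles in the deny_new_usb sysctl toggle; new devices are only refused once that sysctl is set to 1 at runtime.` It is also worth checking whether the toggle is reachable when `GRKERNSEC_SYSCTL` is off (`cfg.config.sysctl` defaults to false here); if it is not, an assertion tying `denyUSB` to `sysctl` would avoid a silently inert option. The heredoc this line sits in continues outside the hunk.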