From 268eb4adb7e58833a11ba555aded6dd697e8233d Mon Sep 17 00:00:00 2001 From: Joachim Fasting Date: Sat, 2 Sep 2017 20:25:22 +0200 Subject: nixos: purge remaining grsecurity bits :( Fixes https://github.com/NixOS/nixpkgs/issues/28859 --- nixos/doc/manual/release-notes/rl-1609.xml | 2 +- nixos/modules/module-list.nix | 1 - nixos/modules/rename.nix | 20 -- nixos/modules/security/grsecurity.nix | 169 ------------- nixos/modules/security/grsecurity.xml | 385 ----------------------------- 5 files changed, 1 insertion(+), 576 deletions(-) delete mode 100644 nixos/modules/security/grsecurity.nix delete mode 100644 nixos/modules/security/grsecurity.xml (limited to 'nixos') diff --git a/nixos/doc/manual/release-notes/rl-1609.xml b/nixos/doc/manual/release-notes/rl-1609.xml index 3abafac9737..893f894f42f 100644 --- a/nixos/doc/manual/release-notes/rl-1609.xml +++ b/nixos/doc/manual/release-notes/rl-1609.xml @@ -176,7 +176,7 @@ following incompatible changes: streamlined. Desktop users should be able to simply set security.grsecurity.enable = true to get a reasonably secure system without having to sacrifice too much - functionality. See for documentation + functionality. Special filesystems, like /proc, diff --git a/nixos/modules/module-list.nix b/nixos/modules/module-list.nix index 641a9e6095e..cc7aa519478 100644 --- a/nixos/modules/module-list.nix +++ b/nixos/modules/module-list.nix @@ -121,7 +121,6 @@ ./security/chromium-suid-sandbox.nix ./security/dhparams.nix ./security/duosec.nix - ./security/grsecurity.nix ./security/hidepid.nix ./security/lock-kernel-modules.nix ./security/oath.nix diff --git a/nixos/modules/rename.nix b/nixos/modules/rename.nix index 6b33eeb6e4e..fcf4c32d277 100644 --- a/nixos/modules/rename.nix +++ b/nixos/modules/rename.nix 
@@ -124,26 +124,6 @@ with lib; (mkRenamedOptionModule [ "services" "iodined" "extraConfig" ] [ "services" "iodine" "server" "extraConfig" ]) (mkRemovedOptionModule [ "services" "iodined" "client" ] "") - # Grsecurity - (mkRemovedOptionModule [ "security" "grsecurity" "kernelPatch" ] "") - (mkRemovedOptionModule [ "security" "grsecurity" "config" "mode" ] "") - (mkRemovedOptionModule [ "security" "grsecurity" "config" "priority" ] "") - (mkRemovedOptionModule [ "security" "grsecurity" "config" "system" ] "") - (mkRemovedOptionModule [ "security" "grsecurity" "config" "virtualisationConfig" ] "") - (mkRemovedOptionModule [ "security" "grsecurity" "config" "hardwareVirtualisation" ] "") - (mkRemovedOptionModule [ "security" "grsecurity" "config" "virtualisationSoftware" ] "") - (mkRemovedOptionModule [ "security" "grsecurity" "config" "sysctl" ] "") - (mkRemovedOptionModule [ "security" "grsecurity" "config" "denyChrootChmod" ] "") - (mkRemovedOptionModule [ "security" "grsecurity" "config" "denyChrootCaps" ] "") - (mkRemovedOptionModule [ "security" "grsecurity" "config" "denyUSB" ] "") - (mkRemovedOptionModule [ "security" "grsecurity" "config" "restrictProc" ] "") - (mkRemovedOptionModule [ "security" "grsecurity" "config" "restrictProcWithGroup" ] "") - (mkRemovedOptionModule [ "security" "grsecurity" "config" "unrestrictProcGid" ] "") - (mkRemovedOptionModule [ "security" "grsecurity" "config" "disableRBAC" ] "") - (mkRemovedOptionModule [ "security" "grsecurity" "config" "disableSimultConnect" ] "") - (mkRemovedOptionModule [ "security" "grsecurity" "config" "verboseVersion" ] "") - (mkRemovedOptionModule [ "security" "grsecurity" "config" "kernelExtraConfig" ] "") - # Unity3D (mkRenamedOptionModule [ "programs" "unity3d" "enable" ] [ "security" "chromiumSuidSandbox" "enable" ]) diff --git a/nixos/modules/security/grsecurity.nix b/nixos/modules/security/grsecurity.nix deleted file mode 100644 index d23c7f2e86d..00000000000 
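Review bot: Dropping the `mkRemovedOptionModule` entries together with the module itself leaves no removal notice for the options the module actually exposed (`enable`, `lockTunables`, `disableEfiRuntimeServices` per the deleted grsecurity.nix), so an existing configuration with `security.grsecurity.enable = true` will now fail evaluation with a generic undefined-option error rather than an explanation of why the hardening is gone. Consider keeping three entries in this hunk, e.g. `(mkRemovedOptionModule [ "security" "grsecurity" "enable" ] "grsecurity/PaX support has been removed, see NixOS/nixpkgs#28859")` and the same for `lockTunables` and `disableEfiRuntimeServices`. The `config.*` entries being removed here only covered sub-options that were already marked removed, so those can go as the commit does. The list these entries belong to starts and ends outside the hunk.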
--- a/nixos/modules/security/grsecurity.nix +++ /dev/null 
@@ -1,169 +0,0 @@ -{ config, pkgs, lib, ... }: - -with lib; - -let - cfg = config.security.grsecurity; - grsecLockPath = "/proc/sys/kernel/grsecurity/grsec_lock"; - - # Ascertain whether NixOS container support is required - containerSupportRequired = - config.boot.enableContainers && config.containers != {}; -in - -{ - meta = { - maintainers = with maintainers; [ ]; - doc = ./grsecurity.xml; - }; - - options.security.grsecurity = { - - enable = mkOption { - type = types.bool; - default = false; - description = '' - Enable grsecurity/PaX. - ''; - }; - - lockTunables = mkOption { - type = types.bool; - default = true; - description = '' - Whether to automatically lock grsecurity tunables - (). Disable - this to allow runtime configuration of grsecurity features. Activate - the grsec-lock service unit to prevent further - configuration until the next reboot. - ''; - }; - - disableEfiRuntimeServices = mkOption { - type = types.bool; - default = true; - description = '' - Whether to disable access to EFI runtime services. Enabling EFI runtime - services creates a venue for code injection attacks on the kernel and - should be disabled if at all possible. Changing this option enters into - effect upon reboot. - ''; - }; - - }; - - config = mkIf cfg.enable { - - boot.kernelPackages = mkForce pkgs.linuxPackages_grsec_nixos; - - boot.kernelParams = [ "grsec_sysfs_restrict=0" ] - ++ optional cfg.disableEfiRuntimeServices "noefi"; - - nixpkgs.config.grsecurity = true; - - # Install PaX related utillities into the system profile. - environment.systemPackages = with pkgs; [ gradm paxctl pax-utils ]; - - # Install rules for the grsec device node - services.udev.packages = [ pkgs.gradm ]; - - # This service unit is responsible for locking the grsecurity tunables. The - # unit is always defined, but only activated on bootup if lockTunables is - # toggled. When lockTunables is toggled, failure to activate the unit will - # enter emergency mode. 
The intent is to make it difficult to silently - # enter multi-user mode without having locked the tunables. Some effort is - # made to ensure that starting the unit is an idempotent operation. - systemd.services.grsec-lock = { - description = "Lock grsecurity tunables"; - - wantedBy = optional cfg.lockTunables "multi-user.target"; - - wants = [ "local-fs.target" "systemd-sysctl.service" ]; - after = [ "local-fs.target" "systemd-sysctl.service" ]; - conflicts = [ "shutdown.target" ]; - - restartIfChanged = false; - - script = '' - if ${pkgs.gnugrep}/bin/grep -Fq 0 ${grsecLockPath} ; then - echo -n 1 > ${grsecLockPath} - fi - ''; - - unitConfig = { - ConditionPathIsReadWrite = grsecLockPath; - DefaultDependencies = false; - } // optionalAttrs cfg.lockTunables { - OnFailure = "emergency.target"; - }; - - serviceConfig = { - Type = "oneshot"; - RemainAfterExit = true; - }; - }; - - # Configure system tunables - boot.kernel.sysctl = { - # Read-only under grsecurity - "kernel.kptr_restrict" = mkForce null; - - # All grsec tunables default to off, those not enabled below are - # *disabled*. We use mkDefault to allow expert users to override - # our choices, but use mkForce where tunables would outright - # conflict with other settings. 
- - # Enable all chroot restrictions by default (overwritten as - # necessary below) - "kernel.grsecurity.chroot_caps" = mkDefault 1; - "kernel.grsecurity.chroot_deny_bad_rename" = mkDefault 1; - "kernel.grsecurity.chroot_deny_chmod" = mkDefault 1; - "kernel.grsecurity.chroot_deny_chroot" = mkDefault 1; - "kernel.grsecurity.chroot_deny_fchdir" = mkDefault 1; - "kernel.grsecurity.chroot_deny_mknod" = mkDefault 1; - "kernel.grsecurity.chroot_deny_mount" = mkDefault 1; - "kernel.grsecurity.chroot_deny_pivot" = mkDefault 1; - "kernel.grsecurity.chroot_deny_shmat" = mkDefault 1; - "kernel.grsecurity.chroot_deny_sysctl" = mkDefault 1; - "kernel.grsecurity.chroot_deny_unix" = mkDefault 1; - "kernel.grsecurity.chroot_enforce_chdir" = mkDefault 1; - "kernel.grsecurity.chroot_findtask" = mkDefault 1; - "kernel.grsecurity.chroot_restrict_nice" = mkDefault 1; - - # Enable various grsec protections - "kernel.grsecurity.consistent_setxid" = mkDefault 1; - "kernel.grsecurity.deter_bruteforce" = mkDefault 1; - "kernel.grsecurity.fifo_restrictions" = mkDefault 1; - "kernel.grsecurity.harden_ipc" = mkDefault 1; - "kernel.grsecurity.harden_ptrace" = mkDefault 1; - "kernel.grsecurity.harden_tty" = mkDefault 1; - "kernel.grsecurity.ip_blackhole" = mkDefault 1; - "kernel.grsecurity.linking_restrictions" = mkDefault 1; - "kernel.grsecurity.ptrace_readexec" = mkDefault 1; - - # Enable auditing - "kernel.grsecurity.audit_ptrace" = mkDefault 1; - "kernel.grsecurity.forkfail_logging" = mkDefault 1; - "kernel.grsecurity.rwxmap_logging" = mkDefault 1; - "kernel.grsecurity.signal_logging" = mkDefault 1; - "kernel.grsecurity.timechange_logging" = mkDefault 1; - } // optionalAttrs config.nix.useSandbox { - # chroot(2) restrictions that conflict with sandboxed Nix builds - "kernel.grsecurity.chroot_caps" = mkForce 0; - "kernel.grsecurity.chroot_deny_chmod" = mkForce 0; - "kernel.grsecurity.chroot_deny_chroot" = mkForce 0; - "kernel.grsecurity.chroot_deny_mount" = mkForce 0; - 
"kernel.grsecurity.chroot_deny_pivot" = mkForce 0; - } // optionalAttrs containerSupportRequired { - # chroot(2) restrictions that conflict with NixOS lightweight containers - "kernel.grsecurity.chroot_caps" = mkForce 0; - "kernel.grsecurity.chroot_deny_chmod" = mkForce 0; - "kernel.grsecurity.chroot_deny_mount" = mkForce 0; - "kernel.grsecurity.chroot_restrict_nice" = mkForce 0; - # Disable privileged IO by default, unless X is enabled - } // optionalAttrs (!config.services.xserver.enable) { - "kernel.grsecurity.disable_priv_io" = mkDefault 1; - }; - - }; -} diff --git a/nixos/modules/security/grsecurity.xml b/nixos/modules/security/grsecurity.xml deleted file mode 100644 index 0a884b3f9b5..00000000000 --- a/nixos/modules/security/grsecurity.xml +++ /dev/null 
@@ -1,385 +0,0 @@ - - - Grsecurity/PaX - - - Grsecurity/PaX is a set of patches against the Linux kernel that - implements an extensive suite of - features - designed to increase the difficulty of exploiting kernel and - application bugs. - - - - The NixOS grsecurity/PaX module is designed with casual users in mind and is - intended to be compatible with normal desktop usage, without - unnecessarily compromising security. The - following sections describe the configuration and administration of - a grsecurity/PaX enabled NixOS system. For more comprehensive - coverage, please refer to the - grsecurity wikibook - and the - Arch - Linux wiki page on grsecurity. - - Upstream has ceased free support for grsecurity/PaX. See - - the announcement for more information. Consequently, NixOS - support for grsecurity/PaX also must cease. Enabling this module will - result in a build error. - We standardise on a desktop oriented configuration primarily due - to lack of resources. The grsecurity/PaX configuration state space is huge - and each configuration requires quite a bit of testing to ensure that the - resulting packages work as advertised. Defining additional package sets - would likely result in a large number of functionally broken packages, to - nobody's benefit. - - - Enabling grsecurity/PaX - - - To make use of grsecurity/PaX on NixOS, add the following to your - configuration.nix: - - security.grsecurity.enable = true; - - followed by - - # nixos-rebuild boot - # reboot - - - Enabling the grsecurity module overrides - , to reduce the risk of - misconfiguration. - describes how to use a custom kernel package set. - - - For most users, further configuration should be unnecessary. All users - are encouraged to look over before - using the system, however. If you experience problems, please refer to - . 
- - - - Once booted into the new system, you can optionally use - paxtest to exercise various PaX features: - - - - - - Declarative tuning - - - The default configuration mode is strictly declarative. Some features - simply cannot be changed at all after boot, while others are locked once the - system is up and running. Moreover, changes to the configuration enter - into effect only upon booting into the new system. - - - - The NixOS module exposes a limited number of options for tuning the behavior - of grsecurity/PaX. These are options thought to be of particular interest - to most users. For experts, further tuning is possible via - (see - ) and - (the wikibook - contains an - exhaustive listing of grsecurity sysctl tunables). - - - - - Manual tuning - - - To permit manual tuning of grsecurity runtime parameters, set: - - security.grsecurity.lockTunables = false; - - Once booted into this system, grsecurity features that have a corresponding - sysctl tunable can be changed without rebooting, either by switching into - a new system profile or via the sysctl utility. - - - - To lock all grsecurity tunables until the next boot, do: - - # systemctl start grsec-lock - - - - - - Security considerations - - - The NixOS kernel is built using upstream's recommended settings for a - desktop deployment that generally favours security over performance. This - section details deviations from upstream's recommendations that may - compromise security. - - There may be additional problems not covered here! - - - - - - - The following hardening features are disabled in the NixOS kernel: - - Kernel symbol hiding: rendered useless by redistributing - kernel objects. - - Randomization of kernel structures: rendered useless by - redistributing kernel objects. - - TCP simultaneous OPEN connection is permitted: breaking - strict TCP conformance is inappropriate for a general purpose kernel. 
- The trade-off is that an attacker may be able to deny outgoing - connections if they are able to guess the source port allocated by your - OS for that connection and also manage to initiate - a TCP simultaneous OPEN on that port before the connection is actually - established. - - Trusted path execution: a desirable feature, but - requires some more work to operate smoothly on NixOS. - - - - - The NixOS module conditionally weakens chroot - restrictions to accommodate NixOS lightweight containers and sandboxed Nix - builds. This can be problematic if the deployment also runs privileged - network facing processes that rely on - chroot for isolation. - - - - The NixOS kernel is patched to allow usermode helpers from anywhere in the - Nix store. A usermode helper is an executable called by the kernel in - certain circumstances, e.g., modprobe. Vanilla - grsecurity only allows usermode helpers from paths typically owned by the - super user. The NixOS kernel allows an attacker to inject malicious code - into the Nix store which could then be executed by the kernel as a - usermode helper. - - - - The following features are disabled because they overlap with - vanilla kernel mechanisms: - - - /proc hardening: - use instead. This - trades weaker protection for greater compatibility. - - - dmesg restrictions: - use instead - - - - - - - - - Using a custom grsecurity/PaX kernel - - - The NixOS kernel is likely to be either too permissive or too restrictive - for many deployment scenarios. In addition to producing a kernel more - suitable for a particular deployment, a custom kernel may improve security - by depriving an attacker the ability to study the kernel object code, adding - yet more guesswork to successfully carry out certain exploits. 
- - - - To build a custom kernel using upstream's recommended settings for server - deployments, while still using the NixOS module: - - nixpkgs.config.packageOverrides = super: { - linux_grsec_nixos = super.linux_grsec_nixos.override { - extraConfig = '' - GRKERNSEC_CONFIG_AUTO y - GRKERNSEC_CONFIG_SERVER y - GRKERNSEC_CONFIG_SECURITY y - ''; - }; - }; - - - - - The grsecurity/PaX wikibook provides an exhaustive listing of - kernel configuration options. - - - - The NixOS module makes several assumptions about the kernel and so - may be incompatible with your customised kernel. Currently, the only way - to work around these incompatibilities is to eschew the NixOS - module. - - - - If not using the NixOS module, a custom grsecurity package set can - be specified inline instead, as in - - boot.kernelPackages = - let - kernel = pkgs.linux_grsec_nixos.override { - extraConfig = /* as above */; - }; - self = pkgs.linuxPackagesFor kernel self; - in self; - - - - - - Per-executable PaX flags - - - Manual tuning of per-file PaX flags for executables in the Nix store is - impossible on a properly configured system. If a package in Nixpkgs fails - due to PaX, that is a bug in the package recipe and should be reported to - the maintainer (including relevant dmesg output). - - - - For executables installed outside of the Nix store, PaX flags can be set - using the paxctl utility: - - paxctl -czem foo - - - - paxctl overwrites files in-place. - - - Equivalently, on file systems that support extended attributes: - - setfattr -n user.pax.flags -v em foo - - - - - - - - Issues and work-arounds - - - User namespaces require CAP_SYS_ADMIN: - consequently, unprivileged namespaces are unsupported. Applications that - rely on namespaces for sandboxing must use a privileged helper. For chromium - there is . - - Access to EFI runtime services is disabled by default: - this plugs a potential code injection attack vector; use - to override - this behavior. 
- - User initiated autoloading of modules (e.g., when - using fuse or loop devices) is disallowed; either load requisite modules - as root or add them to . - - Virtualization: KVM is the preferred virtualization - solution. Xen, Virtualbox, and VMWare are - unsupported and most likely require a custom kernel. - - - - Attaching gdb to a running process is disallowed by - default: unprivileged users can only ptrace processes that are children of - the ptracing process. To relax this restriction, set - - boot.kernel.sysctl."kernel.grsecurity.harden_ptrace" = 0; - - - - - Overflows in boot critical code (e.g., the root filesystem module) can - render the system unbootable. Work around by setting - - boot.kernelParams = [ "pax_size_overflow_report_only" ]; - - - - - The modify_ldt - 2 syscall is disabled - by default. This restriction can interfere with programs designed to run - legacy 16-bit or segmented 32-bit code. To support applications that rely - on this syscall, set - - boot.kernel.sysctl."kernel.modify_ldt" = 1; - - - - - The gitlab service () - requires a variant of the ruby interpreter - built without `mprotect()` hardening, as in - - services.gitlab.packages.gitlab = pkgs.gitlab.override { - ruby = pkgs.ruby.overrideAttrs (attrs: { - postFixup = "paxmark m $out/bin/ruby"; - }); - }; - - - - - - - - Grsecurity/PaX kernel parameters - - - The NixOS kernel supports the following kernel command line parameters: - - - pax_nouderef: disable UDEREF (separate kernel and - user address spaces). - - - - pax_weakuderef: enable a faster but - weaker variant of UDEREF on 64-bit processors with PCID support - (check grep pcid /proc/cpuinfo). - - - - pax_sanitize_slab={off|fast|full}: control kernel - slab object sanitization. Defaults to fast - - - - pax_size_overflow_report_only: log size overflow - violations but leave the violating task running - - - - grsec_sysfs_restrict=[0|1]: toggle sysfs - restrictions. 
The NixOS module sets this to 0 - for systemd compatibility - - - - - - - -- cgit 1.4.1