authorAustin Seipp <aseipp@pobox.com>2014-04-12 11:16:03 -0500
committerAustin Seipp <aseipp@pobox.com>2014-04-12 11:16:05 -0500
commit64efd184ed389527bcfbe2f71c312546431f0261 (patch)
treedebdaed833cc98ad87b6e4c75399e0dd19b1cc80
parentb296895abe8ed8bd89ed9d0d7e3bf9ba3168180c (diff)
grsecurity: Fix GRKERNSEC_PROC restrictions
Previously we were setting GRKERNSEC_PROC_USER y, which was a little bit
too strict. It doesn't allow a special group (e.g. the grsecurity group
users) to access /proc information - this requires
GRKERNSEC_PROC_USERGROUP y, and the two are mutually exclusive.

This was also not in line with the default automatic grsecurity
configuration - it actually defaults to USERGROUP (although it has a
default GID of 1001 instead of ours), not USER.

This introduces a new option restrictProcWithGroup - enabled by default
- which turns on GRKERNSEC_PROC_USERGROUP instead. It also turns off
restrictProc by default and makes sure both cannot be enabled.

Signed-off-by: Austin Seipp <aseipp@pobox.com>
-rw-r--r--nixos/modules/security/grsecurity.nix42
1 files changed, 32 insertions, 10 deletions
diff --git a/nixos/modules/security/grsecurity.nix b/nixos/modules/security/grsecurity.nix
index 1759413c5589..913a0afc4525 100644
--- a/nixos/modules/security/grsecurity.nix
+++ b/nixos/modules/security/grsecurity.nix
@@ -78,9 +78,14 @@ let
       GRKERNSEC y
       ${grsecMainConfig}
 
-      GRKERNSEC_PROC_USER ${boolToKernOpt cfg.config.restrictProc}
-      ${if !cfg.config.restrictProc then ""
-        else "GRKERNSEC_PROC_GID "+(toString cfg.config.unrestrictProcGid)}
+      ${if cfg.config.restrictProc then
+          "GRKERNSEC_PROC_USER y"
+        else
+          optionalString cfg.config.restrictProcWithGroup ''
+            GRKERNSEC_PROC_USERGROUP y
+            GRKERNSEC_PROC_GID ${toString cfg.config.unrestrictProcGid}
+          ''
+      }
 
       GRKERNSEC_SYSCTL ${boolToKernOpt cfg.config.sysctl}
       GRKERNSEC_CHROOT_CHMOD ${boolToKernOpt cfg.config.denyChrootChmod}
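Review bot: The new branch emits nothing at all when restrictProc is false and restrictProcWithGroup is false, whereas the removed line always wrote `GRKERNSEC_PROC_USER` with an explicit y/n via boolToKernOpt; after this change neither `GRKERNSEC_PROC_USER` nor `GRKERNSEC_PROC_USERGROUP` is pinned to n in the disabled case. If the surrounding kernel-config merge lets unset symbols fall back to the kernel's own defaults (the commit message says the automatic grsecurity config defaults to USERGROUP with GID 1001), a user who disables both options could still end up with group-restricted /proc and an unexpected GID; I cannot confirm that from the hunk since grsecMainConfig and the `let` binding holding this string start and end outside it. Writing both symbols explicitly keeps the generated config independent of the kernel default, and the new assertion already forbids both being true. Suggested rewrite below, using the boolToKernOpt helper already used on the neighbouring lines.
```nix
      ${grsecMainConfig}

      GRKERNSEC_PROC_USER ${boolToKernOpt cfg.config.restrictProc}
      GRKERNSEC_PROC_USERGROUP ${boolToKernOpt cfg.config.restrictProcWithGroup}
      ${optionalString cfg.config.restrictProcWithGroup
          "GRKERNSEC_PROC_GID ${toString cfg.config.unrestrictProcGid}"}

      # … unchanged: GRKERNSEC_SYSCTL and following lines …
```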
@@ -278,7 +283,7 @@ in
 
         restrictProc = mkOption {
           type = types.bool;
-          default = true;
+          default = false;
           description = ''
             If true, then set <literal>GRKERN_PROC_USER
             y</literal>. This restricts non-root users to only viewing
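Review bot: With the default flipped to false here while restrictProcWithGroup defaults to true, a user who simply sets `restrictProc = true` will trip the new mutual-exclusion assertion unless they also disable the other option, and the description (which continues outside the hunk) does not say so. I would add a sentence to the description such as "This option is mutually exclusive with restrictProcWithGroup, which is enabled by default; set that to false when enabling this one." The description also names the symbol `GRKERN_PROC_USER`, while the generated config writes `GRKERNSEC_PROC_USER`; worth correcting while the option is being touched.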
@@ -287,18 +292,31 @@ in
           '';
         };
 
+        restrictProcWithGroup = mkOption {
+          type = types.bool;
+          default = true;
+          description = ''
+            If true, then set <literal>GRKERN_PROC_USERGROUP
+            y</literal>. This is similar to
+            <literal>restrictProc</literal> except it allows a special
+            group (specified by <literal>unrestrictProcGid</literal>)
+            to still access otherwise classified information in
+            <literal>/proc</literal>.
+          '';
+        };
+
         unrestrictProcGid = mkOption {
           type = types.int;
           default = config.ids.gids.grsecurity;
           description = ''
             If set, specifies a GID which is exempt from
             <literal>/proc</literal> restrictions (set by
-            <literal>GRKERN_PROC_USER</literal>). By default, this is
-            set to the GID for <literal>grsecurity</literal>, a
-            predefined NixOS group, which the <literal>root</literal>
-            account is a member of. You may conveniently add other
-            users to this group if you need access to
-            <literal>/proc</literal>
+            <literal>GRKERN_PROC_USERGROUP</literal>). By default,
+            this is set to the GID for <literal>grsecurity</literal>,
+            a predefined NixOS group, which the
+            <literal>root</literal> account is a member of. You may
+            conveniently add other users to this group if you need
+            access to <literal>/proc</literal>
           '';
         };
 
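Review bot: The new restrictProcWithGroup description (and the rewritten unrestrictProcGid text) names the kernel symbol as `GRKERN_PROC_USERGROUP`, but the config string in the first hunk emits `GRKERNSEC_PROC_USERGROUP`, so the documentation points readers at a symbol that does not match what is generated; both `<literal>` occurrences should read `GRKERNSEC_PROC_USERGROUP`. The unrestrictProcGid description also says the GID is exempt "If set", but the first hunk only emits `GRKERNSEC_PROC_GID` when restrictProcWithGroup is true, so I would state that explicitly, e.g. "Only takes effect when restrictProcWithGroup is enabled; ignored under restrictProc." The restrictProcWithGroup description could likewise note that it is mutually exclusive with restrictProc, which the new assertion enforces.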
@@ -346,6 +364,10 @@ in
         { assertion = (cfg.testing -> !cfg.vserver);
           message   = "The vserver patches are only supported in the stable kernel.";
         }
+        { assertion = (cfg.config.restrictProc -> !cfg.config.restrictProcWithGroup) ||
+                      (cfg.config.restrictProcWithGroup -> !cfg.config.restrictProc);
+          message   = "You cannot enable both restrictProc and restrictProcWithGroup";
+        }
         { assertion = config.boot.kernelPackages.kernel.features ? grsecurity
                    && config.boot.kernelPackages.kernel.features.grsecurity;
           message = "grsecurity enabled, but kernel doesn't have grsec support";
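Review bot: The two disjuncts of the added assertion are the same proposition — `a -> !b` and `b -> !a` both reduce to `!a || !b` — so the `||` adds nothing and obscures the intent, which is simply that the two options are not both enabled. I would write it as `{ assertion = !(cfg.config.restrictProc && cfg.config.restrictProcWithGroup);` and keep the message, perhaps adding that restrictProcWithGroup is on by default so the user knows which one to turn off. The enclosing assertions list continues outside the hunk.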