authorJoachim Fasting <joachifm@fastmail.fm>2016-05-04 02:20:49 +0200
committerJoachim Fasting <joachifm@fastmail.fm>2016-05-04 03:53:24 +0200
commitda767356f275785950c9847428b60be2d6753943 (patch)
tree5b285a69404860917ce2dfd7769f90bc5bf47014
parentc5451206ab3d2b2e4442b9e59e6b1fd978a9d57f (diff)
grsecurity: support disabling TCP simultaneous connect
Defaults to OFF because disabling TCP simultaneous connect breaks some
legitimate use cases, notably WebRTC [1], but it's nice to provide the
option for deployments where those features are unneeded anyway.

This is an alternative to https://github.com/NixOS/nixpkgs/pull/4937

[1]: http://article.gmane.org/gmane.linux.documentation/9425
-rw-r--r--nixos/modules/security/grsecurity.nix17
-rw-r--r--pkgs/build-support/grsecurity/default.nix2
2 files changed, 19 insertions, 0 deletions
diff --git a/nixos/modules/security/grsecurity.nix b/nixos/modules/security/grsecurity.nix
index 11668162808f..12401f044a7f 100644
--- a/nixos/modules/security/grsecurity.nix
+++ b/nixos/modules/security/grsecurity.nix
@@ -194,6 +194,23 @@ in
           '';
         };
 
+        disableSimultConnect = mkOption {
+          type = types.bool;
+          default = false;
+          description = ''
+            Disable TCP simultaneous connect.  The TCP simultaneous connect
+            feature allows two clients to connect without either of them
+            entering the listening state.  This feature of the TCP specification
+            is claimed to enable an attacker to deny the target access to a given
+            server by guessing the source port the target would use to make the
+            connection.
+
+            This option is OFF by default because TCP simultaneous connect has
+            some legitimate uses.  Enable this option if you know what this TCP
+            feature is for and know that you do not need it.
+          '';
+        };
+
         verboseVersion = mkOption {
           type = types.bool;
           default = false;
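Review bot: The new option's description says TCP simultaneous connect "has some legitimate uses" without naming one, whereas the commit message identifies WebRTC as the notable casualty; an administrator weighing this trade-off needs that concrete example in the option text itself, not in the git log. I would extend the second paragraph of the description with `Enabling this option is known to break WebRTC.` (as claimed in the commit message). It would also help to state which kernel symbol the option drives, e.g. `Sets GRKERNSEC_NO_SIMULT_CONNECT in the grsecurity kernel configuration.`, since that mapping lives in pkgs/build-support/grsecurity/default.nix and is otherwise invisible from the module. The enclosing options attribute set starts and ends outside the hunk.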
diff --git a/pkgs/build-support/grsecurity/default.nix b/pkgs/build-support/grsecurity/default.nix
index 0ba270366671..d8042d652732 100644
--- a/pkgs/build-support/grsecurity/default.nix
+++ b/pkgs/build-support/grsecurity/default.nix
@@ -14,6 +14,7 @@ let
       restrictProcWithGroup = true;
       unrestrictProcGid = 121; # Ugh, an awful hack. See grsecurity NixOS gid
       disableRBAC = false;
+      disableSimultConnect = false;
       verboseVersion = false;
       kernelExtraConfig = "";
     } // grsecOptions.config;
@@ -107,6 +108,7 @@ let
         GRKERNSEC_CHROOT_CHMOD ${boolToKernOpt cfg.config.denyChrootChmod}
         GRKERNSEC_DENYUSB ${boolToKernOpt cfg.config.denyUSB}
         GRKERNSEC_NO_RBAC ${boolToKernOpt cfg.config.disableRBAC}
+        GRKERNSEC_NO_SIMULT_CONNECT ${boolToKernOpt cfg.config.disableSimultConnect}
 
         ${cfg.config.kernelExtraConfig}
       '';