author | Joachim Fasting <joachifm@fastmail.fm> | 2016-05-04 02:20:49 +0200 |
committer | Joachim Fasting <joachifm@fastmail.fm> | 2016-05-04 03:53:24 +0200 |
commit | da767356f275785950c9847428b60be2d6753943 (patch) | |
tree | 5b285a69404860917ce2dfd7769f90bc5bf47014 | |
parent | c5451206ab3d2b2e4442b9e59e6b1fd978a9d57f (diff) | |
grsecurity: support disabling TCP simultaneous connect
Defaults to OFF because disabling TCP simultaneous connect breaks some legitimate use cases, notably WebRTC [1], but it's nice to provide the option for deployments where those features are unneeded anyway. This is an alternative to https://github.com/NixOS/nixpkgs/pull/4937 [1]: http://article.gmane.org/gmane.linux.documentation/9425
-rw-r--r-- | nixos/modules/security/grsecurity.nix | 17 | ||||
-rw-r--r-- | pkgs/build-support/grsecurity/default.nix | 2 |
2 files changed, 19 insertions, 0 deletions
diff --git a/nixos/modules/security/grsecurity.nix b/nixos/modules/security/grsecurity.nix
index 11668162808f..12401f044a7f 100644
--- a/nixos/modules/security/grsecurity.nix
+++ b/nixos/modules/security/grsecurity.nix
@@ -194,6 +194,23 @@ in
 '';
 };
+ disableSimultConnect = mkOption {
+ type = types.bool;
+ default = false;
+ description = ''
+ Disable TCP simultaneous connect. The TCP simultaneous connect
+ feature allows two clients to connect without either of them
+ entering the listening state. This feature of the TCP specification
+ is claimed to enable an attacker to deny the target access to a given
+ server by guessing the source port the target would use to make the
+ connection.
+
+ This option is OFF by default because TCP simultaneous connect has
+ some legitimate uses. Enable this option if you know what this TCP
+ feature is for and know that you do not need it.
+ '';
+ };
+
 verboseVersion = mkOption {
 type = types.bool;
 default = false;
diff --git a/pkgs/build-support/grsecurity/default.nix b/pkgs/build-support/grsecurity/default.nix
index 0ba270366671..d8042d652732 100644
--- a/pkgs/build-support/grsecurity/default.nix
+++ b/pkgs/build-support/grsecurity/default.nix
@@ -14,6 +14,7 @@ let
 restrictProcWithGroup = true;
 unrestrictProcGid = 121; # Ugh, an awful hack. See grsecurity NixOS gid
 disableRBAC = false;
+ disableSimultConnect = false;
 verboseVersion = false;
 kernelExtraConfig = "";
 } // grsecOptions.config;
@@ -107,6 +108,7 @@ let
 GRKERNSEC_CHROOT_CHMOD ${boolToKernOpt cfg.config.denyChrootChmod}
 GRKERNSEC_DENYUSB ${boolToKernOpt cfg.config.denyUSB}
 GRKERNSEC_NO_RBAC ${boolToKernOpt cfg.config.disableRBAC}
+ GRKERNSEC_NO_SIMULT_CONNECT ${boolToKernOpt cfg.config.disableSimultConnect}
 ${cfg.config.kernelExtraConfig}
 '';
|
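Review bot: The description of `disableSimultConnect` in the first hunk says only that TCP simultaneous connect has "some legitimate uses", while the commit message names the concrete casualty (WebRTC) and the pkgs/build-support hunk shows which kernel symbol the option flips; an operator weighing this option should find both in the description rather than in the commit log. I would extend the second paragraph with `Disabling it is reported to break WebRTC and similar peer-to-peer connection setups, so leave this off on hosts that need them.` and `When enabled, GRKERNSEC_NO_SIMULT_CONNECT is set in the grsecurity kernel configuration, so toggling it rebuilds the kernel.` The hedged wording of the threat ("is claimed to enable an attacker ...") is appropriate and should stay, since the hunk cites no evaluation of the attack beyond that claim. The enclosing options attribute set begins before this hunk.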
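Review bot: The new `GRKERNSEC_NO_SIMULT_CONNECT` line in the last hunk presumes that the grsecurity patch being applied defines that Kconfig symbol; nothing in the hunk or in the defaults added to the `let` block records which grsecurity release introduced it, so with an older patch the symbol would still be emitted, and whether the kernel configuration step then errors, warns or silently ignores it is not visible here. A comment on the line, `# needs a grsecurity patch that provides GRKERNSEC_NO_SIMULT_CONNECT`, would at least make the dependency explicit for whoever next bumps the patch. The kernel configuration string that this line is appended to starts before the hunk.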