author | Arseniy Seroka <jagajaga@users.noreply.github.com> | 2015-04-03 16:03:49 +0300 |
---|---|---|
committer | Arseniy Seroka <jagajaga@users.noreply.github.com> | 2015-04-03 16:03:49 +0300 |
commit | 8592c6c004a9cc549ba4031ced474442c0ea3284 (patch) | |
tree | c0875dfc5a342a395ce52e54de422da9256d79a4 /nixos/modules/security | |
parent | bdc1ab3db6eb43fa7a4959b2668ab717fd135286 (diff) | |
parent | ba93a75724b9671208d7e48789bc9d71a9da648b (diff) | |
Merge pull request #7150 from joachifm/grsec-types
grsecurity module: use types.enum
Diffstat (limited to 'nixos/modules/security')
-rw-r--r-- | nixos/modules/security/grsecurity.nix | 65 |
1 files changed, 17 insertions, 48 deletions
diff --git a/nixos/modules/security/grsecurity.nix b/nixos/modules/security/grsecurity.nix index 8cd400933487..35974f6890e6 100644 --- a/nixos/modules/security/grsecurity.nix +++ b/nixos/modules/security/grsecurity.nix @@ -44,53 +44,41 @@ in config = { mode = mkOption { - type = types.str; + type = types.enum [ "auto" "custom" ]; default = "auto"; - example = "custom"; description = '' grsecurity configuration mode. This specifies whether grsecurity is auto-configured or otherwise completely - manually configured. Can either be - <literal>custom</literal> or <literal>auto</literal>. - - <literal>auto</literal> is recommended. + manually configured. ''; }; priority = mkOption { - type = types.str; + type = types.enum [ "security" "performance" ]; default = "security"; - example = "performance"; description = '' grsecurity configuration priority. This specifies whether the kernel configuration should emphasize speed or - security. Can either be <literal>security</literal> or - <literal>performance</literal>. + security. ''; }; system = mkOption { - type = types.str; - default = ""; - example = "desktop"; + type = types.enum [ "desktop" "server" ]; + default = "desktop"; description = '' - grsecurity system configuration. This specifies whether - the kernel configuration should be suitable for a Desktop - or a Server. Can either be <literal>server</literal> or - <literal>desktop</literal>. + grsecurity system configuration. ''; }; virtualisationConfig = mkOption { - type = types.str; - default = "none"; - example = "host"; + type = types.nullOr (types.enum [ "host" "guest" ]); + default = null; description = '' grsecurity virtualisation configuration. This specifies the virtualisation role of the machine - that is, whether it will be a virtual machine guest, a virtual machine - host, or neither. Can be one of <literal>none</literal>, - <literal>host</literal>, or <literal>guest</literal>. + host, or neither. ''; }; 
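Review bot: `system` now defaults to `"desktop"`, whereas the old `default = ""` plus the assertion removed in the last hunk forced an explicit desktop/server choice in auto mode, so a server that never sets the option is now configured with the desktop profile and no evaluation error. Dropping the `default = "desktop";` line would keep the choice mandatory, since an option without a default fails evaluation when it is read unset; failing that, the description should state the default and what the two values change, which the shortened text `grsecurity system configuration.` no longer does. Separately, `virtualisationConfig` no longer accepts `"none"`, so existing configurations that set it will fail the type check. A release-note entry pointing to `null` would help, and any comparison against `"none"` elsewhere in the module (not visible in this hunk) needs the same change.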
@@ -106,17 +94,10 @@ in
 };
 virtualisationSoftware = mkOption {
- type = types.str;
- default = "";
- example = "kvm";
+ type = types.nullOr (types.enum [ "kvm" "xen" "vmware" "virtualbox" ]);
+ default = null;
 description = ''
- grsecurity virtualisation software. Set this to the
- specified virtual machine technology if the machine is
- running as a guest, or a host.
-
- Can be one of <literal>kvm</literal>,
- <literal>xen</literal>, <literal>vmware</literal> or
- <literal>virtualbox</literal>.
+ Configure grsecurity for use with this virtualisation software.
 '';
 };
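Review bot: The new description of `virtualisationSoftware` no longer says when the option has to be set, although the assertion in the last hunk makes it mandatory in auto mode whenever `virtualisationConfig` is non-null. I would keep that condition in the text, for example `Virtualisation software to configure grsecurity for. Required in auto mode when virtualisationConfig is set.` The accepted values are carried by the enum type, so dropping the literal list is fine.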
@@ -262,25 +243,13 @@ in
 && config.boot.kernelPackages.kernel.features.grsecurity;
 message = "grsecurity enabled, but kernel doesn't have grsec support";
 }
- { assertion = elem cfg.config.mode [ "auto" "custom" ];
- message = "grsecurity mode must either be 'auto' or 'custom'.";
- }
- { assertion = cfg.config.mode == "auto" -> elem cfg.config.system [ "desktop" "server" ];
- message = "when using auto grsec mode, system must be either 'desktop' or 'server'";
- }
- { assertion = cfg.config.mode == "auto" -> elem cfg.config.priority [ "performance" "security" ];
- message = "when using auto grsec mode, priority must be 'performance' or 'security'.";
- }
- { assertion = cfg.config.mode == "auto" -> elem cfg.config.virtualisationConfig [ "host" "guest" "none" ];
- message = "when using auto grsec mode, 'virt' must be 'host', 'guest' or 'none'.";
- }
- { assertion = (cfg.config.mode == "auto" && (elem cfg.config.virtualisationConfig [ "host" "guest" ])) ->
+ { assertion = (cfg.config.mode == "auto" && (cfg.config.virtualisationConfig != null)) ->
 cfg.config.hardwareVirtualisation != null;
 message = "when using auto grsec mode with virtualisation, you must specify if your hardware has virtualisation extensions";
 }
- { assertion = (cfg.config.mode == "auto" && (elem cfg.config.virtualisationConfig [ "host" "guest" ])) ->
- elem cfg.config.virtualisationSoftware [ "kvm" "xen" "virtualbox" "vmware" ];
- message = "virtualisation software must be 'kvm', 'xen', 'vmware' or 'virtualbox'";
+ { assertion = (cfg.config.mode == "auto" && (cfg.config.virtualisationConfig != null)) ->
+ cfg.config.virtualisationSoftware != null;
+ message = "grsecurity configured for virtualisation but no virtualisation software specified";
 }
 ]; |
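Review bot: The new message `grsecurity configured for virtualisation but no virtualisation software specified` does not name the option to set, whereas the message it replaces listed the accepted values. Something like `message = "virtualisationConfig is set, so virtualisationSoftware must be one of 'kvm', 'xen', 'vmware' or 'virtualbox'";` tells the user what to fix. The two remaining assertions only check one direction: a `virtualisationSoftware` given while `virtualisationConfig` is null passes silently, and whether it is then ignored cannot be seen from this hunk. Both also repeat the antecedent `cfg.config.mode == "auto" && cfg.config.virtualisationConfig != null`, which could be bound once in a `let`. The assertions list begins above the hunk.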