authorVladimír Čunát <vcunat@gmail.com>2016-04-01 10:06:01 +0200
committerVladimír Čunát <vcunat@gmail.com>2016-04-01 10:06:01 +0200
commitab15a62c68bf7bf3b02e3bab00d121cc1426733c (patch)
tree398a82403b04bfa0bae8cadf1c5a64cf83145965 /nixos/modules/security
parentc643ccaa8c91f78b8c89eb87589886b8906d5b38 (diff)
parenta26357eefe017964448b5bb464163646b927a267 (diff)
Merge branch 'master' into closure-size
Beware that stdenv doesn't build. It seems something more will be needed
than just resolution of merge conflicts.
Diffstat (limited to 'nixos/modules/security')
-rw-r--r--nixos/modules/security/grsecurity.nix29
1 files changed, 7 insertions, 22 deletions
diff --git a/nixos/modules/security/grsecurity.nix b/nixos/modules/security/grsecurity.nix
index 40942644868a..236206026c3f 100644
--- a/nixos/modules/security/grsecurity.nix
+++ b/nixos/modules/security/grsecurity.nix
@@ -26,19 +26,11 @@ in
         '';
       };
 
-      stable = mkOption {
-        type = types.bool;
-        default = false;
-        description = ''
-          Enable the stable grsecurity patch, based on Linux 3.14.
-        '';
-      };
-
-      testing = mkOption {
-        type = types.bool;
-        default = false;
+      kernelPatch = mkOption {
+        type = types.attrs;
+        example = lib.literalExample "pkgs.kernelPatches.grsecurity_4_1";
         description = ''
-          Enable the testing grsecurity patch, based on Linux 4.0.
+          Grsecurity patch to use.
         '';
       };
 
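Review bot: `kernelPatch` is declared with `type = types.attrs` and no `default`, while its real default is supplied separately as `lib.mkDefault pkgs.kernelPatches.grsecurity_latest` under `config = mkIf cfg.enable` in the third hunk; any attribute set satisfies `types.attrs`, so a mistyped or unrelated set would pass the module system where the removed `stable`/`testing` assertions in the second hunk used to reject an invalid selection. Putting the default in the declaration, `default = pkgs.kernelPatches.grsecurity_latest; defaultText = "pkgs.kernelPatches.grsecurity_latest";`, makes it show up in the generated option docs and leaves `cfg.kernelPatch` defined even when the module is disabled, and a stricter type or shape check (whatever the consumer of `cfg.kernelPatch` expects, which is outside this diff) would restore the lost validation. Whether `grsecurity_latest` corresponds to the former testing series is not visible here; the description `Grsecurity patch to use.` could state which patch is selected by default and that the selection may move between releases. The enclosing option set starts outside the hunk.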
@@ -219,16 +211,7 @@ in
 
   config = mkIf cfg.enable {
     assertions =
-      [ { assertion = cfg.stable || cfg.testing;
-          message   = ''
-            If grsecurity is enabled, you must select either the
-            stable patch (with kernel 3.14), or the testing patch (with
-            kernel 4.0) to continue.
-          '';
-        }
-        { assertion = !(cfg.stable && cfg.testing);
-          message   = "Select either one of the stable or testing patch";
-        }
+      [
         { assertion = (cfg.config.restrictProc -> !cfg.config.restrictProcWithGroup) ||
                       (cfg.config.restrictProcWithGroup -> !cfg.config.restrictProc);
           message   = "You cannot enable both restrictProc and restrictProcWithGroup";
@@ -247,6 +230,8 @@ in
         }
       ];
 
+    security.grsecurity.kernelPatch = lib.mkDefault pkgs.kernelPatches.grsecurity_latest;
+
     systemd.services.grsec-lock = mkIf cfg.config.sysctl {
       description     = "grsecurity sysctl-lock Service";
       requires        = [ "systemd-sysctl.service" ];