author | Vladimír Čunát <vcunat@gmail.com> | 2016-04-01 10:06:01 +0200 |
committer | Vladimír Čunát <vcunat@gmail.com> | 2016-04-01 10:06:01 +0200 |
commit | ab15a62c68bf7bf3b02e3bab00d121cc1426733c (patch) | |
tree | 398a82403b04bfa0bae8cadf1c5a64cf83145965 /nixos/modules/security | |
parent | c643ccaa8c91f78b8c89eb87589886b8906d5b38 (diff) | |
parent | a26357eefe017964448b5bb464163646b927a267 (diff) | |
Merge branch 'master' into closure-size
Beware that stdenv doesn't build. It seems something more will be needed than just resolution of merge conflicts.
Diffstat (limited to 'nixos/modules/security')
-rw-r--r-- | nixos/modules/security/grsecurity.nix | 29 |
1 files changed, 7 insertions, 22 deletions
diff --git a/nixos/modules/security/grsecurity.nix b/nixos/modules/security/grsecurity.nix
index 40942644868a..236206026c3f 100644
--- a/nixos/modules/security/grsecurity.nix
+++ b/nixos/modules/security/grsecurity.nix
@@ -26,19 +26,11 @@ in
 '';
 };
- stable = mkOption {
- type = types.bool;
- default = false;
- description = ''
- Enable the stable grsecurity patch, based on Linux 3.14.
- '';
- };
-
- testing = mkOption {
- type = types.bool;
- default = false;
+ kernelPatch = mkOption {
+ type = types.attrs;
+ example = lib.literalExample "pkgs.kernelPatches.grsecurity_4_1";
 description = ''
- Enable the testing grsecurity patch, based on Linux 4.0.
+ Grsecurity patch to use.
 '';
 };
@@ -219,16 +211,7 @@ in
 config = mkIf cfg.enable {
 assertions =
- [ { assertion = cfg.stable || cfg.testing;
- message = ''
- If grsecurity is enabled, you must select either the
- stable patch (with kernel 3.14), or the testing patch (with
- kernel 4.0) to continue.
- '';
- }
- { assertion = !(cfg.stable && cfg.testing);
- message = "Select either one of the stable or testing patch";
- }
+ [ { assertion = (cfg.config.restrictProc -> !cfg.config.restrictProcWithGroup) || (cfg.config.restrictProcWithGroup -> !cfg.config.restrictProc);
 message = "You cannot enable both restrictProc and restrictProcWithGroup";
@@ -247,6 +230,8 @@ in
 }
 ];
+ security.grsecurity.kernelPatch = lib.mkDefault pkgs.kernelPatches.grsecurity_latest;
+
 systemd.services.grsec-lock = mkIf cfg.config.sysctl {
 description = "grsecurity sysctl-lock Service";
 requires = [ "systemd-sysctl.service" ];
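Review bot: The new `kernelPatch` option in the first hunk is typed `types.attrs`, which accepts any attribute set, so a mistyped or empty value passes option checking and the mistake only surfaces (if at all) when the kernel is built; the declaration also carries no `default`, and its `example` names `grsecurity_4_1` while the value actually applied later in the file is `grsecurity_latest`. A one-line description reading `Grsecurity patch to use.` tells the user none of this. I would replace it with a description along the lines of `Grsecurity kernel patch to apply, in the form of an entry of pkgs.kernelPatches. Defaults to pkgs.kernelPatches.grsecurity_latest; set an explicit version here if the kernel version must not change between rebuilds.`, and, if the entries of `pkgs.kernelPatches` share a fixed shape (not visible from this hunk), add an assertion that the value has the expected attributes so a wrong value is rejected at evaluation time rather than silently tolerated. The `options` block this belongs to starts and ends outside the hunk.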
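Review bot: The assertion that now opens the list in the second hunk, `(cfg.config.restrictProc -> !cfg.config.restrictProcWithGroup) || (cfg.config.restrictProcWithGroup -> !cfg.config.restrictProc)`, is two spellings of the same condition joined by `||` (each side is `!(restrictProc && restrictProcWithGroup)`), so the disjunction adds nothing and makes the intent harder to check; it is not certain from the collapsed rendering whether that expression is new or was already present as context. I would write it as `{ assertion = !(cfg.config.restrictProc && cfg.config.restrictProcWithGroup);`, which matches the existing message exactly. Dropping the old `cfg.stable || cfg.testing` guard also means that, with `enable = true` and no patch chosen, the module now relies entirely on a default assigned elsewhere in the file rather than on an assertion, which is worth a short comment at the head of the list. The `assertions` list continues beyond the end of the hunk.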
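Review bot: In the third hunk the default is injected through `security.grsecurity.kernelPatch = lib.mkDefault pkgs.kernelPatches.grsecurity_latest;` inside `config`, so it is invisible to the generated option documentation and to anyone reading the option declaration, and `grsecurity_latest` is presumably a moving alias, meaning the kernel version under a hardened system can change on an ordinary rebuild with no configuration change. If the reason for setting it here rather than as the option's `default` is that `pkgs` is not in scope at the declaration (not visible from this hunk), at least say so and mirror it in the declaration with `defaultText = "pkgs.kernelPatches.grsecurity_latest";` so the documented default matches the one applied. A comment on the new line such as `# mkDefault priority so a user-pinned patch wins; grsecurity_latest tracks the newest patch, not a fixed kernel version` would make the trade-off explicit. The enclosing `config = mkIf cfg.enable { ... }` attribute set starts before and ends after this hunk.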