nixos: add grsecurity module (#1875)

This module implements a significant refactoring in grsecurity
configuration for NixOS, making it far more usable by default and much
easier to configure.

 - New security.grsecurity NixOS attributes.
   - All grsec kernels supported
   - Allows default 'auto' grsec configuration, or custom config
   - Supports custom kernel options through kernelExtraConfig
   - Defaults to high-security - user must choose kernel, server/desktop
     mode, and any virtualisation software. That's all.
   - kptr_restrict is fixed under grsecurity (it's unwriteable)
 - grsecurity patch creation is now significantly abstracted
   - only need revision, version, and SHA1
   - kernel version requirements are asserted for sanity
   - built kernels can have the uname specify the exact grsec version
     for development or bug reports. Off by default (requires
     `security.grsecurity.config.verboseVersion = true;`)
 - grsecurity sysctl support
   - By default, disabled.
   - For people who enable it, NixOS deploys a 'grsec-lock' systemd
     service which runs at startup. You are expected to configure sysctl
     through NixOS like you regularly would, which will occur before the
     service is started. As a result, changing sysctl settings requires
     a reboot.
 - New default group: 'grsecurity'
   - Root is a member by default
   - GRKERNSEC_PROC_GID is implicitly set to the 'grsecurity' GID,
     making it possible to easily add users to this group for /proc
     access
 - AppArmor is now automatically enabled where it wasn't before, despite
   implying features.apparmor = true

The most trivial example of enabling grsecurity in your kernel is by
specifying:

    security.grsecurity.enable          = true;
    security.grsecurity.testing         = true;      # testing 3.13 kernel
    security.grsecurity.config.system   = "desktop"; # or "server"

This specifies absolutely no virtualisation support. In general, you
probably at least want KVM host support, which is a little more work.
So:

    security.grsecurity.enable = true;
    security.grsecurity.stable = true; # enable stable 3.2 kernel
    security.grsecurity.config = {
      system   = "server";
      priority = "security";
      virtualisationConfig   = "host";
      virtualisationSoftware = "kvm";
      hardwareVirtualisation = true;
    }

This module has primarily been tested on Hetzner EX40 & VQ7 servers
using NixOps.

Signed-off-by: Austin Seipp <aseipp@pobox.com>

1 files changed, 421 insertions, 0 deletions

diff --git a/nixos/modules/security/grsecurity.nix b/nixos/modules/security/grsecurity.nix
new file mode 100644
index 000000000000..1759413c5589
--- /dev/null
+++ b/nixos/modules/security/grsecurity.nix
@@ -0,0 +1,421 @@
+{ config, pkgs, ... }:
+
+with pkgs.lib;
+
+let
+  cfg = config.security.grsecurity;
+
+  mkKernel = kernel: patch:
+    assert patch.kversion == kernel.version;
+      { inherit kernel patch;
+        inherit (patch) grversion revision;
+      };
+
+  stable-patch = with pkgs.kernelPatches;
+    if cfg.vserver then grsecurity_vserver else grsecurity_stable;
+  stableKernel = mkKernel pkgs.linux_3_2  stable-patch;
+  testKernel   = mkKernel pkgs.linux_3_13 pkgs.kernelPatches.grsecurity_unstable;
+
+  ## -- grsecurity configuration -----------------------------------------------
+
+  grsecPrioCfg =
+    if cfg.config.priority == "security" then
+      "GRKERNSEC_CONFIG_PRIORITY_SECURITY y"
+    else
+      "GRKERNSEC_CONFIG_PRIORITY_PERF y";
+
+  grsecSystemCfg =
+    if cfg.config.system == "desktop" then
+      "GRKERNSEC_CONFIG_DESKTOP y"
+    else
+      "GRKERNSEC_CONFIG_SERVER y";
+
+  grsecVirtCfg =
+    if cfg.config.virtualisationConfig == "none" then
+      "GRKERNSEC_CONFIG_VIRT_NONE y"
+    else if cfg.config.virtualisationConfig == "host" then
+      "GRKERNSEC_CONFIG_VIRT_HOST y"
+    else
+      "GRKERNSEC_CONFIG_VIRT_GUEST y";
+
+  grsecHwvirtCfg = if cfg.config.virtualisationConfig == "none" then "" else
+    if cfg.config.hardwareVirtualisation == true then
+      "GRKERNSEC_CONFIG_VIRT_EPT y"
+    else
+      "GRKERNSEC_CONFIG_VIRT_SOFT y";
+
+  grsecVirtswCfg =
+    let virtCfg = opt: "GRKERNSEC_CONFIG_VIRT_"+opt+" y";
+    in
+      if cfg.config.virtualisationConfig == "none" then ""
+      else if cfg.config.virtualisationSoftware == "xen"    then virtCfg "XEN"
+      else if cfg.config.virtualisationSoftware == "kvm"    then virtCfg "KVM"
+      else if cfg.config.virtualisationSoftware == "vmware" then virtCfg "VMWARE"
+      else                                                       virtCfg "VIRTUALBOX";
+
+  grsecMainConfig = if cfg.config.mode == "custom" then "" else ''
+    GRKERNSEC_CONFIG_AUTO y
+    ${grsecPrioCfg}
+    ${grsecSystemCfg}
+    ${grsecVirtCfg}
+    ${grsecHwvirtCfg}
+    ${grsecVirtswCfg}
+  '';
+
+  grsecConfig =
+    let boolToKernOpt = b: if b then "y" else "n";
+        # Disable RANDSTRUCT under virtualbox, as it has some kind of
+        # breakage with the vbox guest drivers
+        randstruct = optionalString config.services.virtualbox.enable
+          "GRKERNSEC_RANDSTRUCT n";
+        # Disable restricting links under the testing kernel, as something
+        # has changed causing it to fail miserably during boot.
+        restrictLinks = optionalString cfg.testing
+          "GRKERNSEC_LINK n";
+    in ''
+      SECURITY_APPARMOR y
+      DEFAULT_SECURITY_APPARMOR y
+      GRKERNSEC y
+      ${grsecMainConfig}
+
+      GRKERNSEC_PROC_USER ${boolToKernOpt cfg.config.restrictProc}
+      ${if !cfg.config.restrictProc then ""
+        else "GRKERNSEC_PROC_GID "+(toString cfg.config.unrestrictProcGid)}
+
+      GRKERNSEC_SYSCTL ${boolToKernOpt cfg.config.sysctl}
+      GRKERNSEC_CHROOT_CHMOD ${boolToKernOpt cfg.config.denyChrootChmod}
+      GRKERNSEC_NO_RBAC ${boolToKernOpt cfg.config.disableRBAC}
+      ${randstruct}
+      ${restrictLinks}
+
+      ${cfg.config.kernelExtraConfig}
+    '';
+
+  ## -- grsecurity kernel packages ---------------------------------------------
+
+  localver = grkern:
+    "-grsec" + optionalString cfg.config.verboseVersion
+       "-${grkern.grversion}-${grkern.revision}";
+
+  grsecurityOverrider = args: grkern: {
+    # Apparently as of gcc 4.6, gcc-plugin headers (which are needed by PaX plugins)
+    # include libgmp headers, so we need these extra tweaks
+    buildInputs = args.buildInputs ++ [ pkgs.gmp ];
+    preConfigure = ''
+      ${args.preConfigure or ""}
+      sed -i 's|-I|-I${pkgs.gmp}/include -I|' scripts/gcc-plugin.sh
+      sed -i 's|HOST_EXTRACFLAGS +=|HOST_EXTRACFLAGS += -I${pkgs.gmp}/include|' tools/gcc/Makefile
+      sed -i 's|HOST_EXTRACXXFLAGS +=|HOST_EXTRACXXFLAGS += -I${pkgs.gmp}/include|' tools/gcc/Makefile
+      rm localversion-grsec
+      echo ${localver grkern} > localversion-grsec
+    '';
+  };
+
+  mkGrsecPkg = grkern:
+    let kernelPkg = lowPrio (overrideDerivation (grkern.kernel.override (args: {
+          kernelPatches = args.kernelPatches ++ [ grkern.patch pkgs.kernelPatches.grsec_fix_path ];
+          argsOverride = {
+            modDirVersion = "${grkern.kernel.modDirVersion}${localver grkern}";
+          };
+          extraConfig = grsecConfig;
+        })) (args: grsecurityOverrider args grkern));
+    in pkgs.linuxPackagesFor kernelPkg (mkGrsecPkg grkern);
+
+  grsecPackage = mkGrsecPkg (if cfg.stable then stableKernel else testKernel);
+in
+{
+  options = {
+    security.grsecurity = {
+      enable = mkOption {
+        type = types.bool;
+        default = false;
+        description = ''
+          Enable grsecurity support. This enables advanced exploit
+          hardening for the Linux kernel, and adds support for
+          administrative Role-Based Acess Control (RBAC) via
+          <literal>gradm</literal>. It also includes traditional
+          utilities for PaX.
+        '';
+      };
+
+      stable = mkOption {
+        type = types.bool;
+        default = false;
+        description = ''
+          Enable the stable grsecurity patch, based on Linux 3.2.
+        '';
+      };
+
+      vserver = mkOption {
+        type = types.bool;
+        default = false;
+        description = ''
+          Enable the stable grsecurity/vserver patches, based on Linux 3.2.
+        '';
+      };
+
+      testing = mkOption {
+        type = types.bool;
+        default = false;
+        description = ''
+          Enable the testing grsecurity patch, based on Linux 3.13.
+        '';
+      };
+
+      config = {
+        mode = mkOption {
+          type = types.str;
+          default = "auto";
+          example = "custom";
+          description = ''
+            grsecurity configuration mode. This specifies whether
+            grsecurity is auto-configured or otherwise completely
+            manually configured. Can either by
+            <literal>custom</literal> or <literal>auto</literal>.
+
+            <literal>auto</literal> is recommended.
+          '';
+        };
+
+        priority = mkOption {
+          type = types.str;
+          default = "security";
+          example = "performance";
+          description = ''
+            grsecurity configuration priority. This specifies whether
+            the kernel configuration should emphasize speed or
+            security. Can either by <literal>security</literal> or
+            <literal>performance</literal>.
+          '';
+        };
+
+        system = mkOption {
+          type = types.str;
+          default = "";
+          example = "desktop";
+          description = ''
+            grsecurity system configuration. This specifies whether
+            the kernel configuration should be suitable for a Desktop
+            or a Server. Can either by <literal>server</literal> or
+            <literal>desktop</literal>.
+          '';
+        };
+
+        virtualisationConfig = mkOption {
+          type = types.str;
+          default = "none";
+          example = "host";
+          description = ''
+            grsecurity virtualisation configuration. This specifies
+            the virtualisation role of the machine - that is, whether
+            it will be a virtual machine guest, a virtual machine
+            host, or neither. Can be one of <literal>none</literal>,
+            <literal>host</literal>, or <literal>guest</literal>.
+          '';
+        };
+
+        hardwareVirtualisation = mkOption {
+          type = types.nullOr types.bool;
+          default = null;
+          example = true;
+          description = ''
+            grsecurity hardware virtualisation configuration. Set to
+            <literal>true</literal> if your machine supports hardware
+            accelerated virtualisation.
+          '';
+        };
+
+        virtualisationSoftware = mkOption {
+          type = types.str;
+          default = "";
+          example = "kvm";
+          description = ''
+            grsecurity virtualisation software. Set this to the
+            specified virtual machine technology if the machine is
+            running as a guest, or a host.
+
+            Can be one of <literal>kvm</literal>,
+            <literal>xen</literal>, <literal>vmware</literal> or
+            <literal>virtualbox</literal>.
+          '';
+        };
+
+        sysctl = mkOption {
+          type = types.bool;
+          default = false;
+          description = ''
+            If true, then set <literal>GRKERN_SYSCTL y</literal>. If
+            enabled then grsecurity can be controlled using sysctl
+            (and turned off). You are advised to *never* enable this,
+            but if you do, make sure to always set the sysctl
+            <literal>kernel.grsecurity.grsec_lock</literal> to
+            non-zero as soon as all sysctl options are set. *THIS IS
+            EXTREMELY IMPORTANT*!
+
+            If disabled, this also turns off the
+            <literal>systemd-sysctl</literal> service.
+          '';
+        };
+
+        denyChrootChmod = mkOption {
+          type = types.bool;
+          default = false;
+          description = ''
+            If true, then set <literal>GRKERN_CHROOT_CHMOD
+            y</literal>. If enabled, this denies processes inside a
+            chroot from setting the suid or sgid bits using
+            <literal>chmod</literal> or <literal>fchmod</literal>.
+
+            By default this protection is disabled - it makes it
+            impossible to use Nix to build software on your system,
+            which is what most users want.
+
+            If you are using NixOps to deploy your software to a
+            remote machine, you're encouraged to enable this as you
+            won't need to compile code.
+          '';
+        };
+
+        restrictProc = mkOption {
+          type = types.bool;
+          default = true;
+          description = ''
+            If true, then set <literal>GRKERN_PROC_USER
+            y</literal>. This restricts non-root users to only viewing
+            their own processes and restricts network-related
+            information, kernel symbols, and module information.
+          '';
+        };
+
+        unrestrictProcGid = mkOption {
+          type = types.int;
+          default = config.ids.gids.grsecurity;
+          description = ''
+            If set, specifies a GID which is exempt from
+            <literal>/proc</literal> restrictions (set by
+            <literal>GRKERN_PROC_USER</literal>). By default, this is
+            set to the GID for <literal>grsecurity</literal>, a
+            predefined NixOS group, which the <literal>root</literal>
+            account is a member of. You may conveniently add other
+            users to this group if you need access to
+            <literal>/proc</literal>
+          '';
+        };
+
+        disableRBAC = mkOption {
+          type = types.bool;
+          default = false;
+          description = ''
+            If true, then set <literal>GRKERN_NO_RBAC
+            y</literal>. This disables the
+            <literal>/dev/grsec</literal> device, which in turn
+            disables the RBAC system (and <literal>gradm</literal>).
+          '';
+        };
+
+        verboseVersion = mkOption {
+          type = types.bool;
+          default = false;
+          description = "Use verbose version in kernel localversion.";
+        };
+
+        kernelExtraConfig = mkOption {
+          type = types.str;
+          default = "";
+          description = "Extra kernel configuration parameters.";
+        };
+      };
+    };
+  };
+
+  config = mkIf cfg.enable {
+    assertions =
+      [ { assertion = cfg.stable || cfg.testing;
+          message   = ''
+            If grsecurity is enabled, you must select either the
+            stable patch (with kernel 3.2), or the testing patch (with
+            kernel 3.13) to continue.
+          '';
+        }
+        { assertion = (cfg.stable -> !cfg.testing) || (cfg.testing -> !cfg.stable);
+          message   = ''
+            You must select either the stable or testing patch, not
+            both.
+          '';
+        }
+        { assertion = (cfg.testing -> !cfg.vserver);
+          message   = "The vserver patches are only supported in the stable kernel.";
+        }
+        { assertion = config.boot.kernelPackages.kernel.features ? grsecurity
+                   && config.boot.kernelPackages.kernel.features.grsecurity;
+          message = "grsecurity enabled, but kernel doesn't have grsec support";
+        }
+        { assertion = elem cfg.config.mode [ "auto" "custom" ];
+          message = "grsecurity mode must either be 'auto' or 'custom'.";
+        }
+        { assertion = cfg.config.mode == "auto" -> elem cfg.config.system [ "desktop" "server" ];
+          message = "when using auto grsec mode, system must be either 'desktop' or 'server'";
+        }
+        { assertion = cfg.config.mode == "auto" -> elem cfg.config.priority [ "performance" "security" ];
+          message = "when using auto grsec mode, priority must be 'performance' or 'security'.";
+        }
+        { assertion = cfg.config.mode == "auto" -> elem cfg.config.virtualisationConfig [ "host" "guest" "none" ];
+          message = "when using auto grsec mode, 'virt' must be 'host', 'guest' or 'none'.";
+        }
+        { assertion = (cfg.config.mode == "auto" && (elem cfg.config.virtualisationConfig [ "host" "guest" ])) ->
+              cfg.config.hardwareVirtualisation != null;
+          message   = "when using auto grsec mode with virtualisation, you must specify if your hardware has virtualisation extensions";
+        }
+        { assertion = (cfg.config.mode == "auto" && (elem cfg.config.virtualisationConfig [ "host" "guest" ])) ->
+              elem cfg.config.virtualisationSoftware [ "kvm" "xen" "virtualbox" "vmware" ];
+          message   = "virtualisation software must be 'kvm', 'xen', 'vmware' or 'virtualbox'";
+        }
+      ];
+
+    systemd.services.grsec-lock = mkIf cfg.config.sysctl {
+      description     = "grsecurity sysctl-lock Service";
+      requires        = [ "sysctl.service" ];
+      wantedBy        = [ "multi-user.target" ];
+      serviceConfig.Type = "oneshot";
+      serviceConfig.RemainAfterExit = "yes";
+      script = ''
+        locked=`cat /proc/sys/kernel/grsecurity/grsec_lock`
+        if [ "$locked" == "0" ]; then
+            echo 1 > /proc/sys/kernel/grsecurity/grsec_lock
+            echo grsecurity sysctl lock - enabled
+        else
+            echo grsecurity sysctl lock already enabled - doing nothing
+        fi
+      '';
+    };
+
+#   systemd.services.grsec-learn = {
+#     description     = "grsecurity learning Service";
+#     wantedBy        = [ "local-fs.target" ];
+#     serviceConfig   = {
+#       Type = "oneshot";
+#       RemainAfterExit = "yes";
+#       ExecStart = "${pkgs.gradm}/sbin/gradm -VFL /etc/grsec/learning.logs";
+#       ExecStop  = "${pkgs.gradm}/sbin/gradm -D";
+#     };
+#   };
+
+    system.activationScripts.grsec =
+      ''
+        mkdir -p /etc/grsec
+        if [ ! -f /etc/grsec/learn_config ]; then
+          cp ${pkgs.gradm}/etc/grsec/learn_config /etc/grsec
+        fi
+        if [ ! -f /etc/grsec/policy ]; then
+          cp ${pkgs.gradm}/etc/grsec/policy /etc/grsec
+        fi
+        chmod -R 0600 /etc/grsec
+      '';
+
+    # Enable apparmor support, gradm udev rules, and utilities
+    security.apparmor.enable   = true;
+    boot.kernelPackages        = grsecPackage;
+    services.udev.packages     = [ pkgs.gradm ];
+    environment.systemPackages = [ pkgs.gradm pkgs.paxctl pkgs.pax-utils ];
+  };
+}