diff options
author | Austin Seipp <aseipp@pobox.com> | 2014-04-06 14:18:12 -0500 |
---|---|---|
committer | Austin Seipp <aseipp@pobox.com> | 2014-04-11 22:43:51 -0500 |
commit | 172dc1336f108ee81b0f5f8b9be3d27706b1c032 (patch) | |
tree | b9d98f3710365ea9fdc6e57ae00f9ef1cdac2a95 /nixos/modules/security | |
parent | cf24cf1184ad6fc62292b9668c836e5a1435902c (diff) | |
download | nixlib-172dc1336f108ee81b0f5f8b9be3d27706b1c032.tar nixlib-172dc1336f108ee81b0f5f8b9be3d27706b1c032.tar.gz nixlib-172dc1336f108ee81b0f5f8b9be3d27706b1c032.tar.bz2 nixlib-172dc1336f108ee81b0f5f8b9be3d27706b1c032.tar.lz nixlib-172dc1336f108ee81b0f5f8b9be3d27706b1c032.tar.xz nixlib-172dc1336f108ee81b0f5f8b9be3d27706b1c032.tar.zst nixlib-172dc1336f108ee81b0f5f8b9be3d27706b1c032.zip |
nixos: add grsecurity module (#1875)
This module implements a significant refactoring in grsecurity configuration for NixOS, making it far more usable by default and much easier to configure. - New security.grsecurity NixOS attributes. - All grsec kernels supported - Allows default 'auto' grsec configuration, or custom config - Supports custom kernel options through kernelExtraConfig - Defaults to high-security - user must choose kernel, server/desktop mode, and any virtualisation software. That's all. - kptr_restrict is fixed under grsecurity (it's unwriteable) - grsecurity patch creation is now significantly abstracted - only need revision, version, and SHA1 - kernel version requirements are asserted for sanity - built kernels can have the uname specify the exact grsec version for development or bug reports. Off by default (requires `security.grsecurity.config.verboseVersion = true;`) - grsecurity sysctl support - By default, disabled. - For people who enable it, NixOS deploys a 'grsec-lock' systemd service which runs at startup. You are expected to configure sysctl through NixOS like you regularly would, which will occur before the service is started. As a result, changing sysctl settings requires a reboot. - New default group: 'grsecurity' - Root is a member by default - GRKERNSEC_PROC_GID is implicitly set to the 'grsecurity' GID, making it possible to easily add users to this group for /proc access - AppArmor is now automatically enabled where it wasn't before, despite implying features.apparmor = true The most trivial example of enabling grsecurity in your kernel is by specifying: security.grsecurity.enable = true; security.grsecurity.testing = true; # testing 3.13 kernel security.grsecurity.config.system = "desktop"; # or "server" This specifies absolutely no virtualisation support. In general, you probably at least want KVM host support, which is a little more work. So: security.grsecurity.enable = true; security.grsecurity.stable = true; # enable stable 3.2 kernel security.grsecurity.config = { system = "server"; priority = "security"; virtualisationConfig = "host"; virtualisationSoftware = "kvm"; hardwareVirtualisation = true; } This module has primarily been tested on Hetzner EX40 & VQ7 servers using NixOps. Signed-off-by: Austin Seipp <aseipp@pobox.com>
Diffstat (limited to 'nixos/modules/security')
-rw-r--r-- | nixos/modules/security/grsecurity.nix | 421 |
1 files changed, 421 insertions, 0 deletions
diff --git a/nixos/modules/security/grsecurity.nix b/nixos/modules/security/grsecurity.nix new file mode 100644 index 000000000000..1759413c5589 --- /dev/null +++ b/nixos/modules/security/grsecurity.nix @@ -0,0 +1,421 @@ +{ config, pkgs, ... }: + +with pkgs.lib; + +let + cfg = config.security.grsecurity; + + mkKernel = kernel: patch: + assert patch.kversion == kernel.version; + { inherit kernel patch; + inherit (patch) grversion revision; + }; + + stable-patch = with pkgs.kernelPatches; + if cfg.vserver then grsecurity_vserver else grsecurity_stable; + stableKernel = mkKernel pkgs.linux_3_2 stable-patch; + testKernel = mkKernel pkgs.linux_3_13 pkgs.kernelPatches.grsecurity_unstable; + + ## -- grsecurity configuration ----------------------------------------------- + + grsecPrioCfg = + if cfg.config.priority == "security" then + "GRKERNSEC_CONFIG_PRIORITY_SECURITY y" + else + "GRKERNSEC_CONFIG_PRIORITY_PERF y"; + + grsecSystemCfg = + if cfg.config.system == "desktop" then + "GRKERNSEC_CONFIG_DESKTOP y" + else + "GRKERNSEC_CONFIG_SERVER y"; + + grsecVirtCfg = + if cfg.config.virtualisationConfig == "none" then + "GRKERNSEC_CONFIG_VIRT_NONE y" + else if cfg.config.virtualisationConfig == "host" then + "GRKERNSEC_CONFIG_VIRT_HOST y" + else + "GRKERNSEC_CONFIG_VIRT_GUEST y"; + + grsecHwvirtCfg = if cfg.config.virtualisationConfig == "none" then "" else + if cfg.config.hardwareVirtualisation == true then + "GRKERNSEC_CONFIG_VIRT_EPT y" + else + "GRKERNSEC_CONFIG_VIRT_SOFT y"; + + grsecVirtswCfg = + let virtCfg = opt: "GRKERNSEC_CONFIG_VIRT_"+opt+" y"; + in + if cfg.config.virtualisationConfig == "none" then "" + else if cfg.config.virtualisationSoftware == "xen" then virtCfg "XEN" + else if cfg.config.virtualisationSoftware == "kvm" then virtCfg "KVM" + else if cfg.config.virtualisationSoftware == "vmware" then virtCfg "VMWARE" + else virtCfg "VIRTUALBOX"; + + grsecMainConfig = if cfg.config.mode == "custom" then "" else '' + GRKERNSEC_CONFIG_AUTO y + ${grsecPrioCfg} + ${grsecSystemCfg} + ${grsecVirtCfg} + ${grsecHwvirtCfg} + ${grsecVirtswCfg} + ''; + + grsecConfig = + let boolToKernOpt = b: if b then "y" else "n"; + # Disable RANDSTRUCT under virtualbox, as it has some kind of + # breakage with the vbox guest drivers + randstruct = optionalString config.services.virtualbox.enable + "GRKERNSEC_RANDSTRUCT n"; + # Disable restricting links under the testing kernel, as something + # has changed causing it to fail miserably during boot. + restrictLinks = optionalString cfg.testing + "GRKERNSEC_LINK n"; + in '' + SECURITY_APPARMOR y + DEFAULT_SECURITY_APPARMOR y + GRKERNSEC y + ${grsecMainConfig} + + GRKERNSEC_PROC_USER ${boolToKernOpt cfg.config.restrictProc} + ${if !cfg.config.restrictProc then "" + else "GRKERNSEC_PROC_GID "+(toString cfg.config.unrestrictProcGid)} + + GRKERNSEC_SYSCTL ${boolToKernOpt cfg.config.sysctl} + GRKERNSEC_CHROOT_CHMOD ${boolToKernOpt cfg.config.denyChrootChmod} + GRKERNSEC_NO_RBAC ${boolToKernOpt cfg.config.disableRBAC} + ${randstruct} + ${restrictLinks} + + ${cfg.config.kernelExtraConfig} + ''; + + ## -- grsecurity kernel packages --------------------------------------------- + + localver = grkern: + "-grsec" + optionalString cfg.config.verboseVersion + "-${grkern.grversion}-${grkern.revision}"; + + grsecurityOverrider = args: grkern: { + # Apparently as of gcc 4.6, gcc-plugin headers (which are needed by PaX plugins) + # include libgmp headers, so we need these extra tweaks + buildInputs = args.buildInputs ++ [ pkgs.gmp ]; + preConfigure = '' + ${args.preConfigure or ""} + sed -i 's|-I|-I${pkgs.gmp}/include -I|' scripts/gcc-plugin.sh + sed -i 's|HOST_EXTRACFLAGS +=|HOST_EXTRACFLAGS += -I${pkgs.gmp}/include|' tools/gcc/Makefile + sed -i 's|HOST_EXTRACXXFLAGS +=|HOST_EXTRACXXFLAGS += -I${pkgs.gmp}/include|' tools/gcc/Makefile + rm localversion-grsec + echo ${localver grkern} > localversion-grsec + ''; + }; + + mkGrsecPkg = grkern: + let kernelPkg = lowPrio (overrideDerivation (grkern.kernel.override (args: { + kernelPatches = args.kernelPatches ++ [ grkern.patch pkgs.kernelPatches.grsec_fix_path ]; + argsOverride = { + modDirVersion = "${grkern.kernel.modDirVersion}${localver grkern}"; + }; + extraConfig = grsecConfig; + })) (args: grsecurityOverrider args grkern)); + in pkgs.linuxPackagesFor kernelPkg (mkGrsecPkg grkern); + + grsecPackage = mkGrsecPkg (if cfg.stable then stableKernel else testKernel); +in +{ + options = { + security.grsecurity = { + enable = mkOption { + type = types.bool; + default = false; + description = '' + Enable grsecurity support. This enables advanced exploit + hardening for the Linux kernel, and adds support for + administrative Role-Based Acess Control (RBAC) via + <literal>gradm</literal>. It also includes traditional + utilities for PaX. + ''; + }; + + stable = mkOption { + type = types.bool; + default = false; + description = '' + Enable the stable grsecurity patch, based on Linux 3.2. + ''; + }; + + vserver = mkOption { + type = types.bool; + default = false; + description = '' + Enable the stable grsecurity/vserver patches, based on Linux 3.2. + ''; + }; + + testing = mkOption { + type = types.bool; + default = false; + description = '' + Enable the testing grsecurity patch, based on Linux 3.13. + ''; + }; + + config = { + mode = mkOption { + type = types.str; + default = "auto"; + example = "custom"; + description = '' + grsecurity configuration mode. This specifies whether + grsecurity is auto-configured or otherwise completely + manually configured. Can either by + <literal>custom</literal> or <literal>auto</literal>. + + <literal>auto</literal> is recommended. + ''; + }; + + priority = mkOption { + type = types.str; + default = "security"; + example = "performance"; + description = '' + grsecurity configuration priority. This specifies whether + the kernel configuration should emphasize speed or + security. Can either by <literal>security</literal> or + <literal>performance</literal>. + ''; + }; + + system = mkOption { + type = types.str; + default = ""; + example = "desktop"; + description = '' + grsecurity system configuration. This specifies whether + the kernel configuration should be suitable for a Desktop + or a Server. Can either by <literal>server</literal> or + <literal>desktop</literal>. + ''; + }; + + virtualisationConfig = mkOption { + type = types.str; + default = "none"; + example = "host"; + description = '' + grsecurity virtualisation configuration. This specifies + the virtualisation role of the machine - that is, whether + it will be a virtual machine guest, a virtual machine + host, or neither. Can be one of <literal>none</literal>, + <literal>host</literal>, or <literal>guest</literal>. + ''; + }; + + hardwareVirtualisation = mkOption { + type = types.nullOr types.bool; + default = null; + example = true; + description = '' + grsecurity hardware virtualisation configuration. Set to + <literal>true</literal> if your machine supports hardware + accelerated virtualisation. + ''; + }; + + virtualisationSoftware = mkOption { + type = types.str; + default = ""; + example = "kvm"; + description = '' + grsecurity virtualisation software. Set this to the + specified virtual machine technology if the machine is + running as a guest, or a host. + + Can be one of <literal>kvm</literal>, + <literal>xen</literal>, <literal>vmware</literal> or + <literal>virtualbox</literal>. + ''; + }; + + sysctl = mkOption { + type = types.bool; + default = false; + description = '' + If true, then set <literal>GRKERN_SYSCTL y</literal>. If + enabled then grsecurity can be controlled using sysctl + (and turned off). You are advised to *never* enable this, + but if you do, make sure to always set the sysctl + <literal>kernel.grsecurity.grsec_lock</literal> to + non-zero as soon as all sysctl options are set. *THIS IS + EXTREMELY IMPORTANT*! + + If disabled, this also turns off the + <literal>systemd-sysctl</literal> service. + ''; + }; + + denyChrootChmod = mkOption { + type = types.bool; + default = false; + description = '' + If true, then set <literal>GRKERN_CHROOT_CHMOD + y</literal>. If enabled, this denies processes inside a + chroot from setting the suid or sgid bits using + <literal>chmod</literal> or <literal>fchmod</literal>. + + By default this protection is disabled - it makes it + impossible to use Nix to build software on your system, + which is what most users want. + + If you are using NixOps to deploy your software to a + remote machine, you're encouraged to enable this as you + won't need to compile code. + ''; + }; + + restrictProc = mkOption { + type = types.bool; + default = true; + description = '' + If true, then set <literal>GRKERN_PROC_USER + y</literal>. This restricts non-root users to only viewing + their own processes and restricts network-related + information, kernel symbols, and module information. + ''; + }; + + unrestrictProcGid = mkOption { + type = types.int; + default = config.ids.gids.grsecurity; + description = '' + If set, specifies a GID which is exempt from + <literal>/proc</literal> restrictions (set by + <literal>GRKERN_PROC_USER</literal>). By default, this is + set to the GID for <literal>grsecurity</literal>, a + predefined NixOS group, which the <literal>root</literal> + account is a member of. You may conveniently add other + users to this group if you need access to + <literal>/proc</literal> + ''; + }; + + disableRBAC = mkOption { + type = types.bool; + default = false; + description = '' + If true, then set <literal>GRKERN_NO_RBAC + y</literal>. This disables the + <literal>/dev/grsec</literal> device, which in turn + disables the RBAC system (and <literal>gradm</literal>). + ''; + }; + + verboseVersion = mkOption { + type = types.bool; + default = false; + description = "Use verbose version in kernel localversion."; + }; + + kernelExtraConfig = mkOption { + type = types.str; + default = ""; + description = "Extra kernel configuration parameters."; + }; + }; + }; + }; + + config = mkIf cfg.enable { + assertions = + [ { assertion = cfg.stable || cfg.testing; + message = '' + If grsecurity is enabled, you must select either the + stable patch (with kernel 3.2), or the testing patch (with + kernel 3.13) to continue. + ''; + } + { assertion = (cfg.stable -> !cfg.testing) || (cfg.testing -> !cfg.stable); + message = '' + You must select either the stable or testing patch, not + both. + ''; + } + { assertion = (cfg.testing -> !cfg.vserver); + message = "The vserver patches are only supported in the stable kernel."; + } + { assertion = config.boot.kernelPackages.kernel.features ? grsecurity + && config.boot.kernelPackages.kernel.features.grsecurity; + message = "grsecurity enabled, but kernel doesn't have grsec support"; + } + { assertion = elem cfg.config.mode [ "auto" "custom" ]; + message = "grsecurity mode must either be 'auto' or 'custom'."; + } + { assertion = cfg.config.mode == "auto" -> elem cfg.config.system [ "desktop" "server" ]; + message = "when using auto grsec mode, system must be either 'desktop' or 'server'"; + } + { assertion = cfg.config.mode == "auto" -> elem cfg.config.priority [ "performance" "security" ]; + message = "when using auto grsec mode, priority must be 'performance' or 'security'."; + } + { assertion = cfg.config.mode == "auto" -> elem cfg.config.virtualisationConfig [ "host" "guest" "none" ]; + message = "when using auto grsec mode, 'virt' must be 'host', 'guest' or 'none'."; + } + { assertion = (cfg.config.mode == "auto" && (elem cfg.config.virtualisationConfig [ "host" "guest" ])) -> + cfg.config.hardwareVirtualisation != null; + message = "when using auto grsec mode with virtualisation, you must specify if your hardware has virtualisation extensions"; + } + { assertion = (cfg.config.mode == "auto" && (elem cfg.config.virtualisationConfig [ "host" "guest" ])) -> + elem cfg.config.virtualisationSoftware [ "kvm" "xen" "virtualbox" "vmware" ]; + message = "virtualisation software must be 'kvm', 'xen', 'vmware' or 'virtualbox'"; + } + ]; + + systemd.services.grsec-lock = mkIf cfg.config.sysctl { + description = "grsecurity sysctl-lock Service"; + requires = [ "sysctl.service" ]; + wantedBy = [ "multi-user.target" ]; + serviceConfig.Type = "oneshot"; + serviceConfig.RemainAfterExit = "yes"; + script = '' + locked=`cat /proc/sys/kernel/grsecurity/grsec_lock` + if [ "$locked" == "0" ]; then + echo 1 > /proc/sys/kernel/grsecurity/grsec_lock + echo grsecurity sysctl lock - enabled + else + echo grsecurity sysctl lock already enabled - doing nothing + fi + ''; + }; + +# systemd.services.grsec-learn = { +# description = "grsecurity learning Service"; +# wantedBy = [ "local-fs.target" ]; +# serviceConfig = { +# Type = "oneshot"; +# RemainAfterExit = "yes"; +# ExecStart = "${pkgs.gradm}/sbin/gradm -VFL /etc/grsec/learning.logs"; +# ExecStop = "${pkgs.gradm}/sbin/gradm -D"; +# }; +# }; + + system.activationScripts.grsec = + '' + mkdir -p /etc/grsec + if [ ! -f /etc/grsec/learn_config ]; then + cp ${pkgs.gradm}/etc/grsec/learn_config /etc/grsec + fi + if [ ! -f /etc/grsec/policy ]; then + cp ${pkgs.gradm}/etc/grsec/policy /etc/grsec + fi + chmod -R 0600 /etc/grsec + ''; + + # Enable apparmor support, gradm udev rules, and utilities + security.apparmor.enable = true; + boot.kernelPackages = grsecPackage; + services.udev.packages = [ pkgs.gradm ]; + environment.systemPackages = [ pkgs.gradm pkgs.paxctl pkgs.pax-utils ]; + }; +} |