diff options
author | Vladimír Čunát <vcunat@gmail.com> | 2017-09-03 10:51:11 +0200 |
---|---|---|
committer | Vladimír Čunát <vcunat@gmail.com> | 2017-09-03 10:51:11 +0200 |
commit | 37242d98de844e26d5cf84734372218355a42b75 (patch) | |
tree | fe37eac82b1538a072ae416d32049d778750a2df /nixos | |
parent | 825c08e368947e775278a74d58d269bb38c60c8f (diff) | |
parent | 0529e4d90885b4e911162e8f8be077ae22322eba (diff) | |
download | nixlib-37242d98de844e26d5cf84734372218355a42b75.tar nixlib-37242d98de844e26d5cf84734372218355a42b75.tar.gz nixlib-37242d98de844e26d5cf84734372218355a42b75.tar.bz2 nixlib-37242d98de844e26d5cf84734372218355a42b75.tar.lz nixlib-37242d98de844e26d5cf84734372218355a42b75.tar.xz nixlib-37242d98de844e26d5cf84734372218355a42b75.tar.zst nixlib-37242d98de844e26d5cf84734372218355a42b75.zip |
Merge branch 'master' into staging
Diffstat (limited to 'nixos')
-rw-r--r-- | nixos/doc/manual/release-notes/rl-1609.xml | 2 | ||||
-rw-r--r-- | nixos/doc/manual/release-notes/rl-1709.xml | 9 | ||||
-rw-r--r-- | nixos/modules/module-list.nix | 1 | ||||
-rw-r--r-- | nixos/modules/rename.nix | 20 | ||||
-rw-r--r-- | nixos/modules/security/chromium-suid-sandbox.nix | 3 | ||||
-rw-r--r-- | nixos/modules/security/grsecurity.nix | 169 | ||||
-rw-r--r-- | nixos/modules/security/grsecurity.xml | 385 | ||||
-rw-r--r-- | nixos/modules/services/continuous-integration/hydra/default.nix | 4 | ||||
-rw-r--r-- | nixos/modules/services/databases/postgresql.nix | 19 | ||||
-rw-r--r-- | nixos/modules/services/misc/gitlab.nix | 86 | ||||
-rw-r--r-- | nixos/modules/services/torrent/deluge.nix | 2 | ||||
-rw-r--r-- | nixos/modules/services/x11/desktop-managers/mate.nix | 5 | ||||
-rw-r--r-- | nixos/modules/system/boot/loader/systemd-boot/systemd-boot-builder.py | 29 | ||||
-rw-r--r-- | nixos/tests/hydra.nix | 32 |
14 files changed, 155 insertions, 611 deletions
diff --git a/nixos/doc/manual/release-notes/rl-1609.xml b/nixos/doc/manual/release-notes/rl-1609.xml index 3abafac97378..893f894f42fe 100644 --- a/nixos/doc/manual/release-notes/rl-1609.xml +++ b/nixos/doc/manual/release-notes/rl-1609.xml @@ -176,7 +176,7 @@ following incompatible changes:</para> streamlined. Desktop users should be able to simply set <programlisting>security.grsecurity.enable = true</programlisting> to get a reasonably secure system without having to sacrifice too much - functionality. See <xref linkend="sec-grsecurity" /> for documentation + functionality. </para></listitem> <listitem><para>Special filesystems, like <literal>/proc</literal>, diff --git a/nixos/doc/manual/release-notes/rl-1709.xml b/nixos/doc/manual/release-notes/rl-1709.xml index 88b28c291184..c275fe46d118 100644 --- a/nixos/doc/manual/release-notes/rl-1709.xml +++ b/nixos/doc/manual/release-notes/rl-1709.xml @@ -184,6 +184,15 @@ rmdir /var/lib/ipfs/.ipfs <literal>services.xserver.libinput.enable</literal>. </para> </listitem> + <listitem> + <para> + grsecurity/PaX support has been dropped, following upstream's + decision to cease free support. See + <link xlink:href="https://grsecurity.net/passing_the_baton.php"> + upstream's announcement</link> for more information. + No complete replacement for grsecurity/PaX is available presently. + </para> + </listitem> </itemizedlist> <para>Other notable improvements:</para> diff --git a/nixos/modules/module-list.nix b/nixos/modules/module-list.nix index 641a9e6095e5..cc7aa519478e 100644 --- a/nixos/modules/module-list.nix +++ b/nixos/modules/module-list.nix @@ -121,7 +121,6 @@ ./security/chromium-suid-sandbox.nix ./security/dhparams.nix ./security/duosec.nix - ./security/grsecurity.nix ./security/hidepid.nix ./security/lock-kernel-modules.nix ./security/oath.nix diff --git a/nixos/modules/rename.nix b/nixos/modules/rename.nix index 6b33eeb6e4e7..fcf4c32d2778 100644 --- a/nixos/modules/rename.nix +++ b/nixos/modules/rename.nix @@ -124,26 +124,6 @@ with lib; (mkRenamedOptionModule [ "services" "iodined" "extraConfig" ] [ "services" "iodine" "server" "extraConfig" ]) (mkRemovedOptionModule [ "services" "iodined" "client" ] "") - # Grsecurity - (mkRemovedOptionModule [ "security" "grsecurity" "kernelPatch" ] "") - (mkRemovedOptionModule [ "security" "grsecurity" "config" "mode" ] "") - (mkRemovedOptionModule [ "security" "grsecurity" "config" "priority" ] "") - (mkRemovedOptionModule [ "security" "grsecurity" "config" "system" ] "") - (mkRemovedOptionModule [ "security" "grsecurity" "config" "virtualisationConfig" ] "") - (mkRemovedOptionModule [ "security" "grsecurity" "config" "hardwareVirtualisation" ] "") - (mkRemovedOptionModule [ "security" "grsecurity" "config" "virtualisationSoftware" ] "") - (mkRemovedOptionModule [ "security" "grsecurity" "config" "sysctl" ] "") - (mkRemovedOptionModule [ "security" "grsecurity" "config" "denyChrootChmod" ] "") - (mkRemovedOptionModule [ "security" "grsecurity" "config" "denyChrootCaps" ] "") - (mkRemovedOptionModule [ "security" "grsecurity" "config" "denyUSB" ] "") - (mkRemovedOptionModule [ "security" "grsecurity" "config" "restrictProc" ] "") - (mkRemovedOptionModule [ "security" "grsecurity" "config" "restrictProcWithGroup" ] "") - (mkRemovedOptionModule [ "security" "grsecurity" "config" "unrestrictProcGid" ] "") - (mkRemovedOptionModule [ "security" "grsecurity" "config" "disableRBAC" ] "") - (mkRemovedOptionModule [ "security" "grsecurity" "config" "disableSimultConnect" ] "") - (mkRemovedOptionModule [ "security" "grsecurity" "config" "verboseVersion" ] "") - (mkRemovedOptionModule [ "security" "grsecurity" "config" "kernelExtraConfig" ] "") - # Unity3D (mkRenamedOptionModule [ "programs" "unity3d" "enable" ] [ "security" "chromiumSuidSandbox" "enable" ]) diff --git a/nixos/modules/security/chromium-suid-sandbox.nix b/nixos/modules/security/chromium-suid-sandbox.nix index 0458ffb6c46c..be6acb3f1f53 100644 --- a/nixos/modules/security/chromium-suid-sandbox.nix +++ b/nixos/modules/security/chromium-suid-sandbox.nix @@ -19,9 +19,6 @@ in Also, if the URL chrome://sandbox tells you that "You are not adequately sandboxed!", turning this on might resolve the issue. - - Finally, if you have <option>security.grsecurity</option> enabled and you - use Chromium, you probably need this. ''; }; diff --git a/nixos/modules/security/grsecurity.nix b/nixos/modules/security/grsecurity.nix deleted file mode 100644 index d23c7f2e86de..000000000000 --- a/nixos/modules/security/grsecurity.nix +++ /dev/null @@ -1,169 +0,0 @@ -{ config, pkgs, lib, ... }: - -with lib; - -let - cfg = config.security.grsecurity; - grsecLockPath = "/proc/sys/kernel/grsecurity/grsec_lock"; - - # Ascertain whether NixOS container support is required - containerSupportRequired = - config.boot.enableContainers && config.containers != {}; -in - -{ - meta = { - maintainers = with maintainers; [ ]; - doc = ./grsecurity.xml; - }; - - options.security.grsecurity = { - - enable = mkOption { - type = types.bool; - default = false; - description = '' - Enable grsecurity/PaX. - ''; - }; - - lockTunables = mkOption { - type = types.bool; - default = true; - description = '' - Whether to automatically lock grsecurity tunables - (<option>boot.kernel.sysctl."kernel.grsecurity.*"</option>). Disable - this to allow runtime configuration of grsecurity features. Activate - the <literal>grsec-lock</literal> service unit to prevent further - configuration until the next reboot. - ''; - }; - - disableEfiRuntimeServices = mkOption { - type = types.bool; - default = true; - description = '' - Whether to disable access to EFI runtime services. Enabling EFI runtime - services creates a venue for code injection attacks on the kernel and - should be disabled if at all possible. Changing this option enters into - effect upon reboot. - ''; - }; - - }; - - config = mkIf cfg.enable { - - boot.kernelPackages = mkForce pkgs.linuxPackages_grsec_nixos; - - boot.kernelParams = [ "grsec_sysfs_restrict=0" ] - ++ optional cfg.disableEfiRuntimeServices "noefi"; - - nixpkgs.config.grsecurity = true; - - # Install PaX related utillities into the system profile. - environment.systemPackages = with pkgs; [ gradm paxctl pax-utils ]; - - # Install rules for the grsec device node - services.udev.packages = [ pkgs.gradm ]; - - # This service unit is responsible for locking the grsecurity tunables. The - # unit is always defined, but only activated on bootup if lockTunables is - # toggled. When lockTunables is toggled, failure to activate the unit will - # enter emergency mode. The intent is to make it difficult to silently - # enter multi-user mode without having locked the tunables. Some effort is - # made to ensure that starting the unit is an idempotent operation. - systemd.services.grsec-lock = { - description = "Lock grsecurity tunables"; - - wantedBy = optional cfg.lockTunables "multi-user.target"; - - wants = [ "local-fs.target" "systemd-sysctl.service" ]; - after = [ "local-fs.target" "systemd-sysctl.service" ]; - conflicts = [ "shutdown.target" ]; - - restartIfChanged = false; - - script = '' - if ${pkgs.gnugrep}/bin/grep -Fq 0 ${grsecLockPath} ; then - echo -n 1 > ${grsecLockPath} - fi - ''; - - unitConfig = { - ConditionPathIsReadWrite = grsecLockPath; - DefaultDependencies = false; - } // optionalAttrs cfg.lockTunables { - OnFailure = "emergency.target"; - }; - - serviceConfig = { - Type = "oneshot"; - RemainAfterExit = true; - }; - }; - - # Configure system tunables - boot.kernel.sysctl = { - # Read-only under grsecurity - "kernel.kptr_restrict" = mkForce null; - - # All grsec tunables default to off, those not enabled below are - # *disabled*. We use mkDefault to allow expert users to override - # our choices, but use mkForce where tunables would outright - # conflict with other settings. - - # Enable all chroot restrictions by default (overwritten as - # necessary below) - "kernel.grsecurity.chroot_caps" = mkDefault 1; - "kernel.grsecurity.chroot_deny_bad_rename" = mkDefault 1; - "kernel.grsecurity.chroot_deny_chmod" = mkDefault 1; - "kernel.grsecurity.chroot_deny_chroot" = mkDefault 1; - "kernel.grsecurity.chroot_deny_fchdir" = mkDefault 1; - "kernel.grsecurity.chroot_deny_mknod" = mkDefault 1; - "kernel.grsecurity.chroot_deny_mount" = mkDefault 1; - "kernel.grsecurity.chroot_deny_pivot" = mkDefault 1; - "kernel.grsecurity.chroot_deny_shmat" = mkDefault 1; - "kernel.grsecurity.chroot_deny_sysctl" = mkDefault 1; - "kernel.grsecurity.chroot_deny_unix" = mkDefault 1; - "kernel.grsecurity.chroot_enforce_chdir" = mkDefault 1; - "kernel.grsecurity.chroot_findtask" = mkDefault 1; - "kernel.grsecurity.chroot_restrict_nice" = mkDefault 1; - - # Enable various grsec protections - "kernel.grsecurity.consistent_setxid" = mkDefault 1; - "kernel.grsecurity.deter_bruteforce" = mkDefault 1; - "kernel.grsecurity.fifo_restrictions" = mkDefault 1; - "kernel.grsecurity.harden_ipc" = mkDefault 1; - "kernel.grsecurity.harden_ptrace" = mkDefault 1; - "kernel.grsecurity.harden_tty" = mkDefault 1; - "kernel.grsecurity.ip_blackhole" = mkDefault 1; - "kernel.grsecurity.linking_restrictions" = mkDefault 1; - "kernel.grsecurity.ptrace_readexec" = mkDefault 1; - - # Enable auditing - "kernel.grsecurity.audit_ptrace" = mkDefault 1; - "kernel.grsecurity.forkfail_logging" = mkDefault 1; - "kernel.grsecurity.rwxmap_logging" = mkDefault 1; - "kernel.grsecurity.signal_logging" = mkDefault 1; - "kernel.grsecurity.timechange_logging" = mkDefault 1; - } // optionalAttrs config.nix.useSandbox { - # chroot(2) restrictions that conflict with sandboxed Nix builds - "kernel.grsecurity.chroot_caps" = mkForce 0; - "kernel.grsecurity.chroot_deny_chmod" = mkForce 0; - "kernel.grsecurity.chroot_deny_chroot" = mkForce 0; - "kernel.grsecurity.chroot_deny_mount" = mkForce 0; - "kernel.grsecurity.chroot_deny_pivot" = mkForce 0; - } // optionalAttrs containerSupportRequired { - # chroot(2) restrictions that conflict with NixOS lightweight containers - "kernel.grsecurity.chroot_caps" = mkForce 0; - "kernel.grsecurity.chroot_deny_chmod" = mkForce 0; - "kernel.grsecurity.chroot_deny_mount" = mkForce 0; - "kernel.grsecurity.chroot_restrict_nice" = mkForce 0; - # Disable privileged IO by default, unless X is enabled - } // optionalAttrs (!config.services.xserver.enable) { - "kernel.grsecurity.disable_priv_io" = mkDefault 1; - }; - - }; -} diff --git a/nixos/modules/security/grsecurity.xml b/nixos/modules/security/grsecurity.xml deleted file mode 100644 index 0a884b3f9b55..000000000000 --- a/nixos/modules/security/grsecurity.xml +++ /dev/null @@ -1,385 +0,0 @@ -<chapter xmlns="http://docbook.org/ns/docbook" - xmlns:xlink="http://www.w3.org/1999/xlink" - xmlns:xi="http://www.w3.org/2001/XInclude" - version="5.0" - xml:id="sec-grsecurity"> - - <title>Grsecurity/PaX</title> - - <para> - Grsecurity/PaX is a set of patches against the Linux kernel that - implements an extensive suite of - <link xlink:href="https://grsecurity.net/features.php">features</link> - designed to increase the difficulty of exploiting kernel and - application bugs. - </para> - - <para> - The NixOS grsecurity/PaX module is designed with casual users in mind and is - intended to be compatible with normal desktop usage, without - <emphasis>unnecessarily</emphasis> compromising security. The - following sections describe the configuration and administration of - a grsecurity/PaX enabled NixOS system. For more comprehensive - coverage, please refer to the - <link xlink:href="https://en.wikibooks.org/wiki/Grsecurity">grsecurity wikibook</link> - and the - <link xlink:href="https://wiki.archlinux.org/index.php/Grsecurity">Arch - Linux wiki page on grsecurity</link>. - - <warning><para>Upstream has ceased free support for grsecurity/PaX. See - <link xlink:href="https://grsecurity.net/passing_the_baton.php"> - the announcement</link> for more information. Consequently, NixOS - support for grsecurity/PaX also must cease. Enabling this module will - result in a build error.</para></warning> - <note><para>We standardise on a desktop oriented configuration primarily due - to lack of resources. The grsecurity/PaX configuration state space is huge - and each configuration requires quite a bit of testing to ensure that the - resulting packages work as advertised. Defining additional package sets - would likely result in a large number of functionally broken packages, to - nobody's benefit.</para></note> - </para> - - <sect1 xml:id="sec-grsec-enable"><title>Enabling grsecurity/PaX</title> - - <para> - To make use of grsecurity/PaX on NixOS, add the following to your - <filename>configuration.nix</filename>: - <programlisting> - security.grsecurity.enable = true; - </programlisting> - followed by - <programlisting> - # nixos-rebuild boot - # reboot - </programlisting> - <note><para> - Enabling the grsecurity module overrides - <option>boot.kernelPackages</option>, to reduce the risk of - misconfiguration. <xref linkend="sec-grsec-custom-kernel" /> - describes how to use a custom kernel package set. - </para></note> - - For most users, further configuration should be unnecessary. All users - are encouraged to look over <xref linkend="sec-grsec-security" /> before - using the system, however. If you experience problems, please refer to - <xref linkend="sec-grsec-issues" />. - </para> - - <para> - Once booted into the new system, you can optionally use - <command>paxtest</command> to exercise various PaX features: - <screen><![CDATA[ - # nix-shell -p paxtest --command 'paxtest blackhat' - Executable anonymous mapping : Killed - Executable bss : Killed - # ... remaining output truncated for brevity - ]]></screen> - </para> - - </sect1> - - <sect1 xml:id="sec-grsec-declarative-tuning"><title>Declarative tuning</title> - - <para> - The default configuration mode is strictly declarative. Some features - simply cannot be changed at all after boot, while others are locked once the - system is up and running. Moreover, changes to the configuration enter - into effect only upon booting into the new system. - </para> - - <para> - The NixOS module exposes a limited number of options for tuning the behavior - of grsecurity/PaX. These are options thought to be of particular interest - to most users. For experts, further tuning is possible via - <option>boot.kernelParams</option> (see - <xref linkend="sec-grsec-kernel-params" />) and - <option>boot.kernel.sysctl."kernel.grsecurity.*"</option> (the wikibook - contains an <link xlink:href="https://en.wikibooks.org/wiki/Grsecurity/Appendix/Sysctl_Options"> - exhaustive listing of grsecurity sysctl tunables</link>). - </para> - - </sect1> - - <sect1 xml:id="sec-grsec-manual-tuning"><title>Manual tuning</title> - - <para> - To permit manual tuning of grsecurity runtime parameters, set: - <programlisting> - security.grsecurity.lockTunables = false; - </programlisting> - Once booted into this system, grsecurity features that have a corresponding - sysctl tunable can be changed without rebooting, either by switching into - a new system profile or via the <command>sysctl</command> utility. - </para> - - <para> - To lock all grsecurity tunables until the next boot, do: - <screen> - # systemctl start grsec-lock - </screen> - </para> - - </sect1> - - <sect1 xml:id="sec-grsec-security"><title>Security considerations</title> - - <para> - The NixOS kernel is built using upstream's recommended settings for a - desktop deployment that generally favours security over performance. This - section details deviations from upstream's recommendations that may - compromise security. - - <warning><para>There may be additional problems not covered here!</para> - </warning> - </para> - - <itemizedlist> - - <listitem><para> - The following hardening features are disabled in the NixOS kernel: - <itemizedlist> - <listitem><para>Kernel symbol hiding: rendered useless by redistributing - kernel objects.</para></listitem> - - <listitem><para>Randomization of kernel structures: rendered useless by - redistributing kernel objects.</para></listitem> - - <listitem><para>TCP simultaneous OPEN connection is permitted: breaking - strict TCP conformance is inappropriate for a general purpose kernel. - The trade-off is that an attacker may be able to deny outgoing - connections if they are able to guess the source port allocated by your - OS for that connection <emphasis>and</emphasis> also manage to initiate - a TCP simultaneous OPEN on that port before the connection is actually - established.</para></listitem> - - <listitem><para>Trusted path execution: a desirable feature, but - requires some more work to operate smoothly on NixOS.</para></listitem> - </itemizedlist> - </para></listitem> - - <listitem><para> - The NixOS module conditionally weakens <command>chroot</command> - restrictions to accommodate NixOS lightweight containers and sandboxed Nix - builds. This can be problematic if the deployment also runs privileged - network facing processes that <emphasis>rely</emphasis> on - <command>chroot</command> for isolation. - </para></listitem> - - <listitem><para> - The NixOS kernel is patched to allow usermode helpers from anywhere in the - Nix store. A usermode helper is an executable called by the kernel in - certain circumstances, e.g., <command>modprobe</command>. Vanilla - grsecurity only allows usermode helpers from paths typically owned by the - super user. The NixOS kernel allows an attacker to inject malicious code - into the Nix store which could then be executed by the kernel as a - usermode helper. - </para></listitem> - - <listitem><para> - The following features are disabled because they overlap with - vanilla kernel mechanisms: - - <itemizedlist> - <listitem><para><filename class="directory">/proc</filename> hardening: - use <option>security.hideProcessInformation</option> instead. This - trades weaker protection for greater compatibility. - </para></listitem> - - <listitem><para><command>dmesg</command> restrictions: - use <option>boot.kernel.sysctl."kernel.dmesg_restrict"</option> instead - </para></listitem> - </itemizedlist> - </para></listitem> - - </itemizedlist> - - </sect1> - - <sect1 xml:id="sec-grsec-custom-kernel"><title>Using a custom grsecurity/PaX kernel</title> - - <para> - The NixOS kernel is likely to be either too permissive or too restrictive - for many deployment scenarios. In addition to producing a kernel more - suitable for a particular deployment, a custom kernel may improve security - by depriving an attacker the ability to study the kernel object code, adding - yet more guesswork to successfully carry out certain exploits. - </para> - - <para> - To build a custom kernel using upstream's recommended settings for server - deployments, while still using the NixOS module: - <programlisting> - nixpkgs.config.packageOverrides = super: { - linux_grsec_nixos = super.linux_grsec_nixos.override { - extraConfig = '' - GRKERNSEC_CONFIG_AUTO y - GRKERNSEC_CONFIG_SERVER y - GRKERNSEC_CONFIG_SECURITY y - ''; - }; - }; - </programlisting> - </para> - - <para> - The grsecurity/PaX wikibook provides an exhaustive listing of - <link xlink:href="https://en.wikibooks.org/wiki/Grsecurity/Appendix/Grsecurity_and_PaX_Configuration_Options">kernel configuration options</link>. - </para> - - <para> - The NixOS module makes several assumptions about the kernel and so - may be incompatible with your customised kernel. Currently, the only way - to work around these incompatibilities is to eschew the NixOS - module. - </para> - - <para> - If not using the NixOS module, a custom grsecurity package set can - be specified inline instead, as in - <programlisting> - boot.kernelPackages = - let - kernel = pkgs.linux_grsec_nixos.override { - extraConfig = /* as above */; - }; - self = pkgs.linuxPackagesFor kernel self; - in self; - </programlisting> - </para> - - </sect1> - - <sect1 xml:id="sec-grsec-pax-flags"><title>Per-executable PaX flags</title> - - <para> - Manual tuning of per-file PaX flags for executables in the Nix store is - impossible on a properly configured system. If a package in Nixpkgs fails - due to PaX, that is a bug in the package recipe and should be reported to - the maintainer (including relevant <command>dmesg</command> output). - </para> - - <para> - For executables installed outside of the Nix store, PaX flags can be set - using the <command>paxctl</command> utility: - <programlisting> - paxctl -czem <replaceable>foo</replaceable> - </programlisting> - - <warning> - <para><command>paxctl</command> overwrites files in-place.</para> - </warning> - - Equivalently, on file systems that support extended attributes: - <programlisting> - setfattr -n user.pax.flags -v em <replaceable>foo</replaceable> - </programlisting> - - <!-- TODO: PaX flags via RBAC policy --> - </para> - - </sect1> - - <sect1 xml:id="sec-grsec-issues"><title>Issues and work-arounds</title> - - <itemizedlist> - <listitem><para>User namespaces require <literal>CAP_SYS_ADMIN</literal>: - consequently, unprivileged namespaces are unsupported. Applications that - rely on namespaces for sandboxing must use a privileged helper. For chromium - there is <option>security.chromiumSuidSandbox.enable</option>.</para></listitem> - - <listitem><para>Access to EFI runtime services is disabled by default: - this plugs a potential code injection attack vector; use - <option>security.grsecurity.disableEfiRuntimeServices</option> to override - this behavior.</para></listitem> - - <listitem><para>User initiated autoloading of modules (e.g., when - using fuse or loop devices) is disallowed; either load requisite modules - as root or add them to <option>boot.kernelModules</option>.</para></listitem> - - <listitem><para>Virtualization: KVM is the preferred virtualization - solution. Xen, Virtualbox, and VMWare are - <emphasis>unsupported</emphasis> and most likely require a custom kernel. - </para></listitem> - - <listitem><para> - Attaching <command>gdb</command> to a running process is disallowed by - default: unprivileged users can only ptrace processes that are children of - the ptracing process. To relax this restriction, set - <programlisting> - boot.kernel.sysctl."kernel.grsecurity.harden_ptrace" = 0; - </programlisting> - </para></listitem> - - <listitem><para> - Overflows in boot critical code (e.g., the root filesystem module) can - render the system unbootable. Work around by setting - <programlisting> - boot.kernelParams = [ "pax_size_overflow_report_only" ]; - </programlisting> - </para></listitem> - - <listitem><para> - The <citerefentry><refentrytitle>modify_ldt - </refentrytitle><manvolnum>2</manvolnum></citerefentry> syscall is disabled - by default. This restriction can interfere with programs designed to run - legacy 16-bit or segmented 32-bit code. To support applications that rely - on this syscall, set - <programlisting> - boot.kernel.sysctl."kernel.modify_ldt" = 1; - </programlisting> - </para></listitem> - - <listitem><para> - The gitlab service (<xref linkend="module-services-gitlab" />) - requires a variant of the <literal>ruby</literal> interpreter - built without `mprotect()` hardening, as in - <programlisting> - services.gitlab.packages.gitlab = pkgs.gitlab.override { - ruby = pkgs.ruby.overrideAttrs (attrs: { - postFixup = "paxmark m $out/bin/ruby"; - }); - }; - </programlisting> - </para></listitem> - - </itemizedlist> - - </sect1> - - <sect1 xml:id="sec-grsec-kernel-params"><title>Grsecurity/PaX kernel parameters</title> - - <para> - The NixOS kernel supports the following kernel command line parameters: - <itemizedlist> - <listitem><para> - <literal>pax_nouderef</literal>: disable UDEREF (separate kernel and - user address spaces). - </para></listitem> - - <listitem><para> - <literal>pax_weakuderef</literal>: enable a faster but - weaker variant of UDEREF on 64-bit processors with PCID support - (check <code>grep pcid /proc/cpuinfo</code>). - </para></listitem> - - <listitem><para> - <literal>pax_sanitize_slab={off|fast|full}</literal>: control kernel - slab object sanitization. Defaults to <literal>fast</literal> - </para></listitem> - - <listitem><para> - <literal>pax_size_overflow_report_only</literal>: log size overflow - violations but leave the violating task running - </para></listitem> - - <listitem><para> - <literal>grsec_sysfs_restrict=[0|1]</literal>: toggle sysfs - restrictions. The NixOS module sets this to <literal>0</literal> - for systemd compatibility - </para></listitem> - </itemizedlist> - </para> - - </sect1> - -</chapter> diff --git a/nixos/modules/services/continuous-integration/hydra/default.nix b/nixos/modules/services/continuous-integration/hydra/default.nix index fcc0f58637c4..43fec5ff5bb2 100644 --- a/nixos/modules/services/continuous-integration/hydra/default.nix +++ b/nixos/modules/services/continuous-integration/hydra/default.nix @@ -270,8 +270,8 @@ in ${optionalString haveLocalDB '' if ! [ -e ${baseDir}/.db-created ]; then - ${config.services.postgresql.package}/bin/createuser hydra - ${config.services.postgresql.package}/bin/createdb -O hydra hydra + ${pkgs.sudo}/bin/sudo -u ${config.services.postgresql.superUser} ${config.services.postgresql.package}/bin/createuser hydra + ${pkgs.sudo}/bin/sudo -u ${config.services.postgresql.superUser} ${config.services.postgresql.package}/bin/createdb -O hydra hydra touch ${baseDir}/.db-created fi ''} diff --git a/nixos/modules/services/databases/postgresql.nix b/nixos/modules/services/databases/postgresql.nix index d06e03a52978..1bbab3296005 100644 --- a/nixos/modules/services/databases/postgresql.nix +++ b/nixos/modules/services/databases/postgresql.nix @@ -38,9 +38,6 @@ let pre84 = versionOlder (builtins.parseDrvName postgresql.name).version "8.4"; - # NixOS traditionally used `root` as superuser, most other distros use `postgres`. From 17.09 - # we also try to follow this standard - superuser = (if versionAtLeast config.system.stateVersion "17.09" then "postgres" else "root"); in @@ -151,6 +148,16 @@ in Contents of the <filename>recovery.conf</filename> file. ''; }; + superUser = mkOption { + type = types.str; + default= if versionAtLeast config.system.stateVersion "17.09" then "postgres" else "root"; + internal = true; + description = '' + NixOS traditionally used `root` as superuser, most other distros use `postgres`. + From 17.09 we also try to follow this standard. Internal since changing this value + would lead to breakage while setting up databases. + ''; + }; }; }; @@ -215,7 +222,7 @@ in '' # Initialise the database. if ! test -e ${cfg.dataDir}/PG_VERSION; then - initdb -U ${superuser} + initdb -U ${cfg.superUser} # See postStart! touch "${cfg.dataDir}/.first_startup" fi @@ -247,14 +254,14 @@ in # Wait for PostgreSQL to be ready to accept connections. postStart = '' - while ! ${pkgs.sudo}/bin/sudo -u ${superuser} psql --port=${toString cfg.port} -d postgres -c "" 2> /dev/null; do + while ! ${pkgs.sudo}/bin/sudo -u ${cfg.superUser} psql --port=${toString cfg.port} -d postgres -c "" 2> /dev/null; do if ! kill -0 "$MAINPID"; then exit 1; fi sleep 0.1 done if test -e "${cfg.dataDir}/.first_startup"; then ${optionalString (cfg.initialScript != null) '' - ${pkgs.sudo}/bin/sudo -u ${superuser} psql -f "${cfg.initialScript}" --port=${toString cfg.port} -d postgres + ${pkgs.sudo}/bin/sudo -u ${cfg.superUser} psql -f "${cfg.initialScript}" --port=${toString cfg.port} -d postgres ''} rm -f "${cfg.dataDir}/.first_startup" fi diff --git a/nixos/modules/services/misc/gitlab.nix b/nixos/modules/services/misc/gitlab.nix index ccc1854d2548..fcb7aaa62716 100644 --- a/nixos/modules/services/misc/gitlab.nix +++ b/nixos/modules/services/misc/gitlab.nix @@ -10,10 +10,12 @@ let ruby = cfg.packages.gitlab.ruby; bundler = pkgs.bundler; - gemHome = "${cfg.packages.gitlab.env}/${ruby.gemPath}"; + gemHome = "${cfg.packages.gitlab.ruby-env}/${ruby.gemPath}"; gitlabSocket = "${cfg.statePath}/tmp/sockets/gitlab.socket"; + gitalySocket = "${cfg.statePath}/tmp/sockets/gitaly.socket"; pathUrlQuote = url: replaceStrings ["/"] ["%2F"] url; + pgSuperUser = config.services.postgresql.superUser; databaseYml = '' production: @@ -25,6 +27,17 @@ let encoding: utf8 ''; + gitalyToml = pkgs.writeText "gitaly.toml" '' + socket_path = "${lib.escape ["\""] gitalySocket}" + # prometheus metrics + + ${concatStringsSep "\n" (attrValues (mapAttrs (k: v: '' + [[storage]] + name = "${lib.escape ["\""] k}" + path = "${lib.escape ["\""] v.path}" + '') gitlabConfig.production.repositories.storages))} + ''; + gitlabShellYml = '' user: ${cfg.user} gitlab_url: "http+unix://${pathUrlQuote gitlabSocket}" @@ -46,6 +59,7 @@ let secret_key_base: ${cfg.secrets.secret} otp_key_base: ${cfg.secrets.otp} db_key_base: ${cfg.secrets.db} + jws_private_key: ${builtins.toJSON cfg.secrets.jws} ''; gitlabConfig = { @@ -69,7 +83,8 @@ let container_registry = true; }; }; - repositories.storages.default = "${cfg.statePath}/repositories"; + repositories.storages.default.path = "${cfg.statePath}/repositories"; + repositories.storages.default.gitaly_address = "unix:${gitalySocket}"; artifacts.enabled = true; lfs.enabled = true; gravatar.enabled = true; @@ -105,9 +120,9 @@ let GITLAB_UPLOADS_PATH = "${cfg.statePath}/uploads"; GITLAB_LOG_PATH = "${cfg.statePath}/log"; GITLAB_SHELL_PATH = "${cfg.packages.gitlab-shell}"; - GITLAB_SHELL_CONFIG_PATH = "${cfg.statePath}/shell/config.yml"; + GITLAB_SHELL_CONFIG_PATH = "${cfg.statePath}/home/config.yml"; GITLAB_SHELL_SECRET_PATH = "${cfg.statePath}/config/gitlab_shell_secret"; - GITLAB_SHELL_HOOKS_PATH = "${cfg.statePath}/shell/hooks"; + GITLAB_SHELL_HOOKS_PATH = "${cfg.statePath}/home/hooks"; RAILS_ENV = "production"; }; @@ -115,15 +130,15 @@ let gitlab-rake = pkgs.stdenv.mkDerivation rec { name = "gitlab-rake"; - buildInputs = [ cfg.packages.gitlab cfg.packages.gitlab.env pkgs.makeWrapper ]; + buildInputs = [ cfg.packages.gitlab cfg.packages.gitlab.ruby-env pkgs.makeWrapper ]; phases = "installPhase fixupPhase"; buildPhase = ""; installPhase = '' mkdir -p $out/bin - makeWrapper ${cfg.packages.gitlab.env}/bin/bundle $out/bin/gitlab-bundle \ + makeWrapper ${cfg.packages.gitlab.ruby-env}/bin/bundle $out/bin/gitlab-bundle \ ${concatStrings (mapAttrsToList (name: value: "--set ${name} '${value}' ") gitlabEnv)} \ --set GITLAB_CONFIG_PATH '${cfg.statePath}/config' \ - --set PATH '${lib.makeBinPath [ pkgs.nodejs pkgs.gzip config.services.postgresql.package ]}:$PATH' \ + --set PATH '${lib.makeBinPath [ pkgs.nodejs pkgs.gzip pkgs.git pkgs.gnutar config.services.postgresql.package ]}:$PATH' \ --set RAKEOPT '-f ${cfg.packages.gitlab}/share/gitlab/Rakefile' \ --run 'cd ${cfg.packages.gitlab}/share/gitlab' makeWrapper $out/bin/gitlab-bundle $out/bin/gitlab-rake \ @@ -182,6 +197,13 @@ in { description = "Reference to the gitlab-workhorse package"; }; + packages.gitaly = mkOption { + type = types.package; + default = pkgs.gitaly; + defaultText = "pkgs.gitaly"; + description = "Reference to the gitaly package"; + }; + statePath = mkOption { type = types.str; default = "/var/gitlab/state"; @@ -359,6 +381,19 @@ in { ''; }; + secrets.jws = mkOption { + type = types.str; + description = '' + The secret is used to encrypt session keys. If you change or lose + this key, users will be disconnected. + + Make sure the secret is an RSA private key in PEM format. You can + generate one with + + openssl genrsa 2048openssl genpkey -algorithm RSA -out - -pkeyopt rsa_keygen_bits:2048 + ''; + }; + extraConfig = mkOption { type = types.attrs; default = {}; @@ -428,7 +463,24 @@ in { TimeoutSec = "300"; Restart = "on-failure"; WorkingDirectory = "${cfg.packages.gitlab}/share/gitlab"; - ExecStart="${cfg.packages.gitlab.env}/bin/bundle exec \"sidekiq -C \"${cfg.packages.gitlab}/share/gitlab/config/sidekiq_queues.yml\" -e production -P ${cfg.statePath}/tmp/sidekiq.pid\""; + ExecStart="${cfg.packages.gitlab.ruby-env}/bin/bundle exec \"sidekiq -C \"${cfg.packages.gitlab}/share/gitlab/config/sidekiq_queues.yml\" -e production -P ${cfg.statePath}/tmp/sidekiq.pid\""; + }; + }; + + systemd.services.gitaly = { + after = [ "network.target" "gitlab.service" ]; + wantedBy = [ "multi-user.target" ]; + environment.HOME = gitlabEnv.HOME; + path = with pkgs; [ gitAndTools.git ]; + serviceConfig = { + #PermissionsStartOnly = true; # preStart must be run as root + Type = "simple"; + User = cfg.user; + Group = cfg.group; + TimeoutSec = "300"; + Restart = "on-failure"; + WorkingDirectory = gitlabEnv.HOME; + ExecStart = "${cfg.packages.gitaly}/bin/gitaly ${gitalyToml}"; }; }; @@ -477,6 +529,7 @@ in { gitAndTools.git openssh nodejs + procps ]; preStart = '' mkdir -p ${cfg.backupPath} @@ -486,12 +539,11 @@ in { mkdir -p ${gitlabConfig.production.shared.path}/lfs-objects mkdir -p ${gitlabConfig.production.shared.path}/pages mkdir -p ${cfg.statePath}/log - mkdir -p ${cfg.statePath}/shell mkdir -p ${cfg.statePath}/tmp/pids mkdir -p ${cfg.statePath}/tmp/sockets - rm -rf ${cfg.statePath}/config ${cfg.statePath}/shell/hooks - mkdir -p ${cfg.statePath}/config ${cfg.statePath}/shell + rm -rf ${cfg.statePath}/config ${cfg.statePath}/home/hooks + mkdir -p ${cfg.statePath}/config tr -dc A-Za-z0-9 < /dev/urandom | head -c 32 > ${cfg.statePath}/config/gitlab_shell_secret @@ -507,7 +559,6 @@ in { mkdir -p ${gitlabEnv.HOME}/.ssh touch ${gitlabEnv.HOME}/.ssh/authorized_keys chown -R ${cfg.user}:${cfg.group} ${gitlabEnv.HOME}/ - chmod -R u+rwX,go-rwx+X ${gitlabEnv.HOME}/ cp -rf ${cfg.packages.gitlab}/share/gitlab/config.dist/* ${cfg.statePath}/config ${optionalString cfg.smtp.enable '' @@ -532,14 +583,14 @@ in { if [ "${cfg.databaseHost}" = "127.0.0.1" ]; then if ! test -e "${cfg.statePath}/db-created"; then - psql postgres -c "CREATE ROLE ${cfg.databaseUsername} WITH LOGIN NOCREATEDB NOCREATEROLE NOCREATEUSER ENCRYPTED PASSWORD '${cfg.databasePassword}'" - ${config.services.postgresql.package}/bin/createdb --owner ${cfg.databaseUsername} ${cfg.databaseName} || true + ${pkgs.sudo}/bin/sudo -u ${pgSuperUser} psql postgres -c "CREATE ROLE ${cfg.databaseUsername} WITH LOGIN NOCREATEDB NOCREATEROLE ENCRYPTED PASSWORD '${cfg.databasePassword}'" + ${pkgs.sudo}/bin/sudo -u ${pgSuperUser} ${config.services.postgresql.package}/bin/createdb --owner ${cfg.databaseUsername} ${cfg.databaseName} touch "${cfg.statePath}/db-created" fi fi # enable required pg_trgm extension for gitlab - psql gitlab -c "CREATE EXTENSION IF NOT EXISTS pg_trgm" + ${pkgs.sudo}/bin/sudo -u ${pgSuperUser} psql gitlab -c "CREATE EXTENSION IF NOT EXISTS pg_trgm" # Always do the db migrations just to be sure the database is up-to-date ${gitlab-rake}/bin/gitlab-rake db:migrate RAILS_ENV=production @@ -555,7 +606,8 @@ in { # Change permissions in the last step because some of the # intermediary scripts like to create directories as root. chown -R ${cfg.user}:${cfg.group} ${cfg.statePath} - chmod -R u+rwX,go-rwx+X ${cfg.statePath} + chmod -R ug+rwX,o-rwx+X ${cfg.statePath} + chmod -R u+rwX,go-rwx+X ${gitlabEnv.HOME} ''; serviceConfig = { @@ -566,7 +618,7 @@ in { TimeoutSec = "300"; Restart = "on-failure"; WorkingDirectory = "${cfg.packages.gitlab}/share/gitlab"; - ExecStart = "${cfg.packages.gitlab.env}/bin/bundle exec \"unicorn -c ${cfg.statePath}/config/unicorn.rb -E production\""; + ExecStart = "${cfg.packages.gitlab.ruby-env}/bin/bundle exec \"unicorn -c ${cfg.statePath}/config/unicorn.rb -E production\""; }; }; diff --git a/nixos/modules/services/torrent/deluge.nix b/nixos/modules/services/torrent/deluge.nix index 1ea6bf88d7ae..ec1e97f4125e 100644 --- a/nixos/modules/services/torrent/deluge.nix +++ b/nixos/modules/services/torrent/deluge.nix @@ -57,7 +57,7 @@ in { after = [ "network.target" ]; description = "Deluge BitTorrent WebUI"; wantedBy = [ "multi-user.target" ]; - path = [ pkgs.pythonPackages.deluge ]; + path = [ pkgs.deluge ]; serviceConfig.ExecStart = "${pkgs.deluge}/bin/deluge --ui web"; serviceConfig.User = "deluge"; serviceConfig.Group = "deluge"; diff --git a/nixos/modules/services/x11/desktop-managers/mate.nix b/nixos/modules/services/x11/desktop-managers/mate.nix index 1230d9cf534d..7a95ac6549d8 100644 --- a/nixos/modules/services/x11/desktop-managers/mate.nix +++ b/nixos/modules/services/x11/desktop-managers/mate.nix @@ -60,10 +60,7 @@ in ''; }; - environment.systemPackages = [ - pkgs.hicolor_icon_theme - pkgs.mate.mate-icon-theme - ] ++ + environment.systemPackages = pkgs.mate.basePackages ++ (removePackagesByName pkgs.mate.extraPackages diff --git a/nixos/modules/system/boot/loader/systemd-boot/systemd-boot-builder.py b/nixos/modules/system/boot/loader/systemd-boot/systemd-boot-builder.py index 779005c0df52..3333569c36be 100644 --- a/nixos/modules/system/boot/loader/systemd-boot/systemd-boot-builder.py +++ b/nixos/modules/system/boot/loader/systemd-boot/systemd-boot-builder.py @@ -12,6 +12,9 @@ import warnings import ctypes libc = ctypes.CDLL("libc.so.6") import re +import datetime +import glob +import os.path def copy_if_not_exists(source, dest): if not os.path.exists(dest): @@ -24,7 +27,7 @@ def system_dir(profile, generation): return "/nix/var/nix/profiles/system-%d-link" % (generation) BOOT_ENTRY = """title NixOS{profile} -version Generation {generation} +version Generation {generation} {description} linux {kernel} initrd {initrd} options {kernel_params} @@ -54,6 +57,26 @@ def copy_from_profile(profile, generation, name, dry_run=False): copy_if_not_exists(store_file_path, "@efiSysMountPoint@%s" % (efi_file_path)) return efi_file_path +def describe_generation(generation_dir): + try: + with open("%s/nixos-version" % generation_dir) as f: + nixos_version = f.read() + except IOError: + nixos_version = "Unknown" + + kernel_dir = os.path.dirname(os.path.realpath("%s/kernel" % generation_dir)) + module_dir = glob.glob("%s/lib/modules/*" % kernel_dir)[0] + kernel_version = os.path.basename(module_dir) + + build_time = int(os.path.getctime(generation_dir)) + build_date = datetime.datetime.fromtimestamp(build_time).strftime('%F') + + description = "NixOS {}, Linux Kernel {}, Built on {}".format( + nixos_version, kernel_version, build_date + ) + + return description + def write_entry(profile, generation, machine_id): kernel = copy_from_profile(profile, generation, "kernel") initrd = copy_from_profile(profile, generation, "initrd") @@ -69,6 +92,7 @@ def write_entry(profile, generation, machine_id): generation_dir = os.readlink(system_dir(profile, generation)) tmp_path = "%s.tmp" % (entry_file) kernel_params = "systemConfig=%s init=%s/init " % (generation_dir, generation_dir) + with open("%s/kernel-params" % (generation_dir)) as params_file: kernel_params = kernel_params + params_file.read() with open(tmp_path, 'w') as f: @@ -76,7 +100,8 @@ def write_entry(profile, generation, machine_id): generation=generation, kernel=kernel, initrd=initrd, - kernel_params=kernel_params)) + kernel_params=kernel_params, + description=describe_generation(generation_dir))) if machine_id is not None: f.write("machine-id %s\n" % machine_id) os.rename(tmp_path, entry_file) diff --git a/nixos/tests/hydra.nix b/nixos/tests/hydra.nix new file mode 100644 index 000000000000..6abd7a5ad300 --- /dev/null +++ b/nixos/tests/hydra.nix @@ -0,0 +1,32 @@ +import ./make-test.nix ({ pkgs, ...} : { + name = "hydra-init-localdb"; + meta = with pkgs.stdenv.lib.maintainers; { + maintainers = [ pstn ]; + }; + + machine = + { config, pkgs, ... }: + + { + services.hydra = { + enable = true; + + #Hydra needs those settings to start up, so we add something not harmfull. + hydraURL = "example.com"; + notificationSender = "example@example.com"; + }; + }; + + testScript = + '' + # let the system boot up + $machine->waitForUnit("multi-user.target"); + # test whether the database is running + $machine->succeed("systemctl status postgresql.service"); + # test whether the actual hydra daemons are running + $machine->succeed("systemctl status hydra-queue-runner.service"); + $machine->succeed("systemctl status hydra-init.service"); + $machine->succeed("systemctl status hydra-evaluator.service"); + $machine->succeed("systemctl status hydra-send-stats.service"); + ''; +}) |