grsecurity: optionally disable features for redistributed kernels

1 files changed, 7 insertions, 0 deletions

diff --git a/pkgs/build-support/grsecurity/default.nix b/pkgs/build-support/grsecurity/default.nix
index d8042d652732..e06c02a294f6 100644
--- a/pkgs/build-support/grsecurity/default.nix
+++ b/pkgs/build-support/grsecurity/default.nix
@@ -15,6 +15,7 @@ let
       unrestrictProcGid = 121; # Ugh, an awful hack. See grsecurity NixOS gid
       disableRBAC = false;
       disableSimultConnect = false;
+      redistKernel = true;
       verboseVersion = false;
       kernelExtraConfig = "";
     } // grsecOptions.config;
@@ -91,6 +92,12 @@ let
         GRKERNSEC y
         ${grsecMainConfig}
 
+        # Disable features rendered useless by redistributing the kernel
+        ${optionalString cfg.config.redistKernel ''
+          GRKERNSEC_RANDSTRUCT n
+          GRKERNSEC_HIDESYM n
+          ''}
+
         # The paxmarks mechanism relies on ELF header markings, but the default
         # grsecurity configuration only enables xattr markings
         PAX_PT_PAX_FLAGS y