authorJoachim Fasting <joachifm@fastmail.fm>2016-10-02 18:35:43 +0200
committerJoachim Fasting <joachifm@fastmail.fm>2016-10-02 19:25:58 +0200
commit9a9237e0aa9a834604ec0ce5c2ef3483654a0314 (patch)
tree12d2dfe494df8857aaa3d488a433c3b8dad52911 /pkgs/os-specific
parent1bb7b44cd7970780170f1c4bb4bba8d91f5e06d7 (diff)
grsecurity: revamp nixos kernel config
Cleanup:
- Restructure & add some commentary
- Remove redundant option specs given the auto config
  constraints (some are left in for documentation purposes)

Changes:
- GRKERNSEC_CONFIG_VIRT_HOST -> GUEST
  The former deselects paravirtualization and friends
- PAX_LATENT_ENTROPY n -> y (implied by auto)
- GRKERNSEC_ACL_HIDEKERN y -> n
  Possibly useless with redistribution
Diffstat (limited to 'pkgs/os-specific')
-rw-r--r--pkgs/os-specific/linux/kernel/grsecurity-nixos-config.nix43
1 files changed, 30 insertions, 13 deletions
diff --git a/pkgs/os-specific/linux/kernel/grsecurity-nixos-config.nix b/pkgs/os-specific/linux/kernel/grsecurity-nixos-config.nix
index f2bb5f994174..2193dabd0bc4 100644
--- a/pkgs/os-specific/linux/kernel/grsecurity-nixos-config.nix
+++ b/pkgs/os-specific/linux/kernel/grsecurity-nixos-config.nix
@@ -3,39 +3,56 @@
 with stdenv.lib;
 
 ''
+# Auto configuration with these constraints will enable most of the
+# important features (RAP, UDEREF, ASLR, memory sanitization).
 GRKERNSEC_CONFIG_AUTO y
 GRKERNSEC_CONFIG_DESKTOP y
-GRKERNSEC_CONFIG_VIRT_HOST y
+GRKERNSEC_CONFIG_PRIORITY_SECURITY y
+
+# We specify virt guest rather than host here, the latter deselects e.g.,
+# paravirtualization.
+GRKERNSEC_CONFIG_VIRT_GUEST y
+# Note: assumes platform supports CPU-level virtualization (so no pentium 4)
 GRKERNSEC_CONFIG_VIRT_EPT y
 GRKERNSEC_CONFIG_VIRT_KVM y
-GRKERNSEC_CONFIG_PRIORITY_SECURITY y
 
+# PaX control
 PAX_SOFTMODE y
-
 PAX_PT_PAX_FLAGS y
 PAX_XATTR_PAX_FLAGS y
 PAX_EI_PAX n
 
-GRKERNSEC_PROC_GID 0
+# The bts instrumentation method is compatible with binary only modules.
+#
+# Note: if platform supports SMEP, we could do without this
+PAX_KERNEXEC_PLUGIN_METHOD_BTS y
 
-PAX_LATENT_ENTROPY n
+# Additional grsec hardening not implied by auto constraints
+GRKERNSEC_IO y
 
+# Disable protections rendered useless by redistribution
 GRKERNSEC_HIDESYM n
 GRKERNSEC_RANDSTRUCT n
-GRKERNSEC_PROC n
-GRKERNSEC_SYSFS_RESTRICT n
-GRKERNSEC_KMEM n
-GRKERNSEC_MODHARDEN n
-GRKERNSEC_NO_SIMULT_CONNECT n
 
-PAX_KERNEXEC_PLUGIN_METHOD_BTS y
+# Disable protections covered by vanilla mechanisms
+GRKERNSEC_DMESG n
+GRKERNSEC_KMEM n
+GRKERNSEC_PROC n
 
-GRKERNSEC_ACL_HIDEKERN y
-GRKERNSEC_IO y
+# Disable protections that are inappropriate for a general-purpose kernel
+GRKERNSEC_NO_SIMULT_CONNECT n
 
+# Enable additional audititing
+GRKERNSEC_AUDIT_MOUNT y
 GRKERNSEC_AUDIT_PTRACE y
 GRKERNSEC_FORKFAIL y
 
+# Wishlist: support trusted path execution
+GRKERNSEC_TPE n
+
+# Wishlist: enable this, but breaks user initiated module loading
+GRKERNSEC_MODHARDEN n
+
 GRKERNSEC_SYSCTL y
 GRKERNSEC_SYSCTL_DISTRO y
 GRKERNSEC_SYSCTL_ON y
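Review bot: The heading `# Disable protections covered by vanilla mechanisms` above `GRKERNSEC_DMESG n`, `GRKERNSEC_KMEM n` and `GRKERNSEC_PROC n` asserts coverage that nothing in this file provides, so the resulting hardening now depends on settings that live elsewhere and cannot be checked from this hunk. Name the replacement for each option so an auditor can verify the other side is actually enabled, e.g. `# GRKERNSEC_DMESG: kernel.dmesg_restrict sysctl`, `# GRKERNSEC_KMEM: CONFIG_STRICT_DEVMEM / CONFIG_IO_STRICT_DEVMEM`, `# GRKERNSEC_PROC: proc hidepid= mount option`, and say where NixOS sets them (presumably the grsecurity module or the common kernel config — not visible here). The same applies to the `# Disable protections rendered useless by redistribution` heading: a one-line reason (symbols and struct layouts are public because the build is reproducible and the kernel is redistributed) would keep a future maintainer from re-enabling `GRKERNSEC_HIDESYM`/`GRKERNSEC_RANDSTRUCT` expecting a gain. Also, the new comment `# Enable additional audititing` has a typo and should read `# Enable additional auditing`.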