diff options
Diffstat (limited to 'nixos/modules/security/grsecurity.nix')
-rw-r--r-- | nixos/modules/security/grsecurity.nix | 35 |
1 files changed, 14 insertions, 21 deletions
diff --git a/nixos/modules/security/grsecurity.nix b/nixos/modules/security/grsecurity.nix index 35974f6890e6..b116d8bfef28 100644 --- a/nixos/modules/security/grsecurity.nix +++ b/nixos/modules/security/grsecurity.nix @@ -112,9 +112,6 @@ in <literal>kernel.grsecurity.grsec_lock</literal> to non-zero as soon as all sysctl options are set. *THIS IS EXTREMELY IMPORTANT*! - - If disabled, this also turns off the - <literal>systemd-sysctl</literal> service. ''; }; @@ -229,11 +226,8 @@ in kernel 3.19) to continue. ''; } - { assertion = (cfg.stable -> !cfg.testing) || (cfg.testing -> !cfg.stable); - message = '' - You must select either the stable or testing patch, not - both. - ''; + { assertion = !(cfg.stable && cfg.testing); + message = "Select either one of the stable or testing patch"; } { assertion = (cfg.config.restrictProc -> !cfg.config.restrictProcWithGroup) || (cfg.config.restrictProcWithGroup -> !cfg.config.restrictProc); @@ -282,22 +276,21 @@ in # }; # }; - system.activationScripts.grsec = - '' - mkdir -p /etc/grsec - if [ ! -f /etc/grsec/learn_config ]; then - cp ${pkgs.gradm}/etc/grsec/learn_config /etc/grsec - fi - if [ ! -f /etc/grsec/policy ]; then - cp ${pkgs.gradm}/etc/grsec/policy /etc/grsec - fi - chmod -R 0600 /etc/grsec - ''; + system.activationScripts = lib.optionalAttrs (!cfg.config.disableRBAC) { grsec = '' + mkdir -p /etc/grsec + if [ ! -f /etc/grsec/learn_config ]; then + cp ${pkgs.gradm}/etc/grsec/learn_config /etc/grsec + fi + if [ ! -f /etc/grsec/policy ]; then + cp ${pkgs.gradm}/etc/grsec/policy /etc/grsec + fi + chmod -R 0600 /etc/grsec + ''; }; # Enable AppArmor, gradm udev rules, and utilities security.apparmor.enable = true; boot.kernelPackages = customGrsecPkg; - services.udev.packages = [ pkgs.gradm ]; - environment.systemPackages = [ pkgs.gradm pkgs.paxctl pkgs.pax-utils ]; + services.udev.packages = lib.optional (!cfg.config.disableRBAC) pkgs.gradm; + environment.systemPackages = [ pkgs.paxctl pkgs.pax-utils ] ++ lib.optional (!cfg.config.disableRBAC) pkgs.gradm; }; } |