about summary refs log tree commit diff
path: root/nixos/modules/security/grsecurity.nix
diff options
context:
space:
mode:
Diffstat (limited to 'nixos/modules/security/grsecurity.nix')
-rw-r--r--nixos/modules/security/grsecurity.nix33
1 files changed, 8 insertions, 25 deletions
diff --git a/nixos/modules/security/grsecurity.nix b/nixos/modules/security/grsecurity.nix
index 53c2ace784ef..ea245ecc5b6a 100644
--- a/nixos/modules/security/grsecurity.nix
+++ b/nixos/modules/security/grsecurity.nix
@@ -6,14 +6,6 @@ let
   cfg = config.security.grsecurity;
   grsecLockPath = "/proc/sys/kernel/grsecurity/grsec_lock";
 
-  # Ascertain whether ZFS is required for booting the system; grsecurity is
-  # currently incompatible with ZFS, rendering the system unbootable.
-  zfsNeededForBoot = filter
-    (fs: (fs.neededForBoot
-          || elem fs.mountPoint [ "/" "/nix" "/nix/store" "/var" "/var/log" "/var/lib" "/etc" ])
-          && fs.fsType == "zfs")
-    config.system.build.fileSystems != [];
-
   # Ascertain whether NixOS container support is required
   containerSupportRequired =
     config.boot.enableContainers && config.containers != {};
@@ -27,7 +19,14 @@ in
 
   options.security.grsecurity = {
 
-    enable = mkEnableOption "grsecurity/PaX";
+    enable = mkOption {
+      type = types.bool;
+      example = true;
+      default = false;
+      description = ''
+        Enable grsecurity/PaX.
+      '';
+    };
 
     lockTunables = mkOption {
       type = types.bool;
@@ -58,20 +57,10 @@ in
 
   config = mkIf cfg.enable {
 
-    # Allow the user to select a different package set, subject to the stated
-    # required kernel config
     boot.kernelPackages = mkDefault pkgs.linuxPackages_grsec_nixos;
 
     boot.kernelParams = optional cfg.disableEfiRuntimeServices "noefi";
 
-    system.requiredKernelConfig = with config.lib.kernelConfig;
-      [ (isEnabled "GRKERNSEC")
-        (isEnabled "PAX")
-        (isYes "GRKERNSEC_SYSCTL")
-        (isYes "GRKERNSEC_SYSCTL_DISTRO")
-        (isNo "GRKERNSEC_NO_RBAC")
-      ];
-
     nixpkgs.config.grsecurity = true;
 
     # Install PaX related utillities into the system profile.
@@ -135,11 +124,5 @@ in
       "kernel.grsecurity.chroot_caps" = mkForce 0;
     };
 
-    assertions = [
-      { assertion = !zfsNeededForBoot;
-        message = "grsecurity is currently incompatible with ZFS";
-      }
-    ];
-
   };
 }
generated by cgit-pink 1.4.1 (git 2.36.1) at 2024-07-12 18:48:40 +0000