diff options
Diffstat (limited to 'nixos/modules/security')
| -rw-r--r-- | nixos/modules/security/duosec.nix | 12 | ||||
| -rw-r--r-- | nixos/modules/security/grsecurity.nix | 33 | ||||
| -rw-r--r-- | nixos/modules/security/grsecurity.xml | 8 |
3 files changed, 14 insertions, 39 deletions
diff --git a/nixos/modules/security/duosec.nix b/nixos/modules/security/duosec.nix index 0e3a54325cad..97e2d39dc076 100644 --- a/nixos/modules/security/duosec.nix +++ b/nixos/modules/security/duosec.nix @@ -73,7 +73,7 @@ in }; failmode = mkOption { - type = types.str; + type = types.enum [ "safe" "enum" ]; default = "safe"; description = '' On service or configuration errors that prevent Duo @@ -115,7 +115,7 @@ in }; prompts = mkOption { - type = types.int; + type = types.enum [ 1 2 3 ]; default = 3; description = '' If a user fails to authenticate with a second factor, Duo @@ -181,13 +181,7 @@ in config = mkIf (cfg.ssh.enable || cfg.pam.enable) { assertions = - [ { assertion = cfg.failmode == "safe" || cfg.failmode == "secure"; - message = "Invalid value for failmode (must be safe or secure)."; - } - { assertion = cfg.prompts == 1 || cfg.prompts == 2 || cfg.prompts == 3; - message = "Invalid value for prompts (must be 1, 2, or 3)."; - } - { assertion = !cfg.pam.enable; + [ { assertion = !cfg.pam.enable; message = "PAM support is currently not implemented."; } ]; diff --git a/nixos/modules/security/grsecurity.nix b/nixos/modules/security/grsecurity.nix index 53c2ace784ef..ea245ecc5b6a 100644 --- a/nixos/modules/security/grsecurity.nix +++ b/nixos/modules/security/grsecurity.nix @@ -6,14 +6,6 @@ let cfg = config.security.grsecurity; grsecLockPath = "/proc/sys/kernel/grsecurity/grsec_lock"; - # Ascertain whether ZFS is required for booting the system; grsecurity is - # currently incompatible with ZFS, rendering the system unbootable. - zfsNeededForBoot = filter - (fs: (fs.neededForBoot - || elem fs.mountPoint [ "/" "/nix" "/nix/store" "/var" "/var/log" "/var/lib" "/etc" ]) - && fs.fsType == "zfs") - config.system.build.fileSystems != []; - # Ascertain whether NixOS container support is required containerSupportRequired = config.boot.enableContainers && config.containers != {}; @@ -27,7 +19,14 @@ in options.security.grsecurity = { - enable = mkEnableOption "grsecurity/PaX"; + enable = mkOption { + type = types.bool; + example = true; + default = false; + description = '' + Enable grsecurity/PaX. + ''; + }; lockTunables = mkOption { type = types.bool; @@ -58,20 +57,10 @@ in config = mkIf cfg.enable { - # Allow the user to select a different package set, subject to the stated - # required kernel config boot.kernelPackages = mkDefault pkgs.linuxPackages_grsec_nixos; boot.kernelParams = optional cfg.disableEfiRuntimeServices "noefi"; - system.requiredKernelConfig = with config.lib.kernelConfig; - [ (isEnabled "GRKERNSEC") - (isEnabled "PAX") - (isYes "GRKERNSEC_SYSCTL") - (isYes "GRKERNSEC_SYSCTL_DISTRO") - (isNo "GRKERNSEC_NO_RBAC") - ]; - nixpkgs.config.grsecurity = true; # Install PaX related utillities into the system profile. @@ -135,11 +124,5 @@ in "kernel.grsecurity.chroot_caps" = mkForce 0; }; - assertions = [ - { assertion = !zfsNeededForBoot; - message = "grsecurity is currently incompatible with ZFS"; - } - ]; - }; } diff --git a/nixos/modules/security/grsecurity.xml b/nixos/modules/security/grsecurity.xml index 37314bdba8a5..6f9884336b1e 100644 --- a/nixos/modules/security/grsecurity.xml +++ b/nixos/modules/security/grsecurity.xml @@ -225,11 +225,9 @@ </para> <para> - The NixOS module makes several assumptions about the kernel and so may be - incompatible with your customised kernel. Most of these assumptions are - encoded as assertions — mismatches should ideally result in a build - failure. Currently, the only way to work around incompatibilities is to - eschew the NixOS module and do all configuration yourself. + The NixOS module makes several assumptions about the kernel and so + may be incompatible with your customised kernel. Currently, the only way + to work around incompatibilities is to eschew the NixOS module. </para> </sect1> |