manual: automatically generate modules documentation
lib: add toposort, nixos: use toposort for fileSystems to properly support bind and move mounts
And use new `config.system.build.fileSystems` property everywhere.
As with 9ca3504a798291fbd7c49fcfeec8b64daa2022ad
Closes https://github.com/NixOS/nixpkgs/issues/17714
While useless, some builds may dabble with setuid bits (e.g.,
util-linux), which breaks under grsec. In the interest of user
friendliness, we once again compromise by disabling an otherwise useful
feature ...
Closes https://github.com/NixOS/nixpkgs/issues/17501
Closes #17460
Changed the wrapper derivation to produce a second output containing the sandbox.
Add a launch wrapper to try and locate the sandbox (either in /var/setuid-wrappers or in /nix/store).
This launch wrapper also sheds libredirect.so from LD_PRELOAD as Chromium does not tolerate it.
Does not trigger a Chromium rebuild.
cc @cleverca22 @joachifm @jasom
Enabling EFI runtime services provides a venue for injecting code into
the kernel.
When grsecurity is enabled, we close this by default by disabling access
to EFI runtime services. The upshot of this is that
/sys/firmware/efi/efivars will be unavailable by default (and attempts
to mount it will fail).
This is not strictly a grsecurity related option, it could be made into
a general option, but it seems to be of particular interest to
grsecurity users (for non-grsecurity users, there are other, more
immediate kernel injection attack dangers to contend with anyway).
Only set tunables required for container support if there are any containers.
It is better to make this conditional on whether the configuration contains a
known size overflow that could prevent the system from booting.
Escape all shell arguments uniformly
The new module is specifically adapted to the NixOS Grsecurity/PaX
kernel. The module declares the required kernel configurations and
so *should* be somewhat compatible with custom Grsecurity kernels.
The module exposes only a limited number of options, minimising the need
for user intervention beyond enabling the module. For experts,
Grsecurity/PaX behavior may be configured via `boot.kernelParams` and
`boot.kernel.sysctl`.
The module assumes the user knows what she's doing (esp. if she decides
to modify configuration values not directly exposed by the module).
Administration of Grsecurity's role based access control system is yet
to be implemented.
The motivation is using sudo in chroot nix builds, a somewhat
special edge case I have, and pulling system path into chroot
leads to some very nasty bugs like
https://github.com/NixOS/nixpkgs/issues/15581
Previously:
$ cat /var/setuid-wrappers/sudo.real
/nix/store/3sm04dzh0994r86xqxy52jjc0lqnkn65-system-path/bin/sudo
After the change:
$ cat /var/setuid-wrappers/sudo.real
/nix/store/4g9sxbzy8maxf1v217ikp69c0c3q12as-sudo-1.8.15/bin/sudo
The chroot caps restriction disallows chroot'ed processes from running
any command that requires `CAP_SYS_ADMIN`, breaking `nixos-rebuild`. See
e.g., https://github.com/NixOS/nixpkgs/issues/15293
This significantly weakens chroot protections, but to break
nixos-rebuild out of the box is too severe.
After 7382afac40c23841e5d6a491bd4a9412d766ecab
Defaults to OFF because disabling TCP simultaneous connect breaks some
legitimate use cases, notably WebRTC [1], but it's nice to provide the
option for deployments where those features are unneeded anyway.
This is an alternative to https://github.com/NixOS/nixpkgs/pull/4937
[1]: http://article.gmane.org/gmane.linux.documentation/9425
Requirement without ordering implies parallel execution; it is crucial
that sysctl tunables are finalized before the lock is engaged, however.
Unit descriptions should be capitalized, and timer units don't have
to describe that they're timers.
- Now `pkg.outputUnspecified = true` but this attribute is missing in
every output, so we can recognize whether the user chose or not.
If (s)he didn't choose, we put `pkg.bin or pkg.out or pkg` into
`systemPackages`.
- `outputsToLink` is replaced by `extraOutputsToLink`.
We add extra outputs *regardless* of whether the user chose anything.
It's mainly meant for outputs with docs and debug symbols.
- Note that as a result, some libraries will disappear from system path.
Beware that stdenv doesn't build. It seems something more will be needed
than just resolution of merge conflicts.
The kde-5 stuff still didn't merge well.
I hand-fixed what I saw, but there may be more problems.
Let's get rid of those merge conflicts.
TODO: there was more significant refactoring of qtbase and plasma 5.5
on master, and I'm deferring pointing to correct outputs to later.
This way the binary gets stripped & rpath-shrinked etc. as usual.
We'd seem to get a runtime reference to gcc otherwise.
Many non-conflict problems weren't (fully) resolved in this commit yet.
Done mostly without any verification.
I didn't bother with libc}/include, as the path is still correct.
This module adds an option `security.hideProcessInformation` that, when
enabled, restricts access to process information such as command-line
arguments to the process owner. The module adds a static group "proc"
whose members are exempt from process information hiding.
Ideally, this feature would be implemented by simply adding the
appropriate mount options to `fileSystems."/proc".fsOptions`, but this
was found to not work in vmtests. To ensure that process information
hiding is enforced, we use a systemd service unit that remounts `/proc`
after `systemd-remount-fs.service` has completed.
To verify the correctness of the feature, simple tests were added to
nixos/tests/misc: the test ensures that unprivileged users cannot see
process information owned by another user, while members of "proc" CAN.
Thanks to @abbradar for feedback and suggestions.