From 64efd184ed389527bcfbe2f71c312546431f0261 Mon Sep 17 00:00:00 2001
From: Austin Seipp
Date: Sat, 12 Apr 2014 11:16:03 -0500
Subject: grsecurity: Fix GRKERNSEC_PROC restrictions

Previously we were setting GRKERNSEC_PROC_USER y, which was a little bit too strict. It doesn't allow a special group (e.g. the grsecurity group users) to access /proc information - this requires GRKERNSEC_PROC_USERGROUP y, and the two are mutually exclusive. This was also not in line with the default automatic grsecurity configuration - it actually defaults to USERGROUP (although it has a default GID of 1001 instead of ours), not USER. This introduces a new option restrictProcWithGroup - enabled by default - which turns on GRKERNSEC_PROC_USERGROUP instead. It also turns off restrictProc by default and makes sure both cannot be enabled.

Signed-off-by: Austin Seipp
---
 nixos/modules/security/grsecurity.nix | 42 ++++++++++++++++++++++++++---------
 1 file changed, 32 insertions(+), 10 deletions(-)

(limited to 'nixos/modules')

diff --git a/nixos/modules/security/grsecurity.nix b/nixos/modules/security/grsecurity.nix
index 1759413c5589..913a0afc4525 100644
--- a/nixos/modules/security/grsecurity.nix
+++ b/nixos/modules/security/grsecurity.nix
@@ -78,9 +78,14 @@ let
 GRKERNSEC y
 ${grsecMainConfig}
- GRKERNSEC_PROC_USER ${boolToKernOpt cfg.config.restrictProc}
- ${if !cfg.config.restrictProc then ""
- else "GRKERNSEC_PROC_GID "+(toString cfg.config.unrestrictProcGid)}
+ ${if cfg.config.restrictProc then
+ "GRKERNSEC_PROC_USER y"
+ else
+ optionalString cfg.config.restrictProcWithGroup ''
+ GRKERNSEC_PROC_USERGROUP y
+ GRKERNSEC_PROC_GID ${toString cfg.config.unrestrictProcGid}
+ ''
+ }
 GRKERNSEC_SYSCTL ${boolToKernOpt cfg.config.sysctl}
 GRKERNSEC_CHROOT_CHMOD ${boolToKernOpt cfg.config.denyChrootChmod}
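Review bot: The disabled case is now silent: with both restrictProc and restrictProcWithGroup false the new `${if ...}` emits nothing, whereas the removed `GRKERNSEC_PROC_USER ${boolToKernOpt cfg.config.restrictProc}` line always wrote the option out (presumably as `n`). If the kernel's automatic grsecurity configuration, which the commit message says defaults to USERGROUP with GID 1001, is not overridden elsewhere, an explicit opt-out may therefore not disable the /proc restriction at all — worth confirming, and worth recording in the else branch, e.g. `# both off: GRKERNSEC_PROC_* left to the kernel's own defaults`. A second consequence is that GRKERNSEC_PROC_GID is only written under restrictProcWithGroup, so unrestrictProcGid is ignored when restrictProc is true. The interpolated string containing this block begins and ends outside the hunk.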
@@ -278,7 +283,7 @@ in
 restrictProc = mkOption {
 type = types.bool;
- default = true;
+ default = false;
 description = ''
 If true, then set GRKERN_PROC_USER y. This restricts non-root users to only viewing
@@ -287,18 +292,31 @@ in
 '';
 };
+ restrictProcWithGroup = mkOption {
+ type = types.bool;
+ default = true;
+ description = ''
+ If true, then set GRKERN_PROC_USERGROUP
+ y. This is similar to
+ restrictProc except it allows a special
+ group (specified by unrestrictProcGid)
+ to still access otherwise classified information in
+ /proc.
+ '';
+ };
+
 unrestrictProcGid = mkOption {
 type = types.int;
 default = config.ids.gids.grsecurity;
 description = ''
 If set, specifies a GID which is exempt from /proc restrictions (set by
- GRKERN_PROC_USER). By default, this is
- set to the GID for grsecurity, a
- predefined NixOS group, which the root
- account is a member of. You may conveniently add other
- users to this group if you need access to
- /proc
+ GRKERN_PROC_USERGROUP). By default,
+ this is set to the GID for grsecurity,
+ a predefined NixOS group, which the
+ root account is a member of. You may
+ conveniently add other users to this group if you need
+ access to /proc
 '';
 };
@@ -346,6 +364,10 @@ in
 { assertion = (cfg.testing -> !cfg.vserver);
 message = "The vserver patches are only supported in the stable kernel.";
 }
+ { assertion = (cfg.config.restrictProc -> !cfg.config.restrictProcWithGroup) ||
+ (cfg.config.restrictProcWithGroup -> !cfg.config.restrictProc);
+ message = "You cannot enable both restrictProc and restrictProcWithGroup";
+ }
 { assertion = config.boot.kernelPackages.kernel.features ? grsecurity && config.boot.kernelPackages.kernel.features.grsecurity;
 message = "grsecurity enabled, but kernel doesn't have grsec support";
-- 
cgit 1.4.1
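Review bot: The new restrictProcWithGroup description (and the reworded unrestrictProcGid text below it) names the kernel option `GRKERN_PROC_USERGROUP`, but the first hunk emits `GRKERNSEC_PROC_USERGROUP y`; the `GRKERN_` spelling is inherited from the existing restrictProc text, so both new occurrences in this hunk should be corrected rather than carrying the typo forward. The unrestrictProcGid description should also state that the GID is only applied when restrictProcWithGroup is enabled, since the first hunk writes GRKERNSEC_PROC_GID in that branch only, e.g. `Only used when restrictProcWithGroup is true; ignored when restrictProc is set.`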
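Review bot: The two sides of the `||` in the new assertion are the same proposition — `A -> !B` and `B -> !A` are each just `!(A && B)` — so the check is correct but reads as if it tested two different things; `{ assertion = !(cfg.config.restrictProc && cfg.config.restrictProcWithGroup);` says it directly. More important for users: because restrictProcWithGroup now defaults to true, any existing configuration that explicitly set `restrictProc = true` (the previous default) will fail this assertion on upgrade without being told the way out, so the message should name it, e.g. `message = "You cannot enable both restrictProc and restrictProcWithGroup; set restrictProcWithGroup = false to keep the user-only restriction";`. The assertions list continues outside the hunk.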