public/nixpkgs
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
nixpkgs/nixos/modules/security/grsecurity.nix

146 lines
4.7 KiB
Nix
Raw Normal View History

nixos: rewrite the grsecurity module The new module is specifically adapted to the NixOS Grsecurity/PaX kernel. The module declares the required kernel configurations and so *should* be somewhat compatible with custom Grsecurity kernels. The module exposes only a limited number of options, minimising the need for user intervention beyond enabling the module. For experts, Grsecurity/PaX behavior may be configured via `boot.kernelParams` and `boot.kernel.sysctl`. The module assumes the user knows what she's doing (esp. if she decides to modify configuration values not directly exposed by the module). Administration of Grsecurity's role based access control system is yet to be implemented.
2016-06-09 20:12:31 +02:00
{ config, pkgs, lib, ... }:
nixos: add grsecurity module (#1875) This module implements a significant refactoring in grsecurity configuration for NixOS, making it far more usable by default and much easier to configure. - New security.grsecurity NixOS attributes. - All grsec kernels supported - Allows default 'auto' grsec configuration, or custom config - Supports custom kernel options through kernelExtraConfig - Defaults to high-security - user must choose kernel, server/desktop mode, and any virtualisation software. That's all. - kptr_restrict is fixed under grsecurity (it's unwriteable) - grsecurity patch creation is now significantly abstracted - only need revision, version, and SHA1 - kernel version requirements are asserted for sanity - built kernels can have the uname specify the exact grsec version for development or bug reports. Off by default (requires `security.grsecurity.config.verboseVersion = true;`) - grsecurity sysctl support - By default, disabled. - For people who enable it, NixOS deploys a 'grsec-lock' systemd service which runs at startup. You are expected to configure sysctl through NixOS like you regularly would, which will occur before the service is started. As a result, changing sysctl settings requires a reboot. - New default group: 'grsecurity' - Root is a member by default - GRKERNSEC_PROC_GID is implicitly set to the 'grsecurity' GID, making it possible to easily add users to this group for /proc access - AppArmor is now automatically enabled where it wasn't before, despite implying features.apparmor = true The most trivial example of enabling grsecurity in your kernel is by specifying: security.grsecurity.enable = true; security.grsecurity.testing = true; # testing 3.13 kernel security.grsecurity.config.system = "desktop"; # or "server" This specifies absolutely no virtualisation support. In general, you probably at least want KVM host support, which is a little more work. So: security.grsecurity.enable = true; security.grsecurity.stable = true; # enable stable 3.2 kernel security.grsecurity.config = { system = "server"; priority = "security"; virtualisationConfig = "host"; virtualisationSoftware = "kvm"; hardwareVirtualisation = true; } This module has primarily been tested on Hetzner EX40 & VQ7 servers using NixOps. Signed-off-by: Austin Seipp <aseipp@pobox.com>
2014-04-06 14:18:12 -05:00
Rewrite ‘with pkgs.lib’ -> ‘with lib’ Using pkgs.lib on the spine of module evaluation is problematic because the pkgs argument depends on the result of module evaluation. To prevent an infinite recursion, pkgs and some of the modules are evaluated twice, which is inefficient. Using ‘with lib’ prevents this problem.
2014-04-14 16:26:48 +02:00
with lib;
nixos: add grsecurity module (#1875) This module implements a significant refactoring in grsecurity configuration for NixOS, making it far more usable by default and much easier to configure. - New security.grsecurity NixOS attributes. - All grsec kernels supported - Allows default 'auto' grsec configuration, or custom config - Supports custom kernel options through kernelExtraConfig - Defaults to high-security - user must choose kernel, server/desktop mode, and any virtualisation software. That's all. - kptr_restrict is fixed under grsecurity (it's unwriteable) - grsecurity patch creation is now significantly abstracted - only need revision, version, and SHA1 - kernel version requirements are asserted for sanity - built kernels can have the uname specify the exact grsec version for development or bug reports. Off by default (requires `security.grsecurity.config.verboseVersion = true;`) - grsecurity sysctl support - By default, disabled. - For people who enable it, NixOS deploys a 'grsec-lock' systemd service which runs at startup. You are expected to configure sysctl through NixOS like you regularly would, which will occur before the service is started. As a result, changing sysctl settings requires a reboot. - New default group: 'grsecurity' - Root is a member by default - GRKERNSEC_PROC_GID is implicitly set to the 'grsecurity' GID, making it possible to easily add users to this group for /proc access - AppArmor is now automatically enabled where it wasn't before, despite implying features.apparmor = true The most trivial example of enabling grsecurity in your kernel is by specifying: security.grsecurity.enable = true; security.grsecurity.testing = true; # testing 3.13 kernel security.grsecurity.config.system = "desktop"; # or "server" This specifies absolutely no virtualisation support. In general, you probably at least want KVM host support, which is a little more work. So: security.grsecurity.enable = true; security.grsecurity.stable = true; # enable stable 3.2 kernel security.grsecurity.config = { system = "server"; priority = "security"; virtualisationConfig = "host"; virtualisationSoftware = "kvm"; hardwareVirtualisation = true; } This module has primarily been tested on Hetzner EX40 & VQ7 servers using NixOps. Signed-off-by: Austin Seipp <aseipp@pobox.com>
2014-04-06 14:18:12 -05:00
let
Fix fallout from 4f27ad14 Signed-off-by: Austin Seipp <aseipp@pobox.com>
2014-05-18 07:38:13 -05:00
cfg = config.security.grsecurity;
nixos: rewrite the grsecurity module The new module is specifically adapted to the NixOS Grsecurity/PaX kernel. The module declares the required kernel configurations and so *should* be somewhat compatible with custom Grsecurity kernels. The module exposes only a limited number of options, minimising the need for user intervention beyond enabling the module. For experts, Grsecurity/PaX behavior may be configured via `boot.kernelParams` and `boot.kernel.sysctl`. The module assumes the user knows what she's doing (esp. if she decides to modify configuration values not directly exposed by the module). Administration of Grsecurity's role based access control system is yet to be implemented.
2016-06-09 20:12:31 +02:00
grsecLockPath = "/proc/sys/kernel/grsecurity/grsec_lock";
# Ascertain whether ZFS is required for booting the system; grsecurity is
# currently incompatible with ZFS, rendering the system unbootable.
zfsNeededForBoot = filter
(fs: (fs.neededForBoot
|| elem fs.mountPoint [ "/" "/nix" "/nix/store" "/var" "/var/log" "/var/lib" "/etc" ])
&& fs.fsType == "zfs")
nixos: apply toposort to fileSystems to support bind and move mounts And use new `config.system.build.fileSystems` property everywhere.
2015-11-25 19:09:09 +00:00
config.system.build.fileSystems != [];
grsecurity module: smarter container support Only set tunables required for container support if there are any containers.
2016-07-14 16:00:17 +02:00
# Ascertain whether NixOS container support is required
containerSupportRequired =
config.boot.enableContainers && config.containers != {};
nixos: add grsecurity module (#1875) This module implements a significant refactoring in grsecurity configuration for NixOS, making it far more usable by default and much easier to configure. - New security.grsecurity NixOS attributes. - All grsec kernels supported - Allows default 'auto' grsec configuration, or custom config - Supports custom kernel options through kernelExtraConfig - Defaults to high-security - user must choose kernel, server/desktop mode, and any virtualisation software. That's all. - kptr_restrict is fixed under grsecurity (it's unwriteable) - grsecurity patch creation is now significantly abstracted - only need revision, version, and SHA1 - kernel version requirements are asserted for sanity - built kernels can have the uname specify the exact grsec version for development or bug reports. Off by default (requires `security.grsecurity.config.verboseVersion = true;`) - grsecurity sysctl support - By default, disabled. - For people who enable it, NixOS deploys a 'grsec-lock' systemd service which runs at startup. You are expected to configure sysctl through NixOS like you regularly would, which will occur before the service is started. As a result, changing sysctl settings requires a reboot. - New default group: 'grsecurity' - Root is a member by default - GRKERNSEC_PROC_GID is implicitly set to the 'grsecurity' GID, making it possible to easily add users to this group for /proc access - AppArmor is now automatically enabled where it wasn't before, despite implying features.apparmor = true The most trivial example of enabling grsecurity in your kernel is by specifying: security.grsecurity.enable = true; security.grsecurity.testing = true; # testing 3.13 kernel security.grsecurity.config.system = "desktop"; # or "server" This specifies absolutely no virtualisation support. In general, you probably at least want KVM host support, which is a little more work. So: security.grsecurity.enable = true; security.grsecurity.stable = true; # enable stable 3.2 kernel security.grsecurity.config = { system = "server"; priority = "security"; virtualisationConfig = "host"; virtualisationSoftware = "kvm"; hardwareVirtualisation = true; } This module has primarily been tested on Hetzner EX40 & VQ7 servers using NixOps. Signed-off-by: Austin Seipp <aseipp@pobox.com>
2014-04-06 14:18:12 -05:00
in
nixos: rewrite the grsecurity module The new module is specifically adapted to the NixOS Grsecurity/PaX kernel. The module declares the required kernel configurations and so *should* be somewhat compatible with custom Grsecurity kernels. The module exposes only a limited number of options, minimising the need for user intervention beyond enabling the module. For experts, Grsecurity/PaX behavior may be configured via `boot.kernelParams` and `boot.kernel.sysctl`. The module assumes the user knows what she's doing (esp. if she decides to modify configuration values not directly exposed by the module). Administration of Grsecurity's role based access control system is yet to be implemented.
2016-06-09 20:12:31 +02:00
{
nixos manual: move chapter on grsecurity to auto-generated module docs
2016-08-29 18:10:38 +02:00
meta = {
maintainers = with maintainers; [ joachifm ];
doc = ./grsecurity.xml;
};
nixos: rewrite the grsecurity module The new module is specifically adapted to the NixOS Grsecurity/PaX kernel. The module declares the required kernel configurations and so *should* be somewhat compatible with custom Grsecurity kernels. The module exposes only a limited number of options, minimising the need for user intervention beyond enabling the module. For experts, Grsecurity/PaX behavior may be configured via `boot.kernelParams` and `boot.kernel.sysctl`. The module assumes the user knows what she's doing (esp. if she decides to modify configuration values not directly exposed by the module). Administration of Grsecurity's role based access control system is yet to be implemented.
2016-06-09 20:12:31 +02:00
options.security.grsecurity = {
grsecurity module: grsecurity is not capitalized mid-sentence
2016-07-14 17:43:43 +02:00
enable = mkEnableOption "grsecurity/PaX";
nixos: rewrite the grsecurity module The new module is specifically adapted to the NixOS Grsecurity/PaX kernel. The module declares the required kernel configurations and so *should* be somewhat compatible with custom Grsecurity kernels. The module exposes only a limited number of options, minimising the need for user intervention beyond enabling the module. For experts, Grsecurity/PaX behavior may be configured via `boot.kernelParams` and `boot.kernel.sysctl`. The module assumes the user knows what she's doing (esp. if she decides to modify configuration values not directly exposed by the module). Administration of Grsecurity's role based access control system is yet to be implemented.
2016-06-09 20:12:31 +02:00
lockTunables = mkOption {
type = types.bool;
example = false;
default = true;
description = ''
Whether to automatically lock grsecurity tunables
(<option>boot.kernel.sysctl."kernel.grsecurity.*"</option>). Disable
grsecurity module: tweak lockTunables option description
2016-07-14 17:44:05 +02:00
this to allow runtime configuration of grsecurity features. Activate
the <literal>grsec-lock</literal> service unit to prevent further
configuration until the next reboot.
nixos: rewrite the grsecurity module The new module is specifically adapted to the NixOS Grsecurity/PaX kernel. The module declares the required kernel configurations and so *should* be somewhat compatible with custom Grsecurity kernels. The module exposes only a limited number of options, minimising the need for user intervention beyond enabling the module. For experts, Grsecurity/PaX behavior may be configured via `boot.kernelParams` and `boot.kernel.sysctl`. The module assumes the user knows what she's doing (esp. if she decides to modify configuration values not directly exposed by the module). Administration of Grsecurity's role based access control system is yet to be implemented.
2016-06-09 20:12:31 +02:00
'';
};
nixos: add grsecurity module (#1875) This module implements a significant refactoring in grsecurity configuration for NixOS, making it far more usable by default and much easier to configure. - New security.grsecurity NixOS attributes. - All grsec kernels supported - Allows default 'auto' grsec configuration, or custom config - Supports custom kernel options through kernelExtraConfig - Defaults to high-security - user must choose kernel, server/desktop mode, and any virtualisation software. That's all. - kptr_restrict is fixed under grsecurity (it's unwriteable) - grsecurity patch creation is now significantly abstracted - only need revision, version, and SHA1 - kernel version requirements are asserted for sanity - built kernels can have the uname specify the exact grsec version for development or bug reports. Off by default (requires `security.grsecurity.config.verboseVersion = true;`) - grsecurity sysctl support - By default, disabled. - For people who enable it, NixOS deploys a 'grsec-lock' systemd service which runs at startup. You are expected to configure sysctl through NixOS like you regularly would, which will occur before the service is started. As a result, changing sysctl settings requires a reboot. - New default group: 'grsecurity' - Root is a member by default - GRKERNSEC_PROC_GID is implicitly set to the 'grsecurity' GID, making it possible to easily add users to this group for /proc access - AppArmor is now automatically enabled where it wasn't before, despite implying features.apparmor = true The most trivial example of enabling grsecurity in your kernel is by specifying: security.grsecurity.enable = true; security.grsecurity.testing = true; # testing 3.13 kernel security.grsecurity.config.system = "desktop"; # or "server" This specifies absolutely no virtualisation support. In general, you probably at least want KVM host support, which is a little more work. So: security.grsecurity.enable = true; security.grsecurity.stable = true; # enable stable 3.2 kernel security.grsecurity.config = { system = "server"; priority = "security"; virtualisationConfig = "host"; virtualisationSoftware = "kvm"; hardwareVirtualisation = true; } This module has primarily been tested on Hetzner EX40 & VQ7 servers using NixOps. Signed-off-by: Austin Seipp <aseipp@pobox.com>
2014-04-06 14:18:12 -05:00
grsecurity module: disable EFI runtime services by default Enabling EFI runtime services provides a venue for injecting code into the kernel. When grsecurity is enabled, we close this by default by disabling access to EFI runtime services. The upshot of this is that /sys/firmware/efi/efivars will be unavailable by default (and attempts to mount it will fail). This is not strictly a grsecurity related option, it could be made into a general option, but it seems to be of particular interest to grsecurity users (for non-grsecurity users, there are other, more immediate kernel injection attack dangers to contend with anyway).
2016-08-01 15:36:03 +02:00
disableEfiRuntimeServices = mkOption {
type = types.bool;
example = false;
default = true;
description = ''
Whether to disable access to EFI runtime services. Enabling EFI runtime
services creates a venue for code injection attacks on the kernel and
should be disabled if at all possible. Changing this option enters into
effect upon reboot.
'';
};
nixos: rewrite the grsecurity module The new module is specifically adapted to the NixOS Grsecurity/PaX kernel. The module declares the required kernel configurations and so *should* be somewhat compatible with custom Grsecurity kernels. The module exposes only a limited number of options, minimising the need for user intervention beyond enabling the module. For experts, Grsecurity/PaX behavior may be configured via `boot.kernelParams` and `boot.kernel.sysctl`. The module assumes the user knows what she's doing (esp. if she decides to modify configuration values not directly exposed by the module). Administration of Grsecurity's role based access control system is yet to be implemented.
2016-06-09 20:12:31 +02:00
};
nixos: add grsecurity module (#1875) This module implements a significant refactoring in grsecurity configuration for NixOS, making it far more usable by default and much easier to configure. - New security.grsecurity NixOS attributes. - All grsec kernels supported - Allows default 'auto' grsec configuration, or custom config - Supports custom kernel options through kernelExtraConfig - Defaults to high-security - user must choose kernel, server/desktop mode, and any virtualisation software. That's all. - kptr_restrict is fixed under grsecurity (it's unwriteable) - grsecurity patch creation is now significantly abstracted - only need revision, version, and SHA1 - kernel version requirements are asserted for sanity - built kernels can have the uname specify the exact grsec version for development or bug reports. Off by default (requires `security.grsecurity.config.verboseVersion = true;`) - grsecurity sysctl support - By default, disabled. - For people who enable it, NixOS deploys a 'grsec-lock' systemd service which runs at startup. You are expected to configure sysctl through NixOS like you regularly would, which will occur before the service is started. As a result, changing sysctl settings requires a reboot. - New default group: 'grsecurity' - Root is a member by default - GRKERNSEC_PROC_GID is implicitly set to the 'grsecurity' GID, making it possible to easily add users to this group for /proc access - AppArmor is now automatically enabled where it wasn't before, despite implying features.apparmor = true The most trivial example of enabling grsecurity in your kernel is by specifying: security.grsecurity.enable = true; security.grsecurity.testing = true; # testing 3.13 kernel security.grsecurity.config.system = "desktop"; # or "server" This specifies absolutely no virtualisation support. In general, you probably at least want KVM host support, which is a little more work. So: security.grsecurity.enable = true; security.grsecurity.stable = true; # enable stable 3.2 kernel security.grsecurity.config = { system = "server"; priority = "security"; virtualisationConfig = "host"; virtualisationSoftware = "kvm"; hardwareVirtualisation = true; } This module has primarily been tested on Hetzner EX40 & VQ7 servers using NixOps. Signed-off-by: Austin Seipp <aseipp@pobox.com>
2014-04-06 14:18:12 -05:00
nixos: rewrite the grsecurity module The new module is specifically adapted to the NixOS Grsecurity/PaX kernel. The module declares the required kernel configurations and so *should* be somewhat compatible with custom Grsecurity kernels. The module exposes only a limited number of options, minimising the need for user intervention beyond enabling the module. For experts, Grsecurity/PaX behavior may be configured via `boot.kernelParams` and `boot.kernel.sysctl`. The module assumes the user knows what she's doing (esp. if she decides to modify configuration values not directly exposed by the module). Administration of Grsecurity's role based access control system is yet to be implemented.
2016-06-09 20:12:31 +02:00
config = mkIf cfg.enable {
grsecurity: add option to disable chroot caps restriction The chroot caps restriction disallows chroot'ed processes from running any command that requires `CAP_SYS_ADMIN`, breaking `nixos-rebuild`. See e.g., https://github.com/NixOS/nixpkgs/issues/15293 This significantly weakens chroot protections, but to break nixos-rebuild out of the box is too severe.
2016-05-08 08:32:28 +02:00
nixos: rewrite the grsecurity module The new module is specifically adapted to the NixOS Grsecurity/PaX kernel. The module declares the required kernel configurations and so *should* be somewhat compatible with custom Grsecurity kernels. The module exposes only a limited number of options, minimising the need for user intervention beyond enabling the module. For experts, Grsecurity/PaX behavior may be configured via `boot.kernelParams` and `boot.kernel.sysctl`. The module assumes the user knows what she's doing (esp. if she decides to modify configuration values not directly exposed by the module). Administration of Grsecurity's role based access control system is yet to be implemented.
2016-06-09 20:12:31 +02:00
# Allow the user to select a different package set, subject to the stated
# required kernel config
boot.kernelPackages = mkDefault pkgs.linuxPackages_grsec_nixos;
grsecurity: add option to disable chroot caps restriction The chroot caps restriction disallows chroot'ed processes from running any command that requires `CAP_SYS_ADMIN`, breaking `nixos-rebuild`. See e.g., https://github.com/NixOS/nixpkgs/issues/15293 This significantly weakens chroot protections, but to break nixos-rebuild out of the box is too severe.
2016-05-08 08:32:28 +02:00
grsecurity module: disable EFI runtime services by default Enabling EFI runtime services provides a venue for injecting code into the kernel. When grsecurity is enabled, we close this by default by disabling access to EFI runtime services. The upshot of this is that /sys/firmware/efi/efivars will be unavailable by default (and attempts to mount it will fail). This is not strictly a grsecurity related option, it could be made into a general option, but it seems to be of particular interest to grsecurity users (for non-grsecurity users, there are other, more immediate kernel injection attack dangers to contend with anyway).
2016-08-01 15:36:03 +02:00
boot.kernelParams = optional cfg.disableEfiRuntimeServices "noefi";
nixos: rewrite the grsecurity module The new module is specifically adapted to the NixOS Grsecurity/PaX kernel. The module declares the required kernel configurations and so *should* be somewhat compatible with custom Grsecurity kernels. The module exposes only a limited number of options, minimising the need for user intervention beyond enabling the module. For experts, Grsecurity/PaX behavior may be configured via `boot.kernelParams` and `boot.kernel.sysctl`. The module assumes the user knows what she's doing (esp. if she decides to modify configuration values not directly exposed by the module). Administration of Grsecurity's role based access control system is yet to be implemented.
2016-06-09 20:12:31 +02:00
system.requiredKernelConfig = with config.lib.kernelConfig;
[ (isEnabled "GRKERNSEC")
(isEnabled "PAX")
(isYES "GRKERNSEC_SYSCTL")
(isYES "GRKERNSEC_SYSCTL_DISTRO")
grsecurity module: assert RBAC support in kernel
2016-07-17 21:30:16 +02:00
(isNO "GRKERNSEC_NO_RBAC")
nixos: rewrite the grsecurity module The new module is specifically adapted to the NixOS Grsecurity/PaX kernel. The module declares the required kernel configurations and so *should* be somewhat compatible with custom Grsecurity kernels. The module exposes only a limited number of options, minimising the need for user intervention beyond enabling the module. For experts, Grsecurity/PaX behavior may be configured via `boot.kernelParams` and `boot.kernel.sysctl`. The module assumes the user knows what she's doing (esp. if she decides to modify configuration values not directly exposed by the module). Administration of Grsecurity's role based access control system is yet to be implemented.
2016-06-09 20:12:31 +02:00
];
grsecurity: Add `denyUSB` option to grsec NixOS module The option had been added to the grsec build-support code, but it hadn't been added to the grsec module. After this commit, grsec module users will be able to change the default value. It also serves to document that this option exists and that NixOS will disable it by default.
2015-01-19 18:11:54 +01:00
grsecurity module: set nixpkgs.config.grsecurity = true
2016-09-04 19:22:00 +02:00
nixpkgs.config.grsecurity = true;
grsecurity module: add gradm to system path
2016-07-17 21:14:24 +02:00
# Install PaX related utillities into the system profile.
environment.systemPackages = with pkgs; [ gradm paxctl pax-utils ];
grsecurity: Add `denyUSB` option to grsec NixOS module The option had been added to the grsec build-support code, but it hadn't been added to the grsec module. After this commit, grsec module users will be able to change the default value. It also serves to document that this option exists and that NixOS will disable it by default.
2015-01-19 18:11:54 +01:00
nixos: rewrite the grsecurity module The new module is specifically adapted to the NixOS Grsecurity/PaX kernel. The module declares the required kernel configurations and so *should* be somewhat compatible with custom Grsecurity kernels. The module exposes only a limited number of options, minimising the need for user intervention beyond enabling the module. For experts, Grsecurity/PaX behavior may be configured via `boot.kernelParams` and `boot.kernel.sysctl`. The module assumes the user knows what she's doing (esp. if she decides to modify configuration values not directly exposed by the module). Administration of Grsecurity's role based access control system is yet to be implemented.
2016-06-09 20:12:31 +02:00
# Install rules for the grsec device node
services.udev.packages = [ pkgs.gradm ];
nixos: add grsecurity module (#1875) This module implements a significant refactoring in grsecurity configuration for NixOS, making it far more usable by default and much easier to configure. - New security.grsecurity NixOS attributes. - All grsec kernels supported - Allows default 'auto' grsec configuration, or custom config - Supports custom kernel options through kernelExtraConfig - Defaults to high-security - user must choose kernel, server/desktop mode, and any virtualisation software. That's all. - kptr_restrict is fixed under grsecurity (it's unwriteable) - grsecurity patch creation is now significantly abstracted - only need revision, version, and SHA1 - kernel version requirements are asserted for sanity - built kernels can have the uname specify the exact grsec version for development or bug reports. Off by default (requires `security.grsecurity.config.verboseVersion = true;`) - grsecurity sysctl support - By default, disabled. - For people who enable it, NixOS deploys a 'grsec-lock' systemd service which runs at startup. You are expected to configure sysctl through NixOS like you regularly would, which will occur before the service is started. As a result, changing sysctl settings requires a reboot. - New default group: 'grsecurity' - Root is a member by default - GRKERNSEC_PROC_GID is implicitly set to the 'grsecurity' GID, making it possible to easily add users to this group for /proc access - AppArmor is now automatically enabled where it wasn't before, despite implying features.apparmor = true The most trivial example of enabling grsecurity in your kernel is by specifying: security.grsecurity.enable = true; security.grsecurity.testing = true; # testing 3.13 kernel security.grsecurity.config.system = "desktop"; # or "server" This specifies absolutely no virtualisation support. In general, you probably at least want KVM host support, which is a little more work. So: security.grsecurity.enable = true; security.grsecurity.stable = true; # enable stable 3.2 kernel security.grsecurity.config = { system = "server"; priority = "security"; virtualisationConfig = "host"; virtualisationSoftware = "kvm"; hardwareVirtualisation = true; } This module has primarily been tested on Hetzner EX40 & VQ7 servers using NixOps. Signed-off-by: Austin Seipp <aseipp@pobox.com>
2014-04-06 14:18:12 -05:00
grsecurity module: grsecurity is not capitalized mid-sentence
2016-07-14 17:43:43 +02:00
# This service unit is responsible for locking the grsecurity tunables. The
nixos: rewrite the grsecurity module The new module is specifically adapted to the NixOS Grsecurity/PaX kernel. The module declares the required kernel configurations and so *should* be somewhat compatible with custom Grsecurity kernels. The module exposes only a limited number of options, minimising the need for user intervention beyond enabling the module. For experts, Grsecurity/PaX behavior may be configured via `boot.kernelParams` and `boot.kernel.sysctl`. The module assumes the user knows what she's doing (esp. if she decides to modify configuration values not directly exposed by the module). Administration of Grsecurity's role based access control system is yet to be implemented.
2016-06-09 20:12:31 +02:00
# unit is always defined, but only activated on bootup if lockTunables is
# toggled. When lockTunables is toggled, failure to activate the unit will
# enter emergency mode. The intent is to make it difficult to silently
# enter multi-user mode without having locked the tunables. Some effort is
# made to ensure that starting the unit is an idempotent operation.
systemd.services.grsec-lock = {
description = "Lock grsecurity tunables";
grsecurity: Fix GRKERNSEC_PROC restrictions Previously we were setting GRKERNSEC_PROC_USER y, which was a little bit too strict. It doesn't allow a special group (e.g. the grsecurity group users) to access /proc information - this requires GRKERNSEC_PROC_USERGROUP y, and the two are mutually exclusive. This was also not in line with the default automatic grsecurity configuration - it actually defaults to USERGROUP (although it has a default GID of 1001 instead of ours), not USER. This introduces a new option restrictProcWithGroup - enabled by default - which turns on GRKERNSEC_PROC_USERGROUP instead. It also turns off restrictProc by default and makes sure both cannot be enabled. Signed-off-by: Austin Seipp <aseipp@pobox.com>
2014-04-12 11:16:03 -05:00
nixos: rewrite the grsecurity module The new module is specifically adapted to the NixOS Grsecurity/PaX kernel. The module declares the required kernel configurations and so *should* be somewhat compatible with custom Grsecurity kernels. The module exposes only a limited number of options, minimising the need for user intervention beyond enabling the module. For experts, Grsecurity/PaX behavior may be configured via `boot.kernelParams` and `boot.kernel.sysctl`. The module assumes the user knows what she's doing (esp. if she decides to modify configuration values not directly exposed by the module). Administration of Grsecurity's role based access control system is yet to be implemented.
2016-06-09 20:12:31 +02:00
wantedBy = optional cfg.lockTunables "multi-user.target";
nixos: add grsecurity module (#1875) This module implements a significant refactoring in grsecurity configuration for NixOS, making it far more usable by default and much easier to configure. - New security.grsecurity NixOS attributes. - All grsec kernels supported - Allows default 'auto' grsec configuration, or custom config - Supports custom kernel options through kernelExtraConfig - Defaults to high-security - user must choose kernel, server/desktop mode, and any virtualisation software. That's all. - kptr_restrict is fixed under grsecurity (it's unwriteable) - grsecurity patch creation is now significantly abstracted - only need revision, version, and SHA1 - kernel version requirements are asserted for sanity - built kernels can have the uname specify the exact grsec version for development or bug reports. Off by default (requires `security.grsecurity.config.verboseVersion = true;`) - grsecurity sysctl support - By default, disabled. - For people who enable it, NixOS deploys a 'grsec-lock' systemd service which runs at startup. You are expected to configure sysctl through NixOS like you regularly would, which will occur before the service is started. As a result, changing sysctl settings requires a reboot. - New default group: 'grsecurity' - Root is a member by default - GRKERNSEC_PROC_GID is implicitly set to the 'grsecurity' GID, making it possible to easily add users to this group for /proc access - AppArmor is now automatically enabled where it wasn't before, despite implying features.apparmor = true The most trivial example of enabling grsecurity in your kernel is by specifying: security.grsecurity.enable = true; security.grsecurity.testing = true; # testing 3.13 kernel security.grsecurity.config.system = "desktop"; # or "server" This specifies absolutely no virtualisation support. In general, you probably at least want KVM host support, which is a little more work. So: security.grsecurity.enable = true; security.grsecurity.stable = true; # enable stable 3.2 kernel security.grsecurity.config = { system = "server"; priority = "security"; virtualisationConfig = "host"; virtualisationSoftware = "kvm"; hardwareVirtualisation = true; } This module has primarily been tested on Hetzner EX40 & VQ7 servers using NixOps. Signed-off-by: Austin Seipp <aseipp@pobox.com>
2014-04-06 14:18:12 -05:00
nixos: rewrite the grsecurity module The new module is specifically adapted to the NixOS Grsecurity/PaX kernel. The module declares the required kernel configurations and so *should* be somewhat compatible with custom Grsecurity kernels. The module exposes only a limited number of options, minimising the need for user intervention beyond enabling the module. For experts, Grsecurity/PaX behavior may be configured via `boot.kernelParams` and `boot.kernel.sysctl`. The module assumes the user knows what she's doing (esp. if she decides to modify configuration values not directly exposed by the module). Administration of Grsecurity's role based access control system is yet to be implemented.
2016-06-09 20:12:31 +02:00
wants = [ "local-fs.target" "systemd-sysctl.service" ];
after = [ "local-fs.target" "systemd-sysctl.service" ];
conflicts = [ "shutdown.target" ];
nixos: add grsecurity module (#1875) This module implements a significant refactoring in grsecurity configuration for NixOS, making it far more usable by default and much easier to configure. - New security.grsecurity NixOS attributes. - All grsec kernels supported - Allows default 'auto' grsec configuration, or custom config - Supports custom kernel options through kernelExtraConfig - Defaults to high-security - user must choose kernel, server/desktop mode, and any virtualisation software. That's all. - kptr_restrict is fixed under grsecurity (it's unwriteable) - grsecurity patch creation is now significantly abstracted - only need revision, version, and SHA1 - kernel version requirements are asserted for sanity - built kernels can have the uname specify the exact grsec version for development or bug reports. Off by default (requires `security.grsecurity.config.verboseVersion = true;`) - grsecurity sysctl support - By default, disabled. - For people who enable it, NixOS deploys a 'grsec-lock' systemd service which runs at startup. You are expected to configure sysctl through NixOS like you regularly would, which will occur before the service is started. As a result, changing sysctl settings requires a reboot. - New default group: 'grsecurity' - Root is a member by default - GRKERNSEC_PROC_GID is implicitly set to the 'grsecurity' GID, making it possible to easily add users to this group for /proc access - AppArmor is now automatically enabled where it wasn't before, despite implying features.apparmor = true The most trivial example of enabling grsecurity in your kernel is by specifying: security.grsecurity.enable = true; security.grsecurity.testing = true; # testing 3.13 kernel security.grsecurity.config.system = "desktop"; # or "server" This specifies absolutely no virtualisation support. In general, you probably at least want KVM host support, which is a little more work. So: security.grsecurity.enable = true; security.grsecurity.stable = true; # enable stable 3.2 kernel security.grsecurity.config = { system = "server"; priority = "security"; virtualisationConfig = "host"; virtualisationSoftware = "kvm"; hardwareVirtualisation = true; } This module has primarily been tested on Hetzner EX40 & VQ7 servers using NixOps. Signed-off-by: Austin Seipp <aseipp@pobox.com>
2014-04-06 14:18:12 -05:00
nixos: rewrite the grsecurity module The new module is specifically adapted to the NixOS Grsecurity/PaX kernel. The module declares the required kernel configurations and so *should* be somewhat compatible with custom Grsecurity kernels. The module exposes only a limited number of options, minimising the need for user intervention beyond enabling the module. For experts, Grsecurity/PaX behavior may be configured via `boot.kernelParams` and `boot.kernel.sysctl`. The module assumes the user knows what she's doing (esp. if she decides to modify configuration values not directly exposed by the module). Administration of Grsecurity's role based access control system is yet to be implemented.
2016-06-09 20:12:31 +02:00
restartIfChanged = false;
grsecurity: support disabling TCP simultaneous connect Defaults to OFF because disabling TCP simultaneous connect breaks some legitimate use cases, notably WebRTC [1], but it's nice to provide the option for deployments where those features are unneeded anyway. This is an alternative to https://github.com/NixOS/nixpkgs/pull/4937 [1]: http://article.gmane.org/gmane.linux.documentation/9425
2016-05-04 02:20:49 +02:00
nixos: rewrite the grsecurity module The new module is specifically adapted to the NixOS Grsecurity/PaX kernel. The module declares the required kernel configurations and so *should* be somewhat compatible with custom Grsecurity kernels. The module exposes only a limited number of options, minimising the need for user intervention beyond enabling the module. For experts, Grsecurity/PaX behavior may be configured via `boot.kernelParams` and `boot.kernel.sysctl`. The module assumes the user knows what she's doing (esp. if she decides to modify configuration values not directly exposed by the module). Administration of Grsecurity's role based access control system is yet to be implemented.
2016-06-09 20:12:31 +02:00
script = ''
if ${pkgs.gnugrep}/bin/grep -Fq 0 ${grsecLockPath} ; then
echo -n 1 > ${grsecLockPath}
fi
'';
grsecurity: support disabling TCP simultaneous connect Defaults to OFF because disabling TCP simultaneous connect breaks some legitimate use cases, notably WebRTC [1], but it's nice to provide the option for deployments where those features are unneeded anyway. This is an alternative to https://github.com/NixOS/nixpkgs/pull/4937 [1]: http://article.gmane.org/gmane.linux.documentation/9425
2016-05-04 02:20:49 +02:00
nixos: rewrite the grsecurity module The new module is specifically adapted to the NixOS Grsecurity/PaX kernel. The module declares the required kernel configurations and so *should* be somewhat compatible with custom Grsecurity kernels. The module exposes only a limited number of options, minimising the need for user intervention beyond enabling the module. For experts, Grsecurity/PaX behavior may be configured via `boot.kernelParams` and `boot.kernel.sysctl`. The module assumes the user knows what she's doing (esp. if she decides to modify configuration values not directly exposed by the module). Administration of Grsecurity's role based access control system is yet to be implemented.
2016-06-09 20:12:31 +02:00
unitConfig = {
ConditionPathIsReadWrite = grsecLockPath;
DefaultDependencies = false;
} // optionalAttrs cfg.lockTunables {
OnFailure = "emergency.target";
};
nixos: add grsecurity module (#1875) This module implements a significant refactoring in grsecurity configuration for NixOS, making it far more usable by default and much easier to configure. - New security.grsecurity NixOS attributes. - All grsec kernels supported - Allows default 'auto' grsec configuration, or custom config - Supports custom kernel options through kernelExtraConfig - Defaults to high-security - user must choose kernel, server/desktop mode, and any virtualisation software. That's all. - kptr_restrict is fixed under grsecurity (it's unwriteable) - grsecurity patch creation is now significantly abstracted - only need revision, version, and SHA1 - kernel version requirements are asserted for sanity - built kernels can have the uname specify the exact grsec version for development or bug reports. Off by default (requires `security.grsecurity.config.verboseVersion = true;`) - grsecurity sysctl support - By default, disabled. - For people who enable it, NixOS deploys a 'grsec-lock' systemd service which runs at startup. You are expected to configure sysctl through NixOS like you regularly would, which will occur before the service is started. As a result, changing sysctl settings requires a reboot. - New default group: 'grsecurity' - Root is a member by default - GRKERNSEC_PROC_GID is implicitly set to the 'grsecurity' GID, making it possible to easily add users to this group for /proc access - AppArmor is now automatically enabled where it wasn't before, despite implying features.apparmor = true The most trivial example of enabling grsecurity in your kernel is by specifying: security.grsecurity.enable = true; security.grsecurity.testing = true; # testing 3.13 kernel security.grsecurity.config.system = "desktop"; # or "server" This specifies absolutely no virtualisation support. In general, you probably at least want KVM host support, which is a little more work. So: security.grsecurity.enable = true; security.grsecurity.stable = true; # enable stable 3.2 kernel security.grsecurity.config = { system = "server"; priority = "security"; virtualisationConfig = "host"; virtualisationSoftware = "kvm"; hardwareVirtualisation = true; } This module has primarily been tested on Hetzner EX40 & VQ7 servers using NixOps. Signed-off-by: Austin Seipp <aseipp@pobox.com>
2014-04-06 14:18:12 -05:00
nixos: rewrite the grsecurity module The new module is specifically adapted to the NixOS Grsecurity/PaX kernel. The module declares the required kernel configurations and so *should* be somewhat compatible with custom Grsecurity kernels. The module exposes only a limited number of options, minimising the need for user intervention beyond enabling the module. For experts, Grsecurity/PaX behavior may be configured via `boot.kernelParams` and `boot.kernel.sysctl`. The module assumes the user knows what she's doing (esp. if she decides to modify configuration values not directly exposed by the module). Administration of Grsecurity's role based access control system is yet to be implemented.
2016-06-09 20:12:31 +02:00
serviceConfig = {
Type = "oneshot";
RemainAfterExit = true;
nixos: add grsecurity module (#1875) This module implements a significant refactoring in grsecurity configuration for NixOS, making it far more usable by default and much easier to configure. - New security.grsecurity NixOS attributes. - All grsec kernels supported - Allows default 'auto' grsec configuration, or custom config - Supports custom kernel options through kernelExtraConfig - Defaults to high-security - user must choose kernel, server/desktop mode, and any virtualisation software. That's all. - kptr_restrict is fixed under grsecurity (it's unwriteable) - grsecurity patch creation is now significantly abstracted - only need revision, version, and SHA1 - kernel version requirements are asserted for sanity - built kernels can have the uname specify the exact grsec version for development or bug reports. Off by default (requires `security.grsecurity.config.verboseVersion = true;`) - grsecurity sysctl support - By default, disabled. - For people who enable it, NixOS deploys a 'grsec-lock' systemd service which runs at startup. You are expected to configure sysctl through NixOS like you regularly would, which will occur before the service is started. As a result, changing sysctl settings requires a reboot. - New default group: 'grsecurity' - Root is a member by default - GRKERNSEC_PROC_GID is implicitly set to the 'grsecurity' GID, making it possible to easily add users to this group for /proc access - AppArmor is now automatically enabled where it wasn't before, despite implying features.apparmor = true The most trivial example of enabling grsecurity in your kernel is by specifying: security.grsecurity.enable = true; security.grsecurity.testing = true; # testing 3.13 kernel security.grsecurity.config.system = "desktop"; # or "server" This specifies absolutely no virtualisation support. In general, you probably at least want KVM host support, which is a little more work. So: security.grsecurity.enable = true; security.grsecurity.stable = true; # enable stable 3.2 kernel security.grsecurity.config = { system = "server"; priority = "security"; virtualisationConfig = "host"; virtualisationSoftware = "kvm"; hardwareVirtualisation = true; } This module has primarily been tested on Hetzner EX40 & VQ7 servers using NixOps. Signed-off-by: Austin Seipp <aseipp@pobox.com>
2014-04-06 14:18:12 -05:00
};
};
nixos: rewrite the grsecurity module The new module is specifically adapted to the NixOS Grsecurity/PaX kernel. The module declares the required kernel configurations and so *should* be somewhat compatible with custom Grsecurity kernels. The module exposes only a limited number of options, minimising the need for user intervention beyond enabling the module. For experts, Grsecurity/PaX behavior may be configured via `boot.kernelParams` and `boot.kernel.sysctl`. The module assumes the user knows what she's doing (esp. if she decides to modify configuration values not directly exposed by the module). Administration of Grsecurity's role based access control system is yet to be implemented.
2016-06-09 20:12:31 +02:00
# Configure system tunables
boot.kernel.sysctl = {
grsecurity module: correct internal note
2016-08-01 15:56:09 +02:00
# Read-only under grsecurity
nixos: rewrite the grsecurity module The new module is specifically adapted to the NixOS Grsecurity/PaX kernel. The module declares the required kernel configurations and so *should* be somewhat compatible with custom Grsecurity kernels. The module exposes only a limited number of options, minimising the need for user intervention beyond enabling the module. For experts, Grsecurity/PaX behavior may be configured via `boot.kernelParams` and `boot.kernel.sysctl`. The module assumes the user knows what she's doing (esp. if she decides to modify configuration values not directly exposed by the module). Administration of Grsecurity's role based access control system is yet to be implemented.
2016-06-09 20:12:31 +02:00
"kernel.kptr_restrict" = mkForce null;
} // optionalAttrs config.nix.useSandbox {
# chroot(2) restrictions that conflict with sandboxed Nix builds
"kernel.grsecurity.chroot_caps" = mkForce 0;
"kernel.grsecurity.chroot_deny_chroot" = mkForce 0;
"kernel.grsecurity.chroot_deny_mount" = mkForce 0;
"kernel.grsecurity.chroot_deny_pivot" = mkForce 0;
grsecurity module: permit chmod +s in sandboxed builds While useless, some builds may dabble with setuid bits (e.g., util-linux), which breaks under grsec. In the interest of user friendliness, we once again compromise by disabling an otherwise useful feature ... Closes https://github.com/NixOS/nixpkgs/issues/17501
2016-08-15 19:55:12 +02:00
"kernel.grsecurity.chroot_deny_chmod" = mkForce 0;
grsecurity module: smarter container support Only set tunables required for container support if there are any containers.
2016-07-14 16:00:17 +02:00
} // optionalAttrs containerSupportRequired {
nixos: rewrite the grsecurity module The new module is specifically adapted to the NixOS Grsecurity/PaX kernel. The module declares the required kernel configurations and so *should* be somewhat compatible with custom Grsecurity kernels. The module exposes only a limited number of options, minimising the need for user intervention beyond enabling the module. For experts, Grsecurity/PaX behavior may be configured via `boot.kernelParams` and `boot.kernel.sysctl`. The module assumes the user knows what she's doing (esp. if she decides to modify configuration values not directly exposed by the module). Administration of Grsecurity's role based access control system is yet to be implemented.
2016-06-09 20:12:31 +02:00
# chroot(2) restrictions that conflict with NixOS lightweight containers
"kernel.grsecurity.chroot_deny_chmod" = mkForce 0;
"kernel.grsecurity.chroot_deny_mount" = mkForce 0;
"kernel.grsecurity.chroot_restrict_nice" = mkForce 0;
grsecurity module: systemd-nspawn requires cap_sys_admin As with 9ca3504a798291fbd7c49fcfeec8b64daa2022ad Closes https://github.com/NixOS/nixpkgs/issues/17714
2016-08-15 20:01:12 +02:00
"kernel.grsecurity.chroot_caps" = mkForce 0;
nixos: add grsecurity module (#1875) This module implements a significant refactoring in grsecurity configuration for NixOS, making it far more usable by default and much easier to configure. - New security.grsecurity NixOS attributes. - All grsec kernels supported - Allows default 'auto' grsec configuration, or custom config - Supports custom kernel options through kernelExtraConfig - Defaults to high-security - user must choose kernel, server/desktop mode, and any virtualisation software. That's all. - kptr_restrict is fixed under grsecurity (it's unwriteable) - grsecurity patch creation is now significantly abstracted - only need revision, version, and SHA1 - kernel version requirements are asserted for sanity - built kernels can have the uname specify the exact grsec version for development or bug reports. Off by default (requires `security.grsecurity.config.verboseVersion = true;`) - grsecurity sysctl support - By default, disabled. - For people who enable it, NixOS deploys a 'grsec-lock' systemd service which runs at startup. You are expected to configure sysctl through NixOS like you regularly would, which will occur before the service is started. As a result, changing sysctl settings requires a reboot. - New default group: 'grsecurity' - Root is a member by default - GRKERNSEC_PROC_GID is implicitly set to the 'grsecurity' GID, making it possible to easily add users to this group for /proc access - AppArmor is now automatically enabled where it wasn't before, despite implying features.apparmor = true The most trivial example of enabling grsecurity in your kernel is by specifying: security.grsecurity.enable = true; security.grsecurity.testing = true; # testing 3.13 kernel security.grsecurity.config.system = "desktop"; # or "server" This specifies absolutely no virtualisation support. In general, you probably at least want KVM host support, which is a little more work. So: security.grsecurity.enable = true; security.grsecurity.stable = true; # enable stable 3.2 kernel security.grsecurity.config = { system = "server"; priority = "security"; virtualisationConfig = "host"; virtualisationSoftware = "kvm"; hardwareVirtualisation = true; } This module has primarily been tested on Hetzner EX40 & VQ7 servers using NixOps. Signed-off-by: Austin Seipp <aseipp@pobox.com>
2014-04-06 14:18:12 -05:00
};
nixos: rewrite the grsecurity module The new module is specifically adapted to the NixOS Grsecurity/PaX kernel. The module declares the required kernel configurations and so *should* be somewhat compatible with custom Grsecurity kernels. The module exposes only a limited number of options, minimising the need for user intervention beyond enabling the module. For experts, Grsecurity/PaX behavior may be configured via `boot.kernelParams` and `boot.kernel.sysctl`. The module assumes the user knows what she's doing (esp. if she decides to modify configuration values not directly exposed by the module). Administration of Grsecurity's role based access control system is yet to be implemented.
2016-06-09 20:12:31 +02:00
assertions = [
{ assertion = !zfsNeededForBoot;
message = "grsecurity is currently incompatible with ZFS";
}
];
nixos: add grsecurity module (#1875) This module implements a significant refactoring in grsecurity configuration for NixOS, making it far more usable by default and much easier to configure. - New security.grsecurity NixOS attributes. - All grsec kernels supported - Allows default 'auto' grsec configuration, or custom config - Supports custom kernel options through kernelExtraConfig - Defaults to high-security - user must choose kernel, server/desktop mode, and any virtualisation software. That's all. - kptr_restrict is fixed under grsecurity (it's unwriteable) - grsecurity patch creation is now significantly abstracted - only need revision, version, and SHA1 - kernel version requirements are asserted for sanity - built kernels can have the uname specify the exact grsec version for development or bug reports. Off by default (requires `security.grsecurity.config.verboseVersion = true;`) - grsecurity sysctl support - By default, disabled. - For people who enable it, NixOS deploys a 'grsec-lock' systemd service which runs at startup. You are expected to configure sysctl through NixOS like you regularly would, which will occur before the service is started. As a result, changing sysctl settings requires a reboot. - New default group: 'grsecurity' - Root is a member by default - GRKERNSEC_PROC_GID is implicitly set to the 'grsecurity' GID, making it possible to easily add users to this group for /proc access - AppArmor is now automatically enabled where it wasn't before, despite implying features.apparmor = true The most trivial example of enabling grsecurity in your kernel is by specifying: security.grsecurity.enable = true; security.grsecurity.testing = true; # testing 3.13 kernel security.grsecurity.config.system = "desktop"; # or "server" This specifies absolutely no virtualisation support. In general, you probably at least want KVM host support, which is a little more work. So: security.grsecurity.enable = true; security.grsecurity.stable = true; # enable stable 3.2 kernel security.grsecurity.config = { system = "server"; priority = "security"; virtualisationConfig = "host"; virtualisationSoftware = "kvm"; hardwareVirtualisation = true; } This module has primarily been tested on Hetzner EX40 & VQ7 servers using NixOps. Signed-off-by: Austin Seipp <aseipp@pobox.com>
2014-04-06 14:18:12 -05:00
};
}
Reference in New Issue Copy Permalink