grsecurity: enable module hardening

nixos/modules/security/grsecurity.xml

@@ -153,10 +153,6 @@
 
         <listitem><para>Trusted path execution: a desirable feature, but
         requires some more work to operate smoothly on NixOS.</para></listitem>
-
-        <listitem><para>Module hardening: would break user initiated module
-        loading. Might enable this at some point, depending on the potential
-        breakage.</para></listitem>
       </itemizedlist>
     </para></listitem>
 
@@ -292,6 +288,10 @@
     <option>security.grsecurity.disableEfiRuntimeServices</option> to override
     this behavior.</para></listitem>
 
+    <listitem><para>User initiated autoloading of modules (e.g., when
+    using fuse or loop devices) is disallowed; either load requisite modules
+    as root or add them to<option>boot.kernelModules</option>.</para></listitem>
+
     <listitem><para>Virtualization: KVM is the preferred virtualization
     solution. Xen, Virtualbox, and VMWare are
     <emphasis>unsupported</emphasis> and most likely require a custom kernel.

pkgs/os-specific/linux/kernel/grsecurity-nixos-config.nix

@@ -31,6 +31,8 @@ PAX_KERNEXEC_PLUGIN_METHOD_BTS y
 GRKERNSEC_IO y
 GRKERNSEC_SYSFS_RESTRICT y
 
+GRKERNSEC_MODHARDEN y
+
 # Disable protections rendered useless by redistribution
 GRKERNSEC_HIDESYM n
 GRKERNSEC_RANDSTRUCT n
@@ -51,9 +53,6 @@ GRKERNSEC_FORKFAIL y
 # Wishlist: support trusted path execution
 GRKERNSEC_TPE n
 
-# Wishlist: enable this, but breaks user initiated module loading
-GRKERNSEC_MODHARDEN n
-
 GRKERNSEC_SYSCTL y
 GRKERNSEC_SYSCTL_DISTRO y
 # Assume that appropriate sysctls are toggled once the system is up