diff --git a/nixos/doc/manual/release-notes/rl-1609.xml b/nixos/doc/manual/release-notes/rl-1609.xml
index 3abafac9737..893f894f42f 100644
--- a/nixos/doc/manual/release-notes/rl-1609.xml
+++ b/nixos/doc/manual/release-notes/rl-1609.xml
@@ -176,7 +176,7 @@ following incompatible changes:
streamlined. Desktop users should be able to simply set
security.grsecurity.enable = true to get
a reasonably secure system without having to sacrifice too much
- functionality. See for documentation
+ functionality.
Special filesystems, like /proc,
diff --git a/nixos/modules/module-list.nix b/nixos/modules/module-list.nix
index 641a9e6095e..cc7aa519478 100644
--- a/nixos/modules/module-list.nix
+++ b/nixos/modules/module-list.nix
@@ -121,7 +121,6 @@
./security/chromium-suid-sandbox.nix
./security/dhparams.nix
./security/duosec.nix
- ./security/grsecurity.nix
./security/hidepid.nix
./security/lock-kernel-modules.nix
./security/oath.nix
diff --git a/nixos/modules/rename.nix b/nixos/modules/rename.nix
index 6b33eeb6e4e..fcf4c32d277 100644
--- a/nixos/modules/rename.nix
+++ b/nixos/modules/rename.nix
@@ -124,26 +124,6 @@ with lib;
(mkRenamedOptionModule [ "services" "iodined" "extraConfig" ] [ "services" "iodine" "server" "extraConfig" ])
(mkRemovedOptionModule [ "services" "iodined" "client" ] "")
- # Grsecurity
- (mkRemovedOptionModule [ "security" "grsecurity" "kernelPatch" ] "")
- (mkRemovedOptionModule [ "security" "grsecurity" "config" "mode" ] "")
- (mkRemovedOptionModule [ "security" "grsecurity" "config" "priority" ] "")
- (mkRemovedOptionModule [ "security" "grsecurity" "config" "system" ] "")
- (mkRemovedOptionModule [ "security" "grsecurity" "config" "virtualisationConfig" ] "")
- (mkRemovedOptionModule [ "security" "grsecurity" "config" "hardwareVirtualisation" ] "")
- (mkRemovedOptionModule [ "security" "grsecurity" "config" "virtualisationSoftware" ] "")
- (mkRemovedOptionModule [ "security" "grsecurity" "config" "sysctl" ] "")
- (mkRemovedOptionModule [ "security" "grsecurity" "config" "denyChrootChmod" ] "")
- (mkRemovedOptionModule [ "security" "grsecurity" "config" "denyChrootCaps" ] "")
- (mkRemovedOptionModule [ "security" "grsecurity" "config" "denyUSB" ] "")
- (mkRemovedOptionModule [ "security" "grsecurity" "config" "restrictProc" ] "")
- (mkRemovedOptionModule [ "security" "grsecurity" "config" "restrictProcWithGroup" ] "")
- (mkRemovedOptionModule [ "security" "grsecurity" "config" "unrestrictProcGid" ] "")
- (mkRemovedOptionModule [ "security" "grsecurity" "config" "disableRBAC" ] "")
- (mkRemovedOptionModule [ "security" "grsecurity" "config" "disableSimultConnect" ] "")
- (mkRemovedOptionModule [ "security" "grsecurity" "config" "verboseVersion" ] "")
- (mkRemovedOptionModule [ "security" "grsecurity" "config" "kernelExtraConfig" ] "")
-
# Unity3D
(mkRenamedOptionModule [ "programs" "unity3d" "enable" ] [ "security" "chromiumSuidSandbox" "enable" ])
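Review bot: Deleting the `security.grsecurity.config.*` removed-option entries leaves no replacement for the three options the deleted module declared (`enable`, `lockTunables`, `disableEfiRuntimeServices`), so an existing `security.grsecurity.enable = true` now fails evaluation with a generic undefined-option error instead of a message saying why the module is gone. Failing evaluation is the right outcome here (the configuration is not silently weakened), but a removed-option entry in place of the deleted block would make the reason explicit; I believe a single prefix entry such as `(mkRemovedOptionModule [ "security" "grsecurity" ] "Grsecurity/PaX support has been removed from NixOS; see the release notes.")` would catch definitions anywhere under that option tree, though that should be confirmed against how mkRemovedOptionModule handles sub-attributes. The same gap applies to the module-list.nix hunk, which drops the module without any accompanying notice. I cannot see from this diff whether `linuxPackages_grsec_nixos` and `nixpkgs.config.grsecurity` are still defined elsewhere; if they are, removing the module alone does not stop a user from selecting that kernel via `boot.kernelPackages`, so their removal would need tracking separately.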
diff --git a/nixos/modules/security/grsecurity.nix b/nixos/modules/security/grsecurity.nix
deleted file mode 100644
index d23c7f2e86d..00000000000
--- a/nixos/modules/security/grsecurity.nix
+++ /dev/null
@@ -1,169 +0,0 @@
-{ config, pkgs, lib, ... }:
-
-with lib;
-
-let
- cfg = config.security.grsecurity;
- grsecLockPath = "/proc/sys/kernel/grsecurity/grsec_lock";
-
- # Ascertain whether NixOS container support is required
- containerSupportRequired =
- config.boot.enableContainers && config.containers != {};
-in
-
-{
- meta = {
- maintainers = with maintainers; [ ];
- doc = ./grsecurity.xml;
- };
-
- options.security.grsecurity = {
-
- enable = mkOption {
- type = types.bool;
- default = false;
- description = ''
- Enable grsecurity/PaX.
- '';
- };
-
- lockTunables = mkOption {
- type = types.bool;
- default = true;
- description = ''
- Whether to automatically lock grsecurity tunables
- (). Disable
- this to allow runtime configuration of grsecurity features. Activate
- the grsec-lock service unit to prevent further
- configuration until the next reboot.
- '';
- };
-
- disableEfiRuntimeServices = mkOption {
- type = types.bool;
- default = true;
- description = ''
- Whether to disable access to EFI runtime services. Enabling EFI runtime
- services creates a venue for code injection attacks on the kernel and
- should be disabled if at all possible. Changing this option enters into
- effect upon reboot.
- '';
- };
-
- };
-
- config = mkIf cfg.enable {
-
- boot.kernelPackages = mkForce pkgs.linuxPackages_grsec_nixos;
-
- boot.kernelParams = [ "grsec_sysfs_restrict=0" ]
- ++ optional cfg.disableEfiRuntimeServices "noefi";
-
- nixpkgs.config.grsecurity = true;
-
- # Install PaX related utillities into the system profile.
- environment.systemPackages = with pkgs; [ gradm paxctl pax-utils ];
-
- # Install rules for the grsec device node
- services.udev.packages = [ pkgs.gradm ];
-
- # This service unit is responsible for locking the grsecurity tunables. The
- # unit is always defined, but only activated on bootup if lockTunables is
- # toggled. When lockTunables is toggled, failure to activate the unit will
- # enter emergency mode. The intent is to make it difficult to silently
- # enter multi-user mode without having locked the tunables. Some effort is
- # made to ensure that starting the unit is an idempotent operation.
- systemd.services.grsec-lock = {
- description = "Lock grsecurity tunables";
-
- wantedBy = optional cfg.lockTunables "multi-user.target";
-
- wants = [ "local-fs.target" "systemd-sysctl.service" ];
- after = [ "local-fs.target" "systemd-sysctl.service" ];
- conflicts = [ "shutdown.target" ];
-
- restartIfChanged = false;
-
- script = ''
- if ${pkgs.gnugrep}/bin/grep -Fq 0 ${grsecLockPath} ; then
- echo -n 1 > ${grsecLockPath}
- fi
- '';
-
- unitConfig = {
- ConditionPathIsReadWrite = grsecLockPath;
- DefaultDependencies = false;
- } // optionalAttrs cfg.lockTunables {
- OnFailure = "emergency.target";
- };
-
- serviceConfig = {
- Type = "oneshot";
- RemainAfterExit = true;
- };
- };
-
- # Configure system tunables
- boot.kernel.sysctl = {
- # Read-only under grsecurity
- "kernel.kptr_restrict" = mkForce null;
-
- # All grsec tunables default to off, those not enabled below are
- # *disabled*. We use mkDefault to allow expert users to override
- # our choices, but use mkForce where tunables would outright
- # conflict with other settings.
-
- # Enable all chroot restrictions by default (overwritten as
- # necessary below)
- "kernel.grsecurity.chroot_caps" = mkDefault 1;
- "kernel.grsecurity.chroot_deny_bad_rename" = mkDefault 1;
- "kernel.grsecurity.chroot_deny_chmod" = mkDefault 1;
- "kernel.grsecurity.chroot_deny_chroot" = mkDefault 1;
- "kernel.grsecurity.chroot_deny_fchdir" = mkDefault 1;
- "kernel.grsecurity.chroot_deny_mknod" = mkDefault 1;
- "kernel.grsecurity.chroot_deny_mount" = mkDefault 1;
- "kernel.grsecurity.chroot_deny_pivot" = mkDefault 1;
- "kernel.grsecurity.chroot_deny_shmat" = mkDefault 1;
- "kernel.grsecurity.chroot_deny_sysctl" = mkDefault 1;
- "kernel.grsecurity.chroot_deny_unix" = mkDefault 1;
- "kernel.grsecurity.chroot_enforce_chdir" = mkDefault 1;
- "kernel.grsecurity.chroot_findtask" = mkDefault 1;
- "kernel.grsecurity.chroot_restrict_nice" = mkDefault 1;
-
- # Enable various grsec protections
- "kernel.grsecurity.consistent_setxid" = mkDefault 1;
- "kernel.grsecurity.deter_bruteforce" = mkDefault 1;
- "kernel.grsecurity.fifo_restrictions" = mkDefault 1;
- "kernel.grsecurity.harden_ipc" = mkDefault 1;
- "kernel.grsecurity.harden_ptrace" = mkDefault 1;
- "kernel.grsecurity.harden_tty" = mkDefault 1;
- "kernel.grsecurity.ip_blackhole" = mkDefault 1;
- "kernel.grsecurity.linking_restrictions" = mkDefault 1;
- "kernel.grsecurity.ptrace_readexec" = mkDefault 1;
-
- # Enable auditing
- "kernel.grsecurity.audit_ptrace" = mkDefault 1;
- "kernel.grsecurity.forkfail_logging" = mkDefault 1;
- "kernel.grsecurity.rwxmap_logging" = mkDefault 1;
- "kernel.grsecurity.signal_logging" = mkDefault 1;
- "kernel.grsecurity.timechange_logging" = mkDefault 1;
- } // optionalAttrs config.nix.useSandbox {
- # chroot(2) restrictions that conflict with sandboxed Nix builds
- "kernel.grsecurity.chroot_caps" = mkForce 0;
- "kernel.grsecurity.chroot_deny_chmod" = mkForce 0;
- "kernel.grsecurity.chroot_deny_chroot" = mkForce 0;
- "kernel.grsecurity.chroot_deny_mount" = mkForce 0;
- "kernel.grsecurity.chroot_deny_pivot" = mkForce 0;
- } // optionalAttrs containerSupportRequired {
- # chroot(2) restrictions that conflict with NixOS lightweight containers
- "kernel.grsecurity.chroot_caps" = mkForce 0;
- "kernel.grsecurity.chroot_deny_chmod" = mkForce 0;
- "kernel.grsecurity.chroot_deny_mount" = mkForce 0;
- "kernel.grsecurity.chroot_restrict_nice" = mkForce 0;
- # Disable privileged IO by default, unless X is enabled
- } // optionalAttrs (!config.services.xserver.enable) {
- "kernel.grsecurity.disable_priv_io" = mkDefault 1;
- };
-
- };
-}
diff --git a/nixos/modules/security/grsecurity.xml b/nixos/modules/security/grsecurity.xml
deleted file mode 100644
index 0a884b3f9b5..00000000000
--- a/nixos/modules/security/grsecurity.xml
+++ /dev/null
@@ -1,385 +0,0 @@
-
-
- Grsecurity/PaX
-
-
- Grsecurity/PaX is a set of patches against the Linux kernel that
- implements an extensive suite of
- features
- designed to increase the difficulty of exploiting kernel and
- application bugs.
-
-
-
- The NixOS grsecurity/PaX module is designed with casual users in mind and is
- intended to be compatible with normal desktop usage, without
- unnecessarily compromising security. The
- following sections describe the configuration and administration of
- a grsecurity/PaX enabled NixOS system. For more comprehensive
- coverage, please refer to the
- grsecurity wikibook
- and the
- Arch
- Linux wiki page on grsecurity.
-
- Upstream has ceased free support for grsecurity/PaX. See
-
- the announcement for more information. Consequently, NixOS
- support for grsecurity/PaX also must cease. Enabling this module will
- result in a build error.
- We standardise on a desktop oriented configuration primarily due
- to lack of resources. The grsecurity/PaX configuration state space is huge
- and each configuration requires quite a bit of testing to ensure that the
- resulting packages work as advertised. Defining additional package sets
- would likely result in a large number of functionally broken packages, to
- nobody's benefit.
-
-
- Enabling grsecurity/PaX
-
-
- To make use of grsecurity/PaX on NixOS, add the following to your
- configuration.nix:
-
- security.grsecurity.enable = true;
-
- followed by
-
- # nixos-rebuild boot
- # reboot
-
-
- Enabling the grsecurity module overrides
- , to reduce the risk of
- misconfiguration.
- describes how to use a custom kernel package set.
-
-
- For most users, further configuration should be unnecessary. All users
- are encouraged to look over before
- using the system, however. If you experience problems, please refer to
- .
-
-
-
- Once booted into the new system, you can optionally use
- paxtest to exercise various PaX features:
-
-
-
-
-
- Declarative tuning
-
-
- The default configuration mode is strictly declarative. Some features
- simply cannot be changed at all after boot, while others are locked once the
- system is up and running. Moreover, changes to the configuration enter
- into effect only upon booting into the new system.
-
-
-
- The NixOS module exposes a limited number of options for tuning the behavior
- of grsecurity/PaX. These are options thought to be of particular interest
- to most users. For experts, further tuning is possible via
- (see
- ) and
- (the wikibook
- contains an
- exhaustive listing of grsecurity sysctl tunables).
-
-
-
-
- Manual tuning
-
-
- To permit manual tuning of grsecurity runtime parameters, set:
-
- security.grsecurity.lockTunables = false;
-
- Once booted into this system, grsecurity features that have a corresponding
- sysctl tunable can be changed without rebooting, either by switching into
- a new system profile or via the sysctl utility.
-
-
-
- To lock all grsecurity tunables until the next boot, do:
-
- # systemctl start grsec-lock
-
-
-
-
-
- Security considerations
-
-
- The NixOS kernel is built using upstream's recommended settings for a
- desktop deployment that generally favours security over performance. This
- section details deviations from upstream's recommendations that may
- compromise security.
-
- There may be additional problems not covered here!
-
-
-
-
-
-
- The following hardening features are disabled in the NixOS kernel:
-
- Kernel symbol hiding: rendered useless by redistributing
- kernel objects.
-
- Randomization of kernel structures: rendered useless by
- redistributing kernel objects.
-
- TCP simultaneous OPEN connection is permitted: breaking
- strict TCP conformance is inappropriate for a general purpose kernel.
- The trade-off is that an attacker may be able to deny outgoing
- connections if they are able to guess the source port allocated by your
- OS for that connection and also manage to initiate
- a TCP simultaneous OPEN on that port before the connection is actually
- established.
-
- Trusted path execution: a desirable feature, but
- requires some more work to operate smoothly on NixOS.
-
-
-
-
- The NixOS module conditionally weakens chroot
- restrictions to accommodate NixOS lightweight containers and sandboxed Nix
- builds. This can be problematic if the deployment also runs privileged
- network facing processes that rely on
- chroot for isolation.
-
-
-
- The NixOS kernel is patched to allow usermode helpers from anywhere in the
- Nix store. A usermode helper is an executable called by the kernel in
- certain circumstances, e.g., modprobe. Vanilla
- grsecurity only allows usermode helpers from paths typically owned by the
- super user. The NixOS kernel allows an attacker to inject malicious code
- into the Nix store which could then be executed by the kernel as a
- usermode helper.
-
-
-
- The following features are disabled because they overlap with
- vanilla kernel mechanisms:
-
-
- /proc hardening:
- use instead. This
- trades weaker protection for greater compatibility.
-
-
- dmesg restrictions:
- use instead
-
-
-
-
-
-
-
-
- Using a custom grsecurity/PaX kernel
-
-
- The NixOS kernel is likely to be either too permissive or too restrictive
- for many deployment scenarios. In addition to producing a kernel more
- suitable for a particular deployment, a custom kernel may improve security
- by depriving an attacker the ability to study the kernel object code, adding
- yet more guesswork to successfully carry out certain exploits.
-
-
-
- To build a custom kernel using upstream's recommended settings for server
- deployments, while still using the NixOS module:
-
- nixpkgs.config.packageOverrides = super: {
- linux_grsec_nixos = super.linux_grsec_nixos.override {
- extraConfig = ''
- GRKERNSEC_CONFIG_AUTO y
- GRKERNSEC_CONFIG_SERVER y
- GRKERNSEC_CONFIG_SECURITY y
- '';
- };
- };
-
-
-
-
- The grsecurity/PaX wikibook provides an exhaustive listing of
- kernel configuration options.
-
-
-
- The NixOS module makes several assumptions about the kernel and so
- may be incompatible with your customised kernel. Currently, the only way
- to work around these incompatibilities is to eschew the NixOS
- module.
-
-
-
- If not using the NixOS module, a custom grsecurity package set can
- be specified inline instead, as in
-
- boot.kernelPackages =
- let
- kernel = pkgs.linux_grsec_nixos.override {
- extraConfig = /* as above */;
- };
- self = pkgs.linuxPackagesFor kernel self;
- in self;
-
-
-
-
-
- Per-executable PaX flags
-
-
- Manual tuning of per-file PaX flags for executables in the Nix store is
- impossible on a properly configured system. If a package in Nixpkgs fails
- due to PaX, that is a bug in the package recipe and should be reported to
- the maintainer (including relevant dmesg output).
-
-
-
- For executables installed outside of the Nix store, PaX flags can be set
- using the paxctl utility:
-
- paxctl -czem foo
-
-
-
- paxctl overwrites files in-place.
-
-
- Equivalently, on file systems that support extended attributes:
-
- setfattr -n user.pax.flags -v em foo
-
-
-
-
-
-
-
- Issues and work-arounds
-
-
- User namespaces require CAP_SYS_ADMIN:
- consequently, unprivileged namespaces are unsupported. Applications that
- rely on namespaces for sandboxing must use a privileged helper. For chromium
- there is .
-
- Access to EFI runtime services is disabled by default:
- this plugs a potential code injection attack vector; use
- to override
- this behavior.
-
- User initiated autoloading of modules (e.g., when
- using fuse or loop devices) is disallowed; either load requisite modules
- as root or add them to .
-
- Virtualization: KVM is the preferred virtualization
- solution. Xen, Virtualbox, and VMWare are
- unsupported and most likely require a custom kernel.
-
-
-
- Attaching gdb to a running process is disallowed by
- default: unprivileged users can only ptrace processes that are children of
- the ptracing process. To relax this restriction, set
-
- boot.kernel.sysctl."kernel.grsecurity.harden_ptrace" = 0;
-
-
-
-
- Overflows in boot critical code (e.g., the root filesystem module) can
- render the system unbootable. Work around by setting
-
- boot.kernelParams = [ "pax_size_overflow_report_only" ];
-
-
-
-
- The modify_ldt
- 2 syscall is disabled
- by default. This restriction can interfere with programs designed to run
- legacy 16-bit or segmented 32-bit code. To support applications that rely
- on this syscall, set
-
- boot.kernel.sysctl."kernel.modify_ldt" = 1;
-
-
-
-
- The gitlab service ()
- requires a variant of the ruby interpreter
- built without `mprotect()` hardening, as in
-
- services.gitlab.packages.gitlab = pkgs.gitlab.override {
- ruby = pkgs.ruby.overrideAttrs (attrs: {
- postFixup = "paxmark m $out/bin/ruby";
- });
- };
-
-
-
-
-
-
-
- Grsecurity/PaX kernel parameters
-
-
- The NixOS kernel supports the following kernel command line parameters:
-
-
- pax_nouderef: disable UDEREF (separate kernel and
- user address spaces).
-
-
-
- pax_weakuderef: enable a faster but
- weaker variant of UDEREF on 64-bit processors with PCID support
- (check grep pcid /proc/cpuinfo).
-
-
-
- pax_sanitize_slab={off|fast|full}: control kernel
- slab object sanitization. Defaults to fast
-
-
-
- pax_size_overflow_report_only: log size overflow
- violations but leave the violating task running
-
-
-
- grsec_sysfs_restrict=[0|1]: toggle sysfs
- restrictions. The NixOS module sets this to 0
- for systemd compatibility
-
-
-
-
-
-
-