From 98935c7103927690b4ca366a2763140081615794 Mon Sep 17 00:00:00 2001
From: Joachim Fasting
Date: Sun, 20 Nov 2016 21:54:38 +0100
Subject: [PATCH] grsecurity module: remove requiredKernelConfig
Using a custom package set with the NixOS module is no longer something I wish to support. It's still *possible* but not advertised. Secondly, the requiredKernelConfig didn't really do anything (setting kernelPackages to a non-grsec kernel would just silently let the user boot into a non-grsec setup ...).
---
 nixos/modules/security/grsecurity.nix | 10 ----------
 nixos/modules/security/grsecurity.xml | 8 +++-----
 2 files changed, 3 insertions(+), 15 deletions(-)
diff --git a/nixos/modules/security/grsecurity.nix b/nixos/modules/security/grsecurity.nix
index 155bbea8c6e..c37bcb70d9d 100644
--- a/nixos/modules/security/grsecurity.nix
+++ b/nixos/modules/security/grsecurity.nix
@@ -65,20 +65,10 @@ in
 config = mkIf cfg.enable {
- # Allow the user to select a different package set, subject to the stated
- # required kernel config
 boot.kernelPackages = mkDefault pkgs.linuxPackages_grsec_nixos;
 boot.kernelParams = optional cfg.disableEfiRuntimeServices "noefi";
- system.requiredKernelConfig = with config.lib.kernelConfig;
- [ (isEnabled "GRKERNSEC")
- (isEnabled "PAX")
- (isYes "GRKERNSEC_SYSCTL")
- (isYes "GRKERNSEC_SYSCTL_DISTRO")
- (isNo "GRKERNSEC_NO_RBAC")
- ];
-
 nixpkgs.config.grsecurity = true;
 # Install PaX related utillities into the system profile.
diff --git a/nixos/modules/security/grsecurity.xml b/nixos/modules/security/grsecurity.xml
index 37314bdba8a..6f9884336b1 100644
--- a/nixos/modules/security/grsecurity.xml
+++ b/nixos/modules/security/grsecurity.xml
@@ -225,11 +225,9 @@
- The NixOS module makes several assumptions about the kernel and so may be
- incompatible with your customised kernel. Most of these assumptions are
- encoded as assertions — mismatches should ideally result in a build
- failure. Currently, the only way to work around incompatibilities is to
- eschew the NixOS module and do all configuration yourself.
+ The NixOS module makes several assumptions about the kernel and so
+ may be incompatible with your customised kernel. Currently, the only way
+ to work around incompatibilities is to eschew the NixOS module.