diff --git a/pkgs/os-specific/linux/kernel/grsecurity-nixos-config.nix b/pkgs/os-specific/linux/kernel/grsecurity-nixos-config.nix index f2bb5f99417..2193dabd0bc 100644 --- a/pkgs/os-specific/linux/kernel/grsecurity-nixos-config.nix +++ b/pkgs/os-specific/linux/kernel/grsecurity-nixos-config.nix @@ -3,39 +3,56 @@ with stdenv.lib; '' +# Auto configuration with these constraints will enable most of the +# important features (RAP, UDEREF, ASLR, memory sanitization). GRKERNSEC_CONFIG_AUTO y GRKERNSEC_CONFIG_DESKTOP y -GRKERNSEC_CONFIG_VIRT_HOST y -GRKERNSEC_CONFIG_VIRT_EPT y -GRKERNSEC_CONFIG_VIRT_KVM y GRKERNSEC_CONFIG_PRIORITY_SECURITY y -PAX_SOFTMODE y +# We specify virt guest rather than host here, the latter deselects e.g., +# paravirtualization. +GRKERNSEC_CONFIG_VIRT_GUEST y +# Note: assumes platform supports CPU-level virtualization (so no pentium 4) +GRKERNSEC_CONFIG_VIRT_EPT y +GRKERNSEC_CONFIG_VIRT_KVM y +# PaX control +PAX_SOFTMODE y PAX_PT_PAX_FLAGS y PAX_XATTR_PAX_FLAGS y PAX_EI_PAX n -GRKERNSEC_PROC_GID 0 - -PAX_LATENT_ENTROPY n - -GRKERNSEC_HIDESYM n -GRKERNSEC_RANDSTRUCT n -GRKERNSEC_PROC n -GRKERNSEC_SYSFS_RESTRICT n -GRKERNSEC_KMEM n -GRKERNSEC_MODHARDEN n -GRKERNSEC_NO_SIMULT_CONNECT n - +# The bts instrumentation method is compatible with binary only modules. +# +# Note: if platform supports SMEP, we could do without this PAX_KERNEXEC_PLUGIN_METHOD_BTS y -GRKERNSEC_ACL_HIDEKERN y +# Additional grsec hardening not implied by auto constraints GRKERNSEC_IO y +# Disable protections rendered useless by redistribution +GRKERNSEC_HIDESYM n +GRKERNSEC_RANDSTRUCT n + +# Disable protections covered by vanilla mechanisms +GRKERNSEC_DMESG n +GRKERNSEC_KMEM n +GRKERNSEC_PROC n + +# Disable protections that are inappropriate for a general-purpose kernel +GRKERNSEC_NO_SIMULT_CONNECT n + +# Enable additional audititing +GRKERNSEC_AUDIT_MOUNT y GRKERNSEC_AUDIT_PTRACE y GRKERNSEC_FORKFAIL y +# Wishlist: support trusted path execution +GRKERNSEC_TPE n + +# Wishlist: enable this, but breaks user initiated module loading +GRKERNSEC_MODHARDEN n + GRKERNSEC_SYSCTL y GRKERNSEC_SYSCTL_DISTRO y GRKERNSEC_SYSCTL_ON y