From 9a9237e0aa9a834604ec0ce5c2ef3483654a0314 Mon Sep 17 00:00:00 2001 From: Joachim Fasting Date: Sun, 2 Oct 2016 18:35:43 +0200 Subject: [PATCH] grsecurity: revamp nixos kernel config Cleanup: - Restructure & add some commentary - Remove redundant option specs given the auto config constraints (some are left in for documentation purposes) Changes: - GRKERNSEC_CONFIG_VIRT_HOST -> GUEST The former deselects paravirtualization and friends - PAX_LATENT_ENTROPY n -> y (implied by auto) - GRKERNSEC_ACL_HIDEKERN y -> n Possibly useless with redistribution --- .../linux/kernel/grsecurity-nixos-config.nix | 51 ++++++++++++------- 1 file changed, 34 insertions(+), 17 deletions(-)
diff --git a/pkgs/os-specific/linux/kernel/grsecurity-nixos-config.nix b/pkgs/os-specific/linux/kernel/grsecurity-nixos-config.nix
index f2bb5f99417..2193dabd0bc 100644
--- a/pkgs/os-specific/linux/kernel/grsecurity-nixos-config.nix
+++ b/pkgs/os-specific/linux/kernel/grsecurity-nixos-config.nix
@@ -3,39 +3,56 @@ with stdenv.lib; ''
+# Auto configuration with these constraints will enable most of the
+# important features (RAP, UDEREF, ASLR, memory sanitization).
 GRKERNSEC_CONFIG_AUTO y
 GRKERNSEC_CONFIG_DESKTOP y
-GRKERNSEC_CONFIG_VIRT_HOST y
-GRKERNSEC_CONFIG_VIRT_EPT y
-GRKERNSEC_CONFIG_VIRT_KVM y
 GRKERNSEC_CONFIG_PRIORITY_SECURITY y
-PAX_SOFTMODE y
+# We specify virt guest rather than host here, the latter deselects e.g.,
+# paravirtualization.
+GRKERNSEC_CONFIG_VIRT_GUEST y
+# Note: assumes platform supports CPU-level virtualization (so no pentium 4)
+GRKERNSEC_CONFIG_VIRT_EPT y
+GRKERNSEC_CONFIG_VIRT_KVM y
+# PaX control
+PAX_SOFTMODE y
 PAX_PT_PAX_FLAGS y
 PAX_XATTR_PAX_FLAGS y
 PAX_EI_PAX n
-GRKERNSEC_PROC_GID 0
-
-PAX_LATENT_ENTROPY n
-
-GRKERNSEC_HIDESYM n
-GRKERNSEC_RANDSTRUCT n
-GRKERNSEC_PROC n
-GRKERNSEC_SYSFS_RESTRICT n
-GRKERNSEC_KMEM n
-GRKERNSEC_MODHARDEN n
-GRKERNSEC_NO_SIMULT_CONNECT n
-
+# The bts instrumentation method is compatible with binary only modules.
+#
+# Note: if platform supports SMEP, we could do without this
 PAX_KERNEXEC_PLUGIN_METHOD_BTS y
-GRKERNSEC_ACL_HIDEKERN y
+# Additional grsec hardening not implied by auto constraints
 GRKERNSEC_IO y
+# Disable protections rendered useless by redistribution
+GRKERNSEC_HIDESYM n
+GRKERNSEC_RANDSTRUCT n
+
+# Disable protections covered by vanilla mechanisms
+GRKERNSEC_DMESG n
+GRKERNSEC_KMEM n
+GRKERNSEC_PROC n
+
+# Disable protections that are inappropriate for a general-purpose kernel
+GRKERNSEC_NO_SIMULT_CONNECT n
+
+# Enable additional audititing
+GRKERNSEC_AUDIT_MOUNT y
 GRKERNSEC_AUDIT_PTRACE y
 GRKERNSEC_FORKFAIL y
+# Wishlist: support trusted path execution
+GRKERNSEC_TPE n
+
+# Wishlist: enable this, but breaks user initiated module loading
+GRKERNSEC_MODHARDEN n
+
 GRKERNSEC_SYSCTL y
 GRKERNSEC_SYSCTL_DISTRO y
 GRKERNSEC_SYSCTL_ON y
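Review bot: The new comment `# Disable protections covered by vanilla mechanisms` above GRKERNSEC_DMESG/KMEM/PROC asserts a coverage that nothing in this file establishes, so a reader cannot check whether the trade is actually in place; name the mechanism each option is being traded for, presumably `kernel.dmesg_restrict` for DMESG, `CONFIG_STRICT_DEVMEM`/`CONFIG_IO_STRICT_DEVMEM` for KMEM and `hidepid=` on the /proc mount for PROC, e.g. `# Disable protections covered by vanilla mechanisms (kernel.dmesg_restrict, STRICT_DEVMEM, hidepid= on /proc -- verify the NixOS module sets these)`. As I recall GRKERNSEC_KMEM also blocks /dev/port, MSR writes and kexec, which STRICT_DEVMEM alone does not, so "covered" should be hedged rather than stated flatly. The same hunk drops `GRKERNSEC_SYSFS_RESTRICT n` without a replacement line, leaving that option to whatever the auto constraints choose, and the commit message lists the other effective changes but not this one. Minor: `audititing` should read `auditing`, and the note above GRKERNSEC_CONFIG_VIRT_EPT speaks of "CPU-level virtualization" while EPT specifically requires nested paging (Intel EPT / AMD RVI), a narrower requirement than plain VT-x/AMD-V.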