diff --git a/nixos/modules/security/grsecurity.nix b/nixos/modules/security/grsecurity.nix
index 8cd40093348..35974f6890e 100644
--- a/nixos/modules/security/grsecurity.nix
+++ b/nixos/modules/security/grsecurity.nix
@@ -44,53 +44,41 @@ in
config = {
mode = mkOption {
- type = types.str;
+ type = types.enum [ "auto" "custom" ];
default = "auto";
- example = "custom";
description = ''
grsecurity configuration mode. This specifies whether
grsecurity is auto-configured or otherwise completely
- manually configured. Can either be
- custom or auto.
-
- auto is recommended.
+ manually configured.
'';
};
priority = mkOption {
- type = types.str;
+ type = types.enum [ "security" "performance" ];
default = "security";
- example = "performance";
description = ''
grsecurity configuration priority. This specifies whether
the kernel configuration should emphasize speed or
- security. Can either be security or
- performance.
+ security.
'';
};
system = mkOption {
- type = types.str;
- default = "";
- example = "desktop";
+ type = types.enum [ "desktop" "server" ];
+ default = "desktop";
description = ''
- grsecurity system configuration. This specifies whether
- the kernel configuration should be suitable for a Desktop
- or a Server. Can either be server or
- desktop.
+ grsecurity system configuration.
'';
};
virtualisationConfig = mkOption {
- type = types.str;
- default = "none";
- example = "host";
+ type = types.nullOr (types.enum [ "host" "guest" ]);
+ default = null;
description = ''
grsecurity virtualisation configuration. This specifies
the virtualisation role of the machine - that is, whether
it will be a virtual machine guest, a virtual machine
- host, or neither. Can be one of none,
- host, or guest.
+ host, or neither.
'';
};
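Review bot: The `system` option now silently defaults to `"desktop"` where the removed assertion in the hunk at L83–L111 (`when using auto grsec mode, system must be either 'desktop' or 'server'`) previously forced an explicit choice, and the trimmed description at L46 no longer says what the two values mean, so a server that leaves the option unset gets the desktop auto-configuration profile without any hint. Suggest restoring the explanation, e.g. `Whether the auto-generated grsecurity kernel configuration targets a desktop or a server; server deployments should set this to "server" explicitly.` The `mode`, `priority` and `virtualisationConfig` descriptions keep enough of their meaning after the cut, and the enum types make the removed `example` fields redundant. The enclosing `config` option set starts before the hunk.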
@@ -106,17 +94,10 @@ in
};
virtualisationSoftware = mkOption {
- type = types.str;
- default = "";
- example = "kvm";
+ type = types.nullOr (types.enum [ "kvm" "xen" "vmware" "virtualbox" ]);
+ default = null;
description = ''
- grsecurity virtualisation software. Set this to the
- specified virtual machine technology if the machine is
- running as a guest, or a host.
-
- Can be one of kvm,
- xen, vmware or
- virtualbox.
+ Configure grsecurity for use with this virtualisation software.
'';
};
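Review bot: The new description at L80 does not say that `virtualisationSoftware` is only consulted when `virtualisationConfig` is set, which is what the module assertion (`grsecurity configured for virtualisation but no virtualisation software specified`) and the `grsecVirtswCfg` guard in pkgs/build-support/grsecurity/default.nix enforce, so a reader of the option alone cannot tell why `null` is an acceptable default. Suggest `Virtualisation software grsecurity should be configured for. Only used when virtualisationConfig is set, in which case it must not be null.` The enclosing option set continues outside the hunk.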
@@ -262,25 +243,13 @@ in
&& config.boot.kernelPackages.kernel.features.grsecurity;
message = "grsecurity enabled, but kernel doesn't have grsec support";
}
- { assertion = elem cfg.config.mode [ "auto" "custom" ];
- message = "grsecurity mode must either be 'auto' or 'custom'.";
- }
- { assertion = cfg.config.mode == "auto" -> elem cfg.config.system [ "desktop" "server" ];
- message = "when using auto grsec mode, system must be either 'desktop' or 'server'";
- }
- { assertion = cfg.config.mode == "auto" -> elem cfg.config.priority [ "performance" "security" ];
- message = "when using auto grsec mode, priority must be 'performance' or 'security'.";
- }
- { assertion = cfg.config.mode == "auto" -> elem cfg.config.virtualisationConfig [ "host" "guest" "none" ];
- message = "when using auto grsec mode, 'virt' must be 'host', 'guest' or 'none'.";
- }
- { assertion = (cfg.config.mode == "auto" && (elem cfg.config.virtualisationConfig [ "host" "guest" ])) ->
+ { assertion = (cfg.config.mode == "auto" && (cfg.config.virtualisationConfig != null)) ->
cfg.config.hardwareVirtualisation != null;
message = "when using auto grsec mode with virtualisation, you must specify if your hardware has virtualisation extensions";
}
- { assertion = (cfg.config.mode == "auto" && (elem cfg.config.virtualisationConfig [ "host" "guest" ])) ->
- elem cfg.config.virtualisationSoftware [ "kvm" "xen" "virtualbox" "vmware" ];
- message = "virtualisation software must be 'kvm', 'xen', 'vmware' or 'virtualbox'";
+ { assertion = (cfg.config.mode == "auto" && (cfg.config.virtualisationConfig != null)) ->
+ cfg.config.virtualisationSoftware != null;
+ message = "grsecurity configured for virtualisation but no virtualisation software specified";
}
];
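Review bot: The antecedent `cfg.config.mode == "auto" && (cfg.config.virtualisationConfig != null)` is now written out twice, at L100 and L107; the two remaining assertions are easier to keep in sync if it is bound once in the module's `let` (whose `in` appears in the hunk header), e.g. `autoVirt = cfg.config.mode == "auto" && cfg.config.virtualisationConfig != null;` and then `assertion = autoVirt -> cfg.config.hardwareVirtualisation != null;`. Dropping the mode/system/priority/virtualisationConfig assertions is consistent with the enum types now rejecting other values at evaluation time, with the one visible difference that those checks now apply in `custom` mode as well. The `assertions` list starts before the hunk.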
diff --git a/pkgs/build-support/grsecurity/default.nix b/pkgs/build-support/grsecurity/default.nix
index 7bafd78d76a..e82792be033 100644
--- a/pkgs/build-support/grsecurity/default.nix
+++ b/pkgs/build-support/grsecurity/default.nix
@@ -50,14 +50,14 @@ let
"GRKERNSEC_CONFIG_SERVER y";
grsecVirtCfg =
- if cfg.config.virtualisationConfig == "none" then
+ if cfg.config.virtualisationConfig == null then
"GRKERNSEC_CONFIG_VIRT_NONE y"
else if cfg.config.virtualisationConfig == "host" then
"GRKERNSEC_CONFIG_VIRT_HOST y"
else
"GRKERNSEC_CONFIG_VIRT_GUEST y";
- grsecHwvirtCfg = if cfg.config.virtualisationConfig == "none" then "" else
+ grsecHwvirtCfg = if cfg.config.virtualisationConfig == null then "" else
if cfg.config.hardwareVirtualisation == true then
"GRKERNSEC_CONFIG_VIRT_EPT y"
else
@@ -66,7 +66,7 @@ let
grsecVirtswCfg =
let virtCfg = opt: "GRKERNSEC_CONFIG_VIRT_"+opt+" y";
in
- if cfg.config.virtualisationConfig == "none" then ""
+ if cfg.config.virtualisationConfig == null then ""
else if cfg.config.virtualisationSoftware == "xen" then virtCfg "XEN"
else if cfg.config.virtualisationSoftware == "kvm" then virtCfg "KVM"
else if cfg.config.virtualisationSoftware == "vmware" then virtCfg "VMWARE"
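Review bot: The rewritten guard at L136 still only checks the role; now that `virtualisationSoftware` is nullable, a non-null role combined with a null software value matches none of the arms at L137–L139 and falls through to the chain's final `else`, which lies outside the hunk. The module assertion only rules that combination out in `auto` mode, so if this expression can be evaluated in `custom` mode (not visible here) the fallback should be explicit, e.g. `if cfg.config.virtualisationConfig == null || cfg.config.virtualisationSoftware == null then ""`. The same `null` substitution in the previous hunk (L120, L127) is complete because `grsecVirtCfg` and `grsecHwvirtCfg` only branch on the role.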