From d4d7bfe07bf97efb228ea949a1f09644e924b82d Mon Sep 17 00:00:00 2001
From: Joachim Fasting
Date: Sun, 8 May 2016 08:32:28 +0200
Subject: [PATCH] grsecurity: add option to disable chroot caps restriction

The chroot caps restriction disallows chroot'ed processes from running any command that requires `CAP_SYS_ADMIN`, breaking `nixos-rebuild`. See e.g., https://github.com/NixOS/nixpkgs/issues/15293

This significantly weakens chroot protections, but to break nixos-rebuild out of the box is too severe.
---
 nixos/modules/security/grsecurity.nix     | 13 +++++++++++++
 pkgs/build-support/grsecurity/default.nix |  2 ++
 2 files changed, 15 insertions(+)

diff --git a/nixos/modules/security/grsecurity.nix b/nixos/modules/security/grsecurity.nix
index 12401f044a7..3f24118ea1c 100644
--- a/nixos/modules/security/grsecurity.nix
+++ b/nixos/modules/security/grsecurity.nix
@@ -126,6 +126,19 @@ in
         '';
       };
 
+      denyChrootCaps = mkOption {
+        type = types.bool;
+        default = false;
+        description = ''
+          Whether to lower capabilities of all processes within a chroot,
+          preventing commands that require CAP_SYS_ADMIN.
+
+          This protection is disabled by default because it breaks
+          nixos-rebuild. Whenever possible, it is
+          highly recommended to enable this protection.
+        '';
+      };
+
       denyUSB = mkOption {
         type = types.bool;
         default = false;
diff --git a/pkgs/build-support/grsecurity/default.nix b/pkgs/build-support/grsecurity/default.nix
index e06c02a294f..7777b600062 100644
--- a/pkgs/build-support/grsecurity/default.nix
+++ b/pkgs/build-support/grsecurity/default.nix
@@ -8,6 +8,7 @@ let
   config = {
     mode = "auto";
     sysctl = false;
+    denyChrootCaps = false;
     denyChrootChmod = false;
     denyUSB = false;
     restrictProc = false;
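Review bot: The description of the new `denyChrootCaps` option reads as if CAP_SYS_ADMIN were the only capability affected, but the Kconfig symbol it maps to, GRKERNSEC_CHROOT_CAPS, is, as far as I recall, grsecurity's option that lowers a whole set of capabilities inside a chroot (module loading, raw I/O, network administration, reboot, clock changes), so a reader underestimates both what `true` buys and what the `false` default gives up. It would also help to say that this is a kernel build-time setting, so flipping it means rebuilding the kernel, and to point at the tracking issue so the default can be revisited later; e.g. replace the second paragraph with `This protection is disabled by default because it breaks nixos-rebuild (see NixOS/nixpkgs#15293). Note that this is a kernel build-time option: changing it rebuilds the kernel.` If the kernel is built with `sysctl = true`, grsecurity normally exposes `kernel.grsecurity.chroot_caps` as a runtime knob, which might be a less drastic way to accommodate nixos-rebuild than compiling the check out altogether — worth a sentence in the description or the commit message. The enclosing options attribute set starts and ends outside the hunk.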
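Review bot: `denyChrootCaps = false;` in the build-support defaults carries none of the rationale the module option has, yet it is the value that decides CONFIG_GRKERNSEC_CHROOT_CAPS for any kernel built through this file, presumably including grsecurity kernels built outside the NixOS module. A short comment on the line would keep the reason next to the weaker default, e.g. `denyChrootCaps = false; # CONFIG_GRKERNSEC_CHROOT_CAPS; off by default because it breaks nixos-rebuild (NixOS/nixpkgs#15293)`. Whether the neighbouring defaults are documented elsewhere is not visible from the hunk; the `config` attribute set continues past the hunk's last line.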
@@ -112,6 +113,7 @@ let
       }
       GRKERNSEC_SYSCTL ${boolToKernOpt cfg.config.sysctl}
+      GRKERNSEC_CHROOT_CAPS ${boolToKernOpt cfg.config.denyChrootCaps}
       GRKERNSEC_CHROOT_CHMOD ${boolToKernOpt cfg.config.denyChrootChmod}
       GRKERNSEC_DENYUSB ${boolToKernOpt cfg.config.denyUSB}
       GRKERNSEC_NO_RBAC ${boolToKernOpt cfg.config.disableRBAC}