grsecurity: support disabling TCP simultaneous connect
Defaults to OFF because disabling TCP simultaneous connect breaks some legitimate use cases, notably WebRTC [1], but it's nice to provide the option for deployments where those features are unneeded anyway. This is an alternative to https://github.com/NixOS/nixpkgs/pull/4937 [1]: http://article.gmane.org/gmane.linux.documentation/9425
This commit is contained in:
parent
c5451206ab
commit
da767356f2
|
@ -194,6 +194,23 @@ in
|
|||
'';
|
||||
};
|
||||
|
||||
disableSimultConnect = mkOption {
|
||||
type = types.bool;
|
||||
default = false;
|
||||
description = ''
|
||||
Disable TCP simultaneous connect. The TCP simultaneous connect
|
||||
feature allows two clients to connect without either of them
|
||||
entering the listening state. This feature of the TCP specification
|
||||
is claimed to enable an attacker to deny the target access to a given
|
||||
server by guessing the source port the target would use to make the
|
||||
connection.
|
||||
|
||||
This option is OFF by default because TCP simultaneous connect has
|
||||
some legitimate uses. Enable this option if you know what this TCP
|
||||
feature is for and know that you do not need it.
|
||||
'';
|
||||
};
|
||||
|
||||
verboseVersion = mkOption {
|
||||
type = types.bool;
|
||||
default = false;
|
||||
|
|
|
@ -14,6 +14,7 @@ let
|
|||
restrictProcWithGroup = true;
|
||||
unrestrictProcGid = 121; # Ugh, an awful hack. See grsecurity NixOS gid
|
||||
disableRBAC = false;
|
||||
disableSimultConnect = false;
|
||||
verboseVersion = false;
|
||||
kernelExtraConfig = "";
|
||||
} // grsecOptions.config;
|
||||
|
@ -107,6 +108,7 @@ let
|
|||
GRKERNSEC_CHROOT_CHMOD ${boolToKernOpt cfg.config.denyChrootChmod}
|
||||
GRKERNSEC_DENYUSB ${boolToKernOpt cfg.config.denyUSB}
|
||||
GRKERNSEC_NO_RBAC ${boolToKernOpt cfg.config.disableRBAC}
|
||||
GRKERNSEC_NO_SIMULT_CONNECT ${boolToKernOpt cfg.config.disableSimultConnect}
|
||||
|
||||
${cfg.config.kernelExtraConfig}
|
||||
'';
|
||||
|
|
Loading…
Reference in New Issue