From da767356f275785950c9847428b60be2d6753943 Mon Sep 17 00:00:00 2001
From: Joachim Fasting
Date: Wed, 4 May 2016 02:20:49 +0200
Subject: [PATCH] grsecurity: support disabling TCP simultaneous connect

Defaults to OFF because disabling TCP simultaneous connect breaks some legitimate use cases, notably WebRTC [1], but it's nice to provide the option for deployments where those features are unneeded anyway.

This is an alternative to https://github.com/NixOS/nixpkgs/pull/4937

[1]: http://article.gmane.org/gmane.linux.documentation/9425
---
 nixos/modules/security/grsecurity.nix | 17 +++++++++++++++++
 pkgs/build-support/grsecurity/default.nix | 2 ++
 2 files changed, 19 insertions(+)

diff --git a/nixos/modules/security/grsecurity.nix b/nixos/modules/security/grsecurity.nix
index 11668162808..12401f044a7 100644
--- a/nixos/modules/security/grsecurity.nix
+++ b/nixos/modules/security/grsecurity.nix
@@ -194,6 +194,23 @@ in
 '';
 };
+ disableSimultConnect = mkOption {
+ type = types.bool;
+ default = false;
+ description = ''
+ Disable TCP simultaneous connect. The TCP simultaneous connect
+ feature allows two clients to connect without either of them
+ entering the listening state. This feature of the TCP specification
+ is claimed to enable an attacker to deny the target access to a given
+ server by guessing the source port the target would use to make the
+ connection.
+ This option is OFF by default because TCP simultaneous connect has
+ some legitimate uses. Enable this option if you know what this TCP
+ feature is for and know that you do not need it.
+ '';
+ };
+
 verboseVersion = mkOption {
 type = types.bool;
 default = false;
diff --git a/pkgs/build-support/grsecurity/default.nix b/pkgs/build-support/grsecurity/default.nix
index 0ba27036667..d8042d65273 100644
--- a/pkgs/build-support/grsecurity/default.nix
+++ b/pkgs/build-support/grsecurity/default.nix
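Review bot: The new `disableSimultConnect` description never names the kernel option it maps to nor the breakage an operator will hit, so someone reading the generated manual cannot weigh the trade-off; the WebRTC caveat lives only in the commit message. I would add to the description a sentence such as `Enabling this sets GRKERNSEC_NO_SIMULT_CONNECT in the kernel configuration; it is known to break applications that rely on simultaneous open, notably WebRTC.` The wording "is claimed to enable an attacker" is appropriately hedged, but saying where the claim comes from (the grsecurity Kconfig help text, presumably) would let readers judge it. The enclosing options attribute set begins and ends outside this hunk.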
@@ -14,6 +14,7 @@ let
 restrictProcWithGroup = true;
 unrestrictProcGid = 121; # Ugh, an awful hack. See grsecurity NixOS gid
 disableRBAC = false;
+ disableSimultConnect = false;
 verboseVersion = false;
 kernelExtraConfig = "";
 } // grsecOptions.config;
@@ -107,6 +108,7 @@ let
 GRKERNSEC_CHROOT_CHMOD ${boolToKernOpt cfg.config.denyChrootChmod}
 GRKERNSEC_DENYUSB ${boolToKernOpt cfg.config.denyUSB}
 GRKERNSEC_NO_RBAC ${boolToKernOpt cfg.config.disableRBAC}
+ GRKERNSEC_NO_SIMULT_CONNECT ${boolToKernOpt cfg.config.disableSimultConnect}
 ${cfg.config.kernelExtraConfig}
 '';
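Review bot: `disableSimultConnect = false;` restates the `default = false` that the NixOS module declares in nixos/modules/security/grsecurity.nix, and nothing ties the two values together, so a later change to one side can silently leave the other behind; this fallback presumably only matters for callers that bypass the module and pass a partial `grsecOptions.config`. A short comment on the new line, `# must match the default in nixos/modules/security/grsecurity.nix`, would at least make the coupling visible, as the existing `unrestrictProcGid` comment does for its own cross-reference. The attribute set being extended starts outside this hunk.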