nixpkgs/pkgs/os-specific/linux/kernel/grsecurity-nixos-config.nix

60 lines
1.4 KiB
Nix
Raw Normal View History

grsecurity: implement a single NixOS kernel This patch replaces the old grsecurity kernels with a single NixOS specific grsecurity kernel. This kernel is intended as a general purpose kernel, tuned for casual desktop use. Providing only a single kernel may seem like a regression compared to offering a multitude of flavors. It is impossible, however, to effectively test and support that many options. This is amplified by the reality that very few seem to actually use grsecurity on NixOS, meaning that bugs go unnoticed for long periods of time, simply because those code paths end up never being exercised. More generally, it is hopeless to anticipate imagined needs. It is better to start from a solid foundation and possibly add more flavours on demand. While the generic kernel is intended to cover a wide range of use cases, it cannot cover everything. For some, the configuration will be either too restrictive or too lenient. In those cases, the recommended solution is to build a custom kernel --- this is *strongly* recommended for security sensitive deployments. Building a custom grsec kernel should be as simple as ```nix linux_grsec_nixos.override { extraConfig = '' GRKERNSEC y PAX y # and so on ... ''; } ``` The generic kernel should be usable both as a KVM guest and host. When running as a host, the kernel assumes hardware virtualisation support. Virtualisation systems other than KVM are *unsupported*: users of non-KVM systems are better served by compiling a custom kernel. Unlike previous Grsecurity kernels, this configuration disables `/proc` restrictions in favor of `security.hideProcessInformation`. Known incompatibilities: - ZFS: can't load spl and zfs kernel modules; claims incompatibility with KERNEXEC method `or` and RAP; changing to `bts` does not fix the problem, which implies we'd have to disable RAP as well for ZFS to work - `kexec()`: likely incompatible with KERNEXEC (unverified) - Xen: likely incompatible with KERNEXEC and UDEREF (unverified) - Virtualbox: likely incompatible with UDEREF (unverified)
2016-06-13 23:04:56 +01:00
{ stdenv }:
with stdenv.lib;
''
# Auto configuration with these constraints will enable most of the
# important features (RAP, UDEREF, ASLR, memory sanitization).
grsecurity: implement a single NixOS kernel This patch replaces the old grsecurity kernels with a single NixOS specific grsecurity kernel. This kernel is intended as a general purpose kernel, tuned for casual desktop use. Providing only a single kernel may seem like a regression compared to offering a multitude of flavors. It is impossible, however, to effectively test and support that many options. This is amplified by the reality that very few seem to actually use grsecurity on NixOS, meaning that bugs go unnoticed for long periods of time, simply because those code paths end up never being exercised. More generally, it is hopeless to anticipate imagined needs. It is better to start from a solid foundation and possibly add more flavours on demand. While the generic kernel is intended to cover a wide range of use cases, it cannot cover everything. For some, the configuration will be either too restrictive or too lenient. In those cases, the recommended solution is to build a custom kernel --- this is *strongly* recommended for security sensitive deployments. Building a custom grsec kernel should be as simple as ```nix linux_grsec_nixos.override { extraConfig = '' GRKERNSEC y PAX y # and so on ... ''; } ``` The generic kernel should be usable both as a KVM guest and host. When running as a host, the kernel assumes hardware virtualisation support. Virtualisation systems other than KVM are *unsupported*: users of non-KVM systems are better served by compiling a custom kernel. Unlike previous Grsecurity kernels, this configuration disables `/proc` restrictions in favor of `security.hideProcessInformation`. Known incompatibilities: - ZFS: can't load spl and zfs kernel modules; claims incompatibility with KERNEXEC method `or` and RAP; changing to `bts` does not fix the problem, which implies we'd have to disable RAP as well for ZFS to work - `kexec()`: likely incompatible with KERNEXEC (unverified) - Xen: likely incompatible with KERNEXEC and UDEREF (unverified) - Virtualbox: likely incompatible with UDEREF (unverified)
2016-06-13 23:04:56 +01:00
GRKERNSEC_CONFIG_AUTO y
GRKERNSEC_CONFIG_DESKTOP y
GRKERNSEC_CONFIG_PRIORITY_SECURITY y
# We specify virt guest rather than host here, the latter deselects e.g.,
# paravirtualization.
GRKERNSEC_CONFIG_VIRT_GUEST y
# Note: assumes platform supports CPU-level virtualization (so no pentium 4)
grsecurity: implement a single NixOS kernel This patch replaces the old grsecurity kernels with a single NixOS specific grsecurity kernel. This kernel is intended as a general purpose kernel, tuned for casual desktop use. Providing only a single kernel may seem like a regression compared to offering a multitude of flavors. It is impossible, however, to effectively test and support that many options. This is amplified by the reality that very few seem to actually use grsecurity on NixOS, meaning that bugs go unnoticed for long periods of time, simply because those code paths end up never being exercised. More generally, it is hopeless to anticipate imagined needs. It is better to start from a solid foundation and possibly add more flavours on demand. While the generic kernel is intended to cover a wide range of use cases, it cannot cover everything. For some, the configuration will be either too restrictive or too lenient. In those cases, the recommended solution is to build a custom kernel --- this is *strongly* recommended for security sensitive deployments. Building a custom grsec kernel should be as simple as ```nix linux_grsec_nixos.override { extraConfig = '' GRKERNSEC y PAX y # and so on ... ''; } ``` The generic kernel should be usable both as a KVM guest and host. When running as a host, the kernel assumes hardware virtualisation support. Virtualisation systems other than KVM are *unsupported*: users of non-KVM systems are better served by compiling a custom kernel. Unlike previous Grsecurity kernels, this configuration disables `/proc` restrictions in favor of `security.hideProcessInformation`. Known incompatibilities: - ZFS: can't load spl and zfs kernel modules; claims incompatibility with KERNEXEC method `or` and RAP; changing to `bts` does not fix the problem, which implies we'd have to disable RAP as well for ZFS to work - `kexec()`: likely incompatible with KERNEXEC (unverified) - Xen: likely incompatible with KERNEXEC and UDEREF (unverified) - Virtualbox: likely incompatible with UDEREF (unverified)
2016-06-13 23:04:56 +01:00
GRKERNSEC_CONFIG_VIRT_EPT y
GRKERNSEC_CONFIG_VIRT_KVM y
# PaX control
PAX_SOFTMODE y
grsecurity: implement a single NixOS kernel This patch replaces the old grsecurity kernels with a single NixOS specific grsecurity kernel. This kernel is intended as a general purpose kernel, tuned for casual desktop use. Providing only a single kernel may seem like a regression compared to offering a multitude of flavors. It is impossible, however, to effectively test and support that many options. This is amplified by the reality that very few seem to actually use grsecurity on NixOS, meaning that bugs go unnoticed for long periods of time, simply because those code paths end up never being exercised. More generally, it is hopeless to anticipate imagined needs. It is better to start from a solid foundation and possibly add more flavours on demand. While the generic kernel is intended to cover a wide range of use cases, it cannot cover everything. For some, the configuration will be either too restrictive or too lenient. In those cases, the recommended solution is to build a custom kernel --- this is *strongly* recommended for security sensitive deployments. Building a custom grsec kernel should be as simple as ```nix linux_grsec_nixos.override { extraConfig = '' GRKERNSEC y PAX y # and so on ... ''; } ``` The generic kernel should be usable both as a KVM guest and host. When running as a host, the kernel assumes hardware virtualisation support. Virtualisation systems other than KVM are *unsupported*: users of non-KVM systems are better served by compiling a custom kernel. Unlike previous Grsecurity kernels, this configuration disables `/proc` restrictions in favor of `security.hideProcessInformation`. Known incompatibilities: - ZFS: can't load spl and zfs kernel modules; claims incompatibility with KERNEXEC method `or` and RAP; changing to `bts` does not fix the problem, which implies we'd have to disable RAP as well for ZFS to work - `kexec()`: likely incompatible with KERNEXEC (unverified) - Xen: likely incompatible with KERNEXEC and UDEREF (unverified) - Virtualbox: likely incompatible with UDEREF (unverified)
2016-06-13 23:04:56 +01:00
PAX_PT_PAX_FLAGS y
PAX_XATTR_PAX_FLAGS y
grsecurity: implement a single NixOS kernel This patch replaces the old grsecurity kernels with a single NixOS specific grsecurity kernel. This kernel is intended as a general purpose kernel, tuned for casual desktop use. Providing only a single kernel may seem like a regression compared to offering a multitude of flavors. It is impossible, however, to effectively test and support that many options. This is amplified by the reality that very few seem to actually use grsecurity on NixOS, meaning that bugs go unnoticed for long periods of time, simply because those code paths end up never being exercised. More generally, it is hopeless to anticipate imagined needs. It is better to start from a solid foundation and possibly add more flavours on demand. While the generic kernel is intended to cover a wide range of use cases, it cannot cover everything. For some, the configuration will be either too restrictive or too lenient. In those cases, the recommended solution is to build a custom kernel --- this is *strongly* recommended for security sensitive deployments. Building a custom grsec kernel should be as simple as ```nix linux_grsec_nixos.override { extraConfig = '' GRKERNSEC y PAX y # and so on ... ''; } ``` The generic kernel should be usable both as a KVM guest and host. When running as a host, the kernel assumes hardware virtualisation support. Virtualisation systems other than KVM are *unsupported*: users of non-KVM systems are better served by compiling a custom kernel. Unlike previous Grsecurity kernels, this configuration disables `/proc` restrictions in favor of `security.hideProcessInformation`. Known incompatibilities: - ZFS: can't load spl and zfs kernel modules; claims incompatibility with KERNEXEC method `or` and RAP; changing to `bts` does not fix the problem, which implies we'd have to disable RAP as well for ZFS to work - `kexec()`: likely incompatible with KERNEXEC (unverified) - Xen: likely incompatible with KERNEXEC and UDEREF (unverified) - Virtualbox: likely incompatible with UDEREF (unverified)
2016-06-13 23:04:56 +01:00
PAX_EI_PAX n
# The bts instrumentation method is compatible with binary only modules.
#
# Note: if platform supports SMEP, we could do without this
PAX_KERNEXEC_PLUGIN_METHOD_BTS y
grsecurity: implement a single NixOS kernel This patch replaces the old grsecurity kernels with a single NixOS specific grsecurity kernel. This kernel is intended as a general purpose kernel, tuned for casual desktop use. Providing only a single kernel may seem like a regression compared to offering a multitude of flavors. It is impossible, however, to effectively test and support that many options. This is amplified by the reality that very few seem to actually use grsecurity on NixOS, meaning that bugs go unnoticed for long periods of time, simply because those code paths end up never being exercised. More generally, it is hopeless to anticipate imagined needs. It is better to start from a solid foundation and possibly add more flavours on demand. While the generic kernel is intended to cover a wide range of use cases, it cannot cover everything. For some, the configuration will be either too restrictive or too lenient. In those cases, the recommended solution is to build a custom kernel --- this is *strongly* recommended for security sensitive deployments. Building a custom grsec kernel should be as simple as ```nix linux_grsec_nixos.override { extraConfig = '' GRKERNSEC y PAX y # and so on ... ''; } ``` The generic kernel should be usable both as a KVM guest and host. When running as a host, the kernel assumes hardware virtualisation support. Virtualisation systems other than KVM are *unsupported*: users of non-KVM systems are better served by compiling a custom kernel. Unlike previous Grsecurity kernels, this configuration disables `/proc` restrictions in favor of `security.hideProcessInformation`. Known incompatibilities: - ZFS: can't load spl and zfs kernel modules; claims incompatibility with KERNEXEC method `or` and RAP; changing to `bts` does not fix the problem, which implies we'd have to disable RAP as well for ZFS to work - `kexec()`: likely incompatible with KERNEXEC (unverified) - Xen: likely incompatible with KERNEXEC and UDEREF (unverified) - Virtualbox: likely incompatible with UDEREF (unverified)
2016-06-13 23:04:56 +01:00
# Additional grsec hardening not implied by auto constraints
GRKERNSEC_IO y
# Disable protections rendered useless by redistribution
grsecurity: implement a single NixOS kernel This patch replaces the old grsecurity kernels with a single NixOS specific grsecurity kernel. This kernel is intended as a general purpose kernel, tuned for casual desktop use. Providing only a single kernel may seem like a regression compared to offering a multitude of flavors. It is impossible, however, to effectively test and support that many options. This is amplified by the reality that very few seem to actually use grsecurity on NixOS, meaning that bugs go unnoticed for long periods of time, simply because those code paths end up never being exercised. More generally, it is hopeless to anticipate imagined needs. It is better to start from a solid foundation and possibly add more flavours on demand. While the generic kernel is intended to cover a wide range of use cases, it cannot cover everything. For some, the configuration will be either too restrictive or too lenient. In those cases, the recommended solution is to build a custom kernel --- this is *strongly* recommended for security sensitive deployments. Building a custom grsec kernel should be as simple as ```nix linux_grsec_nixos.override { extraConfig = '' GRKERNSEC y PAX y # and so on ... ''; } ``` The generic kernel should be usable both as a KVM guest and host. When running as a host, the kernel assumes hardware virtualisation support. Virtualisation systems other than KVM are *unsupported*: users of non-KVM systems are better served by compiling a custom kernel. Unlike previous Grsecurity kernels, this configuration disables `/proc` restrictions in favor of `security.hideProcessInformation`. Known incompatibilities: - ZFS: can't load spl and zfs kernel modules; claims incompatibility with KERNEXEC method `or` and RAP; changing to `bts` does not fix the problem, which implies we'd have to disable RAP as well for ZFS to work - `kexec()`: likely incompatible with KERNEXEC (unverified) - Xen: likely incompatible with KERNEXEC and UDEREF (unverified) - Virtualbox: likely incompatible with UDEREF (unverified)
2016-06-13 23:04:56 +01:00
GRKERNSEC_HIDESYM n
GRKERNSEC_RANDSTRUCT n
# Disable protections covered by vanilla mechanisms
GRKERNSEC_DMESG n
GRKERNSEC_KMEM n
GRKERNSEC_PROC n
grsecurity: implement a single NixOS kernel This patch replaces the old grsecurity kernels with a single NixOS specific grsecurity kernel. This kernel is intended as a general purpose kernel, tuned for casual desktop use. Providing only a single kernel may seem like a regression compared to offering a multitude of flavors. It is impossible, however, to effectively test and support that many options. This is amplified by the reality that very few seem to actually use grsecurity on NixOS, meaning that bugs go unnoticed for long periods of time, simply because those code paths end up never being exercised. More generally, it is hopeless to anticipate imagined needs. It is better to start from a solid foundation and possibly add more flavours on demand. While the generic kernel is intended to cover a wide range of use cases, it cannot cover everything. For some, the configuration will be either too restrictive or too lenient. In those cases, the recommended solution is to build a custom kernel --- this is *strongly* recommended for security sensitive deployments. Building a custom grsec kernel should be as simple as ```nix linux_grsec_nixos.override { extraConfig = '' GRKERNSEC y PAX y # and so on ... ''; } ``` The generic kernel should be usable both as a KVM guest and host. When running as a host, the kernel assumes hardware virtualisation support. Virtualisation systems other than KVM are *unsupported*: users of non-KVM systems are better served by compiling a custom kernel. Unlike previous Grsecurity kernels, this configuration disables `/proc` restrictions in favor of `security.hideProcessInformation`. Known incompatibilities: - ZFS: can't load spl and zfs kernel modules; claims incompatibility with KERNEXEC method `or` and RAP; changing to `bts` does not fix the problem, which implies we'd have to disable RAP as well for ZFS to work - `kexec()`: likely incompatible with KERNEXEC (unverified) - Xen: likely incompatible with KERNEXEC and UDEREF (unverified) - Virtualbox: likely incompatible with UDEREF (unverified)
2016-06-13 23:04:56 +01:00
# Disable protections that are inappropriate for a general-purpose kernel
GRKERNSEC_NO_SIMULT_CONNECT n
grsecurity: implement a single NixOS kernel This patch replaces the old grsecurity kernels with a single NixOS specific grsecurity kernel. This kernel is intended as a general purpose kernel, tuned for casual desktop use. Providing only a single kernel may seem like a regression compared to offering a multitude of flavors. It is impossible, however, to effectively test and support that many options. This is amplified by the reality that very few seem to actually use grsecurity on NixOS, meaning that bugs go unnoticed for long periods of time, simply because those code paths end up never being exercised. More generally, it is hopeless to anticipate imagined needs. It is better to start from a solid foundation and possibly add more flavours on demand. While the generic kernel is intended to cover a wide range of use cases, it cannot cover everything. For some, the configuration will be either too restrictive or too lenient. In those cases, the recommended solution is to build a custom kernel --- this is *strongly* recommended for security sensitive deployments. Building a custom grsec kernel should be as simple as ```nix linux_grsec_nixos.override { extraConfig = '' GRKERNSEC y PAX y # and so on ... ''; } ``` The generic kernel should be usable both as a KVM guest and host. When running as a host, the kernel assumes hardware virtualisation support. Virtualisation systems other than KVM are *unsupported*: users of non-KVM systems are better served by compiling a custom kernel. Unlike previous Grsecurity kernels, this configuration disables `/proc` restrictions in favor of `security.hideProcessInformation`. Known incompatibilities: - ZFS: can't load spl and zfs kernel modules; claims incompatibility with KERNEXEC method `or` and RAP; changing to `bts` does not fix the problem, which implies we'd have to disable RAP as well for ZFS to work - `kexec()`: likely incompatible with KERNEXEC (unverified) - Xen: likely incompatible with KERNEXEC and UDEREF (unverified) - Virtualbox: likely incompatible with UDEREF (unverified)
2016-06-13 23:04:56 +01:00
# Enable additional audititing
GRKERNSEC_AUDIT_MOUNT y
grsecurity: implement a single NixOS kernel This patch replaces the old grsecurity kernels with a single NixOS specific grsecurity kernel. This kernel is intended as a general purpose kernel, tuned for casual desktop use. Providing only a single kernel may seem like a regression compared to offering a multitude of flavors. It is impossible, however, to effectively test and support that many options. This is amplified by the reality that very few seem to actually use grsecurity on NixOS, meaning that bugs go unnoticed for long periods of time, simply because those code paths end up never being exercised. More generally, it is hopeless to anticipate imagined needs. It is better to start from a solid foundation and possibly add more flavours on demand. While the generic kernel is intended to cover a wide range of use cases, it cannot cover everything. For some, the configuration will be either too restrictive or too lenient. In those cases, the recommended solution is to build a custom kernel --- this is *strongly* recommended for security sensitive deployments. Building a custom grsec kernel should be as simple as ```nix linux_grsec_nixos.override { extraConfig = '' GRKERNSEC y PAX y # and so on ... ''; } ``` The generic kernel should be usable both as a KVM guest and host. When running as a host, the kernel assumes hardware virtualisation support. Virtualisation systems other than KVM are *unsupported*: users of non-KVM systems are better served by compiling a custom kernel. Unlike previous Grsecurity kernels, this configuration disables `/proc` restrictions in favor of `security.hideProcessInformation`. Known incompatibilities: - ZFS: can't load spl and zfs kernel modules; claims incompatibility with KERNEXEC method `or` and RAP; changing to `bts` does not fix the problem, which implies we'd have to disable RAP as well for ZFS to work - `kexec()`: likely incompatible with KERNEXEC (unverified) - Xen: likely incompatible with KERNEXEC and UDEREF (unverified) - Virtualbox: likely incompatible with UDEREF (unverified)
2016-06-13 23:04:56 +01:00
GRKERNSEC_AUDIT_PTRACE y
GRKERNSEC_FORKFAIL y
# Wishlist: support trusted path execution
GRKERNSEC_TPE n
# Wishlist: enable this, but breaks user initiated module loading
GRKERNSEC_MODHARDEN n
grsecurity: implement a single NixOS kernel This patch replaces the old grsecurity kernels with a single NixOS specific grsecurity kernel. This kernel is intended as a general purpose kernel, tuned for casual desktop use. Providing only a single kernel may seem like a regression compared to offering a multitude of flavors. It is impossible, however, to effectively test and support that many options. This is amplified by the reality that very few seem to actually use grsecurity on NixOS, meaning that bugs go unnoticed for long periods of time, simply because those code paths end up never being exercised. More generally, it is hopeless to anticipate imagined needs. It is better to start from a solid foundation and possibly add more flavours on demand. While the generic kernel is intended to cover a wide range of use cases, it cannot cover everything. For some, the configuration will be either too restrictive or too lenient. In those cases, the recommended solution is to build a custom kernel --- this is *strongly* recommended for security sensitive deployments. Building a custom grsec kernel should be as simple as ```nix linux_grsec_nixos.override { extraConfig = '' GRKERNSEC y PAX y # and so on ... ''; } ``` The generic kernel should be usable both as a KVM guest and host. When running as a host, the kernel assumes hardware virtualisation support. Virtualisation systems other than KVM are *unsupported*: users of non-KVM systems are better served by compiling a custom kernel. Unlike previous Grsecurity kernels, this configuration disables `/proc` restrictions in favor of `security.hideProcessInformation`. Known incompatibilities: - ZFS: can't load spl and zfs kernel modules; claims incompatibility with KERNEXEC method `or` and RAP; changing to `bts` does not fix the problem, which implies we'd have to disable RAP as well for ZFS to work - `kexec()`: likely incompatible with KERNEXEC (unverified) - Xen: likely incompatible with KERNEXEC and UDEREF (unverified) - Virtualbox: likely incompatible with UDEREF (unverified)
2016-06-13 23:04:56 +01:00
GRKERNSEC_SYSCTL y
GRKERNSEC_SYSCTL_DISTRO y
GRKERNSEC_SYSCTL_ON y
''