8c1f5afdf3
We generally trust init, so there's little point in having these enabled during early bootup; it accomplishes little except fill our logs with spam.
61 lines
1.5 KiB
Nix
61 lines
1.5 KiB
Nix
{ stdenv }:
|
|
|
|
with stdenv.lib;
|
|
|
|
''
|
|
# Auto configuration with these constraints will enable most of the
|
|
# important features (RAP, UDEREF, ASLR, memory sanitization).
|
|
GRKERNSEC_CONFIG_AUTO y
|
|
GRKERNSEC_CONFIG_DESKTOP y
|
|
GRKERNSEC_CONFIG_PRIORITY_SECURITY y
|
|
|
|
# We specify virt guest rather than host here, the latter deselects e.g.,
|
|
# paravirtualization.
|
|
GRKERNSEC_CONFIG_VIRT_GUEST y
|
|
# Note: assumes platform supports CPU-level virtualization (so no pentium 4)
|
|
GRKERNSEC_CONFIG_VIRT_EPT y
|
|
GRKERNSEC_CONFIG_VIRT_KVM y
|
|
|
|
# PaX control
|
|
PAX_SOFTMODE y
|
|
PAX_PT_PAX_FLAGS y
|
|
PAX_XATTR_PAX_FLAGS y
|
|
PAX_EI_PAX n
|
|
|
|
# The bts instrumentation method is compatible with binary only modules.
|
|
#
|
|
# Note: if platform supports SMEP, we could do without this
|
|
PAX_KERNEXEC_PLUGIN_METHOD_BTS y
|
|
|
|
# Additional grsec hardening not implied by auto constraints
|
|
GRKERNSEC_IO y
|
|
|
|
# Disable protections rendered useless by redistribution
|
|
GRKERNSEC_HIDESYM n
|
|
GRKERNSEC_RANDSTRUCT n
|
|
|
|
# Disable protections covered by vanilla mechanisms
|
|
GRKERNSEC_DMESG n
|
|
GRKERNSEC_KMEM n
|
|
GRKERNSEC_PROC n
|
|
|
|
# Disable protections that are inappropriate for a general-purpose kernel
|
|
GRKERNSEC_NO_SIMULT_CONNECT n
|
|
|
|
# Enable additional audititing
|
|
GRKERNSEC_AUDIT_MOUNT y
|
|
GRKERNSEC_AUDIT_PTRACE y
|
|
GRKERNSEC_FORKFAIL y
|
|
|
|
# Wishlist: support trusted path execution
|
|
GRKERNSEC_TPE n
|
|
|
|
# Wishlist: enable this, but breaks user initiated module loading
|
|
GRKERNSEC_MODHARDEN n
|
|
|
|
GRKERNSEC_SYSCTL y
|
|
GRKERNSEC_SYSCTL_DISTRO y
|
|
# Assume that appropriate sysctls are toggled once the system is up
|
|
GRKERNSEC_SYSCTL_ON n
|
|
''
|