2018-07-20 20:56:59 +00:00
|
|
|
{ config, lib, ... }:
|
2013-03-02 18:53:48 +00:00
|
|
|
|
2014-04-14 14:26:48 +00:00
|
|
|
with lib;
|
2013-03-02 18:53:48 +00:00
|
|
|
|
|
|
|
let
|
|
|
|
|
|
|
|
sysctlOption = mkOptionType {
|
|
|
|
name = "sysctl option value";
|
2014-04-15 19:13:34 +00:00
|
|
|
check = val:
|
|
|
|
let
|
2019-04-24 03:48:22 +00:00
|
|
|
checkType = x: isBool x || isString x || isInt x || x == null;
|
2014-04-15 19:13:34 +00:00
|
|
|
in
|
|
|
|
checkType val || (val._type or "" == "override" && checkType val.content);
|
|
|
|
merge = loc: defs: mergeOneOption loc (filterOverrides defs);
|
2013-03-02 18:53:48 +00:00
|
|
|
};
|
|
|
|
|
|
|
|
in
|
|
|
|
|
|
|
|
{
|
|
|
|
|
|
|
|
options = {
|
|
|
|
|
|
|
|
boot.kernel.sysctl = mkOption {
|
2022-11-08 13:14:00 +00:00
|
|
|
type = types.submodule {
|
|
|
|
freeformType = types.attrsOf sysctlOption;
|
|
|
|
options."net.core.rmem_max" = mkOption {
|
|
|
|
type = types.nullOr types.ints.unsigned // {
|
|
|
|
merge = loc: defs:
|
|
|
|
foldl
|
|
|
|
(a: b: if b.value == null then null else lib.max a b.value)
|
|
|
|
0
|
|
|
|
(filterOverrides defs);
|
|
|
|
};
|
|
|
|
default = null;
|
|
|
|
description = lib.mdDoc "The maximum socket receive buffer size. In case of conflicting values, the highest will be used.";
|
|
|
|
};
|
|
|
|
};
|
2013-03-02 18:53:48 +00:00
|
|
|
default = {};
|
2021-10-03 16:06:03 +00:00
|
|
|
example = literalExpression ''
|
2015-12-30 18:10:39 +00:00
|
|
|
{ "net.ipv4.tcp_syncookies" = false; "vm.swappiness" = 60; }
|
|
|
|
'';
|
2013-03-02 18:53:48 +00:00
|
|
|
description = lib.mdDoc ''
|
|
|
|
Runtime parameters of the Linux kernel, as set by
|
|
|
|
{manpage}`sysctl(8)`. Note that sysctl
|
|
|
|
parameters names must be enclosed in quotes
|
|
|
|
(e.g. `"vm.swappiness"` instead of
|
nixos: add grsecurity module (#1875)
This module implements a significant refactoring in grsecurity
configuration for NixOS, making it far more usable by default and much
easier to configure.
- New security.grsecurity NixOS attributes.
- All grsec kernels supported
- Allows default 'auto' grsec configuration, or custom config
- Supports custom kernel options through kernelExtraConfig
- Defaults to high-security - user must choose kernel, server/desktop
mode, and any virtualisation software. That's all.
- kptr_restrict is fixed under grsecurity (it's unwriteable)
- grsecurity patch creation is now significantly abstracted
- only need revision, version, and SHA1
- kernel version requirements are asserted for sanity
- built kernels can have the uname specify the exact grsec version
for development or bug reports. Off by default (requires
`security.grsecurity.config.verboseVersion = true;`)
- grsecurity sysctl support
- By default, disabled.
- For people who enable it, NixOS deploys a 'grsec-lock' systemd
service which runs at startup. You are expected to configure sysctl
through NixOS like you regularly would, which will occur before the
service is started. As a result, changing sysctl settings requires
a reboot.
- New default group: 'grsecurity'
- Root is a member by default
- GRKERNSEC_PROC_GID is implicitly set to the 'grsecurity' GID,
making it possible to easily add users to this group for /proc
access
- AppArmor is now automatically enabled where it wasn't before, despite
implying features.apparmor = true
The most trivial example of enabling grsecurity in your kernel is by
specifying:
security.grsecurity.enable = true;
security.grsecurity.testing = true; # testing 3.13 kernel
security.grsecurity.config.system = "desktop"; # or "server"
This specifies absolutely no virtualisation support. In general, you
probably at least want KVM host support, which is a little more work.
So:
security.grsecurity.enable = true;
security.grsecurity.stable = true; # enable stable 3.2 kernel
security.grsecurity.config = {
system = "server";
priority = "security";
virtualisationConfig = "host";
virtualisationSoftware = "kvm";
hardwareVirtualisation = true;
}
This module has primarily been tested on Hetzner EX40 & VQ7 servers
using NixOps.
Signed-off-by: Austin Seipp <aseipp@pobox.com>
2014-04-06 19:18:12 +00:00
|
|
|
`vm.swappiness`). The value of each
|
|
|
|
parameter may be a string, integer, boolean, or null
|
|
|
|
(signifying the option will not appear at all).
|
2013-03-02 18:53:48 +00:00
|
|
|
'';
|
2022-11-08 13:14:00 +00:00
|
|
|
|
2013-03-02 18:53:48 +00:00
|
|
|
};
|
|
|
|
|
|
|
|
};
|
|
|
|
|
|
|
|
config = {
|
|
|
|
|
2019-08-11 13:38:20 +00:00
|
|
|
environment.etc."sysctl.d/60-nixos.conf".text =
|
nixos: add grsecurity module (#1875)
This module implements a significant refactoring in grsecurity
configuration for NixOS, making it far more usable by default and much
easier to configure.
- New security.grsecurity NixOS attributes.
- All grsec kernels supported
- Allows default 'auto' grsec configuration, or custom config
- Supports custom kernel options through kernelExtraConfig
- Defaults to high-security - user must choose kernel, server/desktop
mode, and any virtualisation software. That's all.
- kptr_restrict is fixed under grsecurity (it's unwriteable)
- grsecurity patch creation is now significantly abstracted
- only need revision, version, and SHA1
- kernel version requirements are asserted for sanity
- built kernels can have the uname specify the exact grsec version
for development or bug reports. Off by default (requires
`security.grsecurity.config.verboseVersion = true;`)
- grsecurity sysctl support
- By default, disabled.
- For people who enable it, NixOS deploys a 'grsec-lock' systemd
service which runs at startup. You are expected to configure sysctl
through NixOS like you regularly would, which will occur before the
service is started. As a result, changing sysctl settings requires
a reboot.
- New default group: 'grsecurity'
- Root is a member by default
- GRKERNSEC_PROC_GID is implicitly set to the 'grsecurity' GID,
making it possible to easily add users to this group for /proc
access
- AppArmor is now automatically enabled where it wasn't before, despite
implying features.apparmor = true
The most trivial example of enabling grsecurity in your kernel is by
specifying:
security.grsecurity.enable = true;
security.grsecurity.testing = true; # testing 3.13 kernel
security.grsecurity.config.system = "desktop"; # or "server"
This specifies absolutely no virtualisation support. In general, you
probably at least want KVM host support, which is a little more work.
So:
security.grsecurity.enable = true;
security.grsecurity.stable = true; # enable stable 3.2 kernel
security.grsecurity.config = {
system = "server";
priority = "security";
virtualisationConfig = "host";
virtualisationSoftware = "kvm";
hardwareVirtualisation = true;
}
This module has primarily been tested on Hetzner EX40 & VQ7 servers
using NixOps.
Signed-off-by: Austin Seipp <aseipp@pobox.com>
2014-04-06 19:18:12 +00:00
|
|
|
concatStrings (mapAttrsToList (n: v:
|
|
|
|
optionalString (v != null) "${n}=${if v == false then "0" else toString v}\n"
|
|
|
|
) config.boot.kernel.sysctl);
|
2013-03-02 18:53:48 +00:00
|
|
|
|
|
|
|
systemd.services.systemd-sysctl =
|
2014-04-17 16:52:31 +00:00
|
|
|
{ wantedBy = [ "multi-user.target" ];
|
2019-08-11 13:38:20 +00:00
|
|
|
restartTriggers = [ config.environment.etc."sysctl.d/60-nixos.conf".source ];
|
2013-03-02 18:53:48 +00:00
|
|
|
};
|
|
|
|
|
2013-07-31 14:10:13 +00:00
|
|
|
# Hide kernel pointers (e.g. in /proc/modules) for unprivileged
|
|
|
|
# users as these make it easier to exploit kernel vulnerabilities.
|
2019-09-26 09:07:35 +00:00
|
|
|
boot.kernel.sysctl."kernel.kptr_restrict" = mkDefault 1;
|
2017-03-21 17:41:58 +00:00
|
|
|
|
2023-06-21 17:23:08 +00:00
|
|
|
# Improve compatibility with applications that allocate
|
|
|
|
# a lot of memory, like modern games
|
|
|
|
boot.kernel.sysctl."vm.max_map_count" = mkDefault 1048576;
|
2013-03-02 18:53:48 +00:00
|
|
|
};
|
|
|
|
}
|