grsecurity: enable optional sysfs restrictions

Fairly severe, but can be disabled at bootup via
grsec_sysfs_restrict=0. For the NixOS module we ensure that it is
disabled, for systemd compatibility.

nixos/modules/security/grsecurity.nix

@@ -59,7 +59,8 @@ in
 
     boot.kernelPackages = mkForce pkgs.linuxPackages_grsec_nixos;
 
-    boot.kernelParams = optional cfg.disableEfiRuntimeServices "noefi";
+    boot.kernelParams = [ "grsec_sysfs_restrict=0" ]
+      ++ optional cfg.disableEfiRuntimeServices "noefi";
 
     nixpkgs.config.grsecurity = true;
 

nixos/modules/security/grsecurity.xml

@@ -151,9 +151,6 @@
         a TCP simultaneous OPEN on that port before the connection is actually
         established.</para></listitem>
 
-        <listitem><para><filename class="directory">/sys</filename> hardening:
-        breaks systemd.</para></listitem>
-
         <listitem><para>Trusted path execution: a desirable feature, but
         requires some more work to operate smoothly on NixOS.</para></listitem>
 
@@ -357,6 +354,12 @@
         <literal>pax_size_overflow_report_only</literal>: log size overflow
         violations but leave the violating task running
       </para></listitem>
+
+      <listitem><para>
+        <literal>grsec_sysfs_restrict=[0|1]</literal>: toggle sysfs
+        restrictions. The NixOS module sets this to <literal>0</literal>
+        for systemd compatibility
+      </para></listitem>
     </itemizedlist>
   </para>
 

pkgs/os-specific/linux/kernel/grsecurity-nixos-config.nix

@@ -29,6 +29,7 @@ PAX_KERNEXEC_PLUGIN_METHOD_BTS y
 
 # Additional grsec hardening not implied by auto constraints
 GRKERNSEC_IO y
+GRKERNSEC_SYSFS_RESTRICT y
 
 # Disable protections rendered useless by redistribution
 GRKERNSEC_HIDESYM n