grsecurity: revamp nixos kernel config

Cleanup: - Restructure & add some commentary - Remove redundant option specs given the auto config constraints (some are left in for documentation purposes) Changes: - GRKERNSEC_CONFIG_VIRT_HOST -> GUEST The former deselects paravirtualization and friends - PAX_LATENT_ENTROPY n -> y (implied by auto) - GRKERNSEC_ACL_HIDEKERN y -> n Possibly useless with redistribution
2024-11-25 00:12:56 +00:00 · 2016-10-02 18:35:43 +02:00 · 2016-10-02 18:35:43 +02:00 · 9a9237e0aa
commit 9a9237e0aa
parent 1bb7b44cd7
1 changed files with 34 additions and 17 deletions
--- a/pkgs/os-specific/linux/kernel/grsecurity-nixos-config.nix
+++ b/pkgs/os-specific/linux/kernel/grsecurity-nixos-config.nix
@ -3,39 +3,56 @@
 with stdenv.lib;

 ''
+# Auto configuration with these constraints will enable most of the
+# important features (RAP, UDEREF, ASLR, memory sanitization).
 GRKERNSEC_CONFIG_AUTO y
 GRKERNSEC_CONFIG_DESKTOP y
-GRKERNSEC_CONFIG_VIRT_HOST y
-GRKERNSEC_CONFIG_VIRT_EPT y
-GRKERNSEC_CONFIG_VIRT_KVM y
 GRKERNSEC_CONFIG_PRIORITY_SECURITY y

-PAX_SOFTMODE y
+# We specify virt guest rather than host here, the latter deselects e.g.,
+# paravirtualization.
+GRKERNSEC_CONFIG_VIRT_GUEST y
+# Note: assumes platform supports CPU-level virtualization (so no pentium 4)
+GRKERNSEC_CONFIG_VIRT_EPT y
+GRKERNSEC_CONFIG_VIRT_KVM y

+# PaX control
+PAX_SOFTMODE y
 PAX_PT_PAX_FLAGS y
 PAX_XATTR_PAX_FLAGS y
 PAX_EI_PAX n

-GRKERNSEC_PROC_GID 0
-
-PAX_LATENT_ENTROPY n
-
-GRKERNSEC_HIDESYM n
-GRKERNSEC_RANDSTRUCT n
-GRKERNSEC_PROC n
-GRKERNSEC_SYSFS_RESTRICT n
-GRKERNSEC_KMEM n
-GRKERNSEC_MODHARDEN n
-GRKERNSEC_NO_SIMULT_CONNECT n
-
+# The bts instrumentation method is compatible with binary only modules.
+#
+# Note: if platform supports SMEP, we could do without this
 PAX_KERNEXEC_PLUGIN_METHOD_BTS y

-GRKERNSEC_ACL_HIDEKERN y
+# Additional grsec hardening not implied by auto constraints
 GRKERNSEC_IO y

+# Disable protections rendered useless by redistribution
+GRKERNSEC_HIDESYM n
+GRKERNSEC_RANDSTRUCT n
+
+# Disable protections covered by vanilla mechanisms
+GRKERNSEC_DMESG n
+GRKERNSEC_KMEM n
+GRKERNSEC_PROC n
+
+# Disable protections that are inappropriate for a general-purpose kernel
+GRKERNSEC_NO_SIMULT_CONNECT n
+
+# Enable additional audititing
+GRKERNSEC_AUDIT_MOUNT y
 GRKERNSEC_AUDIT_PTRACE y
 GRKERNSEC_FORKFAIL y

+# Wishlist: support trusted path execution
+GRKERNSEC_TPE n
+
+# Wishlist: enable this, but breaks user initiated module loading
+GRKERNSEC_MODHARDEN n
+
 GRKERNSEC_SYSCTL y
 GRKERNSEC_SYSCTL_DISTRO y
 GRKERNSEC_SYSCTL_ON y