Commit Graph

35 Commits

Author SHA1 Message Date
Joachim Fasting
6d1bf921fa
grsecurity: work around #19698
This is a temporary work-around to fix using grsecurity on NixOS with
the new kernelPackages/kernelPatches machinery.

For whatever reason, when `security.grsecurity.enable = true`, the grsec
patch ends up being applied twice, causing the kernel build to fail.

Until the root cause of this is identified, we hack around it by simply
pruning duplicate patches in the grsec kernel builder.

Closes #19698
2016-10-23 18:25:29 +02:00
Joachim Fasting
1bb7b44cd7
grsecurity: make GRKERNSEC y and PAX y implicit
These options should always be specified. Note, an implication of this
change is that not specifying any grsec/PaX options results in a build
failure.
2016-10-02 19:25:58 +02:00
Tuomas Tynkkynen
8576332fdf grsec: Fix build after multiple output shuffling
Same problem with overrideDerivation as in
https://github.com/NixOS/nixpkgs/issues/10721. Would be nice to have
that fixed...
2016-08-30 15:55:49 +03:00
Joachim Fasting
e5c3a52afc
grsecurity: fix features.grsecurity
Previously, features.grsecurity wasn't actually set due to a bug in the
grsec builder. We now rely on the generic kernel builder to set features
from kernelPatches.
2016-08-29 04:09:40 +02:00
Joachim Fasting
75b9a7beac
grsecurity: implement a single NixOS kernel
This patch replaces the old grsecurity kernels with a single NixOS
specific grsecurity kernel.  This kernel is intended as a general
purpose kernel, tuned for casual desktop use.

Providing only a single kernel may seem like a regression compared to
offering a multitude of flavors.  It is impossible, however, to
effectively test and support that many options.  This is amplified by
the reality that very few seem to actually use grsecurity on NixOS,
meaning that bugs go unnoticed for long periods of time, simply because
those code paths end up never being exercised.  More generally, it is
hopeless to anticipate imagined needs.  It is better to start from a
solid foundation and possibly add more flavours on demand.

While the generic kernel is intended to cover a wide range of use cases,
it cannot cover everything.  For some, the configuration will be either
too restrictive or too lenient.  In those cases, the recommended
solution is to build a custom kernel --- this is *strongly* recommended
for security sensitive deployments.

Building a custom grsec kernel should be as simple as
```nix
linux_grsec_nixos.override {
  extraConfig = ''
    GRKERNSEC y
    PAX y
    # and so on ...
  '';
}
```

The generic kernel should be usable both as a KVM guest and host.  When
running as a host, the kernel assumes hardware virtualisation support.
Virtualisation systems other than KVM are *unsupported*: users of
non-KVM systems are better served by compiling a custom kernel.

Unlike previous Grsecurity kernels, this configuration disables `/proc`
restrictions in favor of `security.hideProcessInformation`.

Known incompatibilities:
- ZFS: can't load spl and zfs kernel modules; claims incompatibility
  with KERNEXEC method `or` and RAP; changing to `bts` does not fix the
  problem, which implies we'd have to disable RAP as well for ZFS to
  work
- `kexec()`: likely incompatible with KERNEXEC (unverified)
- Xen: likely incompatible with KERNEXEC and UDEREF (unverified)
- Virtualbox: likely incompatible with UDEREF (unverified)
2016-06-14 00:08:20 +02:00
Joachim Fasting
d4d7bfe07b
grsecurity: add option to disable chroot caps restriction
The chroot caps restriction disallows chroot'ed processes from running
any command that requires `CAP_SYS_ADMIN`, breaking `nixos-rebuild`. See
e.g., https://github.com/NixOS/nixpkgs/issues/15293

This significantly weakens chroot protections, but to break
nixos-rebuild out of the box is too severe.
2016-05-10 16:17:08 +02:00
Joachim Fasting
50d915c758
grsecurity: optionally disable features for redistributed kernels 2016-05-06 16:37:25 +02:00
Joachim Fasting
da767356f2
grsecurity: support disabling TCP simultaneous connect
Defaults to OFF because disabling TCP simultaneous connect breaks some
legitimate use cases, notably WebRTC [1], but it's nice to provide the
option for deployments where those features are unneeded anyway.

This is an alternative to https://github.com/NixOS/nixpkgs/pull/4937

[1]: http://article.gmane.org/gmane.linux.documentation/9425
2016-05-04 03:53:24 +02:00
Joachim Fasting
39db90eaf6
grsecurity: simplify preConfigure 2016-05-02 11:28:06 +02:00
Joachim Fasting
a69501a936
grsecurity: ensure that PaX ELF markings are enabled
The upstream default is to enable only xattr markings, breaking the
paxmarks facility.
2016-05-02 11:28:06 +02:00
Joachim Fasting
27035365ec build-support/grsecurity: simplify the grsecurityOverrider
Adding inputs required by gcc plugins to the ambient environment is sufficient.
2016-04-12 01:23:32 +02:00
Domen Kožar
b07e7bfc7b Merge remote-tracking branch 'origin/staging' 2016-03-27 13:19:04 +01:00
Joachim Fasting
304c4a514e grsecurity: fix gcc plugin
Also needs mpfr and libmpc
2016-03-26 21:01:21 +01:00
tg(x)
38614d3f6a grsecurity: use kernel version instead of testing / stable 2016-02-28 04:10:59 +01:00
tg(x)
4e3d6d3e90 grsecurity: separate fix patches for testing & stable 2016-02-27 19:54:55 +01:00
tg(x)
7547960546 grsecurity: move version information to one place 2016-02-27 18:36:12 +01:00
tg(x)
d95321b83e grsecurity: 4.3.4 -> 4.4.2 2016-02-27 18:36:12 +01:00
Dan Peebles
8f9aea9ccc grsecurity: fix kernel config and uncomment grsecurity kernels 2016-01-23 16:58:44 +00:00
Dan Peebles
33cf0792b1 grsecurity-testing: update patches and associated kernel version 2016-01-23 14:29:34 +00:00
Eelco Dolstra
16acdb45bd Revert "kernel: Remove unsupported 3.10, 3.12, 3.14"
This reverts commit 2441e002e2. The
motivation for removing them was not very convincing. Also, we need
3.14 on some Hydra build machines.
2015-11-19 14:25:16 +01:00
William A. Kennington III
2441e002e2 kernel: Remove unsupported 3.10, 3.12, 3.14
Our base kernel headers were bumped to 3.18 so we can no longer reliably
support kernels older than 3.18
2015-11-09 11:10:42 -08:00
William A. Kennington III
194357ad20 grsecurityUnstable: 4.1.7 -> 4.2.3 2015-10-15 10:41:04 -07:00
Vladimír Čunát
54c4aab662 nixos: kill services.virtualboxGuest to fix #9600 2015-09-02 04:54:31 +02:00
William A. Kennington III
a5d6e61c2f grsecurity: Push testing from 4.0 -> 4.1 2015-08-04 13:28:16 -07:00
William A. Kennington III
0e4057b167 kernel: 4.0.1 -> 4.0.2 2015-05-07 20:32:24 -07:00
Joachim Fasting
ba93a75724 grsecurity module: use types.enum
Also
- set desktop as default system
- make virtualisationSoftware nullOr
- make virtualisationConfig nullOr
2015-04-03 13:45:45 +02:00
Ricardo M. Correia
7c8247a8c5 grsecurity: Update stable and test patches
stable: 3.1-3.14.35-201503071140 -> 3.1-3.14.35-201503092203
test:   3.1-3.18.9-201503071142  -> 3.1-3.19.1-201503122205
2015-03-15 03:49:58 +01:00
Peter Simons
cfce8509b8 grsecurity: add GRKERNSEC_DENYUSB option (disabled by default)
This option tells the kernel to ignore plug-in events of USB devices. Useful to
protect against attacks with malicious hardware. Currently disabled by default,
though.
2015-01-19 00:15:41 +03:00
Ricardo M. Correia
1d44322d53 grsecurity: Update stable and test patches
stable: 3.0-3.14.27-201412211908 -> 3.0-3.14.27-201412280859
test:   3.0-3.17.7-201412211910  -> 3.0-3.18.1-201412281149
2014-12-29 03:00:47 +01:00
aszlig
444987193e
nixos: Rename virtualbox to virtualboxGuest.
Especially new users could be confused by this, so we're now marking
services.virtualbox.enable as obsolete and defaulting to
services.virtualboxGuest.enable instead. I believe this now makes it
clear, that this option is for guest additions only.

Signed-off-by: aszlig <aszlig@redmoonstudios.org>
2014-11-27 18:42:22 +01:00
Alexander Kjeldaas
005bb796e6 Updated grsec. 2014-10-22 02:18:41 +02:00
Ricardo M. Correia
238a84ac78 grsecurity: Update stable and test patches
stable: 3.0-3.14.17-201408260041 -> 3.0-3.14.18-201409060013
test:   3.0-3.15.10-201408212335 -> 3.0-3.16.2-201409060014
2014-09-08 15:16:38 +02:00
Austin Seipp
0399c5ee24 grsecurity: update stable/testing kernels, refactoring
This updates the new stable kernel to 3.14, and the new testing kernel
to 3.15.

This also removes the vserver kernel, since it's probably not nearly as
used.

Signed-off-by: Austin Seipp <aseipp@pobox.com>
2014-06-22 22:29:10 -05:00
Austin Seipp
85b5dc3949 grsec: Fix vserver/stable packaging
Signed-off-by: Austin Seipp <aseipp@pobox.com>
2014-05-17 16:37:22 -05:00
Austin Seipp
4f27ad14a1 grsec: refactor grsecurity packages
This now provides a handful of different grsecurity kernels for slightly
different 'flavors' of packages. This doesn't change the grsecurity
module to use them just yet, however.

Signed-off-by: Austin Seipp <aseipp@pobox.com>
2014-05-17 14:09:43 -05:00