Nix Packages collection & NixOS
Go to file
Joachim Fasting 75b9a7beac
grsecurity: implement a single NixOS kernel
This patch replaces the old grsecurity kernels with a single NixOS
specific grsecurity kernel.  This kernel is intended as a general
purpose kernel, tuned for casual desktop use.

Providing only a single kernel may seem like a regression compared to
offering a multitude of flavors.  It is impossible, however, to
effectively test and support that many options.  This is amplified by
the reality that very few seem to actually use grsecurity on NixOS,
meaning that bugs go unnoticed for long periods of time, simply because
those code paths end up never being exercised.  More generally, it is
hopeless to anticipate imagined needs.  It is better to start from a
solid foundation and possibly add more flavours on demand.

While the generic kernel is intended to cover a wide range of use cases,
it cannot cover everything.  For some, the configuration will be either
too restrictive or too lenient.  In those cases, the recommended
solution is to build a custom kernel --- this is *strongly* recommended
for security sensitive deployments.

Building a custom grsec kernel should be as simple as
```nix
linux_grsec_nixos.override {
  extraConfig = ''
    GRKERNSEC y
    PAX y
    # and so on ...
  '';
}
```

The generic kernel should be usable both as a KVM guest and host.  When
running as a host, the kernel assumes hardware virtualisation support.
Virtualisation systems other than KVM are *unsupported*: users of
non-KVM systems are better served by compiling a custom kernel.

Unlike previous Grsecurity kernels, this configuration disables `/proc`
restrictions in favor of `security.hideProcessInformation`.

Known incompatibilities:
- ZFS: can't load spl and zfs kernel modules; claims incompatibility
  with KERNEXEC method `or` and RAP; changing to `bts` does not fix the
  problem, which implies we'd have to disable RAP as well for ZFS to
  work
- `kexec()`: likely incompatible with KERNEXEC (unverified)
- Xen: likely incompatible with KERNEXEC and UDEREF (unverified)
- Virtualbox: likely incompatible with UDEREF (unverified)
2016-06-14 00:08:20 +02:00
.github Update PR template with motivation for changes 2016-05-24 07:59:46 -04:00
doc fix link formatting 2016-05-30 09:25:32 -07:00
lib Merge pull request #16097 from mimadrid/update/klavaro-3.02 2016-06-10 00:18:39 +02:00
maintainers travis-ci: attempt to fix linux builds 2016-06-06 13:34:52 +01:00
nixos oauth2_proxy module: fix manual build 2016-06-10 01:02:40 +02:00
pkgs grsecurity: implement a single NixOS kernel 2016-06-14 00:08:20 +02:00
.gitignore kde5: consolidate packages into desktops/kde-5 2016-03-01 10:36:00 -06:00
.mention-bot Blacklist jhasse 2016-03-05 23:23:19 +01:00
.travis.yml travis-ci: allow failures on osx until nixpkgs channel is unblocked 2016-06-03 12:08:24 +01:00
.version as always, no newline in .version 2016-02-28 23:39:38 +00:00
COPYING COPYING: Update year range to 2016 (close #12621) 2016-01-26 10:10:45 +01:00
default.nix Extract the top-level logic out of all-packages.nix into pkgs/top-level/default.nix 2016-03-20 16:28:18 +00:00
README.md README: 15.09 -> 16.03 2016-04-04 14:42:07 -04:00

logo

Build Status Issue Stats Issue Stats

Nixpkgs is a collection of packages for the Nix package manager. It is periodically built and tested by the hydra build daemon as so-called channels. To get channel information via git, add nixpkgs-channels as a remote:

% git remote add channels git://github.com/NixOS/nixpkgs-channels.git

For stability and maximum binary package support, it is recommended to maintain custom changes on top of one of the channels, e.g. nixos-16.03 for the latest release and nixos-unstable for the latest successful build of master:

% git remote update channels
% git rebase channels/nixos-16.03

For pull-requests, please rebase onto nixpkgs master.

NixOS linux distribution source code is located inside nixos/ folder.

Communication: