suzanne.soy/nixpkgs
1
0
Fork 0
Code Issues Pull Requests 2 Actions Packages Projects Releases Wiki Activity

Refactor grsecurity support.

Browse Source 
Nota bene: this probably does not work! Caveat emptor, etc.

This inverts the grsecurity builder, making it much simpler. Instead,
users just give a full description of the type of kernel they want to
build, and the result is an attribute set containing kernel and
kernelPackages results.

Now, in order to build a custom grsecurity kernel, you do something more
like:

    let
      kver  = "4.0.4";
      grver = "3.1-${kver}-201505222222";

      kernel = rec
        { version  = kver;
          localver = "-grsec";
          src      = fetchurl rec {
            name  = "linux-${kver}.tar.xz";
            url   = "mirror://kernel/linux/kernel/v4.x/${name}.tar.xz";
            sha256 = "1j5l87z6gd05cqzg680id0x1nk38kd6sjffd2lifl0fz5k6iqr9h";
        };
      };

      patches =
        [ fetchurl rec {
            name   = "grsecurity-${grver}.patch";
            url    = "https://grsecurity.net/test/grsecurity-${grver}.patch";
            sha256 = "0ampby10y3kr36f7rvzm5fdk9f2gcfmcdgkzf67b5kj78y52ypfz";
          }
        ];

      customGrsecKern = customGrsecKernelPackages { inherit kernel patches; };
    in
    {
      ...
      boot.kernelPackages = customGrsecKern.kernelPackages;
    }

Which is far more flexible and easier to think about; plus, it gives
full control over the kernel localver and modDirVer, as well as support
for other patches (because you may have other patches to apply on-top of
grsec, or you may bundle grsec with some other distribution, and still
need the builder support.) It also gives you full control of the kernel
tarball, in case you want to use e.g. libre-linux.

Signed-off-by: Austin Seipp <aseipp@pobox.com>
This commit is contained in:
Austin Seipp 2015-04-13 20:03:20 -05:00
parent 74d867e95c
commit 26fa60ac55
4 changed files with 71 additions and 192 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

34
nixos/modules/security/grsecurity.nix
View File

@ -4,12 +4,6 @@ with lib;
let
cfg = config.security.grsecurity;
customGrsecPkg =
(import ../../../pkgs/build-support/grsecurity {
grsecOptions = cfg;
inherit pkgs lib;
}).grsecPackage;
in
{
options = {
@ -18,14 +12,24 @@ in
type = types.bool;
default = false;
description = ''
Enable grsecurity support. This enables advanced exploit
Enable grsecurity support system-wide. This enables advanced exploit
hardening for the Linux kernel, and adds support for
administrative Role-Based Acess Control (RBAC) via
<literal>gradm</literal>. It also includes traditional
utilities for PaX.
utilities for PaX, and more.
'';
};
kernelPackages = mkOption {
type = types.package;
description = ''
The kernel package set to use. In order to
understand how to set this option appropriately, please see
the NixOS wiki: TODO FIXME.
'';
};
/*
stable = mkOption {
type = types.bool;
default = false;
@ -197,7 +201,7 @@ in
description = ''
If true, then set <literal>GRKERN_NO_RBAC
y</literal>. This disables the
<literal>/dev/grsec</literal> device, which in turn
<literal>/dev/grsec</literal> device, which in turn
disables the RBAC system (and <literal>gradm</literal>).
'';
};
@ -214,10 +218,12 @@ in
description = "Extra kernel configuration parameters.";
};
};
*/
};
};
config = mkIf cfg.enable {
/*
assertions =
[ { assertion = cfg.stable || cfg.testing;
message = ''
@ -246,6 +252,7 @@ in
message = "grsecurity configured for virtualisation but no virtualisation software specified";
}
];
*/
systemd.services.grsec-lock = mkIf cfg.config.sysctl {
description = "grsecurity sysctl-lock Service";
@ -287,10 +294,9 @@ in
chmod -R 0600 /etc/grsec
''; };
# Enable AppArmor, gradm udev rules, and utilities
security.apparmor.enable = true;
boot.kernelPackages = customGrsecPkg;
services.udev.packages = lib.optional (!cfg.config.disableRBAC) pkgs.gradm;
environment.systemPackages = [ pkgs.paxctl pkgs.pax-utils ] ++ lib.optional (!cfg.config.disableRBAC) pkgs.gradm;
# Enable gradm udev rules and utilities
boot.kernelPackages = cfg.kernelPackages;
services.udev.packages = [ pkgs.gradm ];
environment.systemPackages = [ pkgs.paxctl pkgs.pax-utils pkgs.gradm ];
};
}

200
pkgs/build-support/grsecurity/default.nix
View File

@ -1,154 +1,56 @@
{ grsecOptions, lib, pkgs }:
{ pkgs, lib, ... }:
with pkgs;
with lib;
let
cfg = {
stable = grsecOptions.stable or false;
testing = grsecOptions.testing or false;
config = {
mode = "auto";
sysctl = false;
denyChrootChmod = false;
denyUSB = false;
restrictProc = false;
restrictProcWithGroup = true;
unrestrictProcGid = 121; # Ugh, an awful hack. See grsecurity NixOS gid
disableRBAC = false;
verboseVersion = false;
kernelExtraConfig = "";
} // grsecOptions.config;
grsec_path_patch = { name "grsec-path"; patch = ./grsec-path.patch; };
genericKernelBuilder = import ../../os-specific/linux/kernel/generic.nix;
in
{
customGrsecKernelPackages = p:
let
version = p.kernel.version;
localver = p.kernel.localver or "";
modDirVersion = p.kernel.modDirVersion or (version+localver);
features = p.kernel.features or {};
src = with p.kernel; fetchurl { inherit url sha256; };
kernel = overrideDerivation (genericKernelBuilder (rec {
inherit version modDirVersion src;
/* Add any 'quirky' patches (like bridge_stp_helper and
* grsec_path_patch, which fix NixOS-specific quirks) plus the ones
* the user specified. */
kernelPatches = [ grsec_path_patch
kernelPatches.bridge_stp_helper
] ++ (map fetchurl p.patches);
/* Default features */
features.iwlwifi = true;
features.efiBootStub = true;
features.needsCifsUtils = true;
features.canDisableNetfilterConntrackHelpers = true;
features.netfilterRPFilter = true;
})) (args: {
# Apparently as of gcc 4.6, gcc-plugin headers (which are needed by PaX plugins)
# include libgmp headers, so we need these extra tweaks
buildInputs = args.buildInputs ++ [ pkgs.gmp ];
preConfigure = ''
${args.preConfigure or ""}
sed -i 's|-I|-I${pkgs.gmp}/include -I|' scripts/gcc-plugin.sh
sed -i 's|HOST_EXTRACFLAGS +=|HOST_EXTRACFLAGS += -I${pkgs.gmp}/include|' tools/gcc/Makefile
sed -i 's|HOST_EXTRACXXFLAGS +=|HOST_EXTRACXXFLAGS += -I${pkgs.gmp}/include|' tools/gcc/Makefile
rm localversion-grsec
${if localver == "" then "" else ''
echo ${localver} > localversion-nix
''}
'';
}) // features;
kernelPackages = let self = linuxPackagesFor kernel self; in recurseIntoAttrs self;
in {
inherit kernel;
inherit kernelPackages;
};
vals = rec {
mkKernel = kernel: patch:
assert patch.kversion == kernel.version;
{ inherit kernel patch;
inherit (patch) grversion revision;
};
test-patch = with pkgs.kernelPatches; grsecurity_unstable;
stable-patch = with pkgs.kernelPatches; grsecurity_stable;
grKernel = if cfg.stable
then mkKernel pkgs.linux_3_14 stable-patch
else mkKernel pkgs.linux_3_19 test-patch;
## -- grsecurity configuration ---------------------------------------------
grsecPrioCfg =
if cfg.config.priority == "security" then
"GRKERNSEC_CONFIG_PRIORITY_SECURITY y"
else
"GRKERNSEC_CONFIG_PRIORITY_PERF y";
grsecSystemCfg =
if cfg.config.system == "desktop" then
"GRKERNSEC_CONFIG_DESKTOP y"
else
"GRKERNSEC_CONFIG_SERVER y";
grsecVirtCfg =
if cfg.config.virtualisationConfig == null then
"GRKERNSEC_CONFIG_VIRT_NONE y"
else if cfg.config.virtualisationConfig == "host" then
"GRKERNSEC_CONFIG_VIRT_HOST y"
else
"GRKERNSEC_CONFIG_VIRT_GUEST y";
grsecHwvirtCfg = if cfg.config.virtualisationConfig == null then "" else
if cfg.config.hardwareVirtualisation == true then
"GRKERNSEC_CONFIG_VIRT_EPT y"
else
"GRKERNSEC_CONFIG_VIRT_SOFT y";
grsecVirtswCfg =
let virtCfg = opt: "GRKERNSEC_CONFIG_VIRT_"+opt+" y";
in
if cfg.config.virtualisationConfig == null then ""
else if cfg.config.virtualisationSoftware == "xen" then virtCfg "XEN"
else if cfg.config.virtualisationSoftware == "kvm" then virtCfg "KVM"
else if cfg.config.virtualisationSoftware == "vmware" then virtCfg "VMWARE"
else virtCfg "VIRTUALBOX";
grsecMainConfig = if cfg.config.mode == "custom" then "" else ''
GRKERNSEC_CONFIG_AUTO y
${grsecPrioCfg}
${grsecSystemCfg}
${grsecVirtCfg}
${grsecHwvirtCfg}
${grsecVirtswCfg}
'';
grsecConfig =
let boolToKernOpt = b: if b then "y" else "n";
# Disable RANDSTRUCT under virtualbox, as it has some kind of
# breakage with the vbox guest drivers
#randstruct = optionalString config.services.virtualboxGuest.enable
# "GRKERNSEC_RANDSTRUCT n";
# Disable restricting links under the testing kernel, as something
# has changed causing it to fail miserably during boot.
restrictLinks = optionalString cfg.testing
"GRKERNSEC_LINK n";
in ''
GRKERNSEC y
${grsecMainConfig}
${if cfg.config.restrictProc then
"GRKERNSEC_PROC_USER y"
else
optionalString cfg.config.restrictProcWithGroup ''
GRKERNSEC_PROC_USERGROUP y
GRKERNSEC_PROC_GID ${toString cfg.config.unrestrictProcGid}
''
}
GRKERNSEC_SYSCTL ${boolToKernOpt cfg.config.sysctl}
GRKERNSEC_CHROOT_CHMOD ${boolToKernOpt cfg.config.denyChrootChmod}
GRKERNSEC_DENYUSB ${boolToKernOpt cfg.config.denyUSB}
GRKERNSEC_NO_RBAC ${boolToKernOpt cfg.config.disableRBAC}
${restrictLinks}
${cfg.config.kernelExtraConfig}
'';
## -- grsecurity kernel packages -------------------------------------------
localver = grkern:
"-grsec" + optionalString cfg.config.verboseVersion
"-${grkern.grversion}-${grkern.revision}";
grsecurityOverrider = args: grkern: {
# Apparently as of gcc 4.6, gcc-plugin headers (which are needed by PaX plugins)
# include libgmp headers, so we need these extra tweaks
buildInputs = args.buildInputs ++ [ pkgs.gmp ];
preConfigure = ''
${args.preConfigure or ""}
sed -i 's|-I|-I${pkgs.gmp}/include -I|' scripts/gcc-plugin.sh
sed -i 's|HOST_EXTRACFLAGS +=|HOST_EXTRACFLAGS += -I${pkgs.gmp}/include|' tools/gcc/Makefile
sed -i 's|HOST_EXTRACXXFLAGS +=|HOST_EXTRACXXFLAGS += -I${pkgs.gmp}/include|' tools/gcc/Makefile
rm localversion-grsec
echo ${localver grkern} > localversion-grsec
'';
};
mkGrsecKern = grkern:
lowPrio (overrideDerivation (grkern.kernel.override (args: {
kernelPatches = args.kernelPatches ++ [ grkern.patch pkgs.kernelPatches.grsec_fix_path ];
argsOverride = {
modDirVersion = "${grkern.kernel.modDirVersion}${localver grkern}";
};
extraConfig = grsecConfig;
features.grsecurity = true;
})) (args: grsecurityOverrider args grkern));
mkGrsecPkg = grkern: pkgs.linuxPackagesFor grkern (mkGrsecPkg grkern);
## -- Kernel packages ------------------------------------------------------
grsecKernel = mkGrsecKern grKernel;
grsecPackage = mkGrsecPkg grsecKernel;
};
in vals
}

0
pkgs/os-specific/linux/kernel/patches/grsec-path.patch → pkgs/build-support/grsecurity/grsec-path.patch
View File

29
pkgs/os-specific/linux/kernel/patches.nix
View File

@ -1,16 +1,6 @@
{ stdenv, fetchurl }:
let
grsecPatch = { grversion ? "3.1", kversion, revision, branch, sha256 }:
{ name = "grsecurity-${grversion}-${kversion}";
inherit grversion kversion revision;
patch = fetchurl {
url = "http://grsecurity.net/${branch}/grsecurity-${grversion}-${kversion}-${revision}.patch";
inherit sha256;
};
features.grsecurity = true;
};
patches = rec {
btrfs_fix_deadlock =
{ name = "btrfs-fix-deadlock";
@ -21,24 +11,5 @@ let
{ name = "bridge-stp-helper";
patch = ./patches/bridge-stp-helper.patch;
};
grsec_fix_path =
{ name = "grsec-fix-path";
patch = ./patches/grsec-path.patch;
};
grsecurity_stable = grsecPatch
{ kversion = "3.14.37";
revision = "201504051405";
branch = "stable";
sha256 = "0w1rz5g4wwd22ivii7m7qjgakdynzjwpqxiydx51kiw5j0avkzs3";
};
grsecurity_unstable = grsecPatch
{ kversion = "3.19.3";
revision = "201504021826";
branch = "test";
sha256 = "0r3gsha4x9bkzg9n4rcwzi9f3hkbqrf8yga1dd83kyd10fns4lzm";
};
};
in patches