diff --git a/nixos/modules/security/grsecurity.nix b/nixos/modules/security/grsecurity.nix
index b116d8bfef2..16187f398b1 100644
--- a/nixos/modules/security/grsecurity.nix
+++ b/nixos/modules/security/grsecurity.nix
@@ -4,12 +4,6 @@ with lib;
let
cfg = config.security.grsecurity;
-
- customGrsecPkg =
- (import ../../../pkgs/build-support/grsecurity {
- grsecOptions = cfg;
- inherit pkgs lib;
- }).grsecPackage;
in
{
options = {
@@ -18,14 +12,24 @@ in
type = types.bool;
default = false;
description = ''
- Enable grsecurity support. This enables advanced exploit
+ Enable grsecurity support system-wide. This enables advanced exploit
hardening for the Linux kernel, and adds support for
administrative Role-Based Acess Control (RBAC) via
gradm. It also includes traditional
- utilities for PaX.
+ utilities for PaX, and more.
'';
};
+ kernelPackages = mkOption {
+ type = types.package;
+ description = ''
+ The kernel package set to use. In order to
+ understand how to set this option appropriately, please see
+ the NixOS wiki: TODO FIXME.
+ '';
+ };
+
+ /*
stable = mkOption {
type = types.bool;
default = false;
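Review bot: The new `kernelPackages` option ships a placeholder in its user-facing description ("please see the NixOS wiki: TODO FIXME"), which is what `nixos-option` and the manual will render. It also has no `default`, so `security.grsecurity.enable = true` without setting it fails at evaluation time on the `boot.kernelPackages = cfg.kernelPackages` assignment; the description should say this is required and point at the real producer, e.g. `The kernel package set to use; this option is required when grsecurity is enabled and must be a grsecurity-patched set such as one produced by pkgs/build-support/grsecurity (customGrsecKernelPackages).` The `/*` opened on the last line of this hunk comments out the `stable` option and, judging by the later hunks, the whole `config` sub-tree, so existing user configurations that set `security.grsecurity.config.*` will now fail with "option does not exist" without a migration hint.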
@@ -197,7 +201,7 @@ in
description = ''
If true, then set GRKERN_NO_RBAC
y. This disables the
- /dev/grsec device, which in turn
+ /dev/grsec device, which in turn
disables the RBAC system (and gradm).
'';
};
@@ -214,10 +218,12 @@ in
description = "Extra kernel configuration parameters.";
};
};
+ */
};
};
config = mkIf cfg.enable {
+ /*
assertions =
[ { assertion = cfg.stable || cfg.testing;
message = ''
@@ -246,6 +252,7 @@ in
message = "grsecurity configured for virtualisation but no virtualisation software specified";
}
];
+ */
systemd.services.grsec-lock = mkIf cfg.config.sysctl {
description = "grsecurity sysctl-lock Service";
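Review bot: `systemd.services.grsec-lock = mkIf cfg.config.sysctl {` still reads `security.grsecurity.config.sysctl`, but the earlier hunks wrap the entire `config` option sub-tree in a `/* ... */` comment, so with `enable = true` this line evaluates `cfg.config` on an attribute set that no longer declares it and the build aborts with a missing-attribute error. Either keep a minimal `config.sysctl` option declared (with `default = false`) or gate the service on something that still exists, e.g. `systemd.services.grsec-lock = mkIf (cfg.config.sysctl or false) {` as a stop-gap until the option set is redesigned. The `*/` added here also drops the assertion that rejected `virtualisationConfig` without `virtualisationSoftware`; if the options are coming back, the assertions should return with them rather than stay commented out. The service definition continues outside the hunk.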
@@ -287,10 +294,9 @@ in
chmod -R 0600 /etc/grsec
''; };
- # Enable AppArmor, gradm udev rules, and utilities
- security.apparmor.enable = true;
- boot.kernelPackages = customGrsecPkg;
- services.udev.packages = lib.optional (!cfg.config.disableRBAC) pkgs.gradm;
- environment.systemPackages = [ pkgs.paxctl pkgs.pax-utils ] ++ lib.optional (!cfg.config.disableRBAC) pkgs.gradm;
+ # Enable gradm udev rules and utilities
+ boot.kernelPackages = cfg.kernelPackages;
+ services.udev.packages = [ pkgs.gradm ];
+ environment.systemPackages = [ pkgs.paxctl pkgs.pax-utils pkgs.gradm ];
};
}
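Review bot: `security.apparmor.enable = true;` is deleted on the new side without any replacement or mention in the option description, so a system that previously got AppArmor alongside grsecurity silently loses it on upgrade; if the intent is that users opt in themselves, the `enable` description should say so, otherwise keep the line. The new `services.udev.packages = [ pkgs.gradm ];` and `environment.systemPackages` lines install gradm unconditionally, whereas before they honoured `disableRBAC`; with RBAC compiled out (`GRKERNSEC_NO_RBAC`) the udev rule for `/dev/grsec` is dead weight, which is harmless but worth a comment such as `# gradm is always installed; it is inert on kernels built with GRKERNSEC_NO_RBAC`. The `chmod -R 0600 /etc/grsec` context line above is fine but note it leaves directory bits at 0600 too, which is what grsec expects for the policy dir.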
diff --git a/pkgs/build-support/grsecurity/default.nix b/pkgs/build-support/grsecurity/default.nix
index e82792be033..3780aab9488 100644
--- a/pkgs/build-support/grsecurity/default.nix
+++ b/pkgs/build-support/grsecurity/default.nix
@@ -1,154 +1,56 @@
-{ grsecOptions, lib, pkgs }:
+{ pkgs, lib, ... }:
+with pkgs;
with lib;
let
- cfg = {
- stable = grsecOptions.stable or false;
- testing = grsecOptions.testing or false;
- config = {
- mode = "auto";
- sysctl = false;
- denyChrootChmod = false;
- denyUSB = false;
- restrictProc = false;
- restrictProcWithGroup = true;
- unrestrictProcGid = 121; # Ugh, an awful hack. See grsecurity NixOS gid
- disableRBAC = false;
- verboseVersion = false;
- kernelExtraConfig = "";
- } // grsecOptions.config;
+ grsec_path_patch = { name "grsec-path"; patch = ./grsec-path.patch; };
+ genericKernelBuilder = import ../../os-specific/linux/kernel/generic.nix;
+in
+{
+ customGrsecKernelPackages = p:
+ let
+ version = p.kernel.version;
+ localver = p.kernel.localver or "";
+ modDirVersion = p.kernel.modDirVersion or (version+localver);
+ features = p.kernel.features or {};
+ src = with p.kernel; fetchurl { inherit url sha256; };
+
+ kernel = overrideDerivation (genericKernelBuilder (rec {
+ inherit version modDirVersion src;
+
+ /* Add any 'quirky' patches (like bridge_stp_helper and
+ * grsec_path_patch, which fix NixOS-specific quirks) plus the ones
+ * the user specified. */
+ kernelPatches = [ grsec_path_patch
+ kernelPatches.bridge_stp_helper
+ ] ++ (map fetchurl p.patches);
+
+ /* Default features */
+ features.iwlwifi = true;
+ features.efiBootStub = true;
+ features.needsCifsUtils = true;
+ features.canDisableNetfilterConntrackHelpers = true;
+ features.netfilterRPFilter = true;
+ })) (args: {
+ # Apparently as of gcc 4.6, gcc-plugin headers (which are needed by PaX plugins)
+ # include libgmp headers, so we need these extra tweaks
+ buildInputs = args.buildInputs ++ [ pkgs.gmp ];
+ preConfigure = ''
+ ${args.preConfigure or ""}
+ sed -i 's|-I|-I${pkgs.gmp}/include -I|' scripts/gcc-plugin.sh
+ sed -i 's|HOST_EXTRACFLAGS +=|HOST_EXTRACFLAGS += -I${pkgs.gmp}/include|' tools/gcc/Makefile
+ sed -i 's|HOST_EXTRACXXFLAGS +=|HOST_EXTRACXXFLAGS += -I${pkgs.gmp}/include|' tools/gcc/Makefile
+ rm localversion-grsec
+ ${if localver == "" then "" else ''
+ echo ${localver} > localversion-nix
+ ''}
+ '';
+ }) // features;
+
+ kernelPackages = let self = linuxPackagesFor kernel self; in recurseIntoAttrs self;
+ in {
+ inherit kernel;
+ inherit kernelPackages;
};
-
- vals = rec {
-
- mkKernel = kernel: patch:
- assert patch.kversion == kernel.version;
- { inherit kernel patch;
- inherit (patch) grversion revision;
- };
-
- test-patch = with pkgs.kernelPatches; grsecurity_unstable;
- stable-patch = with pkgs.kernelPatches; grsecurity_stable;
-
- grKernel = if cfg.stable
- then mkKernel pkgs.linux_3_14 stable-patch
- else mkKernel pkgs.linux_3_19 test-patch;
-
- ## -- grsecurity configuration ---------------------------------------------
-
- grsecPrioCfg =
- if cfg.config.priority == "security" then
- "GRKERNSEC_CONFIG_PRIORITY_SECURITY y"
- else
- "GRKERNSEC_CONFIG_PRIORITY_PERF y";
-
- grsecSystemCfg =
- if cfg.config.system == "desktop" then
- "GRKERNSEC_CONFIG_DESKTOP y"
- else
- "GRKERNSEC_CONFIG_SERVER y";
-
- grsecVirtCfg =
- if cfg.config.virtualisationConfig == null then
- "GRKERNSEC_CONFIG_VIRT_NONE y"
- else if cfg.config.virtualisationConfig == "host" then
- "GRKERNSEC_CONFIG_VIRT_HOST y"
- else
- "GRKERNSEC_CONFIG_VIRT_GUEST y";
-
- grsecHwvirtCfg = if cfg.config.virtualisationConfig == null then "" else
- if cfg.config.hardwareVirtualisation == true then
- "GRKERNSEC_CONFIG_VIRT_EPT y"
- else
- "GRKERNSEC_CONFIG_VIRT_SOFT y";
-
- grsecVirtswCfg =
- let virtCfg = opt: "GRKERNSEC_CONFIG_VIRT_"+opt+" y";
- in
- if cfg.config.virtualisationConfig == null then ""
- else if cfg.config.virtualisationSoftware == "xen" then virtCfg "XEN"
- else if cfg.config.virtualisationSoftware == "kvm" then virtCfg "KVM"
- else if cfg.config.virtualisationSoftware == "vmware" then virtCfg "VMWARE"
- else virtCfg "VIRTUALBOX";
-
- grsecMainConfig = if cfg.config.mode == "custom" then "" else ''
- GRKERNSEC_CONFIG_AUTO y
- ${grsecPrioCfg}
- ${grsecSystemCfg}
- ${grsecVirtCfg}
- ${grsecHwvirtCfg}
- ${grsecVirtswCfg}
- '';
-
- grsecConfig =
- let boolToKernOpt = b: if b then "y" else "n";
- # Disable RANDSTRUCT under virtualbox, as it has some kind of
- # breakage with the vbox guest drivers
- #randstruct = optionalString config.services.virtualboxGuest.enable
- # "GRKERNSEC_RANDSTRUCT n";
-
- # Disable restricting links under the testing kernel, as something
- # has changed causing it to fail miserably during boot.
- restrictLinks = optionalString cfg.testing
- "GRKERNSEC_LINK n";
- in ''
- GRKERNSEC y
- ${grsecMainConfig}
-
- ${if cfg.config.restrictProc then
- "GRKERNSEC_PROC_USER y"
- else
- optionalString cfg.config.restrictProcWithGroup ''
- GRKERNSEC_PROC_USERGROUP y
- GRKERNSEC_PROC_GID ${toString cfg.config.unrestrictProcGid}
- ''
- }
-
- GRKERNSEC_SYSCTL ${boolToKernOpt cfg.config.sysctl}
- GRKERNSEC_CHROOT_CHMOD ${boolToKernOpt cfg.config.denyChrootChmod}
- GRKERNSEC_DENYUSB ${boolToKernOpt cfg.config.denyUSB}
- GRKERNSEC_NO_RBAC ${boolToKernOpt cfg.config.disableRBAC}
- ${restrictLinks}
-
- ${cfg.config.kernelExtraConfig}
- '';
-
- ## -- grsecurity kernel packages -------------------------------------------
-
- localver = grkern:
- "-grsec" + optionalString cfg.config.verboseVersion
- "-${grkern.grversion}-${grkern.revision}";
-
- grsecurityOverrider = args: grkern: {
- # Apparently as of gcc 4.6, gcc-plugin headers (which are needed by PaX plugins)
- # include libgmp headers, so we need these extra tweaks
- buildInputs = args.buildInputs ++ [ pkgs.gmp ];
- preConfigure = ''
- ${args.preConfigure or ""}
- sed -i 's|-I|-I${pkgs.gmp}/include -I|' scripts/gcc-plugin.sh
- sed -i 's|HOST_EXTRACFLAGS +=|HOST_EXTRACFLAGS += -I${pkgs.gmp}/include|' tools/gcc/Makefile
- sed -i 's|HOST_EXTRACXXFLAGS +=|HOST_EXTRACXXFLAGS += -I${pkgs.gmp}/include|' tools/gcc/Makefile
- rm localversion-grsec
- echo ${localver grkern} > localversion-grsec
- '';
- };
-
- mkGrsecKern = grkern:
- lowPrio (overrideDerivation (grkern.kernel.override (args: {
- kernelPatches = args.kernelPatches ++ [ grkern.patch pkgs.kernelPatches.grsec_fix_path ];
- argsOverride = {
- modDirVersion = "${grkern.kernel.modDirVersion}${localver grkern}";
- };
- extraConfig = grsecConfig;
- features.grsecurity = true;
- })) (args: grsecurityOverrider args grkern));
-
- mkGrsecPkg = grkern: pkgs.linuxPackagesFor grkern (mkGrsecPkg grkern);
-
- ## -- Kernel packages ------------------------------------------------------
-
- grsecKernel = mkGrsecKern grKernel;
- grsecPackage = mkGrsecPkg grsecKernel;
- };
-in vals
+}
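Review bot: Inside the `rec { ... }` passed to `genericKernelBuilder`, the attribute `kernelPatches = [ grsec_path_patch kernelPatches.bridge_stp_helper ] ++ ...` refers to itself — in a `rec` set the attribute name shadows the `with pkgs;` binding, so `kernelPatches.bridge_stp_helper` is an infinite recursion rather than a lookup in `pkgs.kernelPatches`; write `pkgs.kernelPatches.bridge_stp_helper` explicitly. Two lines earlier, `grsec_path_patch = { name "grsec-path"; patch = ./grsec-path.patch; };` is missing the `=` after `name` and will not parse. `(map fetchurl p.patches)` also produces bare store paths, while the two entries it is concatenated with (and `bridge_stp_helper` as declared in patches.nix) are `{ name; patch; }` attribute sets, so the kernel builder will receive a heterogeneous list; and since this commit drops the sha256-pinned grsecurity patches from patches.nix, the reproducibility of the grsec patch now rests entirely on every `p.patches` entry carrying a `sha256` — document that requirement on `customGrsecKernelPackages`, e.g. `## p.patches: list of { url, sha256 } for fetchurl; unhashed entries are not acceptable for a hardened kernel.`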
diff --git a/pkgs/os-specific/linux/kernel/patches/grsec-path.patch b/pkgs/build-support/grsecurity/grsec-path.patch
similarity index 100%
rename from pkgs/os-specific/linux/kernel/patches/grsec-path.patch
rename to pkgs/build-support/grsecurity/grsec-path.patch
diff --git a/pkgs/os-specific/linux/kernel/patches.nix b/pkgs/os-specific/linux/kernel/patches.nix
index 0ff93df285e..95c313e4b80 100644
--- a/pkgs/os-specific/linux/kernel/patches.nix
+++ b/pkgs/os-specific/linux/kernel/patches.nix
@@ -1,16 +1,6 @@
{ stdenv, fetchurl }:
let
- grsecPatch = { grversion ? "3.1", kversion, revision, branch, sha256 }:
- { name = "grsecurity-${grversion}-${kversion}";
- inherit grversion kversion revision;
- patch = fetchurl {
- url = "http://grsecurity.net/${branch}/grsecurity-${grversion}-${kversion}-${revision}.patch";
- inherit sha256;
- };
- features.grsecurity = true;
- };
-
patches = rec {
btrfs_fix_deadlock =
{ name = "btrfs-fix-deadlock";
@@ -21,24 +11,5 @@ let
{ name = "bridge-stp-helper";
patch = ./patches/bridge-stp-helper.patch;
};
-
- grsec_fix_path =
- { name = "grsec-fix-path";
- patch = ./patches/grsec-path.patch;
- };
-
- grsecurity_stable = grsecPatch
- { kversion = "3.14.37";
- revision = "201504051405";
- branch = "stable";
- sha256 = "0w1rz5g4wwd22ivii7m7qjgakdynzjwpqxiydx51kiw5j0avkzs3";
- };
-
- grsecurity_unstable = grsecPatch
- { kversion = "3.19.3";
- revision = "201504021826";
- branch = "test";
- sha256 = "0r3gsha4x9bkzg9n4rcwzi9f3hkbqrf8yga1dd83kyd10fns4lzm";
- };
};
in patches