nixpkgs/pkgs/os-specific/linux/kernel
Austin Seipp 172dc1336f nixos: add grsecurity module (#1875)
This module implements a significant refactoring in grsecurity
configuration for NixOS, making it far more usable by default and much
easier to configure.

 - New security.grsecurity NixOS attributes.
   - All grsec kernels supported
   - Allows default 'auto' grsec configuration, or custom config
   - Supports custom kernel options through kernelExtraConfig
   - Defaults to high-security - user must choose kernel, server/desktop
     mode, and any virtualisation software. That's all.
   - kptr_restrict is fixed under grsecurity (it's unwriteable)
 - grsecurity patch creation is now significantly abstracted
   - only need revision, version, and SHA1
   - kernel version requirements are asserted for sanity
   - built kernels can have the uname specify the exact grsec version
     for development or bug reports. Off by default (requires
     `security.grsecurity.config.verboseVersion = true;`)
 - grsecurity sysctl support
   - By default, disabled.
   - For people who enable it, NixOS deploys a 'grsec-lock' systemd
     service which runs at startup. You are expected to configure sysctl
     through NixOS like you regularly would, which will occur before the
     service is started. As a result, changing sysctl settings requires
     a reboot.
 - New default group: 'grsecurity'
   - Root is a member by default
   - GRKERNSEC_PROC_GID is implicitly set to the 'grsecurity' GID,
     making it possible to easily add users to this group for /proc
     access
 - AppArmor is now automatically enabled where it wasn't before, despite
   implying features.apparmor = true

The most trivial example of enabling grsecurity in your kernel is by
specifying:

    security.grsecurity.enable          = true;
    security.grsecurity.testing         = true;      # testing 3.13 kernel
    security.grsecurity.config.system   = "desktop"; # or "server"

This specifies absolutely no virtualisation support. In general, you
probably at least want KVM host support, which is a little more work.
So:

    security.grsecurity.enable = true;
    security.grsecurity.stable = true; # enable stable 3.2 kernel
    security.grsecurity.config = {
      system   = "server";
      priority = "security";
      virtualisationConfig   = "host";
      virtualisationSoftware = "kvm";
      hardwareVirtualisation = true;
    }

This module has primarily been tested on Hetzner EX40 & VQ7 servers
using NixOps.

Signed-off-by: Austin Seipp <aseipp@pobox.com>
2014-04-11 22:43:51 -05:00
..
common-config.nix Enable CC_STACKPROTECTOR_REGULAR on linux 3.14+ 2014-04-02 17:58:54 -04:00
generate-config.pl
generic.nix
grsec-path.patch grsecurity: Fix grsec-path.patch to apply with newest patches 2014-03-15 18:01:47 +01:00
linux-3.2.nix linux: Update to 3.2.57 2014-04-10 00:37:33 +02:00
linux-3.4.nix kernel: longterm updates 2014-04-07 13:56:50 -05:00
linux-3.10.nix kernel: longterm updates 2014-04-07 13:56:50 -05:00
linux-3.12.nix kernel: longterm updates 2014-04-07 13:56:50 -05:00
linux-3.13.nix linux: Update to 3.13.9 2014-04-07 15:31:12 +02:00
linux-3.14.nix Add linux 3.14 2014-03-31 20:54:47 -04:00
linux-rpi-3.6.nix
linux.upstream.template
manual-config.nix Remove timestamp from the kernel. 2014-04-05 08:40:55 +02:00
mips-ext3-n32.patch
mips-fpu-sigill.patch
mips-fpureg-emulation.patch
no-xsave.patch
patches.nix nixos: add grsecurity module (#1875) 2014-04-11 22:43:51 -05:00
perf.diff
perf.nix