grsecurity: revamp nixos kernel config

Cleanup: - Restructure & add some commentary - Remove redundant option specs given the auto config constraints (some are left in for documentation purposes) Changes: - GRKERNSEC_CONFIG_VIRT_HOST -> GUEST The former deselects paravirtualization and friends - PAX_LATENT_ENTROPY n -> y (implied by auto) - GRKERNSEC_ACL_HIDEKERN y -> n Possibly useless with redistribution
NixOS · Oct 2, 2016 · 9a9237e · 9a9237e
1 parent 1bb7b44
commit 9a9237e
Showing 1 changed file with 30 additions and 13 deletions.
diff --git a/pkgs/os-specific/linux/kernel/grsecurity-nixos-config.nix b/pkgs/os-specific/linux/kernel/grsecurity-nixos-config.nix
@@ -3,39 +3,56 @@
 with stdenv.lib;
 
 ''
+# Auto configuration with these constraints will enable most of the
+# important features (RAP, UDEREF, ASLR, memory sanitization).
 GRKERNSEC_CONFIG_AUTO y
 GRKERNSEC_CONFIG_DESKTOP y
-GRKERNSEC_CONFIG_VIRT_HOST y
+GRKERNSEC_CONFIG_PRIORITY_SECURITY y
+
+# We specify virt guest rather than host here, the latter deselects e.g.,
+# paravirtualization.
+GRKERNSEC_CONFIG_VIRT_GUEST y
+# Note: assumes platform supports CPU-level virtualization (so no pentium 4)
 GRKERNSEC_CONFIG_VIRT_EPT y
 GRKERNSEC_CONFIG_VIRT_KVM y
-GRKERNSEC_CONFIG_PRIORITY_SECURITY y
 
+# PaX control
 PAX_SOFTMODE y
-
 PAX_PT_PAX_FLAGS y
 PAX_XATTR_PAX_FLAGS y
 PAX_EI_PAX n
 
-GRKERNSEC_PROC_GID 0
+# The bts instrumentation method is compatible with binary only modules.
+#
+# Note: if platform supports SMEP, we could do without this
+PAX_KERNEXEC_PLUGIN_METHOD_BTS y
 
-PAX_LATENT_ENTROPY n
+# Additional grsec hardening not implied by auto constraints
+GRKERNSEC_IO y
 
+# Disable protections rendered useless by redistribution
 GRKERNSEC_HIDESYM n
 GRKERNSEC_RANDSTRUCT n
-GRKERNSEC_PROC n
-GRKERNSEC_SYSFS_RESTRICT n
-GRKERNSEC_KMEM n
-GRKERNSEC_MODHARDEN n
-GRKERNSEC_NO_SIMULT_CONNECT n
 
-PAX_KERNEXEC_PLUGIN_METHOD_BTS y
+# Disable protections covered by vanilla mechanisms
+GRKERNSEC_DMESG n
+GRKERNSEC_KMEM n
+GRKERNSEC_PROC n
 
-GRKERNSEC_ACL_HIDEKERN y
-GRKERNSEC_IO y
+# Disable protections that are inappropriate for a general-purpose kernel
+GRKERNSEC_NO_SIMULT_CONNECT n
 
+# Enable additional audititing
+GRKERNSEC_AUDIT_MOUNT y
 GRKERNSEC_AUDIT_PTRACE y
 GRKERNSEC_FORKFAIL y
 
+# Wishlist: support trusted path execution
+GRKERNSEC_TPE n
+
+# Wishlist: enable this, but breaks user initiated module loading
+GRKERNSEC_MODHARDEN n
+
 GRKERNSEC_SYSCTL y
 GRKERNSEC_SYSCTL_DISTRO y
 GRKERNSEC_SYSCTL_ON y