From 0e765c72e5c1f12d629d9d23d34f5fcb235e2833 Mon Sep 17 00:00:00 2001 From: Joachim Fasting Date: Mon, 5 Dec 2016 19:19:33 +0100 Subject: [PATCH] grsecurity: enable module hardening --- nixos/modules/security/grsecurity.xml | 8 ++++---- pkgs/os-specific/linux/kernel/grsecurity-nixos-config.nix | 5 ++--- 2 files changed, 6 insertions(+), 7 deletions(-) diff --git a/nixos/modules/security/grsecurity.xml b/nixos/modules/security/grsecurity.xml index 97628b0fe329..5b3e4db03a13 100644 --- a/nixos/modules/security/grsecurity.xml +++ b/nixos/modules/security/grsecurity.xml @@ -153,10 +153,6 @@ Trusted path execution: a desirable feature, but requires some more work to operate smoothly on NixOS. - - Module hardening: would break user initiated module - loading. Might enable this at some point, depending on the potential - breakage. @@ -292,6 +288,10 @@ to override this behavior. + User initiated autoloading of modules (e.g., when + using fuse or loop devices) is disallowed; either load requisite modules + as root or add them to. + Virtualization: KVM is the preferred virtualization solution. Xen, Virtualbox, and VMWare are unsupported and most likely require a custom kernel. diff --git a/pkgs/os-specific/linux/kernel/grsecurity-nixos-config.nix b/pkgs/os-specific/linux/kernel/grsecurity-nixos-config.nix index 96da936642d2..c426799f59dd 100644 --- a/pkgs/os-specific/linux/kernel/grsecurity-nixos-config.nix +++ b/pkgs/os-specific/linux/kernel/grsecurity-nixos-config.nix @@ -31,6 +31,8 @@ PAX_KERNEXEC_PLUGIN_METHOD_BTS y GRKERNSEC_IO y GRKERNSEC_SYSFS_RESTRICT y +GRKERNSEC_MODHARDEN y + # Disable protections rendered useless by redistribution GRKERNSEC_HIDESYM n GRKERNSEC_RANDSTRUCT n @@ -51,9 +53,6 @@ GRKERNSEC_FORKFAIL y # Wishlist: support trusted path execution GRKERNSEC_TPE n -# Wishlist: enable this, but breaks user initiated module loading -GRKERNSEC_MODHARDEN n - GRKERNSEC_SYSCTL y GRKERNSEC_SYSCTL_DISTRO y # Assume that appropriate sysctls are toggled once the system is up