grsecurity: delay toggling of sysctls until system is up

We generally trust init, so there's little point in having these enabled
during early bootup; it accomplishes little except fill our logs with
spam.
This commit is contained in:
Joachim Fasting 2016-12-05 19:02:10 +01:00
parent 601b47ab94
commit 8c1f5afdf3
GPG key ID: 7544761007FE4E08
2 changed files with 47 additions and 3 deletions


@ -109,19 +109,62 @@ in
boot.kernel.sysctl = {
# Read-only under grsecurity
"kernel.kptr_restrict" = mkForce null;
# All grsec tunables default to off, those not enabled below are
# *disabled*. We use mkDefault to allow expert users to override
# our choices, but use mkForce where tunables would outright
# conflict with other settings.
# Enable all chroot restrictions by default (overwritten as
# necessary below)
"kernel.grsecurity.chroot_caps" = mkDefault 1;
"kernel.grsecurity.chroot_deny_bad_rename" = mkDefault 1;
"kernel.grsecurity.chroot_deny_chmod" = mkDefault 1;
"kernel.grsecurity.chroot_deny_chroot" = mkDefault 1;
"kernel.grsecurity.chroot_deny_fchdir" = mkDefault 1;
"kernel.grsecurity.chroot_deny_mknod" = mkDefault 1;
"kernel.grsecurity.chroot_deny_mount" = mkDefault 1;
"kernel.grsecurity.chroot_deny_pivot" = mkDefault 1;
"kernel.grsecurity.chroot_deny_shmat" = mkDefault 1;
"kernel.grsecurity.chroot_deny_sysctl" = mkDefault 1;
"kernel.grsecurity.chroot_deny_unix" = mkDefault 1;
"kernel.grsecurity.chroot_enforce_chdir" = mkDefault 1;
"kernel.grsecurity.chroot_findtask" = mkDefault 1;
"kernel.grsecurity.chroot_restrict_nice" = mkDefault 1;
# Enable various grsec protections
"kernel.grsecurity.consistent_setxid" = mkDefault 1;
"kernel.grsecurity.deter_bruteforce" = mkDefault 1;
"kernel.grsecurity.fifo_restrictions" = mkDefault 1;
"kernel.grsecurity.harden_ipc" = mkDefault 1;
"kernel.grsecurity.harden_ptrace" = mkDefault 1;
"kernel.grsecurity.harden_tty" = mkDefault 1;
"kernel.grsecurity.ip_blackhole" = mkDefault 1;
"kernel.grsecurity.linking_restrictions" = mkDefault 1;
"kernel.grsecurity.ptrace_readexec" = mkDefault 1;
# Enable auditing
"kernel.grsecurity.audit_ptrace" = mkDefault 1;
"kernel.grsecurity.forkfail_logging" = mkDefault 1;
"kernel.grsecurity.rwxmap_logging" = mkDefault 1;
"kernel.grsecurity.signal_logging" = mkDefault 1;
"kernel.grsecurity.timechange_logging" = mkDefault 1;
} // optionalAttrs config.nix.useSandbox {
# chroot(2) restrictions that conflict with sandboxed Nix builds
"kernel.grsecurity.chroot_caps" = mkForce 0;
"kernel.grsecurity.chroot_deny_chmod" = mkForce 0;
"kernel.grsecurity.chroot_deny_chroot" = mkForce 0;
"kernel.grsecurity.chroot_deny_mount" = mkForce 0;
"kernel.grsecurity.chroot_deny_pivot" = mkForce 0;
"kernel.grsecurity.chroot_deny_chmod" = mkForce 0;
} // optionalAttrs containerSupportRequired {
# chroot(2) restrictions that conflict with NixOS lightweight containers
"kernel.grsecurity.chroot_caps" = mkForce 0;
"kernel.grsecurity.chroot_deny_chmod" = mkForce 0;
"kernel.grsecurity.chroot_deny_mount" = mkForce 0;
"kernel.grsecurity.chroot_restrict_nice" = mkForce 0;
"kernel.grsecurity.chroot_caps" = mkForce 0;
# Disable privileged IO by default, unless X is enabled
} // optionalAttrs (!config.services.xserver.enable) {
"kernel.grsecurity.disable_priv_io" = mkDefault 1;
};
};
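Review bot: The comment `# Disable privileged IO by default, unless X is enabled` sits inside the containerSupportRequired set but describes the `disable_priv_io` key in the following `optionalAttrs (!config.services.xserver.enable)` set, so it should move below that `} // optionalAttrs ... {` line to sit next to the key it explains. This rendering does not preserve old/new sides, but `chroot_deny_chmod` appears twice in the useSandbox set and `chroot_caps` twice in the container set; if both copies are on the new side Nix rejects the set with an "attribute already defined" error, so it is worth confirming they are the two deletions the diffstat reports. Since the tunables are now switched on at runtime rather than compiled on, they remain writable by root afterwards unless `kernel.grsecurity.grsec_lock` is set, and a lock key cannot safely live in this unordered set because it could be applied before the keys it would lock; a short comment stating that the module deliberately leaves the tunables unlocked (or where to lock them) would help. The enclosing `config` block begins before this hunk.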


@ -55,5 +55,6 @@ GRKERNSEC_MODHARDEN n
GRKERNSEC_SYSCTL y
GRKERNSEC_SYSCTL_DISTRO y
GRKERNSEC_SYSCTL_ON y
# Assume that appropriate sysctls are toggled once the system is up
GRKERNSEC_SYSCTL_ON n
''
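Review bot: The added comment `# Assume that appropriate sysctls are toggled once the system is up` leaves the reader to guess who toggles them and what the starting state is; with `GRKERNSEC_SYSCTL_ON n` every grsec tunable starts disabled, so a protection is only active if the NixOS module lists it. Suggest `# GRKERNSEC_SYSCTL_ON n: all grsec tunables start *disabled*; the NixOS module enables the chosen ones via boot.kernel.sysctl once userspace is up, so anything not listed there stays off.` It would also be worth stating in the same comment that the early-boot window before sysctl runs is not covered by these tunables, which is the trade-off the commit message accepts.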