Commit graph

498 commits

Author SHA1 Message Date
Bjørn Forsman
f9cb2b5640 nixos/security.wrappers: use literalExample in documentation
It's much more readable when the example attrset is pretty printed
instead of written as one line.
2017-02-15 09:08:41 +01:00
Bjørn Forsman
448acd8e5e nixos: remove remaining reference to setuidPrograms
The option doesn't exist anymore.
2017-02-15 07:25:33 +01:00
Parnell Springmeyer
1f83f1c878
security-wrapper: Wrap <para> tags in a <note> tag 2017-02-14 21:30:04 -06:00
Parnell Springmeyer
69794e333a
Using para tags for manual formatting 2017-02-14 08:53:30 -06:00
Parnell Springmeyer
794b3721bc
Syntax wibble 2017-02-14 08:42:08 -06:00
Parnell Springmeyer
e856d6efe8
Default should be to set owner and group to root on setcap wrappers too 2017-02-14 08:40:12 -06:00
Parnell Springmeyer
c01689f8da
Fixing ref to old-wrappersDir 2017-02-14 08:33:07 -06:00
Parnell Springmeyer
f8b8c353ff
Simplifying the wrapper program derivation 2017-02-14 08:27:40 -06:00
Parnell Springmeyer
fb6d13c01a
Addressing feedback and fixing a bug 2017-02-14 07:38:45 -06:00
Parnell Springmeyer
ba499e3aa0
Removing unused module option old-wrapperDir 2017-02-14 07:30:21 -06:00
Parnell Springmeyer
a27f35993d
Derp, correctly write the source program's path 2017-02-13 18:28:13 -06:00
Parnell Springmeyer
cca2e11556
Resurrecting the single-wrapper read from sibling .real file behavior 2017-02-13 18:03:06 -06:00
Parnell Springmeyer
9e36a58649
Merging against upstream master 2017-02-13 17:16:28 -06:00
Graham Christensen
96d767de62
pam_oath: require OATH and pam_unix credentials to be valid 2017-02-12 18:27:11 -05:00
Joachim Fasting
0c31286f75
grsecurity docs: some polish
Fix minor formatting issues, excessive punctuation, and also some
improved wording.
2017-02-03 18:47:07 +01:00
Parnell Springmeyer
128bdac94f
Conditionally logging debug messages based on the WRAPPER_DEBUG env var being set (or not) 2017-01-30 12:59:29 -06:00
Parnell Springmeyer
d8ecd5eb0d
Switching to individually generated derivations 2017-01-30 12:26:56 -06:00
Parnell Springmeyer
264db4e309
Set merge + mkIf always surprises me 2017-01-29 17:10:32 -06:00
Parnell Springmeyer
f2f3f1479e
Derp, wrong path name 2017-01-29 16:54:27 -06:00
Parnell Springmeyer
0f728de67e
More migration cleanup + todos for cleanup 2017-01-29 16:52:23 -06:00
Parnell Springmeyer
4856b42ab6
Gotta provide sane defaults! This is what I get for 5AM coding 2017-01-29 16:47:14 -06:00
Parnell Springmeyer
cfe4351c33
I'm clearly very tired 2017-01-29 05:39:54 -06:00
Parnell Springmeyer
1cc500ea8e
Syntax wibble 2017-01-29 05:34:50 -06:00
Parnell Springmeyer
628e6a83d0
More derp 2017-01-29 05:33:56 -06:00
Parnell Springmeyer
70b8167d4a
A few more tweaks 2017-01-29 05:05:30 -06:00
Parnell Springmeyer
4aa0923009
Getting rid of the var indirection and using a bin path instead 2017-01-29 04:11:01 -06:00
Parnell Springmeyer
af3b9a3d46
More wibbles? 2017-01-29 01:41:39 -06:00
Parnell Springmeyer
48564d1ae5
Another wibble 2017-01-29 01:31:33 -06:00
Parnell Springmeyer
5077699605
Derp derp 2017-01-29 01:27:11 -06:00
Parnell Springmeyer
0707a3eaa2
Qualify with lib 2017-01-29 01:23:10 -06:00
Parnell Springmeyer
8e159b9d1e
Qualify mkOption with lib 2017-01-29 01:22:47 -06:00
Parnell Springmeyer
70ec24093c
Removing dead code 2017-01-29 01:22:19 -06:00
Parnell Springmeyer
82de4c0fad
setcap-wrapper: Syntax wibble 2017-01-29 01:20:02 -06:00
Parnell Springmeyer
7680a40a37
setcap-wrapper: Syntax wibble 2017-01-29 01:16:04 -06:00
Parnell Springmeyer
2f113ee90a
setcap-wrapper: Minor refactor 2017-01-29 01:08:36 -06:00
Parnell Springmeyer
3fe7b1a4c9
setcap-wrapper: Addressing more PR feedback, unifying drvs, and cleaning up a bit 2017-01-29 01:07:12 -06:00
Parnell Springmeyer
e92b8402b0
Addressing PR feedback 2017-01-28 20:48:03 -08:00
Parnell Springmeyer
9de070e620
Setuid wrapper should not be constrained to a specific linux kernel version 2017-01-26 09:39:37 -08:00
Parnell Springmeyer
01e6b82f3f
Removing dead code 2017-01-26 09:20:15 -08:00
Parnell Springmeyer
189a0c2579
Wrap with quotes as-per GCC's recommendation 2017-01-26 02:07:36 -08:00
Parnell Springmeyer
c30cf645f8
Make setting of the wrapper macros a compile-time error 2017-01-26 02:06:24 -08:00
Parnell Springmeyer
a26a796d5c
Merging against master - updating smokingpig, rebase was going to be messy 2017-01-26 02:00:04 -08:00
Parnell Springmeyer
ad8fde5e5d
Andddd more derp 2017-01-26 01:33:25 -08:00
Parnell Springmeyer
ce36b58e21
Derp 2017-01-26 01:31:49 -08:00
Parnell Springmeyer
f64b06a3e0
Hmmm 2017-01-26 01:13:19 -08:00
Parnell Springmeyer
fd974085bf
It's clearly quite late 2017-01-26 01:04:12 -08:00
Parnell Springmeyer
61fe8de40c
Silly, should just have one activation script 2017-01-26 01:03:18 -08:00
Parnell Springmeyer
48a0c5a3a7
More fixing 2017-01-26 01:00:46 -08:00
Parnell Springmeyer
21368c4c67
Hmm, unnecessary 2017-01-26 00:58:44 -08:00
Parnell Springmeyer
a4f905afc2
Enhhh I think compile time macros are gross 2017-01-26 00:41:00 -08:00
Parnell Springmeyer
785684f6c2
Ahhh, my compile-time macros confused me...of course they did... 2017-01-26 00:39:17 -08:00
Parnell Springmeyer
1ad541171e
Hmm 2017-01-26 00:36:35 -08:00
Parnell Springmeyer
e8bec4c75f
Implicit declared function... 2017-01-26 00:35:01 -08:00
Parnell Springmeyer
a20e65724b
Fixing 2017-01-26 00:32:59 -08:00
Parnell Springmeyer
025555d7f1
More fixes and improvements 2017-01-26 00:05:40 -08:00
Parnell Springmeyer
bae00e8aa8
setcap-wrapper: Merging with upstream master and resolving conflicts 2017-01-25 11:08:05 -08:00
Franz Pletz
516760a6fb
nixos/acme: add random delay to timer
This way we behave like good citizens and won't overload Let's Encrypt
with lots of cert renewal requests at the same time.
2017-01-25 19:15:04 +01:00
Jörg Thalheim
30a554acfb
apparmor: support for lxc profiles 2017-01-10 23:01:03 +01:00
teh
a878365b77 nixos docs: update for Nginx + ACME (#21320)
Closes #20698.
2017-01-09 06:39:10 +01:00
Alexander Kahl
61d125b842 sssd: init at 1.14.2
perlPackages.TextWrapI18N: init at 0.06
perlPackages.Po4a: init at 0.47
jade: init at 1.2.1
ding-libs: init at 0.6.0

Switch nscd to no-caching mode if SSSD is enabled.

abbradar: disable jade parallel building.

Closes #21150
2017-01-04 03:07:20 +03:00
Joachim Fasting
f39d13cd3e
grsecurity doc: describe work-around for gitlab
Fixes https://github.com/NixOS/nixpkgs/issues/20959
2016-12-08 11:59:57 +01:00
Joachim Fasting
984d9ebb56
hidepid: polkit and systemd-logind compatibility
`systemd.hideProcessInformation = true`, would break interactions
requiring polkit arbitration such as initating poweroff/reboot as a
normal user; the polkit daemon cannot be expected to make decisions
about processes that don't exist as far as it is concerned.

systemd-logind lacks the `sys_ptrace` capability and so needs to be part
of the designated proc gid, even though it runs as root.

Fixes https://github.com/NixOS/nixpkgs/issues/20948
2016-12-07 01:12:05 +01:00
Joachim Fasting
0e765c72e5
grsecurity: enable module hardening 2016-12-06 01:23:58 +01:00
Joachim Fasting
31d79afbe5
grsecurity docs: note that pax_sanitize_slab defaults to fast 2016-12-06 01:23:51 +01:00
Joachim Fasting
071fbcda24
grsecurity: enable optional sysfs restrictions
Fairly severe, but can be disabled at bootup via
grsec_sysfs_restrict=0. For the NixOS module we ensure that it is
disabled, for systemd compatibility.
2016-12-06 01:23:36 +01:00
Joachim Fasting
8c1f5afdf3
grsecurity: delay toggling of sysctls until system is up
We generally trust init, so there's little point in having these enabled
during early bootup; it accomplishes little except fill our logs with
spam.
2016-12-06 01:22:53 +01:00
Domen Kožar
75f131da02 acme: ensure nginx challenges directory is writeable 2016-11-29 15:56:01 +01:00
Joachim Fasting
e99228db30
grsecurity module: force a known good kernel package set
Previously, we would only set a default value, on the theory that
`boot.kernelPackages` could be used to sanely configure a custom grsec
kernel.  Regrettably, this is not the case and users who expect e.g.,
`boot.kernelPackages = pkgs.linuxPackages_latest` to work will end up
with a non-grsec kernel (this problem has come up twice on the bug
tracker recently).

With this patch, `security.grsecurity.enable = true` implies
`boot.kernelPackages = linuxPackages_grsec_nixos` and any customization
must be done via package override or by eschewing the module.
2016-11-28 12:11:04 +01:00
Joachim Fasting
2eb6ec1bc4
grsecurity module: remove code pertaining to zfs
I don't know if it still the case that zfs fails to boot; either way,
that's the user's responsibility to contend with.
2016-11-20 23:01:22 +01:00
Joachim Fasting
98935c7103
grsecurity module: remove requiredKernelConfig
Using a custom package set with the NixOS module is no longer
something I wish to support.  It's still *possible* but not
advertised.  Secondly, the requiredKernelConfig didn't really
do anything (setting kernelPackages to a non-grsec kernel would
just silently let the user boot into a non-grsec setup ...).
2016-11-20 23:00:41 +01:00
Joachim Fasting
5ad8a56d16
grsecurity module: remove use of mkEnableOption 2016-11-20 23:00:24 +01:00
Eric Sagnes
9513ab45aa duosec module: use enum 2016-11-16 22:36:05 +09:00
Eric Sagnes
e5b7975fe3 acme module: certs option loaOf -> attrsOf 2016-11-16 16:28:27 +09:00
Timofei Kushnir
faa6f9b6b3 grsecurity: fix 'isYes' and 'isNo' 2016-10-29 14:26:06 +03:00
Domen Kožar
41c490b75e acme: we do want to support ipv4 afterall 2016-10-21 13:25:11 +02:00
Domen Kožar
d8f21b3ca3 acme: provide full nginx example
(cherry picked from commit 2af7382f76a6523f1220637b3ec49ad25a02b040)
Signed-off-by: Domen Kožar <domen@dev.si>
2016-10-21 13:19:04 +02:00
Alexander Ried
d91365d714 audit module: only enable service if kernel has audit (#19569) 2016-10-15 16:03:41 +02:00
Franz Pletz
0d59fc1169
cacerts: refactor, add blacklist option
Previously, the list of CA certificates was generated with a perl script
which is included in curl. As this script is not very flexible, this commit
refactors the expression to use the python script that Debian uses to
generate their CA certificates from Mozilla's trust store in NSS.

Additionally, an option was added to the cacerts derivation and the
`security.pki` module to blacklist specific CAs.
2016-10-09 02:00:18 +02:00
Ricardo M. Correia
1623476904 nixos.acme: make timer persistent
This makes sure that if the system was powered off when the timer was
supposed to trigger, it will run the next time the system boots up.
2016-10-03 19:31:42 +02:00
Joachim Fasting
98e2b90cf3
grsecurity doc: note that module autoload hardening is disabled 2016-10-02 19:25:58 +02:00
Joachim Fasting
1bb7b44cd7
grsecurity: make GRKERNSEC y and PAX y implicit
These options should always be specified. Note, an implication of this
change is that not specifying any grsec/PaX options results in a build
failure.
2016-10-02 19:25:58 +02:00
Joachim F
7e80c42b0e Merge pull request #18511 from ericsagnes/feat/remove-optionSet
modules: optionSet -> submodule
2016-10-01 17:57:45 +02:00
Shea Levy
3f02cbbcaf Merge branch 'rngd-wantedBy' of git://github.com/srp/nixpkgs-1 2016-09-19 19:06:51 -04:00
Scott R. Parish
a560223119 rngd: update modalias to match cpu type
It looks like the cpu type part of modalias might have changed, my
systems (4.4.20 and 4.7.2) show something like the following:

```
cpu:type:x86,ven0000fam0006mod003F:feature:,0000,0001,0002,0003,0004,0005,0006,0007,0008,0009,000B,000C,000D,000E,000F,0010,0011,0013,0017,0018,0019,001A,001C,002B,0034,003B,003D,0068,006F,0070,0072,0074,0075,0076,007D,0080,0081,0089,008C,008D,0091,0093,0094,0095,0096,0097,0098,0099,009A,009B,009C,009D,009E,009F,00C0,00C5,0120,0123,0125,0127,0128,0129,012A,0140
```

Update the rngd modalias rule to match this so udev properly has
systemd start rngd.
2016-09-17 18:36:57 -07:00
Thomas Tuegel
9300b4903f
Revert "nixos/pam: clean up generated files (no functional change) (#18580)"
This reverts commit 1010271c63.
This reverts commit e85e51d41f.

The first commit causes multiple regressions. The second commit tries to
fix the regressions, but does not catch all of them. There are multiple
failing tests, one of which is blocking a package update. That is not
acceptable for a cosmetic patch.
2016-09-17 16:39:49 -05:00
aszlig
e85e51d41f
nixos/pam: Fix wrong string concatenation
Regression introduced by 1010271c63.

This caused the line after using the loginuid module to be concatenated
with the next line without a newline.

In turn this has caused a lot of the NixOS VM tests to either run very
slowly (because of constantly hitting PAM errors) or simply fail.

I have tested this only with one of the failing NixOS tests.

Signed-off-by: aszlig <aszlig@redmoonstudios.org>
2016-09-16 15:36:31 +02:00
Joachim Fasting
527b3dc1df
hidepid module: detailed description to external doc 2016-09-15 15:36:03 +02:00
Bjørn Forsman
1010271c63 nixos/pam: clean up generated files (no functional change) (#18580)
The generated files in /etc/pam.d/ typically have a lot of empty lines
in them, due to how the generated Nix strings are joined together;
optional elements that are excluded still produce a newline. This patch
changes how the files are generated to create more compact,
human-friendly output files.

The change is basically this, repeated:

-  ''
-    ${optionalString use_ldap
-        "account sufficient ${pam_ldap}/lib/security/pam_ldap.so"}
-  ''
+  optionalString use_ldap ''
+    account sufficient ${pam_ldap}/lib/security/pam_ldap.so
+  ''
2016-09-14 11:56:07 +01:00
Roger Qiu
de0737aed5 sudo: Allow root to use sudo to switch groups 2016-09-13 23:15:56 +10:00
Eric Sagnes
fff4a9ee01 pam module: optionSet -> submodule 2016-09-13 12:53:09 +09:00
Eric Sagnes
3acf336f15 acme module: optionSet -> submodule 2016-09-13 12:53:09 +09:00
Franz Pletz
9190dbcc0e Merge pull request #18366 from groxxda/acme-loop
security.acme: require networking for client, remove loop without fallbackHost
2016-09-06 23:02:07 +02:00
Alexander Ried
7f98dca782 security.acme: the client really needs networking
Actually this can be improved since the client only needs network
connectivity if it needs to renew the certificate.
2016-09-06 17:47:00 +02:00
Eelco Dolstra
98102ebd92 Enable the runuser command from util-linux
Fixes #14701.
2016-09-06 17:23:27 +02:00
Joachim Fasting
269f739ded
grsecurity module: set nixpkgs.config.grsecurity = true 2016-09-05 00:56:17 +02:00
Domen Kožar
393e646e4f setuid-wrappers: correctly umount the tmpfs 2016-09-04 17:56:00 +02:00
Karn Kallio
8d977ead38
setuid-wrappers : Prepare permissions for running wrappers
The new setuid-wrappers in /run cannot be executed by users due to:

1) the temporary directory does not allow access
2) the /run is mounted nosuid
2016-09-04 03:19:32 +02:00
Parnell Springmeyer
d60581d4d6 Resolving that silly bad argument error. 2016-09-01 19:26:54 -05:00
Parnell Springmeyer
c686da8655 Updatig the chromium-suid-sandbox module 2016-09-01 19:26:30 -05:00
Parnell Springmeyer
98c058a1ee Adapting everything for the merged permissions wrappers work. 2016-09-01 19:21:06 -05:00
Parnell Springmeyer
390ab0b3ef everything?: Updating every package that depended on the old setuidPrograms configuration. 2016-09-01 19:17:43 -05:00
Parnell Springmeyer
79e81aa31b security: Removing the old wrappers and replacing with 'permissions-wrappers' 2016-09-01 19:15:56 -05:00
Parnell Springmeyer
c16647ec29 security: switching to linuxHeaders so we always stay current with the selected kernel. 2016-09-01 19:15:56 -05:00
Parnell Springmeyer
2efb60c8e9 security: tweaking the setcap-wrapper example to be more relevant 2016-09-01 19:15:56 -05:00
Parnell Springmeyer
1c0f672f7a security: update setcap-wrappers dir to match the system-level dir we're creating on init 2016-09-01 19:15:56 -05:00
Parnell Springmeyer
b3d63f8191 security: whitespace wibble 2016-09-01 19:13:54 -05:00
Parnell Springmeyer
bfc3956376 security: adding setcap-wrapper functionality 2016-09-01 19:13:54 -05:00
Domen Kožar
a6670c1a0b Fixes #18124: atomically replace /var/setuid-wrappers/ (#18186)
Before this commit updating /var/setuid-wrappers/ folder introduced
a small window where NixOS activation scripts could be terminated
and resulted into empty /var/setuid-wrappers/ folder.

That's very unfortunate because one might lose sudo binary.

Instead we use two atomic operations mv and ln (as described in
https://axialcorps.com/2013/07/03/atomically-replacing-files-and-directories/)
to achieve atomicity.

Since /var/setuid-wrappers is not a directory anymore, tmpfs mountpoints
were removed in installation scripts and in boot process.

Tested:

- upgrade /var/setuid-wrappers/ from folder to a symlink
- make sure /run/setuid-wrappers-dirs/ legacy symlink is really deleted
2016-09-01 20:57:51 +02:00
Tuomas Tynkkynen
8c4aeb1780 Merge staging into master
Brings in:
    - changed output order for multiple outputs:
      https://github.com/NixOS/nixpkgs/pull/14766
    - audit disabled by default
      https://github.com/NixOS/nixpkgs/pull/17916

 Conflicts:
	pkgs/development/libraries/openldap/default.nix
2016-09-01 13:27:27 +03:00
Tuomas Tynkkynen
16b3e26da4 audit: Disable by default
Because in its default enabled state it it causes a global performance
hit on all system calls (https://fedorahosted.org/fesco/ticket/1311) and
unwanted spam in dmesg, in particular when using Chromium
(https://github.com/NixOS/nixpkgs/issues/13710).
2016-08-31 23:15:41 +03:00
Tuomas Tynkkynen
5eff0b990c audit service: Explicitly call auditctl to disable everything
Otherwise, journald might be starting auditing.
Some reading:
    - https://fedorahosted.org/fesco/ticket/1311
    - https://github.com/systemd/systemd/issues/959
    - 64f83d3087
2016-08-31 23:15:32 +03:00
Domen Kožar
d8d75ddec6 Revert "setuid-wrappers: Update wrapper dir atomically."
This reverts commit ee535056ce.

It doesn't work yet.
2016-08-31 16:25:18 +02:00
Nikolay Amiantov
4499a505ed hidepid service: use new boot.specialFileSystems 2016-08-31 17:16:41 +03:00
Shea Levy
ee535056ce setuid-wrappers: Update wrapper dir atomically.
Fixes #18124.
2016-08-31 08:00:57 -04:00
Nikolay Amiantov
509733a343 Merge pull request #17822 from abbradar/systemd-mounts
nixos filesystems: unify special filesystems handling
2016-08-30 22:42:19 +04:00
Joachim Fasting
dab32a1fa6
nixos manual: move chapter on grsecurity to auto-generated module docs 2016-08-29 23:48:12 +02:00
Domen Kožar
e01e92f12f Merge pull request #15025 from ericsagnes/modules/manual
manual: automatically generate modules documentation
2016-08-28 13:57:34 +02:00
Nikolay Amiantov
6efcfe03ae nixos filesystems: unify early filesystems handling
A new internal config option `fileSystems.<name>.early` is added to indicate
that the filesystem needs to be loaded very early (i.e. in initrd). They are
transformed to a shell script in `system.build.earlyMountScript` with calls to
an undefined `specialMount` function, which is expected to be caller-specific.
This option is used by stage-1, stage-2 and activation script to set up and
remount those filesystems.  Options for them are updated according to systemd
defaults.
2016-08-27 13:38:20 +03:00
Nikolay Amiantov
3f70fcd4c1 Merge pull request #11484 from oxij/nixos-toposort-filesystems
lib: add toposort, nixos: use toposort for fileSystems to properly support bind and move mounts
2016-08-27 14:34:55 +04:00
Markus Mueller
e04c3506eb ldap: Add option for login PAM integration 2016-08-23 21:12:51 +02:00
Jan Malakhovski
65d26c4dc1 nixos: apply toposort to fileSystems to support bind and move mounts
And use new `config.system.build.fileSystems` property everywhere.
2016-08-23 18:14:05 +00:00
Joachim Fasting
050b7eec16
grsecurity module: systemd-nspawn requires cap_sys_admin
As with 9ca3504a798291fbd7c49fcfeec8b64daa2022ad

Closes https://github.com/NixOS/nixpkgs/issues/17714
2016-08-15 20:36:47 +02:00
Joachim Fasting
7fd99066c4
grsecurity module: permit chmod +s in sandboxed builds
While useless, some builds may dabble with setuid bits (e.g.,
util-linux), which breaks under grsec.  In the interest of user
friendliness, we once again compromise by disabling an otherwise useful
feature ...

Closes https://github.com/NixOS/nixpkgs/issues/17501
2016-08-15 20:36:47 +02:00
Eric Sagnes
4cdfeb78f9 modules: move meta at top level 2016-08-11 00:29:48 +09:00
Nikolay Amiantov
b2413e48ae chromium-suid-sandbox module: fix description 2016-08-08 10:17:31 +03:00
obadz
66d5edf654 chromium: add nixos module security.chromiumSuidSandbox
Closes #17460

Changed the wrapper derivation to produce a second output containing the sandbox.
Add a launch wrapper to try and locate the sandbox (either in /var/setuid-wrappers or in /nix/store).
This launch wrapper also sheds libredirect.so from LD_PRELOAD as Chromium does not tolerate it.

Does not trigger a Chromium rebuild.

cc @cleverca22 @joachifm @jasom
2016-08-06 10:27:47 +01:00
Joachim Fasting
43fc394a5c
grsecurity module: disable EFI runtime services by default
Enabling EFI runtime services provides a venue for injecting code into
the kernel.

When grsecurity is enabled, we close this by default by disabling access
to EFI runtime services.  The upshot of this is that
/sys/firmware/efi/efivars will be unavailable by default (and attempts
to mount it will fail).

This is not strictly a grsecurity related option, it could be made into
a general option, but it seems to be of particular interest to
grsecurity users (for non-grsecurity users, there are other, more
immediate kernel injection attack dangers to contend with anyway).
2016-08-02 10:24:49 +02:00
Joachim Fasting
d1572d06fe
grsecurity module: correct internal note 2016-08-01 16:27:14 +02:00
Joachim Fasting
96542a1b00
grsecurity module: assert RBAC support in kernel 2016-07-24 12:54:07 +02:00
Joachim Fasting
5ece58ed66
grsecurity module: add gradm to system path 2016-07-24 12:54:07 +02:00
Joachim Fasting
59c9a88a6b
grsecurity module: tweak lockTunables option description 2016-07-16 11:11:35 +02:00
Joachim Fasting
cef7150bc7
grsecurity module: grsecurity is not capitalized mid-sentence 2016-07-16 11:11:35 +02:00
Joachim Fasting
94824303be
grsecurity module: smarter container support
Only set tunables required for container support if there are any containers.
2016-07-16 11:11:35 +02:00
Joachim Fasting
c606b9876f
grsecurity module: enforce size overflows by default
It is better to make this conditional on whether the configuration contains a
known size overflow that could prevent the system from booting.
2016-07-16 11:11:35 +02:00
zimbatm
b0f8416c5c Merge pull request #16180 from zimbatm/shell-escaping
Escape all shell arguments uniformly
2016-06-19 23:27:52 +01:00
Joachim Fasting
0677cc61c8
nixos: rewrite the grsecurity module
The new module is specifically adapted to the NixOS Grsecurity/PaX
kernel.  The module declares the required kernel configurations and
so *should* be somewhat compatible with custom Grsecurity kernels.

The module exposes only a limited number of options, minimising the need
for user intervention beyond enabling the module. For experts,
Grsecurity/PaX behavior may be configured via `boot.kernelParams` and
`boot.kernel.sysctl`.

The module assumes the user knows what she's doing (esp. if she decides
to modify configuration values not directly exposed by the module).

Administration of Grsecurity's role based access control system is yet
to be implemented.
2016-06-14 03:38:12 +02:00
zimbatm
28fa4a2f03 Escape all shell arguments uniformly 2016-06-12 18:11:37 +01:00
Bob van der Linden
4e6697dcb6 acme: added option security.acme.preliminarySelfsigned (#15562) 2016-06-01 11:39:46 +01:00
Domen Kožar
16535d4a71 setuid-wrappers: remove config.system.path from the closure
The motivation is using sudo in chroot nix builds, a somewhat
special edge case I have and pulling system path into chroot
yields to some very nasty bug like
https://github.com/NixOS/nixpkgs/issues/15581

Previously:

$ cat /var/setuid-wrappers/sudo.real
/nix/store/3sm04dzh0994r86xqxy52jjc0lqnkn65-system-path/bin/sudo

After the change:

$ cat /var/setuid-wrappers/sudo.real
/nix/store/4g9sxbzy8maxf1v217ikp69c0c3q12as-sudo-1.8.15/bin/sudo
2016-05-23 13:47:23 +01:00
Rok Garbas
03b115f8e0 nixos/i3lock-color: added to pam 2016-05-15 07:47:31 +02:00
Joachim Fasting
d4d7bfe07b
grsecurity: add option to disable chroot caps restriction
The chroot caps restriction disallows chroot'ed processes from running
any command that requires `CAP_SYS_ADMIN`, breaking `nixos-rebuild`. See
e.g., https://github.com/NixOS/nixpkgs/issues/15293

This significantly weakens chroot protections, but to break
nixos-rebuild out of the box is too severe.
2016-05-10 16:17:08 +02:00
Joachim Fasting
c5d1bff2b6
apparmor-suid module: fix libcap lib output reference
After 7382afac40
2016-05-07 21:48:29 +02:00
Joachim Fasting
da767356f2
grsecurity: support disabling TCP simultaneous connect
Defaults to OFF because disabling TCP simultaneous connect breaks some
legitimate use cases, notably WebRTC [1], but it's nice to provide the
option for deployments where those features are unneeded anyway.

This is an alternative to https://github.com/NixOS/nixpkgs/pull/4937

[1]: http://article.gmane.org/gmane.linux.documentation/9425
2016-05-04 03:53:24 +02:00
Joachim Fasting
60a27781d6
grsecurity module: fix grsec-lock unit ordering
Requirement without ordering implies parallel execution; it is crucial
that sysctl tunables are finalized before the lock is engaged, however.
2016-05-02 11:28:24 +02:00
Eelco Dolstra
0c5e837b66 acme.nix: Fix unit descriptions
Unit descriptions should be capitalized, and timer units don't have
to describe that they're timers.
2016-04-18 14:20:49 +02:00
Vladimír Čunát
39ebb01d6e Merge branch 'staging', containing closure-size #7701 2016-04-13 09:25:28 +02:00
Joachim Fasting
cef2814a4f nixos: add optional process information hiding
This module adds an option `security.hideProcessInformation` that, when
enabled, restricts access to process information such as command-line
arguments to the process owner.  The module adds a static group "proc"
whose members are exempt from process information hiding.

Ideally, this feature would be implemented by simply adding the
appropriate mount options to `fileSystems."/proc".fsOptions`, but this
was found to not work in vmtests. To ensure that process information
hiding is enforced, we use a systemd service unit that remounts `/proc`
after `systemd-remount-fs.service` has completed.

To verify the correctness of the feature, simple tests were added to
nixos/tests/misc: the test ensures that unprivileged users cannot see
process information owned by another user, while members of "proc" CAN.

Thanks to @abbradar for feedback and suggestions.
2016-04-10 12:27:06 +02:00
Vladimír Čunát
710573ce6d Merge #12653: rework default outputs 2016-04-07 16:00:09 +02:00
Vladimír Čunát
ab15a62c68 Merge branch 'master' into closure-size
Beware that stdenv doesn't build. It seems something more will be needed
than just resolution of merge conflicts.
2016-04-01 10:06:01 +02:00
Vladimír Čunát
d6b46ecb30 Merge branch 'closure-size' into p/default-outputs 2016-03-14 11:27:15 +01:00
Domen Kožar
77ae55308c fix installer tests #13559 2016-03-12 20:19:40 +00:00
Vladimír Čunát
09af15654f Merge master into closure-size
The kde-5 stuff still didn't merge well.
I hand-fixed what I saw, but there may be more problems.
2016-03-08 09:58:19 +01:00
tg(x)
be3bd972d5 grsecurity: add 4.1 kernel 2016-02-28 15:00:16 +01:00
tg(x)
38614d3f6a grsecurity: use kernel version instead of testing / stable 2016-02-28 04:10:59 +01:00
Leroy Hopson
24d5d28820 cacert: fix formatting of example 2016-02-27 22:25:39 +13:00
zimbatm
2c7e5a6d8e Merge pull request #13434 from spacefrogg/oath-module
config.security.oath: new module
2016-02-26 18:06:28 +00:00
tg(x)
629a89343e simp_le: external_pem.sh plugin is now called external.sh 2016-02-26 01:31:58 +01:00
Michael Raitza
d09c7986de config.security.oath: new module
Add a module to make options to pam_oath module configurable.
These are:
 - enable - enable the OATH pam module
 - window - number of OTPs to check
 - digits - length of the OTP (adds support for two-factor auth)
 - usersFile - filename to store OATH credentials in
2016-02-25 13:52:45 +00:00
Vladimír Čunát
e9520e81b3 Merge branch 'master' into staging 2016-02-17 10:06:31 +01:00
Vladimír Čunát
d039c87984 Merge branch 'master' into closure-size 2016-02-14 08:33:51 +01:00
Nikolay Amiantov
c420a6f1ef acme service: update plugins enum 2016-02-10 02:06:01 +03:00
Vladimír Čunát
ae74c356d9 Merge recent 'staging' into closure-size
Let's get rid of those merge conflicts.
2016-02-03 16:57:19 +01:00
Guillaume Maudoux
9f358f809d Configure a default trust store for openssl 2016-02-03 12:42:01 +01:00
Eelco Dolstra
bfebc7342e Fix some references to deprecated /etc/ssl/certs/ca-bundle.crt 2016-01-29 02:32:05 +01:00
Vladimír Čunát
ab8a691d05 nixos systemPackages: rework default outputs
- Now `pkg.outputUnspecified = true` but this attribute is missing in
  every output, so we can recognize whether the user chose or not.
  If (s)he didn't choose, we put `pkg.bin or pkg.out or pkg` into
  `systemPackages`.
- `outputsToLink` is replaced by `extraOutputsToLink`.
  We add extra outputs *regardless* of whether the user chose anything.
  It's mainly meant for outputs with docs and debug symbols.
- Note that as a result, some libraries will disappear from system path.
2016-01-28 11:24:18 +01:00
Eelco Dolstra
2352e2589e audit: Disable in containers
This barfs:

Jan 18 12:46:32 machine 522i0x9l80z7gw56iahxjjsdjp0xi10q-audit-start[506]: The audit system is disabled
2016-01-26 16:25:40 +01:00
Tuomas Tynkkynen
8707bf4a3c treewide: Mass replace 'libcap}/lib' to refer the 'out' output 2016-01-24 10:03:35 +02:00
Tuomas Tynkkynen
f412f5f3ee treewide: Mass replace 'attr}/lib' to refer the 'out' output 2016-01-24 10:03:32 +02:00
Vladimír Čunát
716aac2519 Merge branch 'staging' into closure-size 2016-01-19 09:55:31 +01:00
Domen Kožar
7fe7138968 nixos: fix acme service @abbradar 2016-01-12 11:50:34 +01:00
Nikolay Amiantov
f92cec4c1b nixos/acme: add allowKeysForGroup 2016-01-10 07:28:19 +03:00
Dan Peebles
63bfe20b72 security.audit: add NixOS module
Part of the way towards #11864. We still don't have the auditd
userland logging daemon, but journald also tracks audit logs so we
can already use this.
2016-01-07 03:06:10 +00:00
Vladimír Čunát
f9f6f41bff Merge branch 'master' into closure-size
TODO: there was more significant refactoring of qtbase and plasma 5.5
on master, and I'm deferring pointing to correct outputs to later.
2015-12-31 09:53:02 +01:00
Nikolay Amiantov
5250582396 nixos/acme: fix timer unit 2015-12-13 17:01:59 +03:00
Franz Pletz
1685b9d06e nixos/acme: Add module documentation 2015-12-12 16:06:53 +01:00
Franz Pletz
9374ddb895 nixos/acme: validMin & renewInterval aren't cert-specific 2015-12-12 16:06:53 +01:00
Franz Pletz
0517d59a66 nixos/acme: Improve documentation 2015-12-12 16:06:52 +01:00
Franz Pletz
de24b00d41 nixos/simp_le: Rename to security.acme 2015-12-12 16:06:52 +01:00
Luca Bruno
31ed92f65f Fix system-path with multiout 2015-12-01 15:09:41 +01:00
Luca Bruno
920b1d3591 Merge branch 'master' into closure-size 2015-11-29 16:50:26 +01:00
Luca Bruno
07a0204282 nixos/polkit: fix systemd service after spiltting 2015-11-26 18:14:22 +01:00
obadz
a05a340e26 PAM: reorganize the way pam_ecryptfs and pam_mount get their password
Run pam_unix an additional time rather than switching it from sufficient
to required. This fixes a potential security issue for
ecryptfs/pam_mount users as with pam_deny gone, if cfg.unixAuth = False
then it is possible to login without a password.
2015-11-21 21:10:40 +00:00
Tuomas Tynkkynen
d5c9e1aebe nixos/polkit: Reference correct output of polkit 2015-10-28 10:17:10 +01:00
Vladimír Čunát
2490848627 polkit: split dev and bin outputs 2015-10-14 14:32:26 +02:00
Tuomas Tynkkynen
1ac0e05f69 nixos/setuid-wrappers: Build with normal mkDerivation phases
This way the binary gets stripped & rpath-shrinked etc. as usual.
We'd seem to get a runtime reference to gcc otherwise.
2015-10-03 14:08:55 +02:00
Vladimír Čunát
5227fb1dd5 Merge commit staging+systemd into closure-size
Many non-conflict problems weren't (fully) resolved in this commit yet.
2015-10-03 13:33:37 +02:00
Jan Malakhovski
6eadb16022 nixos: fix some types 2015-09-18 18:48:50 +00:00
Tobias Geerinckx-Rice
c90eb862fc nixos: prey module: fix option descriptions 2015-09-06 23:50:03 +02:00
Jaka Hudoklin
c7bb64cb97 Merge pull request #7344 from joachifm/apparmor-pam
nixos: add AppArmor PAM support
2015-08-29 18:59:53 +02:00
obadz
172522e153 ecryptfs:
- upgrade 106 -> 108
- fix passphrase rewrapper (password changing should now work fine) as
  discussed on https://bugs.launchpad.net/ecryptfs/+bug/1486470
- add lsof dependency so ecryptfs-migrate-home should work out of the
  box
2015-08-19 12:16:57 +01:00
Joachim Fasting
2e0933787b nixos: add AppArmor PAM support
Enables attaching AppArmor profiles at the user/group level.

This is not intended to be used directly, but as part of a
role-based access control scheme. For now, profile attachment
is 'session optional', but should be changed to 'required' once
a more comprehensive solution is in place.
2015-07-15 12:40:06 +02:00
William A. Kennington III
d605663ae2 Merge branch 'master.upstream' into staging.upstream 2015-07-05 13:06:02 -07:00
Thomas Strobel
7b6f279142 pam_mount module: integrate pam_mount into PAM of NixOS 2015-07-04 23:42:31 +02:00
William A. Kennington III
8e19ac8d7c Merge branch 'master.upstream' into staging.upstream 2015-06-17 11:57:40 -07:00
Eelco Dolstra
6e6a96d42c Some more type cleanup 2015-06-15 18:18:46 +02:00
William A. Kennington III
9d6555dc0a Merge branch 'master.upstream' into staging.upstream 2015-06-06 12:04:42 -07:00
William A. Kennington III
ffd0539eba cacert: store ca-bundle.crt in $out/etc/ssl/certs instead of $out 2015-06-05 13:00:52 -07:00
William A. Kennington III
867d2c5c46 openssl: Remove References to OPENSSL_X509_CERT_FILE 2015-05-31 15:50:51 -07:00
William A. Kennington III
d6cbb061e3 cacert: Build directly from nss instead of our own tarball 2015-05-29 13:52:07 -07:00
Ricardo M. Correia
aa75bb25d8 grsecurity: Update stable and test patches
stable: 3.1-3.14.41-201505072056 -> 3.1-3.14.41-201505101121
test:   3.1-4.0.2-201505072057   -> 3.1-4.0.2-201505101122
2015-05-11 02:45:38 +02:00
Vladimír Čunát
3b9ef2c71b fix "libc}/lib" and similar references
Done mostly without any verification.
I didn't bother with libc}/include, as the path is still correct.
2015-05-05 11:52:08 +02:00
Philip Potter
2216728979 add support for pam_u2f to nixos pam module
This adds support for authenticating using a U2F device such as a
yubikey neo.
2015-05-03 19:22:00 +01:00
Austin Seipp
8d3b8d0dc8 Merge pull request #7149 from joachifm/grsec-gradm-optional
grsecurity module: configure gradm iff RBAC is enabled
2015-04-13 17:11:29 -05:00
Austin Seipp
b86f6a3ed6 Merge pull request #7148 from joachifm/grsec-trivial
grsecurity module: trivial improvements
2015-04-13 17:10:47 -05:00
Nicolas B. Pierron
6de931a0f8 Merge rename.nix changes. 2015-04-03 23:12:12 +02:00
Arseniy Seroka
8592c6c004 Merge pull request #7150 from joachifm/grsec-types
grsecurity module: use types.enum
2015-04-03 16:03:49 +03:00
Joachim Fasting
3e847d512d grsecurity module: configure gradm iff RBAC is enabled 2015-04-03 13:45:57 +02:00
Joachim Fasting
ba93a75724 grsecurity module: use types.enum
Also
- set desktop as default system
- make virtualisationSoftware nullOr
- make virtualisationConfig nullOr
2015-04-03 13:45:45 +02:00
Joachim Fasting
66c4f51046 grsecurity module: simplify assertion 2015-04-03 13:38:32 +02:00
Joachim Fasting
2e88605a91 grsecurity module: remove reference to systemd-sysctl
First, that's not what the service is called, and secondly it's
most likely irrelevant to the user.
2015-04-03 13:38:32 +02:00
Arseniy Seroka
4fa554e32b Merge pull request #7017 from obadz/sg+sudo-g
Ability to switch groups with sg and sudo -g
2015-04-02 02:11:10 +03:00
obadz
be7f104502 sg: add setuid wrapper. (newgrp is a symlink to sg and was already setuid).
sudo: add ability for wheel users to change group (as well as user)
2015-03-30 23:50:45 +01:00
Austin Seipp
3ff22a924f Merge pull request #6871 from joachifm/apparmor-fixups
Apparmor fixups
2015-03-20 15:36:42 -05:00
Joachim Fasting
532337d673 Cleanup AppArmor module
Remove excessive whitespace & comment sections
2015-03-18 12:07:43 +01:00
Austin Seipp
ef95600372 Merge pull request #6771 from joachifm/apparmor-2.9
Apparmor 2.9
2015-03-15 14:16:24 -05:00
Ricardo M. Correia
7c8247a8c5 grsecurity: Update stable and test patches
stable: 3.1-3.14.35-201503071140 -> 3.1-3.14.35-201503092203
test:   3.1-3.18.9-201503071142  -> 3.1-3.19.1-201503122205
2015-03-15 03:49:58 +01:00
Shea Levy
1d62ad4746 modules.nix: Generate the extra argument set from the configuration
This allows for module arguments to be handled modularly, in particular
allowing the nixpkgs module to handle the nixpkgs import internally.
This creates the __internal option namespace, which should only be added
to by the module system itself.
2015-03-12 23:42:57 +01:00
Joachim Fasting
7a9a24a95e Update AppArmor service module
- Use AppArmor 2.9
- Enable PAM support
2015-03-12 11:49:05 +01:00
obadz
e5d4624420 PAM/eCryptfs now able to mount ecryptfs'd home directories on login 2015-03-08 16:03:51 -07:00
lethalman
c97d7819ab Merge pull request #6624 from joachifm/grsec-lock
nixos: grsec-lock service fixes
2015-03-02 18:49:39 +01:00
Joachim Fasting
18320d3b21 nixos: fix grsec-lock requires 2015-03-02 18:39:04 +01:00
Joachim Fasting
ccd6f5a313 nixos: make the grsec-lock unit depend on the path it writes to
The grsec-lock unit fails unless /proc/sys/kernel/grsecurity/grsec_lock
exists and so prevents switching into a new configuration after enabling
grsecurity.sysctl.
2015-03-02 18:39:01 +01:00
Lluís Batlle i Rossell
b26e939111 fix pam (OATH related)
the pam config was wrong.

Issue #6551
2015-02-24 17:52:41 +01:00
Lluís Batlle i Rossell
4e99901961 nixos: Adding OATH in pam.
(cherry picked from commit cb3cba54a1b87c376d0801238cb827eadb18e39e)

Conflicts:
	nixos/modules/security/pam.nix
2015-02-22 15:25:38 +01:00
Eelco Dolstra
5092d625d6 /etc/ssl/certs/ca-bundle.crt -> ca-certificates.crt
Even though there is no "official" standard location, it's better to
stick to what most distros are using.
2015-02-15 19:06:31 +01:00
Eelco Dolstra
75e1b5e317 Provide symlinks to ca-bundle.crt for compat with other distros
There is no "standard" location for the certificate bundle, so many
programs/libraries have various hard-coded default locations that
don't exist on NixOS. To make these more likely to work, provide
some symlinks.
2015-02-15 19:06:31 +01:00
Eelco Dolstra
d2bfb5ceb0 Add options for installing additional root certificates 2015-02-05 18:08:35 +01:00
Ricardo M. Correia
a11dc2f0a3 grsecurity: Add denyUSB option to grsec NixOS module
The option had been added to the grsec build-support code,
but it hadn't been added to the grsec module.

After this commit, grsec module users will be able to change
the default value. It also serves to document that this option
exists and that NixOS will disable it by default.
2015-01-20 19:18:06 +01:00
Luca Bruno
804a958663 pam: add pam_wheel 2015-01-14 18:32:08 +01:00
Shea Levy
cca8bae86e Merge branch 'rngd-fix' of git://github.com/abbradar/nixpkgs 2015-01-08 09:36:29 -05:00
Nikolay Amiantov
dbc0395b2b nixos/rngd: some fixes 2015-01-06 17:27:07 +03:00
Nikolay Amiantov
a164a0b4c5 nixos/fprintd: add service and pam support 2015-01-03 19:50:40 +03:00
Tobias Geerinckx-Rice
c64257b8e5 Fix user-facing typos (mainly in descriptions) 2014-12-30 03:31:03 +01:00
Ricardo M. Correia
1d44322d53 grsecurity: Update stable and test patches
stable: 3.0-3.14.27-201412211908 -> 3.0-3.14.27-201412280859
test:   3.0-3.17.7-201412211910  -> 3.0-3.18.1-201412281149
2014-12-29 03:00:47 +01:00
Eelco Dolstra
89697b0fc1 Improve /etc/sudoers message 2014-12-18 11:51:42 +01:00
wmertens
3cecef15d7 Revert $GIT_SSL_CAINFO removal
Users have an older git in their user environment and it doesn't work without it. We should keep it around for a while.
2014-12-01 23:07:50 +01:00
wmertens
45c1b9147f Merge pull request #5130 from wmertens/git-ssl-env
Let git use $SSL_CERT_FILE
2014-11-27 13:24:08 +01:00
Wout Mertens
72b81cf8bb Remove unnecessary $GIT_SSL_CAINFO from sys env 2014-11-26 00:30:07 +01:00
Ricardo M. Correia
389143d808 grsecurity: Update assertion msg to correct major kernel versions 2014-11-16 18:52:39 +01:00
Mathijs Kwik
f356cee747 sudo: allow adding extra configuration options to the bottom of sudoers
from sudoers (5):
When multiple entries match for a user, they are applied in order.
Where there are multiple matches, the last match is used (which is not necessarily the most specific match).
2014-11-02 13:27:05 +01:00
Ricardo M. Correia
10348a0f2c grsecurity: Update documentation to mention correct kernels 2014-10-22 16:50:36 +02:00
Eelco Dolstra
bb9ee6a13f Remove some setuid wrappers for non-standard programs 2014-09-05 14:46:36 +02:00
Eelco Dolstra
cd7129a037 Revert "nixos: add setuid wrappers for some networked filesystems' helpers"
This reverts commit 26a4001a98. It
breaks the NFS test:

  http://hydra.nixos.org/build/13943148

Also, having more setuid programs is a bad thing security-wise.
2014-09-05 14:43:11 +02:00
Michael Raskin
419031bcfc Merge pull request #2644 from lethalman/pam_tally
pam: Add logFailures option for adding pam_tally to su
2014-09-02 00:58:30 +04:00
Jan Malakhovski
26a4001a98 nixos: add setuid wrappers for some networked filesystems' helpers
So that `user` mount option would work allowing normal users to mount
and umount stuff marked with it in `fileSystems.<name>.options`.
2014-09-01 10:33:48 +04:00
Jan Malakhovski
8f50d803ef nixos: add support for mkhomedir in PAM 2014-09-01 10:33:48 +04:00
Eelco Dolstra
785ed2b528 Don't silently ignore errors from the activation script 2014-08-15 02:14:34 +02:00
Vladimír Čunát
87c3c0e885 Merge master into #2129
Conflicts (easy, just UID shifted):
	nixos/modules/misc/ids.nix
	nixos/modules/module-list.nix
2014-08-12 19:24:08 +02:00
Eelco Dolstra
36f99a9a82 Set $SSL_CERT_FILE
It's more standard than $OPENSSL_X509_CERT_FILE (which I guess was a
totally unnecessary patch to OpenSSL). Since curl respects
$SSL_CERT_FILE, it's no longer needed to set $CURL_CA_BUNDLE. Git
unfortunately doesn't.
2014-07-28 19:09:32 +02:00
Rastus Vernon
d5daa8ae6f Fix repeated typo
"Can either by" should be "Can either be". There are three occurrences of this mistake, all in descriptions of configuration options.
2014-07-11 23:14:53 -04:00