Commit graph

227 commits

Author SHA1 Message Date
Joachim Fasting
f39d13cd3e
grsecurity doc: describe work-around for gitlab
Fixes https://github.com/NixOS/nixpkgs/issues/20959
2016-12-08 11:59:57 +01:00
Joachim Fasting
984d9ebb56
hidepid: polkit and systemd-logind compatibility
`systemd.hideProcessInformation = true`, would break interactions
requiring polkit arbitration such as initating poweroff/reboot as a
normal user; the polkit daemon cannot be expected to make decisions
about processes that don't exist as far as it is concerned.

systemd-logind lacks the `sys_ptrace` capability and so needs to be part
of the designated proc gid, even though it runs as root.

Fixes https://github.com/NixOS/nixpkgs/issues/20948
2016-12-07 01:12:05 +01:00
Joachim Fasting
0e765c72e5
grsecurity: enable module hardening 2016-12-06 01:23:58 +01:00
Joachim Fasting
31d79afbe5
grsecurity docs: note that pax_sanitize_slab defaults to fast 2016-12-06 01:23:51 +01:00
Joachim Fasting
071fbcda24
grsecurity: enable optional sysfs restrictions
Fairly severe, but can be disabled at bootup via
grsec_sysfs_restrict=0. For the NixOS module we ensure that it is
disabled, for systemd compatibility.
2016-12-06 01:23:36 +01:00
Joachim Fasting
8c1f5afdf3
grsecurity: delay toggling of sysctls until system is up
We generally trust init, so there's little point in having these enabled
during early bootup; it accomplishes little except fill our logs with
spam.
2016-12-06 01:22:53 +01:00
Domen Kožar
75f131da02 acme: ensure nginx challenges directory is writeable 2016-11-29 15:56:01 +01:00
Joachim Fasting
e99228db30
grsecurity module: force a known good kernel package set
Previously, we would only set a default value, on the theory that
`boot.kernelPackages` could be used to sanely configure a custom grsec
kernel.  Regrettably, this is not the case and users who expect e.g.,
`boot.kernelPackages = pkgs.linuxPackages_latest` to work will end up
with a non-grsec kernel (this problem has come up twice on the bug
tracker recently).

With this patch, `security.grsecurity.enable = true` implies
`boot.kernelPackages = linuxPackages_grsec_nixos` and any customization
must be done via package override or by eschewing the module.
2016-11-28 12:11:04 +01:00
Joachim Fasting
2eb6ec1bc4
grsecurity module: remove code pertaining to zfs
I don't know if it still the case that zfs fails to boot; either way,
that's the user's responsibility to contend with.
2016-11-20 23:01:22 +01:00
Joachim Fasting
98935c7103
grsecurity module: remove requiredKernelConfig
Using a custom package set with the NixOS module is no longer
something I wish to support.  It's still *possible* but not
advertised.  Secondly, the requiredKernelConfig didn't really
do anything (setting kernelPackages to a non-grsec kernel would
just silently let the user boot into a non-grsec setup ...).
2016-11-20 23:00:41 +01:00
Joachim Fasting
5ad8a56d16
grsecurity module: remove use of mkEnableOption 2016-11-20 23:00:24 +01:00
Eric Sagnes
9513ab45aa duosec module: use enum 2016-11-16 22:36:05 +09:00
Timofei Kushnir
faa6f9b6b3 grsecurity: fix 'isYes' and 'isNo' 2016-10-29 14:26:06 +03:00
Domen Kožar
41c490b75e acme: we do want to support ipv4 afterall 2016-10-21 13:25:11 +02:00
Domen Kožar
d8f21b3ca3 acme: provide full nginx example
(cherry picked from commit 2af7382f76a6523f1220637b3ec49ad25a02b040)
Signed-off-by: Domen Kožar <domen@dev.si>
2016-10-21 13:19:04 +02:00
Alexander Ried
d91365d714 audit module: only enable service if kernel has audit (#19569) 2016-10-15 16:03:41 +02:00
Franz Pletz
0d59fc1169
cacerts: refactor, add blacklist option
Previously, the list of CA certificates was generated with a perl script
which is included in curl. As this script is not very flexible, this commit
refactors the expression to use the python script that Debian uses to
generate their CA certificates from Mozilla's trust store in NSS.

Additionally, an option was added to the cacerts derivation and the
`security.pki` module to blacklist specific CAs.
2016-10-09 02:00:18 +02:00
Ricardo M. Correia
1623476904 nixos.acme: make timer persistent
This makes sure that if the system was powered off when the timer was
supposed to trigger, it will run the next time the system boots up.
2016-10-03 19:31:42 +02:00
Joachim Fasting
98e2b90cf3
grsecurity doc: note that module autoload hardening is disabled 2016-10-02 19:25:58 +02:00
Joachim Fasting
1bb7b44cd7
grsecurity: make GRKERNSEC y and PAX y implicit
These options should always be specified. Note, an implication of this
change is that not specifying any grsec/PaX options results in a build
failure.
2016-10-02 19:25:58 +02:00
Joachim F
7e80c42b0e Merge pull request #18511 from ericsagnes/feat/remove-optionSet
modules: optionSet -> submodule
2016-10-01 17:57:45 +02:00
Shea Levy
3f02cbbcaf Merge branch 'rngd-wantedBy' of git://github.com/srp/nixpkgs-1 2016-09-19 19:06:51 -04:00
Scott R. Parish
a560223119 rngd: update modalias to match cpu type
It looks like the cpu type part of modalias might have changed, my
systems (4.4.20 and 4.7.2) show something like the following:

```
cpu:type:x86,ven0000fam0006mod003F:feature:,0000,0001,0002,0003,0004,0005,0006,0007,0008,0009,000B,000C,000D,000E,000F,0010,0011,0013,0017,0018,0019,001A,001C,002B,0034,003B,003D,0068,006F,0070,0072,0074,0075,0076,007D,0080,0081,0089,008C,008D,0091,0093,0094,0095,0096,0097,0098,0099,009A,009B,009C,009D,009E,009F,00C0,00C5,0120,0123,0125,0127,0128,0129,012A,0140
```

Update the rngd modalias rule to match this so udev properly has
systemd start rngd.
2016-09-17 18:36:57 -07:00
Thomas Tuegel
9300b4903f
Revert "nixos/pam: clean up generated files (no functional change) (#18580)"
This reverts commit 1010271c63.
This reverts commit e85e51d41f.

The first commit causes multiple regressions. The second commit tries to
fix the regressions, but does not catch all of them. There are multiple
failing tests, one of which is blocking a package update. That is not
acceptable for a cosmetic patch.
2016-09-17 16:39:49 -05:00
aszlig
e85e51d41f
nixos/pam: Fix wrong string concatenation
Regression introduced by 1010271c63.

This caused the line after using the loginuid module to be concatenated
with the next line without a newline.

In turn this has caused a lot of the NixOS VM tests to either run very
slowly (because of constantly hitting PAM errors) or simply fail.

I have tested this only with one of the failing NixOS tests.

Signed-off-by: aszlig <aszlig@redmoonstudios.org>
2016-09-16 15:36:31 +02:00
Joachim Fasting
527b3dc1df
hidepid module: detailed description to external doc 2016-09-15 15:36:03 +02:00
Bjørn Forsman
1010271c63 nixos/pam: clean up generated files (no functional change) (#18580)
The generated files in /etc/pam.d/ typically have a lot of empty lines
in them, due to how the generated Nix strings are joined together;
optional elements that are excluded still produce a newline. This patch
changes how the files are generated to create more compact,
human-friendly output files.

The change is basically this, repeated:

-  ''
-    ${optionalString use_ldap
-        "account sufficient ${pam_ldap}/lib/security/pam_ldap.so"}
-  ''
+  optionalString use_ldap ''
+    account sufficient ${pam_ldap}/lib/security/pam_ldap.so
+  ''
2016-09-14 11:56:07 +01:00
Roger Qiu
de0737aed5 sudo: Allow root to use sudo to switch groups 2016-09-13 23:15:56 +10:00
Eric Sagnes
fff4a9ee01 pam module: optionSet -> submodule 2016-09-13 12:53:09 +09:00
Eric Sagnes
3acf336f15 acme module: optionSet -> submodule 2016-09-13 12:53:09 +09:00
Franz Pletz
9190dbcc0e Merge pull request #18366 from groxxda/acme-loop
security.acme: require networking for client, remove loop without fallbackHost
2016-09-06 23:02:07 +02:00
Alexander Ried
7f98dca782 security.acme: the client really needs networking
Actually this can be improved since the client only needs network
connectivity if it needs to renew the certificate.
2016-09-06 17:47:00 +02:00
Eelco Dolstra
98102ebd92 Enable the runuser command from util-linux
Fixes #14701.
2016-09-06 17:23:27 +02:00
Joachim Fasting
269f739ded
grsecurity module: set nixpkgs.config.grsecurity = true 2016-09-05 00:56:17 +02:00
Domen Kožar
393e646e4f setuid-wrappers: correctly umount the tmpfs 2016-09-04 17:56:00 +02:00
Karn Kallio
8d977ead38
setuid-wrappers : Prepare permissions for running wrappers
The new setuid-wrappers in /run cannot be executed by users due to:

1) the temporary directory does not allow access
2) the /run is mounted nosuid
2016-09-04 03:19:32 +02:00
Domen Kožar
a6670c1a0b Fixes #18124: atomically replace /var/setuid-wrappers/ (#18186)
Before this commit updating /var/setuid-wrappers/ folder introduced
a small window where NixOS activation scripts could be terminated
and resulted into empty /var/setuid-wrappers/ folder.

That's very unfortunate because one might lose sudo binary.

Instead we use two atomic operations mv and ln (as described in
https://axialcorps.com/2013/07/03/atomically-replacing-files-and-directories/)
to achieve atomicity.

Since /var/setuid-wrappers is not a directory anymore, tmpfs mountpoints
were removed in installation scripts and in boot process.

Tested:

- upgrade /var/setuid-wrappers/ from folder to a symlink
- make sure /run/setuid-wrappers-dirs/ legacy symlink is really deleted
2016-09-01 20:57:51 +02:00
Tuomas Tynkkynen
8c4aeb1780 Merge staging into master
Brings in:
    - changed output order for multiple outputs:
      https://github.com/NixOS/nixpkgs/pull/14766
    - audit disabled by default
      https://github.com/NixOS/nixpkgs/pull/17916

 Conflicts:
	pkgs/development/libraries/openldap/default.nix
2016-09-01 13:27:27 +03:00
Tuomas Tynkkynen
16b3e26da4 audit: Disable by default
Because in its default enabled state it it causes a global performance
hit on all system calls (https://fedorahosted.org/fesco/ticket/1311) and
unwanted spam in dmesg, in particular when using Chromium
(https://github.com/NixOS/nixpkgs/issues/13710).
2016-08-31 23:15:41 +03:00
Tuomas Tynkkynen
5eff0b990c audit service: Explicitly call auditctl to disable everything
Otherwise, journald might be starting auditing.
Some reading:
    - https://fedorahosted.org/fesco/ticket/1311
    - https://github.com/systemd/systemd/issues/959
    - 64f83d3087
2016-08-31 23:15:32 +03:00
Domen Kožar
d8d75ddec6 Revert "setuid-wrappers: Update wrapper dir atomically."
This reverts commit ee535056ce.

It doesn't work yet.
2016-08-31 16:25:18 +02:00
Nikolay Amiantov
4499a505ed hidepid service: use new boot.specialFileSystems 2016-08-31 17:16:41 +03:00
Shea Levy
ee535056ce setuid-wrappers: Update wrapper dir atomically.
Fixes #18124.
2016-08-31 08:00:57 -04:00
Nikolay Amiantov
509733a343 Merge pull request #17822 from abbradar/systemd-mounts
nixos filesystems: unify special filesystems handling
2016-08-30 22:42:19 +04:00
Joachim Fasting
dab32a1fa6
nixos manual: move chapter on grsecurity to auto-generated module docs 2016-08-29 23:48:12 +02:00
Domen Kožar
e01e92f12f Merge pull request #15025 from ericsagnes/modules/manual
manual: automatically generate modules documentation
2016-08-28 13:57:34 +02:00
Nikolay Amiantov
6efcfe03ae nixos filesystems: unify early filesystems handling
A new internal config option `fileSystems.<name>.early` is added to indicate
that the filesystem needs to be loaded very early (i.e. in initrd). They are
transformed to a shell script in `system.build.earlyMountScript` with calls to
an undefined `specialMount` function, which is expected to be caller-specific.
This option is used by stage-1, stage-2 and activation script to set up and
remount those filesystems.  Options for them are updated according to systemd
defaults.
2016-08-27 13:38:20 +03:00
Nikolay Amiantov
3f70fcd4c1 Merge pull request #11484 from oxij/nixos-toposort-filesystems
lib: add toposort, nixos: use toposort for fileSystems to properly support bind and move mounts
2016-08-27 14:34:55 +04:00
Markus Mueller
e04c3506eb ldap: Add option for login PAM integration 2016-08-23 21:12:51 +02:00
Jan Malakhovski
65d26c4dc1 nixos: apply toposort to fileSystems to support bind and move mounts
And use new `config.system.build.fileSystems` property everywhere.
2016-08-23 18:14:05 +00:00