mirror of
https://github.com/ilyakooo0/nixpkgs.git
synced 2024-12-28 14:22:50 +03:00
grsecurity: delay toggling of sysctls until system is up
We generally trust init, so there's little point in having these enabled during early bootup; it accomplishes little except fill our logs with spam.
This commit is contained in:
parent
601b47ab94
commit
8c1f5afdf3
@ -109,19 +109,62 @@ in
|
||||
boot.kernel.sysctl = {
|
||||
# Read-only under grsecurity
|
||||
"kernel.kptr_restrict" = mkForce null;
|
||||
|
||||
# All grsec tunables default to off, those not enabled below are
|
||||
# *disabled*. We use mkDefault to allow expert users to override
|
||||
# our choices, but use mkForce where tunables would outright
|
||||
# conflict with other settings.
|
||||
|
||||
# Enable all chroot restrictions by default (overwritten as
|
||||
# necessary below)
|
||||
"kernel.grsecurity.chroot_caps" = mkDefault 1;
|
||||
"kernel.grsecurity.chroot_deny_bad_rename" = mkDefault 1;
|
||||
"kernel.grsecurity.chroot_deny_chmod" = mkDefault 1;
|
||||
"kernel.grsecurity.chroot_deny_chroot" = mkDefault 1;
|
||||
"kernel.grsecurity.chroot_deny_fchdir" = mkDefault 1;
|
||||
"kernel.grsecurity.chroot_deny_mknod" = mkDefault 1;
|
||||
"kernel.grsecurity.chroot_deny_mount" = mkDefault 1;
|
||||
"kernel.grsecurity.chroot_deny_pivot" = mkDefault 1;
|
||||
"kernel.grsecurity.chroot_deny_shmat" = mkDefault 1;
|
||||
"kernel.grsecurity.chroot_deny_sysctl" = mkDefault 1;
|
||||
"kernel.grsecurity.chroot_deny_unix" = mkDefault 1;
|
||||
"kernel.grsecurity.chroot_enforce_chdir" = mkDefault 1;
|
||||
"kernel.grsecurity.chroot_findtask" = mkDefault 1;
|
||||
"kernel.grsecurity.chroot_restrict_nice" = mkDefault 1;
|
||||
|
||||
# Enable various grsec protections
|
||||
"kernel.grsecurity.consistent_setxid" = mkDefault 1;
|
||||
"kernel.grsecurity.deter_bruteforce" = mkDefault 1;
|
||||
"kernel.grsecurity.fifo_restrictions" = mkDefault 1;
|
||||
"kernel.grsecurity.harden_ipc" = mkDefault 1;
|
||||
"kernel.grsecurity.harden_ptrace" = mkDefault 1;
|
||||
"kernel.grsecurity.harden_tty" = mkDefault 1;
|
||||
"kernel.grsecurity.ip_blackhole" = mkDefault 1;
|
||||
"kernel.grsecurity.linking_restrictions" = mkDefault 1;
|
||||
"kernel.grsecurity.ptrace_readexec" = mkDefault 1;
|
||||
|
||||
# Enable auditing
|
||||
"kernel.grsecurity.audit_ptrace" = mkDefault 1;
|
||||
"kernel.grsecurity.forkfail_logging" = mkDefault 1;
|
||||
"kernel.grsecurity.rwxmap_logging" = mkDefault 1;
|
||||
"kernel.grsecurity.signal_logging" = mkDefault 1;
|
||||
"kernel.grsecurity.timechange_logging" = mkDefault 1;
|
||||
} // optionalAttrs config.nix.useSandbox {
|
||||
# chroot(2) restrictions that conflict with sandboxed Nix builds
|
||||
"kernel.grsecurity.chroot_caps" = mkForce 0;
|
||||
"kernel.grsecurity.chroot_deny_chmod" = mkForce 0;
|
||||
"kernel.grsecurity.chroot_deny_chroot" = mkForce 0;
|
||||
"kernel.grsecurity.chroot_deny_mount" = mkForce 0;
|
||||
"kernel.grsecurity.chroot_deny_pivot" = mkForce 0;
|
||||
"kernel.grsecurity.chroot_deny_chmod" = mkForce 0;
|
||||
} // optionalAttrs containerSupportRequired {
|
||||
# chroot(2) restrictions that conflict with NixOS lightweight containers
|
||||
"kernel.grsecurity.chroot_caps" = mkForce 0;
|
||||
"kernel.grsecurity.chroot_deny_chmod" = mkForce 0;
|
||||
"kernel.grsecurity.chroot_deny_mount" = mkForce 0;
|
||||
"kernel.grsecurity.chroot_restrict_nice" = mkForce 0;
|
||||
"kernel.grsecurity.chroot_caps" = mkForce 0;
|
||||
# Disable privileged IO by default, unless X is enabled
|
||||
} // optionalAttrs (!config.services.xserver.enable) {
|
||||
"kernel.grsecurity.disable_priv_io" = mkDefault 1;
|
||||
};
|
||||
|
||||
};
|
||||
|
@ -55,5 +55,6 @@ GRKERNSEC_MODHARDEN n
|
||||
|
||||
GRKERNSEC_SYSCTL y
|
||||
GRKERNSEC_SYSCTL_DISTRO y
|
||||
GRKERNSEC_SYSCTL_ON y
|
||||
# Assume that appropriate sysctls are toggled once the system is up
|
||||
GRKERNSEC_SYSCTL_ON n
|
||||
''
|
||||
|
Loading…
Reference in New Issue
Block a user