75b9a7beac
This patch replaces the old grsecurity kernels with a single NixOS specific grsecurity kernel. This kernel is intended as a general purpose kernel, tuned for casual desktop use. Providing only a single kernel may seem like a regression compared to offering a multitude of flavors. It is impossible, however, to effectively test and support that many options. This is amplified by the reality that very few seem to actually use grsecurity on NixOS, meaning that bugs go unnoticed for long periods of time, simply because those code paths end up never being exercised. More generally, it is hopeless to anticipate imagined needs. It is better to start from a solid foundation and possibly add more flavours on demand. While the generic kernel is intended to cover a wide range of use cases, it cannot cover everything. For some, the configuration will be either too restrictive or too lenient. In those cases, the recommended solution is to build a custom kernel --- this is *strongly* recommended for security sensitive deployments. Building a custom grsec kernel should be as simple as ```nix linux_grsec_nixos.override { extraConfig = '' GRKERNSEC y PAX y # and so on ... ''; } ``` The generic kernel should be usable both as a KVM guest and host. When running as a host, the kernel assumes hardware virtualisation support. Virtualisation systems other than KVM are *unsupported*: users of non-KVM systems are better served by compiling a custom kernel. Unlike previous Grsecurity kernels, this configuration disables `/proc` restrictions in favor of `security.hideProcessInformation`. Known incompatibilities: - ZFS: can't load spl and zfs kernel modules; claims incompatibility with KERNEXEC method `or` and RAP; changing to `bts` does not fix the problem, which implies we'd have to disable RAP as well for ZFS to work - `kexec()`: likely incompatible with KERNEXEC (unverified) - Xen: likely incompatible with KERNEXEC and UDEREF (unverified) - Virtualbox: likely incompatible with UDEREF (unverified)
15 lines
938 B
Diff
15 lines
938 B
Diff
diff -ru a/kernel/kmod.c b/kernel/kmod.c
|
|
--- a/kernel/kmod.c 2016-04-21 17:06:09.882281660 +0200
|
|
+++ b/kernel/kmod.c 2016-04-21 17:08:17.458949309 +0200
|
|
@@ -294,7 +294,9 @@
|
|
strncmp(sub_info->path, "/lib/", 5) && strncmp(sub_info->path, "/lib64/", 7) &&
|
|
strncmp(sub_info->path, "/usr/libexec/", 13) && strncmp(sub_info->path, "/usr/bin/", 9) &&
|
|
strncmp(sub_info->path, "/usr/sbin/", 10) && strcmp(sub_info->path, "/bin/false") &&
|
|
- strcmp(sub_info->path, "/usr/share/apport/apport")) || strstr(sub_info->path, "..")) {
|
|
+ strcmp(sub_info->path, "/usr/share/apport/apport") &&
|
|
+ strncmp(sub_info->path, "/nix/store/", 11) &&
|
|
+ strncmp(sub_info->path, "/run/current-system/systemd/lib/", 32)) || strstr(sub_info->path, "..")) {
|
|
printk(KERN_ALERT "grsec: denied exec of usermode helper binary %.950s located outside of permitted system paths\n", sub_info->path);
|
|
retval = -EPERM;
|
|
goto out;
|