Hi, I'm attaching a simple patch that allows you to use a kernel with grsecurity, PaX and AppArmor enabled, just in case it's useful to anyone.
It requires the following changes to be applied first: https://github.com/NixOS/nixpkgs/pull/802

I am not sending a pull request for this new kernel directly because it needs further work to allow customization of the grsec kernel config options from /etc/nixos/configuration.nix, and I don't have time to investigate how to do that right now. In particular, you need to specify whether the machine is a server or a desktop; whether it's running as a VM guest, host or simply on bare metal; whether hardware or software virtualization is being used; and whether you prefer more security or more performance. You can accomplish that by changing the GRKERNSEC_CONFIG_* options, which you can see in the patch (I enabled the ones I personally use). You can find a reference for these options here: https://en.wikibooks.org/wiki/Grsecurity/Appendix/Grsecurity_and_PaX_Configuration_Options#Configuration_Method

In order to use the new kernel and features, you also need to add "boot.kernelPackages = pkgs.linuxPackages_3_2_hardened;" and "security.apparmor.enable = true;" to your configuration. You may also need to create AppArmor profiles for the programs you are interested in confining.

If you are doing chroot builds and running the new kernel, package installation may fail due to "chmod +s" protection (apparently it can be used to break out of the chroot). As a quick workaround, you can disable this protection temporarily during package installation:

    # sysctl -w kernel.grsecurity.chroot_deny_chmod=0

You should probably re-enable it afterwards. I'm sure there are better ways to do this, though.

To make sure the kernel has been properly installed and is running, I suggest running "dmesg" as a normal user: it should fail with "operation not permitted".

I hope this is useful to someone.
PS: you can re-enable the following kernel config options, but you will lose the corresponding security features:

    Xen support -> disables "Prevent invalid userland pointer dereference" (MEMORY_UDEREF)
    Hibernation -> disables "Sanitize all freed memory" (MEMORY_SANITIZE)

Thanks,
Ricardo
[Attachment: grsec.patch (binary data)]
_______________________________________________ nix-dev mailing list [email protected] http://lists.science.uu.nl/mailman/listinfo/nix-dev
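The chroot workaround and the dmesg check from the mail above, written out as a small shell script. This is an added example, not code from the original post or from nixpkgs: it saves the current value of kernel.grsecurity.chroot_deny_chmod, clears it only while the given command (a chroot build or package install) runs, and puts the saved value back even if the command fails or the script is interrupted, which addresses the "you should probably re-enable it afterwards" step. The SYSCTL variable and the script name grsec-chroot-build.sh are assumptions made here so the wrapper can be exercised with a stub on a machine without a grsecurity kernel; the sysctl key and the dmesg behaviour are the ones the mail describes.

```shell
#!/bin/sh
# Added example (not part of the original mail). Temporarily relax
# grsecurity's chroot_deny_chmod protection around one command and restore
# the previous setting afterwards. Run the wrapper as root.
#
# SYSCTL is an assumption for this example: it lets the wrapper be tested
# with a stub instead of the real sysctl(8) binary.
SYSCTL="${SYSCTL:-sysctl}"
GRSEC_KEY="kernel.grsecurity.chroot_deny_chmod"

with_chroot_chmod_allowed() {
    # Remember what was there so we restore exactly that value, not "1".
    saved=$("$SYSCTL" -n "$GRSEC_KEY") || {
        echo "cannot read $GRSEC_KEY (not a grsecurity kernel?)" >&2
        return 1
    }
    "$SYSCTL" -w "$GRSEC_KEY=0" >/dev/null || return 1
    # Restore if we are interrupted while the command is running.
    trap '"$SYSCTL" -w "$GRSEC_KEY=$saved" >/dev/null' EXIT INT TERM
    "$@"
    rc=$?
    # Restore on the normal path too, then drop the trap.
    "$SYSCTL" -w "$GRSEC_KEY=$saved" >/dev/null
    trap - EXIT INT TERM
    return "$rc"
}

# The sanity check from the mail: with the grsecurity dmesg restriction
# active, an unprivileged user must be denied when reading the kernel log.
# Returns 0 if restricted, 1 if dmesg succeeded, 2 if run as root.
dmesg_restricted() {
    if [ "$(id -u)" -eq 0 ]; then
        echo "run this check as a normal user, not as root" >&2
        return 2
    fi
    if dmesg >/dev/null 2>&1; then
        echo "dmesg succeeded: grsecurity dmesg restriction is NOT active" >&2
        return 1
    fi
    echo "dmesg denied for uid $(id -u): grsecurity dmesg restriction active"
    return 0
}

# Usage (as root):  ./grsec-chroot-build.sh nix-env -i somepackage
if [ "$#" -gt 0 ]; then
    with_chroot_chmod_allowed "$@"
fi
```

The exit status of the wrapped command is passed through, so a failing build still fails the wrapper after the protection has been re-enabled. Keep the window small: only the command that actually needs chmod +s inside the chroot should run under the wrapper.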
