Branch: refs/heads/master
Home: https://github.com/NixOS/nixpkgs
Commit: d8e4432fe26c2b9aaa4eedfb17d77d0cbd9492cf
https://github.com/NixOS/nixpkgs/commit/d8e4432fe26c2b9aaa4eedfb17d77d0cbd9492cf
Author: Joachim Fasting <[email protected]>
Date: 2016-06-10 (Fri, 10 Jun 2016)
Changed paths:
M pkgs/os-specific/linux/kernel/common-config.nix
Log Message:
-----------
kernel: unconditionally disable /dev/kmem
This was presumably set for grsecurity compatibility, but now appears
redundant. Grsecurity does not expect nor require /dev/kmem to be
present and so it makes little sense to continue making its inclusion in
the standard kernel dependent on grsecurity.
More generally, given the large number of possible grsecurity
configurations, it is unclear what `features.grsecurity` even
*means* and its use should be discouraged.
Commit: 4ae5eb97f12218525ebb3657b311ac52e21c8418
https://github.com/NixOS/nixpkgs/commit/4ae5eb97f12218525ebb3657b311ac52e21c8418
Author: Joachim Fasting <[email protected]>
Date: 2016-06-10 (Fri, 10 Jun 2016)
Changed paths:
M pkgs/os-specific/linux/kernel/common-config.nix
Log Message:
-----------
kernel: set virtualization options regardless of grsec
Per my own testing, the NixOS grsecurity kernel works both as a
KVM-based virtualisation host and guest; there appears to be no good
reason to making these conditional on `features.grsecurity`.
More generally, it's unclear what `features.grsecurity` *means*. If
someone configures a grsecurity kernel in such a fashion that it breaks
KVM support, they should know to disable KVM themselves.
Commit: 75b9a7beac4529fcff9e452e5e88f6ddfb4567f6
https://github.com/NixOS/nixpkgs/commit/75b9a7beac4529fcff9e452e5e88f6ddfb4567f6
Author: Joachim Fasting <[email protected]>
Date: 2016-06-14 (Tue, 14 Jun 2016)
Changed paths:
M pkgs/build-support/grsecurity/default.nix
R pkgs/build-support/grsecurity/flavors.nix
A pkgs/os-specific/linux/kernel/grsecurity-nixos-config.nix
A pkgs/os-specific/linux/kernel/grsecurity-nixos-kmod.patch
R pkgs/os-specific/linux/kernel/grsecurity-path-4.5.patch
R pkgs/os-specific/linux/kernel/linux-grsecurity-4.5.nix
A pkgs/os-specific/linux/kernel/linux-grsecurity.nix
M pkgs/os-specific/linux/kernel/patches.nix
M pkgs/top-level/all-packages.nix
Log Message:
-----------
grsecurity: implement a single NixOS kernel
This patch replaces the old grsecurity kernels with a single NixOS
specific grsecurity kernel. This kernel is intended as a general
purpose kernel, tuned for casual desktop use.
Providing only a single kernel may seem like a regression compared to
offering a multitude of flavors. It is impossible, however, to
effectively test and support that many options. This is amplified by
the reality that very few seem to actually use grsecurity on NixOS,
meaning that bugs go unnoticed for long periods of time, simply because
those code paths end up never being exercised. More generally, it is
hopeless to anticipate imagined needs. It is better to start from a
solid foundation and possibly add more flavours on demand.
While the generic kernel is intended to cover a wide range of use cases,
it cannot cover everything. For some, the configuration will be either
too restrictive or too lenient. In those cases, the recommended
solution is to build a custom kernel --- this is *strongly* recommended
for security sensitive deployments.
Building a custom grsec kernel should be as simple as
```nix
linux_grsec_nixos.override {
extraConfig = ''
GRKERNSEC y
PAX y
# and so on ...
'';
}
```
The generic kernel should be usable both as a KVM guest and host. When
running as a host, the kernel assumes hardware virtualisation support.
Virtualisation systems other than KVM are *unsupported*: users of
non-KVM systems are better served by compiling a custom kernel.
Unlike previous Grsecurity kernels, this configuration disables `/proc`
restrictions in favor of `security.hideProcessInformation`.
Known incompatibilities:
- ZFS: can't load spl and zfs kernel modules; claims incompatibility
with KERNEXEC method `or` and RAP; changing to `bts` does not fix the
problem, which implies we'd have to disable RAP as well for ZFS to
work
- `kexec()`: likely incompatible with KERNEXEC (unverified)
- Xen: likely incompatible with KERNEXEC and UDEREF (unverified)
- Virtualbox: likely incompatible with UDEREF (unverified)
Commit: 0677cc61c8fae0b699a9be837c897b8d7b6d837c
https://github.com/NixOS/nixpkgs/commit/0677cc61c8fae0b699a9be837c897b8d7b6d837c
Author: Joachim Fasting <[email protected]>
Date: 2016-06-14 (Tue, 14 Jun 2016)
Changed paths:
M nixos/modules/rename.nix
M nixos/modules/security/grsecurity.nix
Log Message:
-----------
nixos: rewrite the grsecurity module
The new module is specifically adapted to the NixOS Grsecurity/PaX
kernel. The module declares the required kernel configurations and
so *should* be somewhat compatible with custom Grsecurity kernels.
The module exposes only a limited number of options, minimising the need
for user intervention beyond enabling the module. For experts,
Grsecurity/PaX behavior may be configured via `boot.kernelParams` and
`boot.kernel.sysctl`.
The module assumes the user knows what she's doing (esp. if she decides
to modify configuration values not directly exposed by the module).
Administration of Grsecurity's role based access control system is yet
to be implemented.
Commit: a53452f3e12f4feb76a5169149d93c3bd5359363
https://github.com/NixOS/nixpkgs/commit/a53452f3e12f4feb76a5169149d93c3bd5359363
Author: Joachim Fasting <[email protected]>
Date: 2016-06-14 (Tue, 14 Jun 2016)
Changed paths:
M nixos/modules/config/users-groups.nix
M nixos/modules/misc/ids.nix
Log Message:
-----------
nixos: remove the grsecurity GID
This GID was used to exempt users from Grsecurity's
`/proc` restrictions; we now prefer to rely on
`security.hideProcessInformation`, which uses the `proc` group
for this purpose. That leaves no use for the grsecurity GID.
More generally, having only a single GID to, presumably, serve as the
default for all of grsecurity's GID based exemption/resriction schemes
would be problematic in any event, so if we decide to enable those
grsecurity features in the future, more specific GIDs should be added.
Commit: 09cf92ccee755bb67ecbf1b5928ef58eb43016f7
https://github.com/NixOS/nixpkgs/commit/09cf92ccee755bb67ecbf1b5928ef58eb43016f7
Author: Joachim Fasting <[email protected]>
Date: 2016-06-14 (Tue, 14 Jun 2016)
Changed paths:
M nixos/tests/grsecurity.nix
Log Message:
-----------
nixos: flesh out the grsecurity test suite
I've failed to figure out what why `paxtest blackhat` hangs the vm, and
have resigned to running individual `paxtest` programs. This provides
limited coverage, but at least verifies that some important features are
in fact working.
Ideas for future work includes a subtest for basic desktop
functionality.
Commit: dae5f53d257817a33d6f59a2abf1f75634af1ab0
https://github.com/NixOS/nixpkgs/commit/dae5f53d257817a33d6f59a2abf1f75634af1ab0
Author: Joachim Fasting <[email protected]>
Date: 2016-06-14 (Tue, 14 Jun 2016)
Changed paths:
M pkgs/applications/virtualization/qemu/default.nix
Log Message:
-----------
qemu: apply PaX markings
Commit: 544b42f8f567ad573b04131f0bc5f5bee0f60c66
https://github.com/NixOS/nixpkgs/commit/544b42f8f567ad573b04131f0bc5f5bee0f60c66
Author: Joachim Fasting <[email protected]>
Date: 2016-06-14 (Tue, 14 Jun 2016)
Changed paths:
M pkgs/top-level/release.nix
Log Message:
-----------
top-level/release.nix: remove obsolete grsec jobs
Commit: 7bda8f0a8fc38e3cccd565521342ec9aaeffb297
https://github.com/NixOS/nixpkgs/commit/7bda8f0a8fc38e3cccd565521342ec9aaeffb297
Author: Joachim Fasting <[email protected]>
Date: 2016-06-14 (Tue, 14 Jun 2016)
Changed paths:
M pkgs/top-level/all-packages.nix
Log Message:
-----------
grsecurity: add a xen guest kernel
This is for the benefit of users who want to quickly get up and running
on a Xen host, for which the stock NixOS kernel is likely unsuitable.
Commit: 886c03ad2ec5fed59831bd552d34ba03327f2ac7
https://github.com/NixOS/nixpkgs/commit/886c03ad2ec5fed59831bd552d34ba03327f2ac7
Author: Joachim Fasting <[email protected]>
Date: 2016-06-14 (Tue, 14 Jun 2016)
Changed paths:
M nixos/modules/config/users-groups.nix
M nixos/modules/misc/ids.nix
M nixos/modules/rename.nix
M nixos/modules/security/grsecurity.nix
M nixos/tests/grsecurity.nix
M pkgs/applications/virtualization/qemu/default.nix
M pkgs/build-support/grsecurity/default.nix
R pkgs/build-support/grsecurity/flavors.nix
M pkgs/os-specific/linux/kernel/common-config.nix
A pkgs/os-specific/linux/kernel/grsecurity-nixos-config.nix
A pkgs/os-specific/linux/kernel/grsecurity-nixos-kmod.patch
R pkgs/os-specific/linux/kernel/grsecurity-path-4.5.patch
R pkgs/os-specific/linux/kernel/linux-grsecurity-4.5.nix
A pkgs/os-specific/linux/kernel/linux-grsecurity.nix
M pkgs/os-specific/linux/kernel/patches.nix
M pkgs/top-level/all-packages.nix
M pkgs/top-level/release.nix
Log Message:
-----------
Merge pull request #16107 from joachifm/grsec-ng
Rework grsecurity support
Compare: https://github.com/NixOS/nixpkgs/compare/3123c7df37ac...886c03ad2ec5_______________________________________________
nix-commits mailing list
[email protected]
http://lists.science.uu.nl/mailman/listinfo/nix-commits
