[Nix-dev] Secure NixOS

joachifm at fastmail.fm
Mon Dec 7 13:35:44 CET 2015


On Mon, Dec 7, 2015, at 12:14 PM, zimbatm wrote:
> [...]
> (3) is already supported by adding `security.grsecurity.enable` to your
> configuration.nix file.
To be frank, grsecurity support in NixOS is user-unfriendly. My biggest
gripe is that the implementation is biased towards compile-time tuning
of run-time behavior. I proposed a few patches towards a sysctl oriented
implementation, but they failed to gain traction (granted, the patches
are imperfect and incomplete). What is more, the lack of a satisfying
method of applying appropriate PaX flags to binaries, à la paxd, greatly
impedes use of Grsecurity/PaX on the desktop. Finally, I failed to get
RBAC to actually work, in its current form.

I have found it easier to simply switch to a distro with proper
Grsecurity/PaX support. If I continue to tinker with NixOS, it will be
in a virtual machine.

Just my 2 NOK ...
