[Nix-dev] grsecurity

peter.romfeld.hk at gmail.com peter.romfeld.hk at gmail.com
Mon Jan 5 05:29:12 CET 2015


When I use:

packageOverrides = pkgs: {
        linuxPackages = pkgs.linuxPackages_3_11_grsecurity;

or

packageOverrides = pkgs: {
        linuxPackages = pkgs.linuxPackages_3_2_grsecurity;

I get:
error: attribute ‘linuxPackages_3_{11,2}_grsecurity’ missing, at 
"/etc/nixos/configuration.nix":18:23

If I just comment it out I get:
builder for ‘/nix/store/f3ki9ligga217d44zaprbqybl3vq0pmj-linux-config-3.2.64.drv’ failed with exit code 255
cannot build derivation ‘/nix/store/a0ydf19bz5pqjv26kmqx948wsmnxzmfa-linux-3.2.64.drv’: 1 dependencies couldn't be built
cannot build derivation ‘/nix/store/hg31v8gq8jpcd3i7a4mgwhv7l049sfq2-nixos-15.05pre54730.cbe467e.drv’: 1 dependencies couldn't be built
error: build of ‘/nix/store/hg31v8gq8jpcd3i7a4mgwhv7l049sfq2-nixos-15.05pre54730.cbe467e.drv’ failed

If I use:
boot.kernelPackages = pkgs.linuxPackages_grsecurity_stable;
security.grsecurity = {
  enable = true;
  stable = true;
  config = {
    verboseVersion = true;
#    priority = "security";
    system = "desktop";
    virtualisationConfig = "host";
    hardwareVirtualisation = true;
    virtualisationSoftware = "kvm";
    kernelExtraConfig = ''
      XEN n
      HIBERNATION n
      DEVKMEM? n
    '';
  };
};

The build works, but at reboot I get a kernel panic: no init found.

I'm not sure, but it looks like if I use security.grsecurity I should
be able to somehow tell it to apply the grsecurity patch to my current
kernel?

I also tried with kernel 3.14, same problems.

my config:
http://pastebin.com/K7yEWRk4

cheers,
peter
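A check for the kernelExtraConfig situation above, added here as an example (it is not from the thread or from nixpkgs): it takes NixOS-style `NAME value` lines, treats a trailing `?` as an option that may be absent from the config (assumed to match the meaning nixpkgs gives that marker), and verifies them against a kernel `.config`, so a grsec option that never made it into the build is caught before rebooting into a kernel that panics. The `.config` it reads is a constructed sample and `check_extra_config` is a hypothetical helper name.

```shell
# Added example (not from the thread or nixpkgs): check NixOS-style
# kernelExtraConfig lines ("NAME value"; trailing "?" = option may be absent,
# assumed to match nixpkgs' meaning) against a kernel .config.
# check_extra_config <.config path> <kernelExtraConfig text>
# Prints one line per unmet requirement; returns 0 only if all are met.
check_extra_config() {
  cfg=$1; extra=$2; rc=0
  while read -r name want; do
    [ -z "$name" ] && continue
    optional=0
    case $name in *\?) name=${name%\?}; optional=1 ;; esac
    key="CONFIG_$name"
    # Actual value: y/m/number/string, "n" for "is not set", else missing.
    if grep -q "^$key=" "$cfg"; then
      have=$(sed -n "s/^$key=//p" "$cfg" | head -n 1)
    elif grep -q "^# $key is not set" "$cfg"; then
      have=n
    else
      have=missing
    fi
    if [ "$have" = missing ]; then
      [ "$optional" -eq 1 ] || { echo "$key: required but absent"; rc=1; }
    elif [ "$have" != "$want" ]; then
      echo "$key: want $want, have $have"; rc=1
    fi
  done <<EOF
$extra
EOF
  return $rc
}

# Constructed sample standing in for /boot/config-<version>; the options
# are the ones named in the thread.
SAMPLE_CONFIG=$(mktemp)
cat > "$SAMPLE_CONFIG" <<'EOF'
CONFIG_GRKERNSEC=y
CONFIG_GRKERNSEC_CONFIG_DESKTOP=y
CONFIG_GRKERNSEC_PROC_GID=0
# CONFIG_XEN is not set
CONFIG_HIBERNATION=y
EOF

# Demo: XEN and GRKERNSEC match, DEVKMEM is absent but optional,
# HIBERNATION mismatches and is reported.
check_extra_config "$SAMPLE_CONFIG" 'XEN n
HIBERNATION n
DEVKMEM? n
GRKERNSEC y' || echo "kernelExtraConfig not satisfied"
```

On a real system point it at `/boot/config-$(uname -r)` or a gunzipped `/proc/config.gz` and pass the same text you put in `kernelExtraConfig`.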

On 01/03/2015 03:19 PM, Raahul Kumar wrote:
> Can you put your entire configuration.nix in a pastebin site or a 
> GitHub gist? I can only suggest the other alternative working kernel 
> 3.11, or AppArmor.
> Please let us know which one works.
>
>     nixpkgs.config = {
>       grsecurity = true;
>     
>       packageOverrides = pkgs: {
>         linuxPackages = pkgs.linuxPackages_3_11_grsecurity;
>     
>         
>     };
>
> AppArmor
>
> http://permalink.gmane.org/gmane.linux.distributions.nixos/10799
>
> Also provide all the error messages please.
>
> Aloha,
> RK.
>
> On Fri, Jan 2, 2015 at 6:45 PM, peter.romfeld.hk at gmail.com wrote:
>
>     Hi,
>
>     I followed this tutorial:
>     https://nixos.org/wiki/Hardened_NixOS
>
>     but got missing `linuxPackages_3_2_grsecurity`, so I searched
>     through the GitHub packages and tried a few other names, but then I got
>     `dependency could not be downloaded`.
>     Then I went through the options and found security.grsecurity, but then I
>     get "kernel does not support grsec" :(
>
>     I really would like to get that working, please help
>
>     some of my configuration.nix:
>
>       boot.kernelPackages = pkgs.linuxPackages_3_2;
>        nixpkgs.config = {
>          allowUnfree = true;
>          #grsecurity = true;
>          #packageOverrides = pkgs: {
>          #  linuxPackages = pkgs.linuxPackages_3_2_grsecurity; # i tried a
>     few here, its either not found or dependency error because it cant
>     download dep
>          #  stdenv = pkgs.stdenv // {
>          #    platform = pkgs.stdenv.platform // {
>          #      kernelExtraConfig = ''
>          #        XEN n
>          #        HIBERNATION n
>          #        DEVKMEM? n
>          #        GRKERNSEC y
>          #        GRKERNSEC_CONFIG_AUTO y
>          #        GRKERNSEC_CONFIG_DESKTOP y
>          #        GRKERNSEC_CONFIG_VIRT_HOST y
>          #        GRKERNSEC_CONFIG_VIRT_EPT y
>          #        GRKERNSEC_CONFIG_VIRT_KVM y
>          #        GRKERNSEC_CONFIG_PRIORITY_SECURITY y
>          #        GRKERNSEC_PROC_USER y
>          #        GRKERNSEC_PROC_GID 0
>          #        GRKERNSEC_CHROOT_CHMOD n
>          #      '';
>          #    };
>          #  };
>          #};
>        };
>        #security.grsecurity = {
>        #  enable = true;
>        #  stable = true;
>        #  config = {
>        #    system = "desktop";
>        #    virtualisationConfig = "host";
>        #    hardwareVirtualisation = true;
>        #    virtualisationSoftware = "kvm";
>        #  };
>        #};  # kernel does not support grsec
>        boot.kernel.sysctl = {
>          "kernel.grsecurity.grsec_lock" = 1;
>          "net.ipv4.icmp_echo_ignore_broadcasts" = 1;
>          "net.ipv4.icmp_ignore_bogus_error_responses" = 1;
>          "net.ipv4.tcp_syncookies" = 1;
>          .....
>
>
>     Cheers,
>     Peter
>
>     _______________________________________________
>     nix-dev mailing list
>     nix-dev at lists.science.uu.nl
>     http://lists.science.uu.nl/mailman/listinfo/nix-dev
>
>
