[Nix-dev] grsecurity

Raahul Kumar raahul.kumar at gmail.com
Mon Jan 5 06:26:11 CET 2015


I poked around here


"You can enable it by just specifying which kernel you want (stable,
stable+vserver patches, or testing), and the system configuration (desktop
or server):

security.grsecurity.enable = true;
security.grsecurity.testing = true; # testing 3.13 kernel
security.grsecurity.config.system = "desktop"; # or "server"

This defaults to high-security enhancements, and auto-selects all the
appropriate configuration options and enabled protections. This implies no
virtualisation support, which is needed for all your expected software
functionality to work properly. For example, to enable KVM support:

security.grsecurity.enable = true;
security.grsecurity.stable = true; # enable stable 3.2 kernel
security.grsecurity.config = {
  system = "server";
  priority = "security";
  virtualisationConfig = "host";
  virtualisationSoftware = "kvm";
  hardwareVirtualisation = true;
};"

https://github.com/NixOS/nixpkgs/tree/master/nixos/modules/security
http://lists.science.uu.nl/pipermail/nix-dev/2014-April/012957.html

If that still doesn't work, file a bug report against the grsecurity
package. Give AppArmor a go?

Aloha,
RK.
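A quick post-boot check for what this thread is chasing, added here as an example and not part of either mail or of nixpkgs: a grsecurity kernel built with CONFIG_GRKERNSEC_SYSCTL exposes its tunables under /proc/sys/kernel/grsecurity, including the grsec_lock key that Peter's boot.kernel.sysctl block sets to 1; on a kernel that was built without the grsec patch that directory simply does not exist, and the sysctl setting has nothing to act on. The script below reports whether the running kernel actually carries those sysctls and whether grsec_lock is already engaged. The ROOT argument, the function names and the constructed fake /proc trees are assumptions made for the demonstration so the logic can be exercised on a machine that is not running a grsecurity kernel.

```shell
#!/bin/sh
# grsec_check.sh: confirm that the kernel you booted is really a grsecurity
# kernel before relying on security.grsecurity or on
# kernel.grsecurity.grsec_lock = 1 from boot.kernel.sysctl.
# Added example for the nix-dev thread; not code from the mails or nixpkgs.
# ROOT (default "/") is a prefix so the same functions can be pointed at a
# constructed directory tree for testing.

# grsec_status ROOT
#   Prints a one-line summary. Returns 0 when the grsecurity sysctl
#   directory exists, 1 when it is missing (non-grsec kernel, or grsec
#   built without CONFIG_GRKERNSEC_SYSCTL).
grsec_status() {
    gs_root="${1:-/}"
    gs_root="${gs_root%/}"                 # drop trailing slash before joining
    gs_dir="$gs_root/proc/sys/kernel/grsecurity"
    if [ ! -d "$gs_dir" ]; then
        echo "no-grsec: $gs_dir is missing; this kernel does not expose grsecurity sysctls"
        return 1
    fi
    gs_lock="unknown"
    if [ -r "$gs_dir/grsec_lock" ]; then
        gs_lock=$(cat "$gs_dir/grsec_lock")
    fi
    echo "grsec: sysctls present, grsec_lock=$gs_lock"
    return 0
}

# grsec_lock_state ROOT
#   Prints "locked" (grsec_lock=1, tunables are now read-only until reboot),
#   "unlocked" (key present but 0) or "absent" (no grsecurity sysctls).
grsec_lock_state() {
    gl_root="${1:-/}"
    gl_root="${gl_root%/}"
    gl_file="$gl_root/proc/sys/kernel/grsecurity/grsec_lock"
    if [ ! -r "$gl_file" ]; then
        echo absent
        return 0
    fi
    case "$(cat "$gl_file")" in
        1) echo locked ;;
        *) echo unlocked ;;
    esac
}

# make_fake_root BASE KIND LOCKVALUE
#   Builds a constructed /proc skeleton under BASE for demonstration only.
#   KIND "grsec" creates the grsecurity directory with grsec_lock=LOCKVALUE;
#   KIND "plain" mimics a stock kernel with no grsecurity sysctls.
make_fake_root() {
    mkdir -p "$1/proc/sys/kernel"
    if [ "$2" = grsec ]; then
        mkdir -p "$1/proc/sys/kernel/grsecurity"
        printf '%s\n' "${3:-0}" > "$1/proc/sys/kernel/grsecurity/grsec_lock"
    fi
}

# demo
#   Runs the check against two constructed trees and then the live system.
#   Call with: sh -c '. ./grsec_check.sh; demo'
demo() {
    d_tmp=$(mktemp -d)
    make_fake_root "$d_tmp/grsec-box" grsec 1
    make_fake_root "$d_tmp/stock-box" plain
    grsec_status "$d_tmp/grsec-box" || true
    grsec_status "$d_tmp/stock-box" || true
    rm -rf "$d_tmp"
    echo "live system:"
    grsec_status / || true
}
```

On a machine that booted the hardened kernel, `grsec_status /` should print the `grsec:` line; if it prints `no-grsec:` after a `nixos-rebuild switch` that appeared to succeed, the kernel package that ended up in the system closure was not a grsecurity build, which is the situation Peter describes with "kernel does not support grsec".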

On Mon, Jan 5, 2015 at 2:29 PM, peter.romfeld.hk at gmail.com <
peter.romfeld.hk at gmail.com> wrote:

> When I use:
>
> packageOverrides = pkgs: {
>        linuxPackages = pkgs.linuxPackages_3_11_grsecurity;
>
> or
>
> packageOverrides = pkgs: {
>        linuxPackages = pkgs.linuxPackages_3_2_grsecurity;
>
> I get:
> error: attribute ‘linuxPackages_3_{11,2}_grsecurity’ missing, at
> "/etc/nixos/configuration.nix":18:23
>
> If I just comment it out I get:
> builder for
> ‘/nix/store/f3ki9ligga217d44zaprbqybl3vq0pmj-linux-config-3.2.64.drv’
> failed with exit code 255
> cannot build derivation
> ‘/nix/store/a0ydf19bz5pqjv26kmqx948wsmnxzmfa-linux-3.2.64.drv’: 1
> dependencies couldn't be built
> cannot build derivation
> ‘/nix/store/hg31v8gq8jpcd3i7a4mgwhv7l049sfq2-nixos-15.05pre54730.cbe467e.drv’:
> 1 dependencies couldn't be built
> error: build of
> ‘/nix/store/hg31v8gq8jpcd3i7a4mgwhv7l049sfq2-nixos-15.05pre54730.cbe467e.drv’
> failed
>
> If I use:
> boot.kernelPackages = pkgs.linuxPackages_grsecurity_stable;
>   security.grsecurity = {
>     enable = true;
>     stable = true;
>     config = {
>       verboseVersion = true;
>   #    priority = "security";
>       system = "desktop";
>       virtualisationConfig = "host";
>       hardwareVirtualisation = true;
>       virtualisationSoftware = "kvm";
>       kernelExtraConfig = ''
> XEN n
> HIBERNATION n
> DEVKMEM? n
>       '';
>     };
>   };
>
> the build works, but at reboot I get a kernel panic: no init found.
>
> I'm not sure, but it looks like if I use security.grsecurity I should be
> able to somehow tell it to apply the grsecurity patch to my current kernel?
>
> I also tried with kernel 3.14, same problems.
>
> my config:
> http://pastebin.com/K7yEWRk4
>
> cheers,
> peter
>
> On 01/03/2015 03:19 PM, Raahul Kumar wrote:
>
>  Can you put your entire configuration.nix in a pastebin site or a github
> gist? I can only suggest the other alternative working kernel 3.11, or
> AppArmor.
>  Please let us know which one works.
>
>    nixpkgs.config = {
>      grsecurity = true;
>
>      packageOverrides = pkgs: {
>        linuxPackages = pkgs.linuxPackages_3_11_grsecurity;
>      };
>    };
>
>
>  AppArmor
>
> http://permalink.gmane.org/gmane.linux.distributions.nixos/10799
>
>  Also provide all the error messages please.
>
>  Aloha,
> RK.
>
> On Fri, Jan 2, 2015 at 6:45 PM, peter.romfeld.hk at gmail.com <
> peter.romfeld.hk at gmail.com> wrote:
>
>> Hi,
>>
>> I followed this tutorial:
>> https://nixos.org/wiki/Hardened_NixOS
>>
>> but got missing `linuxPackages_3_2_grsecurity`, so I searched through the
>> github packages and tried a few other names, but then I got `dependency
>> could not be downloaded`.
>> Then I went through the options and found security.grsecurity, but then I
>> get kernel does not support grsec :(
>>
>> I really would like to get that working, please help
>>
>> some of my configuration.nix:
>>
>>   boot.kernelPackages = pkgs.linuxPackages_3_2;
>>    nixpkgs.config = {
>>      allowUnfree = true;
>>      #grsecurity = true;
>>      #packageOverrides = pkgs: {
>>      #  linuxPackages = pkgs.linuxPackages_3_2_grsecurity; # I tried a
>> few here, it's either not found or a dependency error because it can't
>> download the dep
>>      #  stdenv = pkgs.stdenv // {
>>      #    platform = pkgs.stdenv.platform // {
>>      #      kernelExtraConfig = ''
>>      #        XEN n
>>      #        HIBERNATION n
>>      #        DEVKMEM? n
>>      #        GRKERNSEC y
>>      #        GRKERNSEC_CONFIG_AUTO y
>>      #        GRKERNSEC_CONFIG_DESKTOP y
>>      #        GRKERNSEC_CONFIG_VIRT_HOST y
>>      #        GRKERNSEC_CONFIG_VIRT_EPT y
>>      #        GRKERNSEC_CONFIG_VIRT_KVM y
>>      #        GRKERNSEC_CONFIG_PRIORITY_SECURITY y
>>      #        GRKERNSEC_PROC_USER y
>>      #        GRKERNSEC_PROC_GID 0
>>      #        GRKERNSEC_CHROOT_CHMOD n
>>      #      '';
>>      #    };
>>      #  };
>>      #};
>>    };
>>    #security.grsecurity = {
>>    #  enable = true;
>>    #  stable = true;
>>    #  config = {
>>    #    system = "desktop";
>>    #    virtualisationConfig = "host";
>>    #    hardwareVirtualisation = true;
>>    #    virtualisationSoftware = "kvm";
>>    #  };
>>    #};  # kernel does not support grsec
>>    boot.kernel.sysctl = {
>>      "kernel.grsecurity.grsec_lock" = 1;
>>      "net.ipv4.icmp_echo_ignore_broadcasts" = 1;
>>      "net.ipv4.icmp_ignore_bogus_error_responses" = 1;
>>      "net.ipv4.tcp_syncookies" = 1;
>>      .....
>>
>>
>> Cheers,
>> Peter
>>
>> _______________________________________________
>> nix-dev mailing list
>> nix-dev at lists.science.uu.nl
>> http://lists.science.uu.nl/mailman/listinfo/nix-dev
>>