commit d4d7bfe07bf97efb228ea949a1f09644e924b82d · pyrox.dev/nixpkgs

+13

nixos/modules/security/grsecurity.nix

···

       126
        
                 '';

     

       127
        
               };

     

       128
        
       

     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       129
        
               denyUSB = mkOption {

     

       130
        
                 type = types.bool;

     

       131
        
                 default = false;

···

       126
        
                 '';

     

       127
        
               };

     

       128
        
       

     

       129
       +
               denyChrootCaps = mkOption {

     

       130
       +
                 type = types.bool;

     

       131
       +
                 default = false;

     

       132
       +
                 description = ''

     

       133
       +
                   Whether to lower capabilities of all processes within a chroot,

     

       134
       +
                   preventing commands that require <literal>CAP_SYS_ADMIN</literal>.

     

       135
       +
       

     

       136
       +
                   This protection is disabled by default because it breaks

     

       137
       +
                   <literal>nixos-rebuild</literal>. Whenever possible, it is

     

       138
       +
                   highly recommended to enable this protection.

     

       139
       +
                 '';

     

       140
       +
               };

     

       141
       +
       

     

       142
        
               denyUSB = mkOption {

     

       143
        
                 type = types.bool;

     

       144
        
                 default = false;

pkgs/build-support/grsecurity/default.nix

···

       8
        
           config = {

     

       9
        
             mode = "auto";

     

       10
        
             sysctl = false;

     

       0
        
       
     

       11
        
             denyChrootChmod = false;

     

       12
        
             denyUSB = false;

     

       13
        
             restrictProc = false;

     
···

       112
        
               }

     

       113
        
       

     

       114
        
               GRKERNSEC_SYSCTL ${boolToKernOpt cfg.config.sysctl}

     

       0
        
       
     

       115
        
               GRKERNSEC_CHROOT_CHMOD ${boolToKernOpt cfg.config.denyChrootChmod}

     

       116
        
               GRKERNSEC_DENYUSB ${boolToKernOpt cfg.config.denyUSB}

     

       117
        
               GRKERNSEC_NO_RBAC ${boolToKernOpt cfg.config.disableRBAC}

···

       8
        
           config = {

     

       9
        
             mode = "auto";

     

       10
        
             sysctl = false;

     

       11
       +
             denyChrootCaps = false;

     

       12
        
             denyChrootChmod = false;

     

       13
        
             denyUSB = false;

     

       14
        
             restrictProc = false;

     
···

       113
        
               }

     

       114
        
       

     

       115
        
               GRKERNSEC_SYSCTL ${boolToKernOpt cfg.config.sysctl}

     

       116
       +
               GRKERNSEC_CHROOT_CAPS ${boolToKernOpt cfg.config.denyChrootCaps}

     

       117
        
               GRKERNSEC_CHROOT_CHMOD ${boolToKernOpt cfg.config.denyChrootChmod}

     

       118
        
               GRKERNSEC_DENYUSB ${boolToKernOpt cfg.config.denyUSB}

     

       119
        
               GRKERNSEC_NO_RBAC ${boolToKernOpt cfg.config.disableRBAC}