[Nix-dev] Hardened NixOS

Ricardo M. Correia rcorreia at wizy.org
Tue Nov 19 01:58:28 CET 2013


Hi,

I am currently working on integrating grsecurity/PaX and making various
software packages work under a grsec-enabled kernel (well, the packages I
use):

https://github.com/NixOS/nixpkgs/pull/1187

With those patches and a couple of unpublished workarounds I have a basic
XFCE desktop + Firefox/Chromium browsers working under a grsec/PaX-enabled
kernel (KDE does not start up yet, though).

I am now working on a patch to the gcc derivation which fixes a broken
build of OpenJDK, due to gcc's precompiled headers feature not liking
randomized mmap addresses. This patch alone causes my entire NixOS system
to be rebuilt from source, though.

Looking forward, I would like to develop a NixOS module which provides an
adequate grsecurity kernel and kernel config, and later integrate features
similar to the ones used in the Hardened Gentoo project, especially an
improved compiler toolchain which would generate position-independent code
(PIE) and stack-smashing protection (SSP), if these are not enabled already.

In the future, I am also interested in developing a NixOS module for
grsecurity's RSBAC system.

I was wondering if anybody else is interested in having these security
enhancements to NixOS, some of which would of course only be enabled
optionally?

What do you think would be the best approach for development? I'm thinking
of a few options:

* I keep developing these patches in a piecemeal fashion and keep asking
for pull requests into NixOS master as I go along, as I've been trying to do
* I develop them in my own private branch, which would at some point be
merged into NixOS master
* Someone creates a NixOS/hardened branch, and I merge patches there
* Create a separate channel? Perhaps with these features enabled by default?
* Or should I just develop them in my own private branch, which would never
get merged?

Having Hydra precompile packages with these features enabled would of
course be very convenient if there is a relevant number of other interested
users, since otherwise the whole NixOS system has to be built from source
(because these patches will touch gcc). However, taking into account that
NixOS doesn't have many users, and hardened NixOS would have even fewer of
them, then perhaps this is not necessary at the moment...

Thanks,
Ricardo