[Nix-dev] Hardened NixOS

phreedom at yandex.ru
Tue Nov 19 03:27:06 CET 2013


On Tuesday, November 19, 2013 01:58:28 AM Ricardo M. Correia wrote:
> I am currently working on integrating grsecurity/PaX and making various
> software packages work under a grsec-enabled kernel (well, the packages I
> use):
> 
> https://github.com/NixOS/nixpkgs/pull/1187
> 
> With those patches and a couple of unpublished workarounds I have a basic
> XFCE desktop + Firefox/Chromium browsers working under a grsec/PaX-enabled
> kernel (KDE does not start up yet, though).
> 
> I am now working on a patch to the gcc derivation which fixes a broken
> build of OpenJDK, due to gcc's precompiled headers feature not liking
> randomized mmap addresses. This patch alone causes my entire NixOS system
> to be rebuilt from source, though.
> 
> Looking forward, I would like to develop a NixOS module which provides an
> adequate grsecurity kernel and kernel config, and later integrate features
> similar to the ones used in the Hardened Gentoo project, especially an
> improved compiler toolchain which would generate position-independent code
> (PIE) and stack-smashing protection (SSP), if these are not enabled already.
> 
> In the future, I am also interested in developing a NixOS module for
> grsecurity's RSBAC system.

I'm very happy to know that someone's working on this and this person is not 
me :)

> I was wondering if anybody else is interested in having these security
> enhancements to NixOS, some of which would of course only be enabled
> optionally?

My (totally unscientific) estimate is that the % of paranoid people in #nixos 
is only smaller than in specialized distros like Tails. Also, you shouldn't 
underestimate the number of people who would be happy to tick the "harden" 
checkbox if they don't expect any negative consequences.

> What do you think would be the best approach for development? I'm thinking
> of a few options:
> 
> * I keep developing these patches in a piecemeal fashion and keep asking
> for pull requests into NixOS master as I go along, as I've been trying to do

If it can be merged it should be merged. If it can be mainstreamed with some 
modifications, they should be discussed and implemented early to avoid 
headaches later.

> Having Hydra precompile packages with these features enabled would of
> course be very convenient if there is a relevant number of other interested
> users, since otherwise the whole NixOS system has to be built from source
> (because these patches will touch gcc). However, taking into account that
> NixOS doesn't have many users, and hardened NixOS would have even less of
> them, then perhaps this is not necessary at the moment...

Centralized building and security are often at odds. Say, certain grsecurity 
kernel features only make sense if you are running a unique, randomized build. 
Probably if you dig deep enough you'll find some features in gcc which 
introduce similar trade-offs.
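The toolchain goals in the quoted message (PIE and SSP) and the PaX-sensitive question of executable stacks can each be verified per binary by reading the ELF headers. The following checker is an added example for this thread, not code from nixpkgs or from either poster; it parses the ELF header, program headers and section string tables itself, so it needs no readelf or compiler on the box. `build_sample_elf` is a constructed toy ELF64 image used only to exercise the checker (it is not a loadable binary), and the function and field names are this example's own.

```python
import struct
import sys

ET_EXEC, ET_DYN = 2, 3
PT_GNU_STACK = 0x6474E551
PF_X, PF_W, PF_R = 1, 2, 4
SHT_STRTAB = 3

def parse_elf_header(data):
    """Decode the ELF file header (32- or 64-bit, either endianness)."""
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    cls, endian = data[4], ("<" if data[5] == 1 else ">")
    fmt = "HHIQQQIHHHHHH" if cls == 2 else "HHIIIIIHHHHHH"
    names = ("e_type", "e_machine", "e_version", "e_entry", "e_phoff", "e_shoff",
             "e_flags", "e_ehsize", "e_phentsize", "e_phnum", "e_shentsize",
             "e_shnum", "e_shstrndx")
    hdr = dict(zip(names, struct.unpack_from(endian + fmt, data, 16)))
    hdr["class"], hdr["endian"] = cls, endian
    return hdr

def check_hardening(data):
    """Report PIE (ET_DYN), stack protector (SSP) and executable-stack status."""
    hdr = parse_elf_header(data)
    en, cls = hdr["endian"], hdr["class"]
    # PT_GNU_STACK flags tell the kernel whether the stack must be executable;
    # None means the header is absent (older kernels then default to executable).
    exec_stack = None
    for i in range(hdr["e_phnum"]):
        off = hdr["e_phoff"] + i * hdr["e_phentsize"]
        if cls == 2:
            p_type, p_flags = struct.unpack_from(en + "II", data, off)
        else:  # ELF32 keeps p_flags at byte 24, after the size fields
            p_type = struct.unpack_from(en + "I", data, off)[0]
            p_flags = struct.unpack_from(en + "I", data, off + 24)[0]
        if p_type == PT_GNU_STACK:
            exec_stack = bool(p_flags & PF_X)
    # SSP leaves a reference to __stack_chk_fail in the string tables once any
    # function was instrumented; absence means no function got a canary.
    shfmt = "IIQQQQIIQQ" if cls == 2 else "IIIIIIIIII"
    def section(i):
        f = struct.unpack_from(en + shfmt, data, hdr["e_shoff"] + i * hdr["e_shentsize"])
        return {"name": f[0], "type": f[1], "offset": f[4], "size": f[5]}
    ssp = False
    if hdr["e_shnum"]:
        shstr = section(hdr["e_shstrndx"])
        names = data[shstr["offset"]:shstr["offset"] + shstr["size"]]
        for i in range(hdr["e_shnum"]):
            s = section(i)
            name = names[s["name"]:].split(b"\0", 1)[0]
            if s["type"] == SHT_STRTAB and name in (b".dynstr", b".strtab"):
                if b"__stack_chk_fail" in data[s["offset"]:s["offset"] + s["size"]]:
                    ssp = True
    # ET_DYN also covers shared libraries, so "pie" is only meaningful for executables.
    return {"pie": hdr["e_type"] == ET_DYN, "ssp": ssp, "exec_stack": exec_stack}

def build_sample_elf(pie=True, ssp=True, exec_stack=False):
    """Constructed toy ELF64 little-endian image: one PT_GNU_STACK header plus
    .dynstr and .shstrtab sections. Not a loadable binary; for testing only."""
    dynstr = b"\0" + (b"__stack_chk_fail\0" if ssp else b"") + b"puts\0"
    shstrtab = b"\0.dynstr\0.shstrtab\0"   # name offsets: 1 = .dynstr, 9 = .shstrtab
    ehdr_size, phdr_size, shdr_size = 64, 56, 64
    phoff = ehdr_size
    dynstr_off = phoff + phdr_size
    shstr_off = dynstr_off + len(dynstr)
    shoff = shstr_off + len(shstrtab)
    ehdr = b"\x7fELF\x02\x01\x01" + b"\0" * 9
    ehdr += struct.pack("<HHIQQQIHHHHHH", ET_DYN if pie else ET_EXEC, 62, 1, 0,
                        phoff, shoff, 0, ehdr_size, phdr_size, 1, shdr_size, 3, 2)
    flags = PF_R | PF_W | (PF_X if exec_stack else 0)
    phdr = struct.pack("<IIQQQQQQ", PT_GNU_STACK, flags, 0, 0, 0, 0, 0, 16)
    def shdr(name, typ, off, size):
        return struct.pack("<IIQQQQIIQQ", name, typ, 0, 0, off, size, 0, 0, 1, 0)
    shdrs = (shdr(0, 0, 0, 0)
             + shdr(1, SHT_STRTAB, dynstr_off, len(dynstr))
             + shdr(9, SHT_STRTAB, shstr_off, len(shstrtab)))
    return ehdr + phdr + dynstr + shstrtab + shdrs

def check_file(path):
    with open(path, "rb") as fh:
        return check_hardening(fh.read())

if __name__ == "__main__":
    for p in sys.argv[1:]:   # usage: python check_elf.py /path/to/binary ...
        print(p, check_file(p))
```

Run it over the store paths of a rebuilt closure to see which packages actually came out PIE and stack-protected; a missing `__stack_chk_fail` reference on a binary built with the hardened toolchain usually means the flags were overridden somewhere in that package's build.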
