[Nix-dev] grsecurity

Raahul Kumar raahul.kumar at gmail.com
Sat Jan 3 08:19:06 CET 2015


Can you put your entire configuration.nix in a pastebin site or a GitHub
gist? I can only suggest the other alternative working kernel 3.11, or
AppArmor.
Please let us know which one works.

   nixpkgs.config = {
     grsecurity = true;

     packageOverrides = pkgs: {
       linuxPackages = pkgs.linuxPackages_3_11_grsecurity;
     };
   };


AppArmor

http://permalink.gmane.org/gmane.linux.distributions.nixos/10799

Also provide all the error messages please.

Aloha,
RK.

On Fri, Jan 2, 2015 at 6:45 PM, peter.romfeld.hk at gmail.com <
peter.romfeld.hk at gmail.com> wrote:

> Hi,
>
> I followed this tutorial:
> https://nixos.org/wiki/Hardened_NixOS
>
> but got missing `linuxPackages_3_2_grsecurity`, so I searched through the
> GitHub packages and tried a few other names, but then I got `dependency
> could not be downloaded`.
> Then I went through options and found security.grsecurity, but then I
> get kernel does not support grsec :(
>
> I really would like to get that working, please help.
>
> Some of my configuration.nix:
>
>   boot.kernelPackages = pkgs.linuxPackages_3_2;
>    nixpkgs.config = {
>      allowUnfree = true;
>      #grsecurity = true;
>      #packageOverrides = pkgs: {
>      #  linuxPackages = pkgs.linuxPackages_3_2_grsecurity;
>      #  # I tried a few here, it's either not found or dependency error
>      #  # because it can't download dep
>      #  stdenv = pkgs.stdenv // {
>      #    platform = pkgs.stdenv.platform // {
>      #      kernelExtraConfig = ''
>      #        XEN n
>      #        HIBERNATION n
>      #        DEVKMEM? n
>      #        GRKERNSEC y
>      #        GRKERNSEC_CONFIG_AUTO y
>      #        GRKERNSEC_CONFIG_DESKTOP y
>      #        GRKERNSEC_CONFIG_VIRT_HOST y
>      #        GRKERNSEC_CONFIG_VIRT_EPT y
>      #        GRKERNSEC_CONFIG_VIRT_KVM y
>      #        GRKERNSEC_CONFIG_PRIORITY_SECURITY y
>      #        GRKERNSEC_PROC_USER y
>      #        GRKERNSEC_PROC_GID 0
>      #        GRKERNSEC_CHROOT_CHMOD n
>      #      '';
>      #    };
>      #  };
>      #};
>    };
>    #security.grsecurity = {
>    #  enable = true;
>    #  stable = true;
>    #  config = {
>    #    system = "desktop";
>    #    virtualisationConfig = "host";
>    #    hardwareVirtualisation = true;
>    #    virtualisationSoftware = "kvm";
>    #  };
>    #};  # kernel does not support grsec
>    boot.kernel.sysctl = {
>      "kernel.grsecurity.grsec_lock" = 1;
>      "net.ipv4.icmp_echo_ignore_broadcasts" = 1;
>      "net.ipv4.icmp_ignore_bogus_error_responses" = 1;
>      "net.ipv4.tcp_syncookies" = 1;
>      .....
>
>
> Cheers,
> Peter
>