grsecurity: support disabling TCP simultaneous connect

Defaults to OFF because disabling TCP simultaneous connect breaks some
legitimate use cases, notably WebRTC [1], but it's nice to provide the
option for deployments where those features are unneeded anyway.

This is an alternative to https://github.com/NixOS/nixpkgs/pull/4937

[1]: http://article.gmane.org/gmane.linux.documentation/9425

nixos/modules/security/grsecurity.nix
··· 194 ''; 195 }; 196 197 verboseVersion = mkOption { 198 type = types.bool; 199 default = false;
··· 194 ''; 195 }; 196 197 + disableSimultConnect = mkOption { 198 + type = types.bool; 199 + default = false; 200 + description = '' 201 + Disable TCP simultaneous connect. The TCP simultaneous connect 202 + feature allows two clients to connect without either of them 203 + entering the listening state. This feature of the TCP specification 204 + is claimed to enable an attacker to deny the target access to a given 205 + server by guessing the source port the target would use to make the 206 + connection. 207 + 208 + This option is OFF by default because TCP simultaneous connect has 209 + some legitimate uses. Enable this option if you know what this TCP 210 + feature is for and know that you do not need it. 211 + ''; 212 + }; 213 + 214 verboseVersion = mkOption { 215 type = types.bool; 216 default = false;
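Review bot: the description for `disableSimultConnect` should name what enabling it breaks in practice, since the commit message already knows (WebRTC) but a user reading only the option text is left with "know that you do not need it". Suggest adding a sentence after "some legitimate uses", e.g. "Enabling it is known to break WebRTC." It would also help to point "is claimed to" at the grsecurity documentation the module is paraphrasing, so readers can judge the threat (an attacker denying the target access to a server by guessing its source port) for themselves.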
pkgs/build-support/grsecurity/default.nix
··· 14 restrictProcWithGroup = true; 15 unrestrictProcGid = 121; # Ugh, an awful hack. See grsecurity NixOS gid 16 disableRBAC = false; 17 verboseVersion = false; 18 kernelExtraConfig = ""; 19 } // grsecOptions.config; ··· 107 GRKERNSEC_CHROOT_CHMOD ${boolToKernOpt cfg.config.denyChrootChmod} 108 GRKERNSEC_DENYUSB ${boolToKernOpt cfg.config.denyUSB} 109 GRKERNSEC_NO_RBAC ${boolToKernOpt cfg.config.disableRBAC} 110 111 ${cfg.config.kernelExtraConfig} 112 '';
··· 14 restrictProcWithGroup = true; 15 unrestrictProcGid = 121; # Ugh, an awful hack. See grsecurity NixOS gid 16 disableRBAC = false; 17 + disableSimultConnect = false; 18 verboseVersion = false; 19 kernelExtraConfig = ""; 20 } // grsecOptions.config; ··· 108 GRKERNSEC_CHROOT_CHMOD ${boolToKernOpt cfg.config.denyChrootChmod} 109 GRKERNSEC_DENYUSB ${boolToKernOpt cfg.config.denyUSB} 110 GRKERNSEC_NO_RBAC ${boolToKernOpt cfg.config.disableRBAC} 111 + GRKERNSEC_NO_SIMULT_CONNECT ${boolToKernOpt cfg.config.disableSimultConnect} 112 113 ${cfg.config.kernelExtraConfig} 114 '';
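Review bot: the default `disableSimultConnect = false;` added here duplicates the `default = false` declared for the same option in nixos/modules/security/grsecurity.nix, so the two must be kept in sync by hand; a comment next to this line noting that the NixOS module is the source of truth would make that explicit. The new `GRKERNSEC_NO_SIMULT_CONNECT ${boolToKernOpt cfg.config.disableSimultConnect}` line follows the existing `GRKERNSEC_NO_RBAC` pattern, so the option is always emitted and its value is controlled by `boolToKernOpt`, which is consistent with the rest of this block.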