Hi, I am currently working on integrating grsecurity/PaX and making various software packages work under a grsec-enabled kernel (well, the packages I use):
https://github.com/NixOS/nixpkgs/pull/1187

With those patches and a couple of unpublished workarounds I have a basic XFCE desktop + Firefox/Chromium browsers working under a grsec/PaX-enabled kernel (KDE does not start up yet, though).

I am now working on a patch to the gcc derivation which fixes a broken build of OpenJDK, due to gcc's precompiled headers feature not liking randomized mmap addresses. This patch alone causes my entire NixOS system to be rebuilt from source, though.

Looking forward, I would like to develop a NixOS module which provides an adequate grsecurity kernel and kernel config, and later integrate features similar to the ones used in the Hardened Gentoo project, especially an improved compiler toolchain which would generate position-independent code (PIE) and stack-smashing protection (SSP), if these are not enabled already. In the future, I am also interested in developing a NixOS module for grsecurity's RSBAC system.

I was wondering if anybody else is interested in having these security enhancements to NixOS, some of which would of course only be enabled optionally. What do you think would be the best approach for development? I'm thinking of a few options:

* I keep developing these patches in a piecemeal fashion and keep asking for pull requests into NixOS master as I go along, as I've been trying to do
* I develop them in my own private branch, which would at some point be merged into NixOS master
* Someone creates a NixOS/hardened branch, and I merge patches there
* Create a separate channel? Perhaps with these features enabled by default?
* Or should I just develop them in my own private branch, which would never get merged?

Having Hydra precompile packages with these features enabled would of course be very convenient if there is a relevant number of other interested users, since otherwise the whole NixOS system has to be built from source (because these patches will touch gcc). However, taking into account that NixOS doesn't have many users, and hardened NixOS would have even fewer of them, perhaps this is not necessary at the moment...

Thanks,
Ricardo
_______________________________________________ nix-dev mailing list nix-dev@lists.science.uu.nl http://lists.science.uu.nl/mailman/listinfo/nix-dev