grsecurity: add option to disable chroot caps restriction

The chroot caps restriction disallows chroot'ed processes from running any command that requires `CAP_SYS_ADMIN`, breaking `nixos-rebuild`. See e.g., https://github.com/NixOS/nixpkgs/issues/15293 This significantly weakens chroot protections, but to break nixos-rebuild out of the box is too severe.
2025-07-13 21:50:33 +03:00 · 2016-05-08 08:32:28 +02:00 · 2016-05-08 08:32:28 +02:00 · d4d7bfe07b
commit d4d7bfe07b
parent 8ca190c496
2 changed files with 15 additions and 0 deletions
--- a/nixos/modules/security/grsecurity.nix
+++ b/nixos/modules/security/grsecurity.nix
@ -126,6 +126,19 @@ in
          '';
        };

+        denyChrootCaps = mkOption {
+          type = types.bool;
+          default = false;
+          description = ''
+            Whether to lower capabilities of all processes within a chroot,
+            preventing commands that require <literal>CAP_SYS_ADMIN</literal>.
+
+            This protection is disabled by default because it breaks
+            <literal>nixos-rebuild</literal>. Whenever possible, it is
+            highly recommended to enable this protection.
+          '';
+        };
+
        denyUSB = mkOption {
          type = types.bool;
          default = false;