diff options
author | Joachim Fasting <joachifm@fastmail.fm> | 2017-04-06 16:12:21 +0200 |
---|---|---|
committer | Joachim Fasting <joachifm@fastmail.fm> | 2017-04-30 12:05:37 +0200 |
commit | 878ad1ce6e2582fef11ed73c849b513afaca143e (patch) | |
tree | ae013f9b8d9f99a31655c36895157d48b47f1b6e | |
parent | 7ee05dff30a16ba12d869693d3f7fa93291d12e1 (diff) | |
download | nixpkgs-878ad1ce6e2582fef11ed73c849b513afaca143e.tar nixpkgs-878ad1ce6e2582fef11ed73c849b513afaca143e.tar.gz nixpkgs-878ad1ce6e2582fef11ed73c849b513afaca143e.tar.bz2 nixpkgs-878ad1ce6e2582fef11ed73c849b513afaca143e.tar.lz nixpkgs-878ad1ce6e2582fef11ed73c849b513afaca143e.tar.xz nixpkgs-878ad1ce6e2582fef11ed73c849b513afaca143e.tar.zst nixpkgs-878ad1ce6e2582fef11ed73c849b513afaca143e.zip |
nixos: add option to lock kernel modules
Adds an option `security.lockKernelModules` that, when enabled, disables kernel module loading once the system reaches its normal operating state. The rationale for this over simply setting the sysctl knob is to allow some legitmate kernel module loading to occur; the naive solution breaks too much to be useful. The benefit to the user is to help ensure the integrity of the kernel runtime: only code loaded as part of normal system initialization will be available in the kernel for the duration of the boot session. This helps prevent injection of malicious code or unexpected loading of legitimate but normally unused modules that have exploitable bugs (e.g., DCCP use after free CVE-2017-6074, n_hldc CVE-2017-2636, XFRM framework CVE-2017-7184, L2TPv3 CVE-2016-10200). From an aestethic point of view, enabling this option helps make the configuration more "declarative". Closes https://github.com/NixOS/nixpkgs/pull/24681
-rw-r--r-- | nixos/modules/module-list.nix | 1 | ||||
-rw-r--r-- | nixos/modules/security/lock-kernel-modules.nix | 36 |
2 files changed, 37 insertions, 0 deletions
diff --git a/nixos/modules/module-list.nix b/nixos/modules/module-list.nix index 4ff069f48ab..99bc0da2b3a 100644 --- a/nixos/modules/module-list.nix +++ b/nixos/modules/module-list.nix @@ -116,6 +116,7 @@ ./security/duosec.nix ./security/grsecurity.nix ./security/hidepid.nix + ./security/lock-kernel-modules.nix ./security/oath.nix ./security/pam.nix ./security/pam_usb.nix diff --git a/nixos/modules/security/lock-kernel-modules.nix b/nixos/modules/security/lock-kernel-modules.nix new file mode 100644 index 00000000000..51994ee76c1 --- /dev/null +++ b/nixos/modules/security/lock-kernel-modules.nix @@ -0,0 +1,36 @@ +{ config, lib, ... }: + +with lib; + +{ + options = { + security.lockKernelModules = mkOption { + type = types.bool; + default = false; + description = '' + Disable kernel module loading once the system is fully initialised. + Module loading is disabled until the next reboot. Problems caused + by delayed module loading can be fixed by adding the module(s) in + question to <option>boot.kernelModules</option>. + ''; + }; + }; + + config = mkIf config.security.lockKernelModules { + systemd.services.disable-kernel-module-loading = rec { + description = "Disable kernel module loading"; + + wantedBy = [ config.systemd.defaultUnit ]; + after = [ "systemd-udev-settle.service" "firewall.service" "systemd-modules-load.service" ] ++ wantedBy; + + script = "echo -n 1 > /proc/sys/kernel/modules_disabled"; + + unitConfig.ConditionPathIsWritable = "/proc/sys/kernel"; + + serviceConfig = { + Type = "oneshot"; + RemainAfterExit = true; + }; + }; + }; +} |