author | Joachim Fasting <joachifm@fastmail.fm> | 2016-12-05 19:19:33 +0100 |
---|---|---|
committer | Joachim Fasting <joachifm@fastmail.fm> | 2016-12-06 01:23:58 +0100 |
commit | 0e765c72e5c1f12d629d9d23d34f5fcb235e2833 (patch) | |
tree | 58094583e68cbd159ac3f47ad88a2970ee6b9ce9 /nixos/modules/security | |
parent | 31d79afbe5c0dc4f5343e842e40ada6738b1abb3 (diff) | |
download | nixpkgs-0e765c72e5c1f12d629d9d23d34f5fcb235e2833.tar nixpkgs-0e765c72e5c1f12d629d9d23d34f5fcb235e2833.tar.gz nixpkgs-0e765c72e5c1f12d629d9d23d34f5fcb235e2833.tar.bz2 nixpkgs-0e765c72e5c1f12d629d9d23d34f5fcb235e2833.tar.lz nixpkgs-0e765c72e5c1f12d629d9d23d34f5fcb235e2833.tar.xz nixpkgs-0e765c72e5c1f12d629d9d23d34f5fcb235e2833.tar.zst nixpkgs-0e765c72e5c1f12d629d9d23d34f5fcb235e2833.zip |
grsecurity: enable module hardening
Diffstat (limited to 'nixos/modules/security')
-rw-r--r-- | nixos/modules/security/grsecurity.xml | 8 |
1 files changed, 4 insertions, 4 deletions
diff --git a/nixos/modules/security/grsecurity.xml b/nixos/modules/security/grsecurity.xml index 97628b0fe32..5b3e4db03a1 100644 --- a/nixos/modules/security/grsecurity.xml +++ b/nixos/modules/security/grsecurity.xml @@ -153,10 +153,6 @@ <listitem><para>Trusted path execution: a desirable feature, but requires some more work to operate smoothly on NixOS.</para></listitem> - - <listitem><para>Module hardening: would break user initiated module - loading. Might enable this at some point, depending on the potential - breakage.</para></listitem> </itemizedlist> </para></listitem> @@ -292,6 +288,10 @@ <option>security.grsecurity.disableEfiRuntimeServices</option> to override this behavior.</para></listitem> + <listitem><para>User initiated autoloading of modules (e.g., when + using fuse or loop devices) is disallowed; either load requisite modules + as root or add them to<option>boot.kernelModules</option>.</para></listitem> + <listitem><para>Virtualization: KVM is the preferred virtualization solution. Xen, Virtualbox, and VMWare are <emphasis>unsupported</emphasis> and most likely require a custom kernel. |
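Review bot: in the first hunk, removing the "Module hardening" item from the list of features that are not enabled leaves the documentation with no statement that module hardening is now on; the only remaining trace is the new item in the second hunk, which describes the effect (user initiated autoloading is disallowed) without naming the feature that causes it. Suggest opening the new item with the cause, e.g. "Module hardening is enabled, so user initiated autoloading of modules (e.g., when using fuse or loop devices) is disallowed; ...", so the commit subject is reflected in the rendered manual.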
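Review bot: in the second hunk, `add them to<option>boot.kernelModules</option>` is missing a space before the `<option>` tag, so the rendered text will run "to" and the option name together; change it to `add them to <option>boot.kernelModules</option>`. Since the item already names fuse and loop as the typical cases, it would also help the reader to show the resulting setting inline, e.g. `boot.kernelModules = [ "fuse" "loop" ];`.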