diff options
| author | Bernardo Meurer <bernardo@meurer.org> | 2022-01-10 17:45:21 -0300 |
|---|---|---|
| committer | Bernardo Meurer <bernardo@meurer.org> | 2022-01-10 17:49:30 -0300 |
| commit | 5f36161ae19fc226b7b2797cd3ba38794dc0bc37 (patch) | |
| tree | 5888462452d97cf6f33c5fe421bb38d183c00850 /pkgs/os-specific/linux/kernel/common-config.nix | |
| parent | d36d401087a7e347c8b8ec539af1d32e130de564 (diff) | |
| download | nixpkgs-5f36161ae19fc226b7b2797cd3ba38794dc0bc37.tar nixpkgs-5f36161ae19fc226b7b2797cd3ba38794dc0bc37.tar.gz nixpkgs-5f36161ae19fc226b7b2797cd3ba38794dc0bc37.tar.bz2 nixpkgs-5f36161ae19fc226b7b2797cd3ba38794dc0bc37.tar.lz nixpkgs-5f36161ae19fc226b7b2797cd3ba38794dc0bc37.tar.xz nixpkgs-5f36161ae19fc226b7b2797cd3ba38794dc0bc37.tar.zst nixpkgs-5f36161ae19fc226b7b2797cd3ba38794dc0bc37.zip | |
linuxKernel.kernels: mark {IO_,}STRICT_DEVMEM optional to unbreak hardened kernels
Diffstat (limited to 'pkgs/os-specific/linux/kernel/common-config.nix')
| -rw-r--r-- | pkgs/os-specific/linux/kernel/common-config.nix | 4 |
1 files changed, 2 insertions, 2 deletions
diff --git a/pkgs/os-specific/linux/kernel/common-config.nix b/pkgs/os-specific/linux/kernel/common-config.nix index 347f7b2802e..14afc85aa7c 100644 --- a/pkgs/os-specific/linux/kernel/common-config.nix +++ b/pkgs/os-specific/linux/kernel/common-config.nix @@ -457,8 +457,8 @@ let # Detect writes to read-only module pages DEBUG_SET_MODULE_RONX = { optional = true; tristate = whenOlder "4.11" "y"; }; RANDOMIZE_BASE = option yes; - STRICT_DEVMEM = yes; # Filter access to /dev/mem - IO_STRICT_DEVMEM = whenAtLeast "4.5" yes; + STRICT_DEVMEM = mkDefault yes; # Filter access to /dev/mem + IO_STRICT_DEVMEM = whenAtLeast "4.5" (mkDefault yes); SECURITY_SELINUX_BOOTPARAM_VALUE = whenOlder "5.1" (freeform "0"); # Disable SELinux by default # Prevent processes from ptracing non-children processes SECURITY_YAMA = option yes; |