| field | value | |
|---|---|---|
| author | Joachim Fasting <joachifm@fastmail.fm> | 2016-08-01 15:36:03 +0200 |
| committer | Joachim Fasting <joachifm@fastmail.fm> | 2016-08-02 10:24:49 +0200 |
| commit | 43fc394a5cd06c38ed43e857ed14496cafdde0b5 (patch) | |
| tree | 1082538c1da93d58cd3e4c308d77d8e99ea88c96 /nixos/doc/manual/configuration | |
| parent | 402a53736eab190dc08ea8c350568f0b16b8c9f8 (diff) | |
grsecurity module: disable EFI runtime services by default
Enabling EFI runtime services provides a venue for injecting code into the kernel. When grsecurity is enabled, we close this by default by disabling access to EFI runtime services. The upshot of this is that /sys/firmware/efi/efivars will be unavailable by default (and attempts to mount it will fail). This is not strictly a grsecurity-related option; it could be made into a general option, but it seems to be of particular interest to grsecurity users (for non-grsecurity users, there are other, more immediate kernel injection attack dangers to contend with anyway).
Diffstat (limited to 'nixos/doc/manual/configuration')

| mode | file | changes |
|---|---|---|
| -rw-r--r-- | nixos/doc/manual/configuration/grsecurity.xml | 5 |

1 file changed, 5 insertions, 0 deletions
diff --git a/nixos/doc/manual/configuration/grsecurity.xml b/nixos/doc/manual/configuration/grsecurity.xml index 06e7617d58eb..3c17fc19397f 100644 --- a/nixos/doc/manual/configuration/grsecurity.xml +++ b/nixos/doc/manual/configuration/grsecurity.xml @@ -265,6 +265,11 @@ <sect1 xml:id="sec-grsec-issues"><title>Issues and work-arounds</title> <itemizedlist> + <listitem><para>Access to EFI runtime services is disabled by default: + this plugs a potential code injection attack vector; use + <option>security.grsecurity.disableEfiRuntimeServices</option> to override + this behavior.</para></listitem> + <listitem><para>Virtualization: KVM is the preferred virtualization solution. Xen, Virtualbox, and VMWare are <emphasis>unsupported</emphasis> and most likely require a custom kernel. |
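Review bot: the new listitem tells the reader to "use security.grsecurity.disableEfiRuntimeServices to override this behavior" but never says what value to set, and it omits the one symptom a user will actually run into, which the commit message spells out: /sys/firmware/efi/efivars is unavailable and mounting it fails. Suggest stating the override explicitly (e.g. "set security.grsecurity.disableEfiRuntimeServices = false; to re-enable access") and adding a sentence such as "As a consequence, /sys/firmware/efi/efivars is not available and attempts to mount it will fail", so that someone debugging a failed efivars mount can trace it back to this option. Since this diffstat is limited to the manual, the option definition itself is not visible here; the doc text should match whatever default and type that definition declares.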