author | Joachim F <joachifm@users.noreply.github.com> | 2016-08-03 10:48:25 +0200 |
---|---|---|
committer | GitHub <noreply@github.com> | 2016-08-03 10:48:25 +0200 |
commit | 772a7bb49bdc7c0ee90fbbb2196cba9c8f242cef (patch) | |
tree | 3261a320cff38e2343132b61b754b1b364223f41 /nixos/doc | |
parent | 4ba0912a9298667b7f40e199b9648897b5e7237a (diff) | |
parent | 43fc394a5cd06c38ed43e857ed14496cafdde0b5 (diff) | |
Merge pull request #17425 from joachifm/grsec-efi
grsecurity module: disable EFI runtime services by default
Diffstat (limited to 'nixos/doc')
-rw-r--r-- | nixos/doc/manual/configuration/grsecurity.xml | 5 |
1 files changed, 5 insertions, 0 deletions
diff --git a/nixos/doc/manual/configuration/grsecurity.xml b/nixos/doc/manual/configuration/grsecurity.xml index 06e7617d58eb..3c17fc19397f 100644 --- a/nixos/doc/manual/configuration/grsecurity.xml +++ b/nixos/doc/manual/configuration/grsecurity.xml @@ -265,6 +265,11 @@ <sect1 xml:id="sec-grsec-issues"><title>Issues and work-arounds</title> <itemizedlist> + <listitem><para>Access to EFI runtime services is disabled by default: + this plugs a potential code injection attack vector; use + <option>security.grsecurity.disableEfiRuntimeServices</option> to override + this behavior.</para></listitem> + <listitem><para>Virtualization: KVM is the preferred virtualization solution. Xen, Virtualbox, and VMWare are <emphasis>unsupported</emphasis> and most likely require a custom kernel. |
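Review bot: The new list item sits under "Issues and work-arounds" but names neither the issue nor the work-around in usable form. It says to use security.grsecurity.disableEfiRuntimeServices "to override this behavior" without giving the value that restores access or saying what stops working while the default is in effect. Since the option name is phrased as "disable", a reader has to guess which boolean value re-enables the services; suggest spelling it out, for example "set <option>security.grsecurity.disableEfiRuntimeServices</option> to <literal>false</literal> to re-enable access" if that is the intended setting, and adding one clause on which functionality depends on EFI runtime services so users can judge whether they need the override. The diffstat here is limited to nixos/doc, so the option's own description should be checked for the same wording.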