authorRicardo M. Correia <rcorreia@wizy.org>2015-01-19 18:11:54 +0100
committerRicardo M. Correia <rcorreia@wizy.org>2015-01-20 19:18:06 +0100
commita11dc2f0a347cbb9bb5baaf7365ece67c27feb66 (patch)
tree461809fa26bbf7831011214142cb1d77f7ddba4c /nixos
parent1df8208839e55959c6c5bb0984221a2d498af68a (diff)
grsecurity: Add `denyUSB` option to grsec NixOS module
The option had been added to the grsec build-support code,
but it hadn't been added to the grsec module.

After this commit, grsec module users will be able to change
the default value. It also serves to document that this option
exists and that NixOS will disable it by default.
Diffstat (limited to 'nixos')
-rw-r--r--nixos/modules/security/grsecurity.nix18
1 files changed, 18 insertions, 0 deletions
diff --git a/nixos/modules/security/grsecurity.nix b/nixos/modules/security/grsecurity.nix
index 5c8c49939510..d0c7fa6ec288 100644
--- a/nixos/modules/security/grsecurity.nix
+++ b/nixos/modules/security/grsecurity.nix
@@ -156,6 +156,24 @@ in
           '';
         };
 
+        denyUSB = mkOption {
+          type = types.bool;
+          default = false;
+          description = ''
+            If true, then set <literal>GRKERNSEC_DENYUSB y</literal>.
+
+            This enables a sysctl with name
+            <literal>kernel.grsecurity.deny_new_usb</literal>. Setting
+            its value to <literal>1</literal> will prevent any new USB
+            devices from being recognized by the OS.  Any attempted
+            USB device insertion will be logged.
+
+            This option is intended to be used against custom USB
+            devices designed to exploit vulnerabilities in various USB
+            device drivers.
+          '';
+        };
+
         restrictProc = mkOption {
           type = types.bool;
           default = false;
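Review bot: The description of `denyUSB` can leave a reader believing that setting the option to true blocks USB devices, when the hunk only selects the kernel config (`GRKERNSEC_DENYUSB y`) and the blocking behaviour is gated on the `kernel.grsecurity.deny_new_usb` sysctl being set to 1 at runtime, which nothing in this hunk does. I would make that explicit in the description, e.g. `Note that enabling this option only makes the sysctl available; no device is refused until kernel.grsecurity.deny_new_usb is set to 1 (for example via boot.kernel.sysctl), and because it also refuses devices that are plugged in later, it is normally set after the devices needed for boot have been enumerated.` If the module wires the sysctl somewhere outside this hunk, the description should say so instead. The enclosing options attribute set starts and ends outside the hunk.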