diff options
author | Joachim Fasting <joachifm@fastmail.fm> | 2016-08-01 15:36:03 +0200 |
---|---|---|
committer | Joachim Fasting <joachifm@fastmail.fm> | 2016-08-02 10:24:49 +0200 |
commit | 43fc394a5cd06c38ed43e857ed14496cafdde0b5 (patch) | |
tree | 1082538c1da93d58cd3e4c308d77d8e99ea88c96 /nixos | |
parent | 402a53736eab190dc08ea8c350568f0b16b8c9f8 (diff) | |
download | nixlib-43fc394a5cd06c38ed43e857ed14496cafdde0b5.tar nixlib-43fc394a5cd06c38ed43e857ed14496cafdde0b5.tar.gz nixlib-43fc394a5cd06c38ed43e857ed14496cafdde0b5.tar.bz2 nixlib-43fc394a5cd06c38ed43e857ed14496cafdde0b5.tar.lz nixlib-43fc394a5cd06c38ed43e857ed14496cafdde0b5.tar.xz nixlib-43fc394a5cd06c38ed43e857ed14496cafdde0b5.tar.zst nixlib-43fc394a5cd06c38ed43e857ed14496cafdde0b5.zip |
grsecurity module: disable EFI runtime services by default
Enabling EFI runtime services provides a venue for injecting code into the kernel. When grsecurity is enabled, we close this by default by disabling access to EFI runtime services. The upshot of this is that /sys/firmware/efi/efivars will be unavailable by default (and attempts to mount it will fail). This is not strictly a grsecurity related option, it could be made into a general option, but it seems to be of particular interest to grsecurity users (for non-grsecurity users, there are other, more immediate kernel injection attack dangers to contend with anyway).
Diffstat (limited to 'nixos')
-rw-r--r-- | nixos/doc/manual/configuration/grsecurity.xml | 5 | ||||
-rw-r--r-- | nixos/modules/security/grsecurity.nix | 14 |
2 files changed, 19 insertions, 0 deletions
diff --git a/nixos/doc/manual/configuration/grsecurity.xml b/nixos/doc/manual/configuration/grsecurity.xml index 06e7617d58eb..3c17fc19397f 100644 --- a/nixos/doc/manual/configuration/grsecurity.xml +++ b/nixos/doc/manual/configuration/grsecurity.xml @@ -265,6 +265,11 @@ <sect1 xml:id="sec-grsec-issues"><title>Issues and work-arounds</title> <itemizedlist> + <listitem><para>Access to EFI runtime services is disabled by default: + this plugs a potential code injection attack vector; use + <option>security.grsecurity.disableEfiRuntimeServices</option> to override + this behavior.</para></listitem> + <listitem><para>Virtualization: KVM is the preferred virtualization solution. Xen, Virtualbox, and VMWare are <emphasis>unsupported</emphasis> and most likely require a custom kernel. diff --git a/nixos/modules/security/grsecurity.nix b/nixos/modules/security/grsecurity.nix index 6b4dbe8e11f8..60e9058dd69e 100644 --- a/nixos/modules/security/grsecurity.nix +++ b/nixos/modules/security/grsecurity.nix @@ -37,6 +37,18 @@ in ''; }; + disableEfiRuntimeServices = mkOption { + type = types.bool; + example = false; + default = true; + description = '' + Whether to disable access to EFI runtime services. Enabling EFI runtime + services creates a venue for code injection attacks on the kernel and + should be disabled if at all possible. Changing this option enters into + effect upon reboot. + ''; + }; + }; config = mkIf cfg.enable { @@ -45,6 +57,8 @@ in # required kernel config boot.kernelPackages = mkDefault pkgs.linuxPackages_grsec_nixos; + boot.kernelParams = optional cfg.disableEfiRuntimeServices "noefi"; + system.requiredKernelConfig = with config.lib.kernelConfig; [ (isEnabled "GRKERNSEC") (isEnabled "PAX") |