diff options
| author | Peter Simons <simons@cryp.to> | 2014-11-11 13:29:42 +0100 |
|---|---|---|
| committer | Michael Raskin <7c6f434c@mail.ru> | 2015-01-19 00:15:41 +0300 |
| commit | cfce8509b85281a967a5937f3f0c672125990474 (patch) | |
| tree | 3a6b3ad7729f7cb32e40a94766e3ed2d55b25f5b /pkgs/build-support | |
| parent | 47f07849859c4400b3eaf8b4c9511325e593993c (diff) | |
| download | nixlib-cfce8509b85281a967a5937f3f0c672125990474.tar nixlib-cfce8509b85281a967a5937f3f0c672125990474.tar.gz nixlib-cfce8509b85281a967a5937f3f0c672125990474.tar.bz2 nixlib-cfce8509b85281a967a5937f3f0c672125990474.tar.lz nixlib-cfce8509b85281a967a5937f3f0c672125990474.tar.xz nixlib-cfce8509b85281a967a5937f3f0c672125990474.tar.zst nixlib-cfce8509b85281a967a5937f3f0c672125990474.zip | |
grsecurity: add GRKERNSEC_DENYUSB option (disabled by default)
This option tells the kernel to ignore plug-in events of USB devices. Useful to protect against attacks with malicious hardware. Currently disabled by default, though.
Diffstat (limited to 'pkgs/build-support')
| -rw-r--r-- | pkgs/build-support/grsecurity/default.nix | 2 |
1 files changed, 2 insertions, 0 deletions
diff --git a/pkgs/build-support/grsecurity/default.nix b/pkgs/build-support/grsecurity/default.nix index 919728382301..b2bffc781b30 100644 --- a/pkgs/build-support/grsecurity/default.nix +++ b/pkgs/build-support/grsecurity/default.nix @@ -10,6 +10,7 @@ let mode = "auto"; sysctl = false; denyChrootChmod = false; + denyUSB = false; restrictProc = false; restrictProcWithGroup = true; unrestrictProcGid = 121; # Ugh, an awful hack. See grsecurity NixOS gid @@ -106,6 +107,7 @@ let GRKERNSEC_SYSCTL ${boolToKernOpt cfg.config.sysctl} GRKERNSEC_CHROOT_CHMOD ${boolToKernOpt cfg.config.denyChrootChmod} + GRKERNSEC_DENYUSB ${boolToKernOpt cfg.config.denyUSB} GRKERNSEC_NO_RBAC ${boolToKernOpt cfg.config.disableRBAC} ${restrictLinks} |