Diffstat (limited to 'nixos/modules/security/grsecurity.nix')
-rw-r--r-- | nixos/modules/security/grsecurity.nix | 18 |
1 files changed, 18 insertions, 0 deletions
diff --git a/nixos/modules/security/grsecurity.nix b/nixos/modules/security/grsecurity.nix
index 5c8c49939510..d0c7fa6ec288 100644
--- a/nixos/modules/security/grsecurity.nix
+++ b/nixos/modules/security/grsecurity.nix
@@ -156,6 +156,24 @@ in
 '';
 };
 
+ denyUSB = mkOption {
+ type = types.bool;
+ default = false;
+ description = ''
+ If true, then set <literal>GRKERNSEC_DENYUSB y</literal>.
+
+ This enables a sysctl with name
+ <literal>kernel.grsecurity.deny_new_usb</literal>. Setting
+ its value to <literal>1</literal> will prevent any new USB
+ devices from being recognized by the OS. Any attempted
+ USB device insertion will be logged.
+
+ This option is intended to be used against custom USB
+ devices designed to exploit vulnerabilities in various USB
+ device drivers.
+ '';
+ };
+
 restrictProc = mkOption {
 type = types.bool;
 default = false; |
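Review bot: The `denyUSB` description should say plainly that enabling the option blocks nothing by itself: by its own wording it only builds in the `kernel.grsecurity.deny_new_usb` sysctl, which still has to be set to `1` at runtime, and "new" means devices attached before that point stay usable. I would add a closing paragraph along the lines of `Note that this option only makes the sysctl available; set it to 1 (for example through boot.kernel.sysctl) once the devices you need are attached.` It may also be worth stating that the setting only resists a local root user if grsecurity's sysctl lock is applied afterwards; that is inferred from how grsecurity sysctls generally behave, not from anything in this hunk. All 18 added lines are the option declaration and the diffstat is limited to this file, so whether the flag actually reaches the generated kernel configuration cannot be checked from this page.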