Diffstat (limited to 'nixos')
-rw-r--r-- | nixos/doc/manual/release-notes/rl-1703.xml | 9 | ||||
-rw-r--r-- | nixos/modules/security/ca.nix | 28 |
2 files changed, 34 insertions, 3 deletions
diff --git a/nixos/doc/manual/release-notes/rl-1703.xml b/nixos/doc/manual/release-notes/rl-1703.xml
index 9bc42edb49bc..c1107977db79 100644
--- a/nixos/doc/manual/release-notes/rl-1703.xml
+++ b/nixos/doc/manual/release-notes/rl-1703.xml
@@ -43,6 +43,15 @@ following incompatible changes:</para>
 <literal>radicale</literal>.
 </para>
 </listitem>
+
+ <listitem>
+ <para>
+ The Yama LSM is now enabled by default in the kernel,
+ which prevents ptracing non-child processes.
+ This means you will not be able to attach gdb to an existing process,
+ but will need to start that process from gdb (so it is a child).
+ </para>
+ </listitem>
 </itemizedlist>
diff --git a/nixos/modules/security/ca.nix b/nixos/modules/security/ca.nix
index 849530238e7e..67469be18b41 100644
--- a/nixos/modules/security/ca.nix
+++ b/nixos/modules/security/ca.nix
@@ -4,10 +4,16 @@ with lib;
 let
+ cfg = config.security.pki;
+
+ cacertPackage = pkgs.cacert.override {
+ blacklist = cfg.caCertificateBlacklist;
+ };
+
 caCertificates = pkgs.runCommand "ca-certificates.crt" {
 files =
- config.security.pki.certificateFiles ++
- [ (builtins.toFile "extra.crt" (concatStringsSep "\n" config.security.pki.certificates)) ];
+ cfg.certificateFiles ++
+ [ (builtins.toFile "extra.crt" (concatStringsSep "\n" cfg.certificates)) ];
 } ''
 cat $files > $out
@@ -52,11 +58,27 @@ in
 '';
 };
+ security.pki.caCertificateBlacklist = mkOption {
+ type = types.listOf types.str;
+ default = [];
+ example = [
+ "WoSign" "WoSign China"
+ "CA WoSign ECC Root"
+ "Certification Authority of WoSign G2"
+ ];
+ description = ''
+ A list of blacklisted CA certificate names that won't be imported from
+ the Mozilla Trust Store into
+ <filename>/etc/ssl/certs/ca-certificates.crt</filename>. Use the
+ names from that file.
+ '';
+ };
+
 };
 config = {
- security.pki.certificateFiles = [ "${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt" ];
+ security.pki.certificateFiles = [ "${cacertPackage}/etc/ssl/certs/ca-bundle.crt" ];
 # NixOS canonical location + Debian/Ubuntu/Arch/Gentoo compatibility.
 environment.etc."ssl/certs/ca-certificates.crt".source = caCertificates;
|
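Review bot: The description of `security.pki.caCertificateBlacklist` in this hunk does not say that the list only filters the Mozilla bundle produced by `cacertPackage`; in the first ca.nix hunk `caCertificates` still concatenates `cfg.certificateFiles` and `cfg.certificates` unfiltered, so a certificate supplied through those options stays trusted whatever its name. The description also leaves open what happens to a name that matches nothing in the store — from this diff alone it looks as if a misspelled entry would go unnoticed, which matters because an operator relying on the option to distrust a CA gets no signal; if the `blacklist` argument of `pkgs.cacert` does not reject unmatched names, an assertion in `config` checking each entry against the bundle would close that gap (worth confirming against the package). Suggested addition to the description: `Only the Mozilla bundle is filtered; certificates given via security.pki.certificates or security.pki.certificateFiles are never removed by this list. Names must match the bundle entries exactly.` The `runCommand` body in the first ca.nix hunk continues past the end of that hunk.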