From cfce8509b85281a967a5937f3f0c672125990474 Mon Sep 17 00:00:00 2001
From: Peter Simons
Date: Tue, 11 Nov 2014 13:29:42 +0100
Subject: grsecurity: add GRKERNSEC_DENYUSB option (disabled by default)

This option tells the kernel to ignore plug-in events of USB devices. Useful to protect against attacks with malicious hardware. Currently disabled by default, though.
---
 pkgs/build-support/grsecurity/default.nix | 2 ++
 1 file changed, 2 insertions(+)
(limited to 'pkgs/build-support')
diff --git a/pkgs/build-support/grsecurity/default.nix b/pkgs/build-support/grsecurity/default.nix
index 919728382301..b2bffc781b30 100644
--- a/pkgs/build-support/grsecurity/default.nix
+++ b/pkgs/build-support/grsecurity/default.nix
@@ -10,6 +10,7 @@ let
 mode = "auto";
 sysctl = false;
 denyChrootChmod = false;
+ denyUSB = false;
 restrictProc = false;
 restrictProcWithGroup = true;
 unrestrictProcGid = 121; # Ugh, an awful hack. See grsecurity NixOS gid
@@ -106,6 +107,7 @@ let
 GRKERNSEC_SYSCTL ${boolToKernOpt cfg.config.sysctl}
 GRKERNSEC_CHROOT_CHMOD ${boolToKernOpt cfg.config.denyChrootChmod}
+ GRKERNSEC_DENYUSB ${boolToKernOpt cfg.config.denyUSB}
 GRKERNSEC_NO_RBAC ${boolToKernOpt cfg.config.disableRBAC}
 ${restrictLinks}
-- 
cgit 1.4.1
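Review bot: The new `denyUSB = false;` default in the first hunk has no comment, and its effect probably depends on the `sysctl = false;` default two lines above it. As I recall grsecurity's Kconfig help (worth confirming against the patch version in use), GRKERNSEC_DENYUSB does not block USB from boot: it adds a `deny_new_usb` toggle under `kernel.grsecurity`, and new devices are refused only after that is set to 1, while a separate GRKERNSEC_DENYUSB_FORCE rejects everything not connected at boot. With the grsecurity sysctl interface off by default here, a user who sets `denyUSB = true` may get a kernel that never denies anything, or one with no runtime way to switch the behaviour, depending on how the toggle is initialised without GRKERNSEC_SYSCTL. I would document that at the default, e.g. `denyUSB = false; # GRKERNSEC_DENYUSB: refuse newly attached USB devices once toggled; verify behaviour when sysctl = false`, and repeat it wherever the option is described to users, since the second hunk's `GRKERNSEC_DENYUSB ${boolToKernOpt cfg.config.denyUSB}` line passes the value through unconditionally. Both hunks sit inside a `let` block that starts and ends outside the diff.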