Comparing changes
base repository: NixOS/nixpkgs
base: 7ee05dff30a1
head repository: NixOS/nixpkgs
compare: 1dd3ba924bb7
  • 7 commits
  • 14 files changed
  • 1 contributor

Commits on Apr 30, 2017

  1. nixos: add option to lock kernel modules

    Adds an option `security.lockKernelModules` that, when enabled, disables
    kernel module loading once the system reaches its normal operating state.
    
    The rationale for this over simply setting the sysctl knob is to allow
    some legitimate kernel module loading to occur; the naive solution breaks
    too much to be useful.
    
    The benefit to the user is to help ensure the integrity of the kernel
    runtime: only code loaded as part of normal system initialization will be
    available in the kernel for the duration of the boot session.  This helps
    prevent injection of malicious code or unexpected loading of legitimate
    but normally unused modules that have exploitable bugs (e.g., DCCP use
    after free CVE-2017-6074, n_hdlc CVE-2017-2636, XFRM framework
    CVE-2017-7184, L2TPv3 CVE-2016-10200).
    
    From an aesthetic point of view, enabling this option helps make the
    configuration more "declarative".
    
    Closes #24681
    joachifm committed Apr 30, 2017
    Commit 878ad1c
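The commit message above explains the design choice without showing it: writing the sysctl at boot would stop udev, the firewall and `systemd-modules-load` from loading the modules they need, so the lock has to be applied after those have run. The NixOS configuration below is an added illustration of that approach and is not the module introduced by this branch; the unit name `lock-kernel-modules`, the ordering dependencies and the use of `firewall.service` as a module-loading service are assumptions. On a nixpkgs that contains the commit, the single line `security.lockKernelModules = true;` replaces all of it.

```nix
# Added example (not the nixpkgs module from this branch): lock kernel module
# loading only once the system has reached its normal operating state.
{ config, pkgs, lib, ... }:

{
  # Hand-rolled equivalent of the option described in the commit message.
  systemd.services.lock-kernel-modules = {
    description = "Disable kernel module loading for the rest of this boot";

    # Assumed ordering: run after the units that legitimately load modules
    # (static module list, udev hardware probing, netfilter modules pulled in
    # by the firewall).  Setting the sysctl earlier is what "breaks too much".
    after = [
      "systemd-modules-load.service"
      "systemd-udev-settle.service"
      "firewall.service"
    ];
    wantedBy = [ "multi-user.target" ];

    # Skip silently in containers where /proc/sys is read-only.
    unitConfig.ConditionPathIsReadWrite = "/proc/sys/kernel";

    serviceConfig = {
      Type = "oneshot";
      RemainAfterExit = true;
    };

    script = ''
      # kernel.modules_disabled is one-way: once set to 1 it cannot be cleared
      # until the next reboot, which is exactly the integrity property wanted.
      echo 1 > /proc/sys/kernel/modules_disabled
    '';
  };
}
```

After a reboot, `sysctl kernel.modules_disabled` should report `1`, and any later `modprobe` (for example of a module listed in the commit message as a known-vulnerable one) fails with "Operation not permitted" rather than loading code into the kernel. Because the knob cannot be reset, anything that needs a module after this point (a hotplugged device, a filesystem mounted later) must be added to `boot.kernelModules` or loaded by a unit ordered before this one.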
  2. Commit 6a5a572
  3. linux_hardened: init

    The rationale for this is to have a place to enable hardening features
    that are either too invasive or that may be speculative/yet proven to be
    worthwhile for general-purpose kernels.
    joachifm committed Apr 30, 2017
    Commit 62f2a1c
  4. Commit 8c98e8c
  5. tree-wide: prune some dead grsec leaves

    The beginning of pruning grsecurity/PaX from the tree.
    joachifm committed Apr 30, 2017
    Commit ab4fa1c
  6. nixos/tests: add tests for exercising various hardening features

    This test exercises the linux_hardened kernel along with the various
    hardening features (enabled via the hardened profile).
    
    Move hidepid test from misc, so that misc can go back to testing a vanilla
    configuration.
    joachifm committed Apr 30, 2017
    Commit ffa83ed
  7. nixos/hardened profile: disable hibernation

    Recommended by KSPP
    joachifm committed Apr 30, 2017
    Commit 1dd3ba9