base repository: NixOS/nixpkgs
base: 7ee05dff30a1
head repository: NixOS/nixpkgs
compare: 1dd3ba924bb7
- 7 commits
- 14 files changed
- 1 contributor
Commits on Apr 30, 2017
-
nixos: add option to lock kernel modules
Adds an option `security.lockKernelModules` that, when enabled, disables kernel module loading once the system reaches its normal operating state. The rationale for this over simply setting the sysctl knob is to allow some legitimate kernel module loading to occur; the naive solution breaks too much to be useful. The benefit to the user is to help ensure the integrity of the kernel runtime: only code loaded as part of normal system initialization will be available in the kernel for the duration of the boot session. This helps prevent injection of malicious code or unexpected loading of legitimate but normally unused modules that have exploitable bugs (e.g., DCCP use after free CVE-2017-6074, n_hdlc CVE-2017-2636, XFRM framework CVE-2017-7184, L2TPv3 CVE-2016-10200). From an aesthetic point of view, enabling this option helps make the configuration more "declarative". Closes #24681
SHA: 878ad1c
-
SHA: 6a5a572
-
The rationale for this is to have a place to enable hardening features that are either too invasive or that may be speculative/yet proven to be worthwhile for general-purpose kernels.
SHA: 62f2a1c
-
SHA: 8c98e8c
-
tree-wide: prune some dead grsec leaves
The beginning of pruning grsecurity/PaX from the tree.
SHA: ab4fa1c
-
nixos/tests: add tests for exercising various hardening features
This test exercises the linux_hardened kernel along with the various hardening features (enabled via the hardened profile). Move hidepid test from misc, so that misc can go back to testing a vanilla configuration.
SHA: ffa83ed
-
SHA: 1dd3ba9
This comparison is taking too long to generate.
Unfortunately it looks like we can’t render this comparison for you right now. It might be too big, or there might be something weird with your repository.
You can try running this command locally to see the comparison on your machine:
git diff 7ee05dff30a1...1dd3ba924bb7