nixpkgs/nixos/modules/security
Joachim Fasting 43fc394a5c
grsecurity module: disable EFI runtime services by default
Enabling EFI runtime services provides a venue for injecting code into
the kernel.

When grsecurity is enabled, we close this by default by disabling access
to EFI runtime services.  The upshot of this is that
/sys/firmware/efi/efivars will be unavailable by default (and attempts
to mount it will fail).

This is not strictly a grsecurity related option, it could be made into
a general option, but it seems to be of particular interest to
grsecurity users (for non-grsecurity users, there are other, more
immediate kernel injection attack dangers to contend with anyway).
2016-08-02 10:24:49 +02:00
..
acme.nix Escape all shell arguments uniformly 2016-06-12 18:11:37 +01:00
acme.xml acme: added option security.acme.preliminarySelfsigned (#15562) 2016-06-01 11:39:46 +01:00
apparmor-suid.nix apparmor-suid module: fix libcap lib output reference 2016-05-07 21:48:29 +02:00
apparmor.nix
audit.nix audit: Disable in containers 2016-01-26 16:25:40 +01:00
ca.nix cacert: fix formatting of example 2016-02-27 22:25:39 +13:00
duosec.nix
grsecurity.nix grsecurity module: disable EFI runtime services by default 2016-08-02 10:24:49 +02:00
hidepid.nix nixos: add optional process information hiding 2016-04-10 12:27:06 +02:00
oath.nix config.security.oath: new module 2016-02-25 13:52:45 +00:00
pam.nix nixos/i3lock-color: added to pam 2016-05-15 07:47:31 +02:00
pam_mount.nix
pam_usb.nix
polkit.nix nixos systemPackages: rework default outputs 2016-01-28 11:24:18 +01:00
prey.nix
rngd.nix
rtkit.nix
setuid-wrapper.c
setuid-wrappers.nix setuid-wrappers: remove config.system.path from the closure 2016-05-23 13:47:23 +01:00
sudo.nix