grsecurity: enable module hardening

This commit is contained in:
Joachim Fasting 2016-12-05 19:19:33 +01:00
parent 31d79afbe5
commit 0e765c72e5
No known key found for this signature in database
GPG key ID: 7544761007FE4E08
2 changed files with 6 additions and 7 deletions

@ -153,10 +153,6 @@
<listitem><para>Trusted path execution: a desirable feature, but
requires some more work to operate smoothly on NixOS.</para></listitem>
<listitem><para>Module hardening: would break user initiated module
loading. Might enable this at some point, depending on the potential
breakage.</para></listitem>
</itemizedlist>
</para></listitem>
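Review bot: dropping this wishlist entry is consistent with the option now being enabled, but the caveat it carried ("would break user initiated module loading") is the one thing users will actually run into, so it must not simply disappear from the manual; the second hunk of this file adds a limitations entry for exactly that, so the two hunks belong together and neither should land without the other. The remaining "Trusted path execution" item still reads correctly on its own after the removal.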
@ -292,6 +288,10 @@
<option>security.grsecurity.disableEfiRuntimeServices</option> to override
this behavior.</para></listitem>
<listitem><para>User initiated autoloading of modules (e.g., when
using fuse or loop devices) is disallowed; either load requisite modules
as root or add them to<option>boot.kernelModules</option>.</para></listitem>
<listitem><para>Virtualization: KVM is the preferred virtualization
solution. Xen, Virtualbox, and VMWare are
<emphasis>unsupported</emphasis> and most likely require a custom kernel.
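Review bot: missing space in the new text, "add them to<option>boot.kernelModules</option>" should read "add them to <option>boot.kernelModules</option>", otherwise the rendered manual runs the words together. Wording nit: "User initiated" and "user initiated" appear unhyphenated here while it is the compound adjective "user-initiated"; worth making it consistent with the rest of the section. Content-wise the entry is right to spell out both workarounds (load as root, or list the module in boot.kernelModules so it is present before any unprivileged trigger), since that is the behaviour the enabled option changes.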

@ -31,6 +31,8 @@ PAX_KERNEXEC_PLUGIN_METHOD_BTS y
GRKERNSEC_IO y
GRKERNSEC_SYSFS_RESTRICT y
GRKERNSEC_MODHARDEN y
# Disable protections rendered useless by redistribution
GRKERNSEC_HIDESYM n
GRKERNSEC_RANDSTRUCT n
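Review bot: the hunk header advertises two added lines (6 to 8) but only "GRKERNSEC_MODHARDEN y" is visible here; if the other line is a comment explaining the trade-off (blocks module autoloading triggered by unprivileged users, see the documentation change in this commit), good, since the neighbouring entries in this file carry such comments. If it is not, add one, because the old "n" setting documented its reason inline and the new "y" should too.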
@ -51,9 +53,6 @@ GRKERNSEC_FORKFAIL y
# Wishlist: support trusted path execution
GRKERNSEC_TPE n
# Wishlist: enable this, but breaks user initiated module loading
GRKERNSEC_MODHARDEN n
GRKERNSEC_SYSCTL y
GRKERNSEC_SYSCTL_DISTRO y
# Assume that appropriate sysctls are toggled once the system is up
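Review bot: removing "GRKERNSEC_MODHARDEN n" together with its wishlist comment is the right thing, otherwise the option would be set to both "y" and "n" in the same fragment and the effective value would depend on how the config is merged; please double-check that no other GRKERNSEC_MODHARDEN line remains elsewhere in this file that could still override the new "y". The remaining "# Wishlist: support trusted path execution" and "GRKERNSEC_TPE n" lines are untouched and still match the documentation's wishlist entry.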