43fc394a5c
Enabling EFI runtime services provides a venue for injecting code into the kernel. When grsecurity is enabled, we close this by default by disabling access to EFI runtime services. The upshot of this is that /sys/firmware/efi/efivars will be unavailable by default (and attempts to mount it will fail). This is not strictly a grsecurity related option, it could be made into a general option, but it seems to be of particular interest to grsecurity users (for non-grsecurity users, there are other, more immediate kernel injection attack dangers to contend with anyway). |
||
---|---|---|
.. | ||
config | ||
hardware | ||
i18n/input-method | ||
installer | ||
misc | ||
profiles | ||
programs | ||
security | ||
services | ||
system | ||
tasks | ||
testing | ||
virtualisation | ||
module-list.nix | ||
rename.nix |