2017-04-06 07:12:21 -07:00
|
|
|
{ config, lib, ... }:
|
|
|
|
|
|
|
|
with lib;
|
|
|
|
|
|
|
|
{
|
|
|
|
options = {
|
|
|
|
security.lockKernelModules = mkOption {
|
|
|
|
type = types.bool;
|
|
|
|
default = false;
|
|
|
|
description = ''
|
|
|
|
Disable kernel module loading once the system is fully initialised.
|
|
|
|
Module loading is disabled until the next reboot. Problems caused
|
|
|
|
by delayed module loading can be fixed by adding the module(s) in
|
|
|
|
question to <option>boot.kernelModules</option>.
|
|
|
|
'';
|
|
|
|
};
|
|
|
|
};
|
|
|
|
|
|
|
|
config = mkIf config.security.lockKernelModules {
|
|
|
|
systemd.services.disable-kernel-module-loading = rec {
|
|
|
|
description = "Disable kernel module loading";
|
|
|
|
|
|
|
|
wantedBy = [ config.systemd.defaultUnit ];
|
|
|
|
|
2017-09-09 16:10:29 -07:00
|
|
|
after = [ "systemd-udev-settle.service" "firewall.service" "systemd-modules-load.service" ] ++ wantedBy;
|
2017-04-06 07:12:21 -07:00
|
|
|
|
2017-04-30 05:42:15 -07:00
|
|
|
unitConfig.ConditionPathIsReadWrite = "/proc/sys/kernel";
|
2017-04-06 07:12:21 -07:00
|
|
|
|
|
|
|
serviceConfig = {
|
|
|
|
Type = "oneshot";
|
|
|
|
RemainAfterExit = true;
|
2017-09-09 16:10:29 -07:00
|
|
|
ExecStart = "/bin/sh -c 'echo -n 1 >/proc/sys/kernel/modules_disabled'";
|
2017-04-06 07:12:21 -07:00
|
|
|
};
|
|
|
|
};
|
|
|
|
};
|
|
|
|
}
|