public/nixpkgs
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
nixpkgs/nixos/modules/security
History
Joachim Fasting 43fc394a5c
grsecurity module: disable EFI runtime services by default 
Enabling EFI runtime services provides a venue for injecting code into
the kernel.

When grsecurity is enabled, we close this by default by disabling access
to EFI runtime services.  The upshot of this is that
/sys/firmware/efi/efivars will be unavailable by default (and attempts
to mount it will fail).

This is not strictly a grsecurity related option, it could be made into
a general option, but it seems to be of particular interest to
grsecurity users (for non-grsecurity users, there are other, more
immediate kernel injection attack dangers to contend with anyway).
2016-08-02 10:24:49 +02:00
..
acme.nix
Escape all shell arguments uniformly
2016-06-12 18:11:37 +01:00
acme.xml
acme: added option security.acme.preliminarySelfsigned (#15562)
2016-06-01 11:39:46 +01:00
apparmor-suid.nix
apparmor-suid module: fix libcap lib output reference
2016-05-07 21:48:29 +02:00
apparmor.nix
nixos: add AppArmor PAM support
2015-07-15 12:40:06 +02:00
audit.nix
audit: Disable in containers
2016-01-26 16:25:40 +01:00
ca.nix
cacert: fix formatting of example
2016-02-27 22:25:39 +13:00
duosec.nix
Fix user-facing typos (mainly in descriptions)
2014-12-30 03:31:03 +01:00
grsecurity.nix
grsecurity module: disable EFI runtime services by default
2016-08-02 10:24:49 +02:00
hidepid.nix
nixos: add optional process information hiding
2016-04-10 12:27:06 +02:00
oath.nix
config.security.oath: new module
2016-02-25 13:52:45 +00:00
pam_mount.nix
pam_mount module: integrate pam_mount into PAM of NixOS
2015-07-04 23:42:31 +02:00
pam_usb.nix
Rewrite ‘with pkgs.lib’ -> ‘with lib’
2014-04-14 16:26:48 +02:00
pam.nix
nixos/i3lock-color: added to pam
2016-05-15 07:47:31 +02:00
polkit.nix
nixos systemPackages: rework default outputs
2016-01-28 11:24:18 +01:00
prey.nix
nixos: fix some types
2015-09-18 18:48:50 +00:00
rngd.nix
nixos/rngd: some fixes
2015-01-06 17:27:07 +03:00
rtkit.nix
rtkit: Update from 0.10 to 0.11
2014-04-21 23:22:10 +02:00
setuid-wrapper.c
setuid-wrapper: Fix broken string comparison
2014-04-19 10:58:30 +02:00
setuid-wrappers.nix
setuid-wrappers: remove config.system.path from the closure
2016-05-23 13:47:23 +01:00
sudo.nix
sg: add setuid wrapper. (newgrp is a symlink to sg and was already setuid).
2015-03-30 23:50:45 +01:00