878ad1ce6e
Adds an option `security.lockKernelModules` that, when enabled, disables kernel module loading once the system reaches its normal operating state. The rationale for this over simply setting the sysctl knob is to allow some legitmate kernel module loading to occur; the naive solution breaks too much to be useful. The benefit to the user is to help ensure the integrity of the kernel runtime: only code loaded as part of normal system initialization will be available in the kernel for the duration of the boot session. This helps prevent injection of malicious code or unexpected loading of legitimate but normally unused modules that have exploitable bugs (e.g., DCCP use after free CVE-2017-6074, n_hldc CVE-2017-2636, XFRM framework CVE-2017-7184, L2TPv3 CVE-2016-10200). From an aestethic point of view, enabling this option helps make the configuration more "declarative". Closes https://github.com/NixOS/nixpkgs/pull/24681
Nixpkgs is a collection of packages for the Nix package manager. It is periodically built and tested by the hydra build daemon as so-called channels. To get channel information via git, add nixpkgs-channels as a remote:
% git remote add channels git://github.com/NixOS/nixpkgs-channels.git
For stability and maximum binary package support, it is recommended to maintain
custom changes on top of one of the channels, e.g. nixos-17.03 for the latest
release and nixos-unstable for the latest successful build of master:
% git remote update channels
% git rebase channels/nixos-17.03
For pull-requests, please rebase onto nixpkgs master.
NixOS linux distribution source code is located inside
nixos/ folder.
- NixOS installation instructions
- Documentation (Nix Expression Language chapter)
- Manual (How to write packages for Nix)
- Manual (NixOS)
- Nix Wiki (deprecated, see milestone "Move the Wiki!")
- Continuous package builds for unstable/master
- Continuous package builds for 17.03 release
- Tests for unstable/master
- Tests for 17.03 release
Communication: