alioth/nixpkgs
3
0
Fork 0
forked from mirrors/nixpkgs
Code Releases Activity
90204 commits 217 branches 121 tags 4.5 GiB
Commit graph

5 commits

Author SHA1 Message Date
Joachim Fasting dab32a1fa6
nixos manual: move chapter on grsecurity to auto-generated module docs 2016-08-29 23:48:12 +02:00
Joachim Fasting f9c3076e58
grsecurity docs: mention chromium setuid sandbox 2016-08-15 20:36:47 +02:00
Joachim Fasting 567640d80c
grsecurity docs: add note about user namespaces 2016-08-15 20:36:46 +02:00
Joachim Fasting 43fc394a5c
grsecurity module: disable EFI runtime services by default 
Enabling EFI runtime services provides a venue for injecting code into
the kernel.

When grsecurity is enabled, we close this by default by disabling access
to EFI runtime services.  The upshot of this is that
/sys/firmware/efi/efivars will be unavailable by default (and attempts
to mount it will fail).

This is not strictly a grsecurity related option, it could be made into
a general option, but it seems to be of particular interest to
grsecurity users (for non-grsecurity users, there are other, more
immediate kernel injection attack dangers to contend with anyway).
 2016-08-02 10:24:49 +02:00
Joachim Fasting 190890cdac
nixos manual: add chapter on grsecurity/PaX 
Explain the "what", "why", and "how" of grsecurity/PaX
on NixOS.
 2016-07-23 19:09:43 +02:00