nixpkgs

mirror of https://github.com/SebastianWendel/nixpkgs.git synced 2024-09-20 12:29:02 +02:00

History

Joachim Fasting 43fc394a5c grsecurity module: disable EFI runtime services by default Enabling EFI runtime services provides a venue for injecting code into the kernel. When grsecurity is enabled, we close this by default by disabling access to EFI runtime services. The upshot of this is that /sys/firmware/efi/efivars will be unavailable by default (and attempts to mount it will fail). This is not strictly a grsecurity related option, it could be made into a general option, but it seems to be of particular interest to grsecurity users (for non-grsecurity users, there are other, more immediate kernel injection attack dangers to contend with anyway).	2016-08-02 10:24:49 +02:00
..
manual	grsecurity module: disable EFI runtime services by default	2016-08-02 10:24:49 +02:00

Joachim Fasting 43fc394a5c

grsecurity module: disable EFI runtime services by default

Enabling EFI runtime services provides a venue for injecting code into
the kernel.

When grsecurity is enabled, we close this by default by disabling access
to EFI runtime services.  The upshot of this is that
/sys/firmware/efi/efivars will be unavailable by default (and attempts
to mount it will fail).

This is not strictly a grsecurity related option, it could be made into
a general option, but it seems to be of particular interest to
grsecurity users (for non-grsecurity users, there are other, more
immediate kernel injection attack dangers to contend with anyway).

2016-08-02 10:24:49 +02:00

manual

grsecurity module: disable EFI runtime services by default

2016-08-02 10:24:49 +02:00