JakeHillion/nixpkgs
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
106,396 Commits 1 Branch 0 Tags 12 GiB
Nix 95.4%
Shell 2%
Python 1.3%
Perl 0.3%
C 0.2%
Other 0.3%
878ad1ce6e
Go to file
Joachim Fasting 878ad1ce6e
nixos: add option to lock kernel modules 
Adds an option `security.lockKernelModules` that, when enabled, disables
kernel module loading once the system reaches its normal operating state.

The rationale for this over simply setting the sysctl knob is to allow
some legitmate kernel module loading to occur; the naive solution breaks
too much to be useful.

The benefit to the user is to help ensure the integrity of the kernel
runtime: only code loaded as part of normal system initialization will be
available in the kernel for the duration of the boot session.  This helps
prevent injection of malicious code or unexpected loading of legitimate
but normally unused modules that have exploitable bugs (e.g., DCCP use
after free CVE-2017-6074, n_hldc CVE-2017-2636, XFRM framework
CVE-2017-7184, L2TPv3 CVE-2016-10200).

From an aestethic point of view, enabling this option helps make the
configuration more "declarative".

Closes https://github.com/NixOS/nixpkgs/pull/24681
2017-04-30 12:05:37 +02:00
.github CONTRIBUTING.md: improve commit message guidelines 2017-02-06 22:26:32 +02:00
doc nixpkgs manual: Remove obsolete warning (#21117) 2017-04-23 22:40:35 +02:00
lib lib platform parsing: Fix windows 2017-04-27 14:30:42 -04:00
maintainers/scripts all-tarballs: fixup evaluation (and the tarball job) 2017-04-14 10:31:31 +02:00
nixos nixos: add option to lock kernel modules 2017-04-30 12:05:37 +02:00
pkgs Merge: efl: 1.18.x -> 1.19.0 (close #25095) 2017-04-30 11:36:36 +02:00
.editorconfig Do not trim trailing whitespace in patch files 2017-01-12 23:44:26 +01:00
.gitignore kde5: consolidate packages into desktops/kde-5 2016-03-01 10:36:00 -06:00
.mention-bot Remove bbenoist from maintainers 2017-03-23 03:03:04 +01:00
.travis.yml Fix a missed sudo: true line 2017-03-24 16:38:42 +00:00
.version version: it's 17.09 not 17.10 2017-02-27 20:46:35 +01:00
COPYING Time passing by 2017-01-01 21:35:52 +01:00
default.nix default.nix: Provide correct instructions how to upgrade Nix 2017-03-18 21:04:07 +02:00
README.md docs: 16.09 -> 17.03 2017-03-30 17:36:44 +02:00

README.md

logo

Build Status Code Triagers Badge

Nixpkgs is a collection of packages for the Nix package manager. It is periodically built and tested by the hydra build daemon as so-called channels. To get channel information via git, add nixpkgs-channels as a remote:

% git remote add channels git://github.com/NixOS/nixpkgs-channels.git

For stability and maximum binary package support, it is recommended to maintain custom changes on top of one of the channels, e.g. nixos-17.03 for the latest release and nixos-unstable for the latest successful build of master:

% git remote update channels
% git rebase channels/nixos-17.03

For pull-requests, please rebase onto nixpkgs master.

NixOS linux distribution source code is located inside nixos/ folder.

Communication: