linux/common-config: restrict access to dmesg
`SECURITY_DMESG_RESTRICT` is enabled by default by a lot of other distributions for a quite a while now, NixOS is a bit of an outlier. The main justification to enable it is that kernel log might leak kernel pointers which can then be used by exploits to defeat KASLR (NixOS also enables `kernel.kptr_restrict` by default since 2013).
This commit is contained in:
parent
391f0616a8
commit
e54753495c
@ -262,6 +262,9 @@
|
||||
The derivation now installs "impl" headers selectively instead of by a wildcard.
|
||||
Use `imgui.src` if you just want to access the unpacked sources.
|
||||
|
||||
- Unprivileged access to the kernel syslog via `dmesg` is now restricted by default. Users wanting to keep an
|
||||
unrestricted access to it can set `boot.kernel.sysctl."kernel.dmesg_restrict" = false`.
|
||||
|
||||
- The `i18n.inputMethod` module introduces two new properties:
|
||||
`enable` and `type`, for declaring whether to enable an alternative input method and defining which input method respectfully. The options available in `type` are the same as the existing `enabled` option. `enabled` is now deprecated, and will be removed in a future release.
|
||||
|
||||
|
@ -702,6 +702,8 @@ let
|
||||
SECURITY_APPARMOR = yes;
|
||||
DEFAULT_SECURITY_APPARMOR = yes;
|
||||
|
||||
SECURITY_DMESG_RESTRICT = yes;
|
||||
|
||||
RANDOM_TRUST_CPU = whenOlder "6.2" yes; # allow RDRAND to seed the RNG
|
||||
RANDOM_TRUST_BOOTLOADER = whenOlder "6.2" (whenAtLeast "5.4" yes); # allow the bootloader to seed the RNG
|
||||
|
||||
|
Loading…
Reference in New Issue
Block a user