linux/common-config: restrict access to dmesg

`SECURITY_DMESG_RESTRICT` is enabled by default by a lot of
other distributions for a quite a while now, NixOS is a bit of an outlier.
The main justification to enable it is that kernel log might leak kernel
pointers which can then be used by exploits to defeat KASLR (NixOS also
enables `kernel.kptr_restrict` by default since 2013).
This commit is contained in:
Thomas Gerbet 2024-05-31 14:24:56 +02:00 committed by John Titor
parent 391f0616a8
commit e54753495c
No known key found for this signature in database
GPG Key ID: 29B0514F4E3C1CC0
2 changed files with 5 additions and 0 deletions

View File

@ -262,6 +262,9 @@
The derivation now installs "impl" headers selectively instead of by a wildcard.
Use `imgui.src` if you just want to access the unpacked sources.
- Unprivileged access to the kernel syslog via `dmesg` is now restricted by default. Users wanting to keep an
unrestricted access to it can set `boot.kernel.sysctl."kernel.dmesg_restrict" = false`.
- The `i18n.inputMethod` module introduces two new properties:
`enable` and `type`, for declaring whether to enable an alternative input method and defining which input method respectfully. The options available in `type` are the same as the existing `enabled` option. `enabled` is now deprecated, and will be removed in a future release.

View File

@ -702,6 +702,8 @@ let
SECURITY_APPARMOR = yes;
DEFAULT_SECURITY_APPARMOR = yes;
SECURITY_DMESG_RESTRICT = yes;
RANDOM_TRUST_CPU = whenOlder "6.2" yes; # allow RDRAND to seed the RNG
RANDOM_TRUST_BOOTLOADER = whenOlder "6.2" (whenAtLeast "5.4" yes); # allow the bootloader to seed the RNG