hardened-config: enable read-only LSM hooks

Implies that SELinux can no longer be disabled at runtime (only at boot
time, via selinux=0).

See https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=dd0859dccbe291cf8179a96390f5c0e45cb9af1d

pkgs/os-specific/linux/kernel/hardened-config.nix
··· 46 46 DEBUG_SET_MODULE_RONX y 47 47 ''} 48 48 49 + # Mark LSM hooks read-only after init. Conflicts with SECURITY_SELINUX_DISABLE 50 + # (disabling SELinux at runtime); hence, SELinux can only be disabled at boot 51 + # via the selinux=0 boot parameter. 52 + ${optionalString (versionAtLeast version "4.12") '' 53 + SECURITY_SELINUX_DISABLE n 54 + SECURITY_WRITABLE_HOOKS n 55 + ''} 56 + 49 57 DEBUG_WX y # boot-time warning on RWX mappings 50 58 51 59 # Stricter /dev/mem
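Review bot: SECURITY_WRITABLE_HOOKS is not a user-selectable symbol in the referenced upstream commit (it is a def_bool n that SECURITY_SELINUX_DISABLE selects), so the explicit `SECURITY_WRITABLE_HOOKS n` line in this hunk is redundant once `SECURITY_SELINUX_DISABLE n` is set; please verify that the NixOS config generator accepts an answer for a non-visible option, or drop the line and let the SELINUX_DISABLE setting carry the hardening. A second, smaller point: the versionAtLeast "4.12" guard is only needed for SECURITY_WRITABLE_HOOKS; SECURITY_SELINUX_DISABLE predates 4.12, so moving that line outside the guard would give the same runtime-disable protection on the older hardened kernels as well. The comment text is accurate and matches the selinux=0 note in the commit message.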