Diffstat (limited to 'nixos/modules/security/grsecurity.nix')
-rw-r--r-- | nixos/modules/security/grsecurity.nix | 30 |
1 files changed, 30 insertions, 0 deletions
diff --git a/nixos/modules/security/grsecurity.nix b/nixos/modules/security/grsecurity.nix
index 11668162808fb..3f24118ea1cbc 100644
--- a/nixos/modules/security/grsecurity.nix
+++ b/nixos/modules/security/grsecurity.nix
@@ -126,6 +126,19 @@ in
 '';
 };
 
+ denyChrootCaps = mkOption {
+ type = types.bool;
+ default = false;
+ description = ''
+ Whether to lower capabilities of all processes within a chroot,
+ preventing commands that require <literal>CAP_SYS_ADMIN</literal>.
+
+ This protection is disabled by default because it breaks
+ <literal>nixos-rebuild</literal>. Whenever possible, it is
+ highly recommended to enable this protection.
+ '';
+ };
+
 denyUSB = mkOption {
 type = types.bool;
 default = false;
@@ -194,6 +207,23 @@ in
 '';
 };
 
+ disableSimultConnect = mkOption {
+ type = types.bool;
+ default = false;
+ description = ''
+ Disable TCP simultaneous connect. The TCP simultaneous connect
+ feature allows two clients to connect without either of them
+ entering the listening state. This feature of the TCP specification
+ is claimed to enable an attacker to deny the target access to a given
+ server by guessing the source port the target would use to make the
+ connection.
+
+ This option is OFF by default because TCP simultaneous connect has
+ some legitimate uses. Enable this option if you know what this TCP
+ feature is for and know that you do not need it.
+ '';
+ };
+
 verboseVersion = mkOption {
 type = types.bool;
 default = false;
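Review bot: The description of `denyChrootCaps` under-specifies what the option does: "lower capabilities" names only `CAP_SYS_ADMIN`, while the option name (and, if this maps onto grsecurity's chroot capability restriction, the kernel feature itself) drops a broader set of capabilities from every process that has called chroot(2). I would reword the first sentence to `Whether to drop a set of dangerous capabilities (including <literal>CAP_SYS_ADMIN</literal>) from all processes running inside a chroot.` so an operator does not assume only one capability is affected. The description should also state where the setting takes effect (the sysctl or kernel parameter it controls) and whether it can be relaxed at runtime, since the hunk only declares the option and its wiring is outside this diff. Finally, "it breaks nixos-rebuild" deserves one sentence on the workaround (build elsewhere, or enable it only after the system is deployed), otherwise "highly recommended" is advice a NixOS admin cannot follow.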
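Review bot: The description of `disableSimultConnect` says simultaneous connect "has some legitimate uses" without naming one, which leaves the reader unable to judge whether the option is safe for their host. I would make the trade-off concrete: `This option is OFF by default because TCP simultaneous open has legitimate uses, notably NAT traversal (TCP hole punching) between peers that are both behind NAT; enable it on servers and workstations that never rely on such peer-to-peer setups.` It would also help to note that the setting is system-wide and affects all TCP sockets, not a per-application control, and — as with the other options in this module — to name the sysctl or kernel knob it drives, which is not visible in this hunk. The option is only declared here; the code that applies it lies outside the diff.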