nixpkgs/nixos/modules/security/lock-kernel-modules.nix

{ config, lib, ... }:

with lib;

{
  meta = {
    maintainers = [ maintainers.joachifm ];
  };

  options = {
    security.lockKernelModules = mkOption {
      type = types.bool;
      default = false;
      description = ''
        Disable kernel module loading once the system is fully initialised.
        Module loading is disabled until the next reboot. Problems caused
        by delayed module loading can be fixed by adding the module(s) in
        question to {option}`boot.kernelModules`.
      '';
    };
  };

  config = mkIf config.security.lockKernelModules {
    boot.kernelModules = concatMap (x:
      optionals (x.device != null) (
        if x.fsType == "vfat"
        then [ "vfat" "nls-cp437" "nls-iso8859-1" ]
        else [ x.fsType ])
      ) config.system.build.fileSystems;

    systemd.services.disable-kernel-module-loading = {
      description = "Disable kernel module loading";

      wants = [ "systemd-udevd.service" ];
      wantedBy = [ config.systemd.defaultUnit ];

      after =
        [ "firewall.service"
          "systemd-modules-load.service"
           config.systemd.defaultUnit
        ];

      unitConfig.ConditionPathIsReadWrite = "/proc/sys/kernel";

      serviceConfig =
        { Type = "oneshot";
          RemainAfterExit = true;
          TimeoutSec = 180;
        };

      script = ''
        ${config.systemd.package}/bin/udevadm settle
        echo -n 1 >/proc/sys/kernel/modules_disabled
      '';
    };
  };
}
treewide: replace broken udev paths with systemd 2023-11-21 14:09:31 +00:00			`{ config, lib, ... }:`
nixos: add option to lock kernel modules Adds an option `security.lockKernelModules` that, when enabled, disables kernel module loading once the system reaches its normal operating state. The rationale for this over simply setting the sysctl knob is to allow some legitmate kernel module loading to occur; the naive solution breaks too much to be useful. The benefit to the user is to help ensure the integrity of the kernel runtime: only code loaded as part of normal system initialization will be available in the kernel for the duration of the boot session. This helps prevent injection of malicious code or unexpected loading of legitimate but normally unused modules that have exploitable bugs (e.g., DCCP use after free CVE-2017-6074, n_hldc CVE-2017-2636, XFRM framework CVE-2017-7184, L2TPv3 CVE-2016-10200). From an aestethic point of view, enabling this option helps make the configuration more "declarative". Closes https://github.com/NixOS/nixpkgs/pull/24681 2017-04-06 14:12:21 +00:00
			`with lib;`

			`{`
nixos/lock-kernel-modules: add myself to maintainers 2018-10-14 20:42:01 +00:00			`meta = {`
			`maintainers = [ maintainers.joachifm ];`
			`};`

nixos: add option to lock kernel modules Adds an option `security.lockKernelModules` that, when enabled, disables kernel module loading once the system reaches its normal operating state. The rationale for this over simply setting the sysctl knob is to allow some legitmate kernel module loading to occur; the naive solution breaks too much to be useful. The benefit to the user is to help ensure the integrity of the kernel runtime: only code loaded as part of normal system initialization will be available in the kernel for the duration of the boot session. This helps prevent injection of malicious code or unexpected loading of legitimate but normally unused modules that have exploitable bugs (e.g., DCCP use after free CVE-2017-6074, n_hldc CVE-2017-2636, XFRM framework CVE-2017-7184, L2TPv3 CVE-2016-10200). From an aestethic point of view, enabling this option helps make the configuration more "declarative". Closes https://github.com/NixOS/nixpkgs/pull/24681 2017-04-06 14:12:21 +00:00			`options = {`
			`security.lockKernelModules = mkOption {`
			`type = types.bool;`
			`default = false;`
nixos/security: invariant option docs MD conversions 2022-07-20 10:32:04 +00:00			`description = ''`
nixos: add option to lock kernel modules Adds an option `security.lockKernelModules` that, when enabled, disables kernel module loading once the system reaches its normal operating state. The rationale for this over simply setting the sysctl knob is to allow some legitmate kernel module loading to occur; the naive solution breaks too much to be useful. The benefit to the user is to help ensure the integrity of the kernel runtime: only code loaded as part of normal system initialization will be available in the kernel for the duration of the boot session. This helps prevent injection of malicious code or unexpected loading of legitimate but normally unused modules that have exploitable bugs (e.g., DCCP use after free CVE-2017-6074, n_hldc CVE-2017-2636, XFRM framework CVE-2017-7184, L2TPv3 CVE-2016-10200). From an aestethic point of view, enabling this option helps make the configuration more "declarative". Closes https://github.com/NixOS/nixpkgs/pull/24681 2017-04-06 14:12:21 +00:00			`Disable kernel module loading once the system is fully initialised.`
nixos/lock-kernel-modules: use `udevadm settle` Instead of relying on systemd-udev-settle, which is deprecated, directly call `udevamd settle` to wait for hardware to settle. 2021-09-15 11:43:26 +00:00			`Module loading is disabled until the next reboot. Problems caused`
nixos: add option to lock kernel modules Adds an option `security.lockKernelModules` that, when enabled, disables kernel module loading once the system reaches its normal operating state. The rationale for this over simply setting the sysctl knob is to allow some legitmate kernel module loading to occur; the naive solution breaks too much to be useful. The benefit to the user is to help ensure the integrity of the kernel runtime: only code loaded as part of normal system initialization will be available in the kernel for the duration of the boot session. This helps prevent injection of malicious code or unexpected loading of legitimate but normally unused modules that have exploitable bugs (e.g., DCCP use after free CVE-2017-6074, n_hldc CVE-2017-2636, XFRM framework CVE-2017-7184, L2TPv3 CVE-2016-10200). From an aestethic point of view, enabling this option helps make the configuration more "declarative". Closes https://github.com/NixOS/nixpkgs/pull/24681 2017-04-06 14:12:21 +00:00			`by delayed module loading can be fixed by adding the module(s) in`
nixos/security: invariant option docs MD conversions 2022-07-20 10:32:04 +00:00			question to {option}`boot.kernelModules`.
nixos: add option to lock kernel modules Adds an option `security.lockKernelModules` that, when enabled, disables kernel module loading once the system reaches its normal operating state. The rationale for this over simply setting the sysctl knob is to allow some legitmate kernel module loading to occur; the naive solution breaks too much to be useful. The benefit to the user is to help ensure the integrity of the kernel runtime: only code loaded as part of normal system initialization will be available in the kernel for the duration of the boot session. This helps prevent injection of malicious code or unexpected loading of legitimate but normally unused modules that have exploitable bugs (e.g., DCCP use after free CVE-2017-6074, n_hldc CVE-2017-2636, XFRM framework CVE-2017-7184, L2TPv3 CVE-2016-10200). From an aestethic point of view, enabling this option helps make the configuration more "declarative". Closes https://github.com/NixOS/nixpkgs/pull/24681 2017-04-06 14:12:21 +00:00			`'';`
			`};`
			`};`

			`config = mkIf config.security.lockKernelModules {`
nixos/lock-kernel-modules: fix deferred fileSystem mounts Ensure that modules required by all declared fileSystems are explicitly loaded. A little ugly but fixes the deferred mount test. See also https://github.com/NixOS/nixpkgs/issues/29019 2017-09-22 21:45:04 +00:00			`boot.kernelModules = concatMap (x:`
treewide: use optional instead of 'then []' 2023-06-25 09:47:43 +00:00			`optionals (x.device != null) (`
			`if x.fsType == "vfat"`
			`then [ "vfat" "nls-cp437" "nls-iso8859-1" ]`
			`else [ x.fsType ])`
			`) config.system.build.fileSystems;`
nixos/lock-kernel-modules: fix deferred fileSystem mounts Ensure that modules required by all declared fileSystems are explicitly loaded. A little ugly but fixes the deferred mount test. See also https://github.com/NixOS/nixpkgs/issues/29019 2017-09-22 21:45:04 +00:00
nixos/lock-kernel-modules: use `udevadm settle` Instead of relying on systemd-udev-settle, which is deprecated, directly call `udevamd settle` to wait for hardware to settle. 2021-09-15 11:43:26 +00:00			`systemd.services.disable-kernel-module-loading = {`
nixos: add option to lock kernel modules Adds an option `security.lockKernelModules` that, when enabled, disables kernel module loading once the system reaches its normal operating state. The rationale for this over simply setting the sysctl knob is to allow some legitmate kernel module loading to occur; the naive solution breaks too much to be useful. The benefit to the user is to help ensure the integrity of the kernel runtime: only code loaded as part of normal system initialization will be available in the kernel for the duration of the boot session. This helps prevent injection of malicious code or unexpected loading of legitimate but normally unused modules that have exploitable bugs (e.g., DCCP use after free CVE-2017-6074, n_hldc CVE-2017-2636, XFRM framework CVE-2017-7184, L2TPv3 CVE-2016-10200). From an aestethic point of view, enabling this option helps make the configuration more "declarative". Closes https://github.com/NixOS/nixpkgs/pull/24681 2017-04-06 14:12:21 +00:00			`description = "Disable kernel module loading";`

nixos/lock-kernel-modules: use `udevadm settle` Instead of relying on systemd-udev-settle, which is deprecated, directly call `udevamd settle` to wait for hardware to settle. 2021-09-15 11:43:26 +00:00			`wants = [ "systemd-udevd.service" ];`
nixos: add option to lock kernel modules Adds an option `security.lockKernelModules` that, when enabled, disables kernel module loading once the system reaches its normal operating state. The rationale for this over simply setting the sysctl knob is to allow some legitmate kernel module loading to occur; the naive solution breaks too much to be useful. The benefit to the user is to help ensure the integrity of the kernel runtime: only code loaded as part of normal system initialization will be available in the kernel for the duration of the boot session. This helps prevent injection of malicious code or unexpected loading of legitimate but normally unused modules that have exploitable bugs (e.g., DCCP use after free CVE-2017-6074, n_hldc CVE-2017-2636, XFRM framework CVE-2017-7184, L2TPv3 CVE-2016-10200). From an aestethic point of view, enabling this option helps make the configuration more "declarative". Closes https://github.com/NixOS/nixpkgs/pull/24681 2017-04-06 14:12:21 +00:00			`wantedBy = [ config.systemd.defaultUnit ];`

nixos/lock-kernel-modules: use `udevadm settle` Instead of relying on systemd-udev-settle, which is deprecated, directly call `udevamd settle` to wait for hardware to settle. 2021-09-15 11:43:26 +00:00			`after =`
			`[ "firewall.service"`
			`"systemd-modules-load.service"`
nixos/lock-kernel-modules: reorder before/after Moving the service before multi-user.target (so the `hardened` test continue to work the way it did before) can result in locking the kernel too early. It's better to lock it a bit later and changing the test to wait specifically for the disable-kernel-module-loading.service. 2021-09-19 10:02:24 +00:00			`config.systemd.defaultUnit`
nixos/lock-kernel-modules: use `udevadm settle` Instead of relying on systemd-udev-settle, which is deprecated, directly call `udevamd settle` to wait for hardware to settle. 2021-09-15 11:43:26 +00:00			`];`
nixos: add option to lock kernel modules Adds an option `security.lockKernelModules` that, when enabled, disables kernel module loading once the system reaches its normal operating state. The rationale for this over simply setting the sysctl knob is to allow some legitmate kernel module loading to occur; the naive solution breaks too much to be useful. The benefit to the user is to help ensure the integrity of the kernel runtime: only code loaded as part of normal system initialization will be available in the kernel for the duration of the boot session. This helps prevent injection of malicious code or unexpected loading of legitimate but normally unused modules that have exploitable bugs (e.g., DCCP use after free CVE-2017-6074, n_hldc CVE-2017-2636, XFRM framework CVE-2017-7184, L2TPv3 CVE-2016-10200). From an aestethic point of view, enabling this option helps make the configuration more "declarative". Closes https://github.com/NixOS/nixpkgs/pull/24681 2017-04-06 14:12:21 +00:00
nixos/lock-kernel-modules: fix typo in unitConfig I managed to miss this one somehow ... meh 2017-04-30 12:42:15 +00:00			`unitConfig.ConditionPathIsReadWrite = "/proc/sys/kernel";`
nixos: add option to lock kernel modules Adds an option `security.lockKernelModules` that, when enabled, disables kernel module loading once the system reaches its normal operating state. The rationale for this over simply setting the sysctl knob is to allow some legitmate kernel module loading to occur; the naive solution breaks too much to be useful. The benefit to the user is to help ensure the integrity of the kernel runtime: only code loaded as part of normal system initialization will be available in the kernel for the duration of the boot session. This helps prevent injection of malicious code or unexpected loading of legitimate but normally unused modules that have exploitable bugs (e.g., DCCP use after free CVE-2017-6074, n_hldc CVE-2017-2636, XFRM framework CVE-2017-7184, L2TPv3 CVE-2016-10200). From an aestethic point of view, enabling this option helps make the configuration more "declarative". Closes https://github.com/NixOS/nixpkgs/pull/24681 2017-04-06 14:12:21 +00:00
nixos/lock-kernel-modules: use `udevadm settle` Instead of relying on systemd-udev-settle, which is deprecated, directly call `udevamd settle` to wait for hardware to settle. 2021-09-15 11:43:26 +00:00			`serviceConfig =`
			`{ Type = "oneshot";`
			`RemainAfterExit = true;`
			`TimeoutSec = 180;`
			`};`

			`script = ''`
treewide: replace broken udev paths with systemd 2023-11-21 14:09:31 +00:00			`${config.systemd.package}/bin/udevadm settle`
nixos/lock-kernel-modules: use `udevadm settle` Instead of relying on systemd-udev-settle, which is deprecated, directly call `udevamd settle` to wait for hardware to settle. 2021-09-15 11:43:26 +00:00			`echo -n 1 >/proc/sys/kernel/modules_disabled`
			`'';`
nixos: add option to lock kernel modules Adds an option `security.lockKernelModules` that, when enabled, disables kernel module loading once the system reaches its normal operating state. The rationale for this over simply setting the sysctl knob is to allow some legitmate kernel module loading to occur; the naive solution breaks too much to be useful. The benefit to the user is to help ensure the integrity of the kernel runtime: only code loaded as part of normal system initialization will be available in the kernel for the duration of the boot session. This helps prevent injection of malicious code or unexpected loading of legitimate but normally unused modules that have exploitable bugs (e.g., DCCP use after free CVE-2017-6074, n_hldc CVE-2017-2636, XFRM framework CVE-2017-7184, L2TPv3 CVE-2016-10200). From an aestethic point of view, enabling this option helps make the configuration more "declarative". Closes https://github.com/NixOS/nixpkgs/pull/24681 2017-04-06 14:12:21 +00:00			`};`
			`};`
			`}`