grsecurity: Add denyUSB option to grsec NixOS module

The option had been added to the grsec build-support code, but it hadn't been added to the grsec module. After this commit, grsec module users will be able to change the default value. It also serves to document that this option exists and that NixOS will disable it by default.
2015-01-19 18:11:54 +01:00 · 2015-01-19 18:11:54 +01:00 · a11dc2f0a3
commit a11dc2f0a3
parent 1df8208839
1 changed files with 18 additions and 0 deletions
--- a/nixos/modules/security/grsecurity.nix
+++ b/nixos/modules/security/grsecurity.nix
@ -156,6 +156,24 @@ in
          '';
        };

+        denyUSB = mkOption {
+          type = types.bool;
+          default = false;
+          description = ''
+            If true, then set <literal>GRKERNSEC_DENYUSB y</literal>.
+
+            This enables a sysctl with name
+            <literal>kernel.grsecurity.deny_new_usb</literal>. Setting
+            its value to <literal>1</literal> will prevent any new USB
+            devices from being recognized by the OS.  Any attempted
+            USB device insertion will be logged.
+
+            This option is intended to be used against custom USB
+            devices designed to exploit vulnerabilities in various USB
+            device drivers.
+          '';
+        };
+
        restrictProc = mkOption {
          type = types.bool;
          default = false;