The rationale for this is to have a place to enable hardening features
that are either too invasive or that may be speculative/yet proven to be
worthwhile for general-purpose kernels.
Adds an option `security.lockKernelModules` that, when enabled, disables
kernel module loading once the system reaches its normal operating state.
The rationale for this over simply setting the sysctl knob is to allow
some legitmate kernel module loading to occur; the naive solution breaks
too much to be useful.
The benefit to the user is to help ensure the integrity of the kernel
runtime: only code loaded as part of normal system initialization will be
available in the kernel for the duration of the boot session. This helps
prevent injection of malicious code or unexpected loading of legitimate
but normally unused modules that have exploitable bugs (e.g., DCCP use
after free CVE-2017-6074, n_hldc CVE-2017-2636, XFRM framework
CVE-2017-7184, L2TPv3 CVE-2016-10200).
From an aestethic point of view, enabling this option helps make the
configuration more "declarative".
Closes https://github.com/NixOS/nixpkgs/pull/24681
Pyside requires several tools that do not provide Python modules. They
therefore do not need to be build Python-version dependent and so we
move them out of `python-packages.nix`.
Furthermore, shiboken needs libxml2 and libxslt libraries but not their
Python bindings.
After upgrade `qapitrace` have working "Buffers" tab where the data
can be inspected (it was always empty before).
There is no tags after `7.1`, but I think that fixing pretty important
piece of functionality warrants an upgrade to current `master` tip.
This package is broken since 0a3b7f994e5995f414b1db3e1d7ca2244220b4e1
(python-sip: 4.18.1 -> 4.19.1). Removing it seems reasonable since we're
dropping KDE4 anyway.
Fixes#24548.
Use a solid black background when no background image (via
~/.background-image) is provided. In my case this fixes the really
strange behaviour when i3 without a desktop manager starts with the SDDM
login screen as background image.
This eliminates a theoretical risk of ASLR bypass due to the fixed address
mapping used by the legacy vsyscall mechanism. Modern glibc use vdso(7)
instead so there is no loss of functionality, but some programs may fail
to run in this configuration. Programs that fail to run because vsyscall
has been disabled will be logged to dmesg.
For background on virtual syscalls see https://lwn.net/Articles/446528/
Closes https://github.com/NixOS/nixpkgs/pull/25289