nixos/lock-kernel-modules: reorder before/after

Moving the service before multi-user.target (so the `hardened` test
continues to work the way it did before) can result in locking the kernel
too early. It's better to lock it a bit later and to change the test to
wait specifically for disable-kernel-module-loading.service.
This commit is contained in:
rnhmjoj
2021-09-19 12:02:24 +02:00
parent 5aef5e8d1e
commit 1bd7260adb
2 changed files with 2 additions and 1 deletions


@@ -35,10 +35,10 @@ with lib;
wants = [ "systemd-udevd.service" ]; wants = [ "systemd-udevd.service" ];
wantedBy = [ config.systemd.defaultUnit ]; wantedBy = [ config.systemd.defaultUnit ];
before = [ config.systemd.defaultUnit ];
after = after =
[ "firewall.service" [ "firewall.service"
"systemd-modules-load.service" "systemd-modules-load.service"
config.systemd.defaultUnit
]; ];
unitConfig.ConditionPathIsReadWrite = "/proc/sys/kernel"; unitConfig.ConditionPathIsReadWrite = "/proc/sys/kernel";
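Review bot: With `wantedBy = [ config.systemd.defaultUnit ]` kept and `config.systemd.defaultUnit` now added to `after`, the service is started only once the default target has already been reached, so module loading stays possible for the whole boot and for anything that starts alongside this unit; that window is the trade-off this commit accepts, but nothing in the file records why `before` was dropped. A comment on the `after` list such as `# deliberately ordered after the default target: ordering before it can lock the kernel too early; anything that needs the lock must wait for this unit explicitly` would stop a later reader from reintroducing `before = [ config.systemd.defaultUnit ]`. Whether the hardened test's wait on this unit is reliable depends on how the service's exit state is configured (its serviceConfig is outside this hunk), so it seems worth confirming the unit stays active after the lock is applied. The attribute set continues outside the hunk.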


@@ -57,6 +57,7 @@ import ./make-test-python.nix ({ pkgs, latestKernel ? false, ... } : {
# Test kernel module hardening # Test kernel module hardening
with subtest("No more kernel modules can be loaded"): with subtest("No more kernel modules can be loaded"):
# note: this better a be module we normally wouldn't load ... # note: this better a be module we normally wouldn't load ...
machine.wait_for_unit("disable-kernel-module-loading.service")
machine.fail("modprobe dccp") machine.fail("modprobe dccp")