systemd-boot: allow setting editor security option (#21853)

author: Linus Heckemann <git@sphalerite.org> 2017-01-21 13:24:26 +0000
committer: Franz Pletz <fpletz@fnordicwalking.de> 2017-01-21 14:24:26 +0100
commit: 98bd722d1dae747c5786497b8689415d2bebf78f (patch)
tree: a9ebc46f42244f1525fb4e113fc698d034db5c23 /nixos/modules/system/boot/loader/systemd-boot/systemd-boot.nix
parent: 140d135ee2e2f2ea538591fe25719c9c91d4651e (diff)
1 files changed, 16 insertions, 0 deletions
diff --git a/nixos/modules/system/boot/loader/systemd-boot/systemd-boot.nix b/nixos/modules/system/boot/loader/systemd-boot/systemd-boot.nix
index cc43fb8bab4c..39a9ffdb7a39 100644
--- a/nixos/modules/system/boot/loader/systemd-boot/systemd-boot.nix
+++ b/nixos/modules/system/boot/loader/systemd-boot/systemd-boot.nix
@@ -20,6 +20,8 @@ let
 
     timeout = if config.boot.loader.timeout != null then config.boot.loader.timeout else "";
 
+    editor = if cfg.editor then "True" else "False";
+
     inherit (efi) efiSysMountPoint canTouchEfiVariables;
   };
 in {
@@ -36,6 +38,20 @@ in {
 
       description = "Whether to enable the systemd-boot (formerly gummiboot) EFI boot manager";
     };
+
+    editor = mkOption {
+      default = true;
+
+      type = types.bool;
+
+      description = ''
+        Whether to allow editing the kernel command-line before
+        boot. It is recommended to set this to false, as it allows
+        gaining root access by passing init=/bin/sh as a kernel
+        parameter. However, it is enabled by default for backwards
+        compatibility.
+      ''
+    };
   };
 
   config = mkIf cfg.enable {
author	Linus Heckemann <git@sphalerite.org>	2017-01-21 13:24:26 +0000
committer	Franz Pletz <fpletz@fnordicwalking.de>	2017-01-21 14:24:26 +0100
commit	98bd722d1dae747c5786497b8689415d2bebf78f (patch)
tree	a9ebc46f42244f1525fb4e113fc698d034db5c23 /nixos/modules/system/boot/loader/systemd-boot/systemd-boot.nix
parent	140d135ee2e2f2ea538591fe25719c9c91d4651e (diff)