summary refs log tree commit diff
path: root/nixos/modules/profiles/hardened.nix
diff options
context:
space:
mode:
Diffstat (limited to 'nixos/modules/profiles/hardened.nix')
-rw-r--r--nixos/modules/profiles/hardened.nix39
1 files changed, 1 insertions, 38 deletions
diff --git a/nixos/modules/profiles/hardened.nix b/nixos/modules/profiles/hardened.nix
index 35743d83134..ef8c0d74f06 100644
--- a/nixos/modules/profiles/hardened.nix
+++ b/nixos/modules/profiles/hardened.nix
@@ -7,7 +7,7 @@ with lib;
 
 {
   meta = {
-    maintainers = [ maintainers.joachifm ];
+    maintainers = [ maintainers.joachifm maintainers.emily ];
   };
 
   boot.kernelPackages = mkDefault pkgs.linuxPackages_hardened;
@@ -21,8 +21,6 @@ with lib;
 
   security.lockKernelModules = mkDefault true;
 
-  security.allowUserNamespaces = mkDefault false;
-
   security.protectKernelImage = mkDefault true;
 
   security.allowSimultaneousMultithreading = mkDefault false;
@@ -37,15 +35,9 @@ with lib;
     # Slab/slub sanity checks, redzoning, and poisoning
     "slub_debug=FZP"
 
-    # Disable slab merging to make certain heap overflow attacks harder
-    "slab_nomerge"
-
     # Overwrite free'd memory
     "page_poison=1"
 
-    # Disable legacy virtual syscalls
-    "vsyscall=none"
-
     # Enable page allocator randomization
     "page_alloc.shuffle=1"
   ];
@@ -82,38 +74,12 @@ with lib;
   # (e.g., parent/child)
   boot.kernel.sysctl."kernel.yama.ptrace_scope" = mkOverride 500 1;
 
-  # Restrict access to kernel ring buffer (information leaks)
-  boot.kernel.sysctl."kernel.dmesg_restrict" = mkDefault true;
-
   # Hide kptrs even for processes with CAP_SYSLOG
   boot.kernel.sysctl."kernel.kptr_restrict" = mkOverride 500 2;
 
-  # Unprivileged access to bpf() has been used for privilege escalation in
-  # the past
-  boot.kernel.sysctl."kernel.unprivileged_bpf_disabled" = mkDefault true;
-
   # Disable bpf() JIT (to eliminate spray attacks)
   boot.kernel.sysctl."net.core.bpf_jit_enable" = mkDefault false;
 
-  # ... or at least apply some hardening to it
-  boot.kernel.sysctl."net.core.bpf_jit_harden" = mkDefault true;
-
-  # Raise ASLR entropy for 64bit & 32bit, respectively.
-  #
-  # Note: mmap_rnd_compat_bits may not exist on 64bit.
-  boot.kernel.sysctl."vm.mmap_rnd_bits" = mkDefault 32;
-  boot.kernel.sysctl."vm.mmap_rnd_compat_bits" = mkDefault 16;
-
-  # Allowing users to mmap() memory starting at virtual address 0 can turn a
-  # NULL dereference bug in the kernel into code execution with elevated
-  # privilege.  Mitigate by enforcing a minimum base addr beyond the NULL memory
-  # space.  This breaks applications that require mapping the 0 page, such as
-  # dosemu or running 16bit applications under wine.  It also breaks older
-  # versions of qemu.
-  #
-  # The value is taken from the KSPP recommendations (Debian uses 4096).
-  boot.kernel.sysctl."vm.mmap_min_addr" = mkDefault 65536;
-
   # Disable ftrace debugging
   boot.kernel.sysctl."kernel.ftrace_enabled" = mkDefault false;
 
@@ -140,7 +106,4 @@ with lib;
   # Ignore outgoing ICMP redirects (this is ipv4 only)
   boot.kernel.sysctl."net.ipv4.conf.all.send_redirects" = mkDefault false;
   boot.kernel.sysctl."net.ipv4.conf.default.send_redirects" = mkDefault false;
-
-  # Restrict userfaultfd syscalls to processes with the SYS_PTRACE capability
-  boot.kernel.sysctl."vm.unprivileged_userfaultfd" = mkDefault false;
 }
generated by cgit-pink 1.4.1 (git 2.36.1) at 2024-05-09 12:05:13 +0000