diff options
Diffstat (limited to 'nixos/modules/profiles/hardened.nix')
-rw-r--r-- | nixos/modules/profiles/hardened.nix | 39 |
1 files changed, 1 insertions, 38 deletions
diff --git a/nixos/modules/profiles/hardened.nix b/nixos/modules/profiles/hardened.nix index 35743d83134..ef8c0d74f06 100644 --- a/nixos/modules/profiles/hardened.nix +++ b/nixos/modules/profiles/hardened.nix @@ -7,7 +7,7 @@ with lib; { meta = { - maintainers = [ maintainers.joachifm ]; + maintainers = [ maintainers.joachifm maintainers.emily ]; }; boot.kernelPackages = mkDefault pkgs.linuxPackages_hardened; @@ -21,8 +21,6 @@ with lib; security.lockKernelModules = mkDefault true; - security.allowUserNamespaces = mkDefault false; - security.protectKernelImage = mkDefault true; security.allowSimultaneousMultithreading = mkDefault false; @@ -37,15 +35,9 @@ with lib; # Slab/slub sanity checks, redzoning, and poisoning "slub_debug=FZP" - # Disable slab merging to make certain heap overflow attacks harder - "slab_nomerge" - # Overwrite free'd memory "page_poison=1" - # Disable legacy virtual syscalls - "vsyscall=none" - # Enable page allocator randomization "page_alloc.shuffle=1" ]; @@ -82,38 +74,12 @@ with lib; # (e.g., parent/child) boot.kernel.sysctl."kernel.yama.ptrace_scope" = mkOverride 500 1; - # Restrict access to kernel ring buffer (information leaks) - boot.kernel.sysctl."kernel.dmesg_restrict" = mkDefault true; - # Hide kptrs even for processes with CAP_SYSLOG boot.kernel.sysctl."kernel.kptr_restrict" = mkOverride 500 2; - # Unprivileged access to bpf() has been used for privilege escalation in - # the past - boot.kernel.sysctl."kernel.unprivileged_bpf_disabled" = mkDefault true; - # Disable bpf() JIT (to eliminate spray attacks) boot.kernel.sysctl."net.core.bpf_jit_enable" = mkDefault false; - # ... or at least apply some hardening to it - boot.kernel.sysctl."net.core.bpf_jit_harden" = mkDefault true; - - # Raise ASLR entropy for 64bit & 32bit, respectively. - # - # Note: mmap_rnd_compat_bits may not exist on 64bit. - boot.kernel.sysctl."vm.mmap_rnd_bits" = mkDefault 32; - boot.kernel.sysctl."vm.mmap_rnd_compat_bits" = mkDefault 16; - - # Allowing users to mmap() memory starting at virtual address 0 can turn a - # NULL dereference bug in the kernel into code execution with elevated - # privilege. Mitigate by enforcing a minimum base addr beyond the NULL memory - # space. This breaks applications that require mapping the 0 page, such as - # dosemu or running 16bit applications under wine. It also breaks older - # versions of qemu. - # - # The value is taken from the KSPP recommendations (Debian uses 4096). - boot.kernel.sysctl."vm.mmap_min_addr" = mkDefault 65536; - # Disable ftrace debugging boot.kernel.sysctl."kernel.ftrace_enabled" = mkDefault false; @@ -140,7 +106,4 @@ with lib; # Ignore outgoing ICMP redirects (this is ipv4 only) boot.kernel.sysctl."net.ipv4.conf.all.send_redirects" = mkDefault false; boot.kernel.sysctl."net.ipv4.conf.default.send_redirects" = mkDefault false; - - # Restrict userfaultfd syscalls to processes with the SYS_PTRACE capability - boot.kernel.sysctl."vm.unprivileged_userfaultfd" = mkDefault false; } |