1 files changed, 13 insertions, 4 deletions

diff --git a/nixos/modules/profiles/hardened.nix b/nixos/modules/profiles/hardened.nix
index ef8c0d74f06..3f8f78f012a 100644
--- a/nixos/modules/profiles/hardened.nix
+++ b/nixos/modules/profiles/hardened.nix
@@ -1,7 +1,12 @@
 # A profile with most (vanilla) hardening options enabled by default,
-# potentially at the cost of features and performance.
+# potentially at the cost of stability, features and performance.
+#
+# This profile enables options that are known to affect system
+# stability. If you experience any stability issues when using the
+# profile, try disabling it. If you report an issue and use this
+# profile, always mention that you do.
 
-{ lib, pkgs, ... }:
+{ config, lib, pkgs, ... }:
 
 with lib;
 
@@ -17,8 +22,6 @@ with lib;
   environment.memoryAllocator.provider = mkDefault "scudo";
   environment.variables.SCUDO_OPTIONS = mkDefault "ZeroContents=1";
 
-  security.hideProcessInformation = mkDefault true;
-
   security.lockKernelModules = mkDefault true;
 
   security.protectKernelImage = mkDefault true;
@@ -27,9 +30,13 @@ with lib;
 
   security.forcePageTableIsolation = mkDefault true;
 
+  # This is required by podman to run containers in rootless mode.
+  security.unprivilegedUsernsClone = mkDefault config.virtualisation.containers.enable;
+
   security.virtualisation.flushL1DataCache = mkDefault "always";
 
   security.apparmor.enable = mkDefault true;
+  security.apparmor.killUnconfinedConfinables = mkDefault true;
 
   boot.kernelParams = [
     # Slab/slub sanity checks, redzoning, and poisoning
@@ -64,6 +71,8 @@ with lib;
     "jfs"
     "minix"
     "nilfs2"
+    "ntfs"
+    "omfs"
     "qnx4"
     "qnx6"
     "sysv"