Diffstat (limited to 'nixos/modules/profiles/hardened.nix')
-rw-r--r-- | nixos/modules/profiles/hardened.nix | 17 |
1 files changed, 13 insertions, 4 deletions
diff --git a/nixos/modules/profiles/hardened.nix b/nixos/modules/profiles/hardened.nix
index ef8c0d74f06..3f8f78f012a 100644
--- a/nixos/modules/profiles/hardened.nix
+++ b/nixos/modules/profiles/hardened.nix
@@ -1,7 +1,12 @@
 # A profile with most (vanilla) hardening options enabled by default,
-# potentially at the cost of features and performance.
+# potentially at the cost of stability, features and performance.
+#
+# This profile enables options that are known to affect system
+# stability. If you experience any stability issues when using the
+# profile, try disabling it. If you report an issue and use this
+# profile, always mention that you do.
 
-{ lib, pkgs, ... }:
+{ config, lib, pkgs, ... }:
 
 with lib;
 
@@ -17,8 +22,6 @@ with lib;
   environment.memoryAllocator.provider = mkDefault "scudo";
   environment.variables.SCUDO_OPTIONS = mkDefault "ZeroContents=1";
 
-  security.hideProcessInformation = mkDefault true;
-
   security.lockKernelModules = mkDefault true;
 
   security.protectKernelImage = mkDefault true;
@@ -27,9 +30,13 @@ with lib;
 
   security.forcePageTableIsolation = mkDefault true;
 
+  # This is required by podman to run containers in rootless mode.
+  security.unprivilegedUsernsClone = mkDefault config.virtualisation.containers.enable;
+
   security.virtualisation.flushL1DataCache = mkDefault "always";
 
   security.apparmor.enable = mkDefault true;
+  security.apparmor.killUnconfinedConfinables = mkDefault true;
 
   boot.kernelParams = [
     # Slab/slub sanity checks, redzoning, and poisoning
@@ -64,6 +71,8 @@ with lib;
     "jfs"
     "minix"
     "nilfs2"
+    "ntfs"
+    "omfs"
     "qnx4"
     "qnx6"
     "sysv" |
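Review bot: The new `security.unprivilegedUsernsClone = mkDefault config.virtualisation.containers.enable;` in the third hunk quietly undoes one of this profile's kernel attack-surface reductions whenever containers are switched on, and the comment above it only says podman needs it; someone enabling `virtualisation.containers.enable` for any other reason gets unprivileged user namespaces back without a hint that the hardened profile was relaxed. I would widen the comment to state the trade-off and the opt-out, e.g. `# Rootless containers (podman) need unprivileged user namespaces, which widen the` / `# kernel attack surface; set this to false explicitly if you do not need them.` Because the value is `mkDefault`, an explicit `security.unprivilegedUsernsClone = false;` in the host configuration still wins, and saying so next to the assignment makes the knob discoverable. The adjacent `security.apparmor.killUnconfinedConfinables = mkDefault true;` is the kind of option the new header text warns about for stability, so a one-line comment pointing at that warning would fit here as well.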
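Review bot: `"ntfs"` is added in the last hunk to a list of filesystem module names with no comment, and unlike `jfs`, `minix` or `omfs` it is a filesystem people commonly mount, so a user of this profile whose NTFS mounts stop working has to trace the breakage back to this entry. The opening line of the list is outside the hunk, so I am inferring from its neighbours that this is the profile's kernel-module blacklist; if so, a short comment beside the entry such as `# ntfs is in wide use: blacklisted here on purpose, remove it from the list if you need NTFS mounts` would save that debugging, and the new stability paragraph in the header is a natural place to mention that some common filesystems are disabled.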