xin/configs/hardened.nix

70 lines
1.3 KiB
Nix
Raw Permalink Normal View History

2023-07-11 09:12:50 -06:00
{lib, ...}:
with lib; {
environment = {
memoryAllocator.provider = mkDefault "scudo";
variables.SCUDO_OPTIONS = mkDefault "ZeroContents=1";
};
security = {
lockKernelModules = mkDefault true;
protectKernelImage = mkDefault true;
allowSimultaneousMultithreading = mkDefault false;
forcePageTableIsolation = mkDefault true;
apparmor = {
enable = mkDefault true;
killUnconfinedConfinables = mkDefault true;
};
};
boot = {
kernelParams = [
# Slab/slub sanity checks, redzoning, and poisoning
"slub_debug=FZP"
# Overwrite free'd memory
"page_poison=1"
# Enable page allocator randomization
"page_alloc.shuffle=1"
];
blacklistedKernelModules = [
# Virtualization
"kvm"
# Obscure network protocols
"ax25"
"netrom"
"rose"
# Old or rare or insufficiently audited filesystems
"adfs"
"affs"
"bfs"
"befs"
"cramfs"
"efs"
"erofs"
"exofs"
"freevxfs"
"f2fs"
"hfs"
"hpfs"
"jfs"
"minix"
"nilfs2"
"ntfs"
"omfs"
"qnx4"
"qnx6"
"sysv"
"ufs"
];
kernel = {
sysctl."kernel.ftrace_enabled" = mkDefault false;
sysctl."net.ipv4.icmp_echo_ignore_broadcasts" = mkDefault true;
};
};
}