config: Add a hardened module that uses a few of the ideas from:

https://raw.githubusercontent.com/NixOS/nixpkgs/master/nixos/modules/profiles/hardened.nix
2022-10-04 21:46:11 -06:00 · 2022-10-04 21:46:11 -06:00 · c9dbb04091
commit c9dbb04091
parent 00d2eeaa89
1 changed files with 72 additions and 0 deletions
--- a/configs/hardened.nix
+++ b/configs/hardened.nix
@ -0,0 +1,72 @@
+{ config, lib, pkgs, ... }:
+
+with lib;
+
+{
+  environment = {
+    memoryAllocator.provider = mkDefault "scudo";
+    variables.SCUDO_OPTIONS = mkDefault "ZeroContents=1";
+  };
+
+  security = {
+    lockKernelModules = mkDefault true;
+    protectKernelImage = mkDefault true;
+    allowSimultaneousMultithreading = mkDefault false;
+    forcePageTableIsolation = mkDefault true;
+    apparmor = {
+      enable = mkDefault true;
+      killUnconfinedConfinables = mkDefault true;
+    };
+  };
+
+  boot = {
+    kernelParams = [
+      # Slab/slub sanity checks, redzoning, and poisoning
+      "slub_debug=FZP"
+
+      # Overwrite free'd memory
+      "page_poison=1"
+
+      # Enable page allocator randomization
+      "page_alloc.shuffle=1"
+    ];
+
+    blacklistedKernelModules = [
+      # Virtualization
+      "kvm"
+
+      # Obscure network protocols
+      "ax25"
+      "netrom"
+      "rose"
+
+      # Old or rare or insufficiently audited filesystems
+      "adfs"
+      "affs"
+      "bfs"
+      "befs"
+      "cramfs"
+      "efs"
+      "erofs"
+      "exofs"
+      "freevxfs"
+      "f2fs"
+      "hfs"
+      "hpfs"
+      "jfs"
+      "minix"
+      "nilfs2"
+      "ntfs"
+      "omfs"
+      "qnx4"
+      "qnx6"
+      "sysv"
+      "ufs"
+    ];
+
+    kernel = {
+      sysctl."kernel.ftrace_enabled" = mkDefault false;
+      sysctl."net.ipv4.icmp_echo_ignore_broadcasts" = mkDefault true;
+    };
+  };
+}