[Hardening] update to new hardening features

Antoine Viallon 2022-11-28 21:11:32 +01:00
parent 97ab180e3b
commit 292b8d5f48
Signed by: aviallon
GPG key ID: 186FC35EDEB25716


@ -55,9 +55,9 @@ in
aviallon.boot.cmdline = { aviallon.boot.cmdline = {
"lsm" = [ "landlock" ] "lsm" = [ "landlock" ]
++ optional cfg.hardcore "lockdown" ++ optional cfg.hardcore "lockdown"
++ [ "yama" ]
# Apparmor https://wiki.archlinux.org/title/AppArmor#Installation # Apparmor https://wiki.archlinux.org/title/AppArmor#Installation
++ optionals config.security.apparmor.enable [ "apparmor" ] ++ optionals config.security.apparmor.enable [ "apparmor" ]
++ [ "yama" ]
++ [ "bpf" ] ++ [ "bpf" ]
; ;
"lockdown" = if cfg.hardcore then "confidentiality" else "integrity"; "lockdown" = if cfg.hardcore then "confidentiality" else "integrity";
@ -66,7 +66,8 @@ in
vsyscall = mkIf cfg.hardcore "xonly"; vsyscall = mkIf cfg.hardcore "xonly";
} // (ifEnable cfg.expensive { } // (ifEnable cfg.expensive {
# Slab/slub sanity checks, redzoning, and poisoning # Slab/slub sanity checks, redzoning, and poisoning
"slub_debug" = "FZP"; "init_on_alloc" = 1;
"init_on_free" = 1;
# Overwrite free'd memory # Overwrite free'd memory
"page_poison" = 1; "page_poison" = 1;
@ -85,9 +86,6 @@ in
# https://lwn.net/Articles/420403/ # https://lwn.net/Articles/420403/
"kernel.kptr_restrict" = mkOverride 999 2; "kernel.kptr_restrict" = mkOverride 999 2;
# Can have dire impact on performance if BPF network filtering is used.
"net.core.bpf_jit_enable" = mkIf cfg.expensive (mkOverride 999 false);
# Can be used by developers. Should be disabled on regular desktops. # Can be used by developers. Should be disabled on regular desktops.
# https://www.kernel.org/doc/html/latest/trace/ftrace.html # https://www.kernel.org/doc/html/latest/trace/ftrace.html
"kernel.ftrace_enabled" = mkIf cfg.hardcore (mkOverride 999 false); "kernel.ftrace_enabled" = mkIf cfg.hardcore (mkOverride 999 false);