test more hardening for hypervisor

machines/Home-Hypervisor/default.nix

@@ -4,7 +4,7 @@ let
 in {
   imports = with inputs.self; [
     ./boot.nix
-    ./hardening.nix
+    ./hardened-extended.nix
     ./hardware-configuration.nix
     ./virtualisation.nix
     ./disks.nix
@@ -114,9 +114,6 @@ in {
   networking.firewall.allowedUDPPorts = lib.mkDefault [];
   systemd.coredump.enable = false;
   programs.firejail.enable = true;
-  # scudo memalloc is unstable
-  environment.memoryAllocator.provider = lib.mkForce "libc";
-  # environment.memoryAllocator.provider = "graphene-hardened";
 
   networking.wireless.enable = false;
   networking.networkmanager.enable = false;

machines/Home-Hypervisor/hardened-extended.nix

@@ -0,0 +1,117 @@
+# This preset adds additional hardening settings on top of the
+# default ./hardened.nix preset.
+# These settings trade even more functionality and performance for increased security.
+#
+# See madaidan's Linux Hardening Guide for detailed explanations:
+# https://madaidans-insecurities.github.io/guides/linux-hardening.html
+
+{
+  imports = [
+    # Build on standard hardened preset
+    ./hardened.nix
+  ];
+
+  boot.kernel.sysctl = {
+    # Prevent boot console kernel log information leaks
+    "kernel.printk" = "3 3 3 3";
+    # Restrict loading TTY line disciplines to the CAP_SYS_MODULE capability to
+    # prevent unprivileged attackers from loading vulnerable line disciplines with
+    # the TIOCSETD ioctl
+    "dev.tty.ldisc_autoload" = false;
+    # The SysRq key exposes a lot of potentially dangerous debugging functionality
+    # to unprivileged users
+    "kernel.sysrq" = false;
+    # Disable accepting IPv6 router advertisements
+    "net.ipv6.conf.all.accept_ra" = false;
+    "net.ipv6.default.accept_ra" = false;
+    # Disable TCP SACK. SACK is commonly exploited and unnecessary for many
+    # circumstances so it should be disabled if you don't require it
+    "net.ipv4.tcp_sack" = false;
+    "net.ipv4.tcp_dsack" = false;
+    # Restrict usage of ptrace to only processes with the CAP_SYS_PTRACE
+    # capability
+    "kernel.yama.ptrace_scope" = "2";
+    # Prevent creating files in potentially attacker-controlled environments such
+    # as world-writable directories to make data spoofing attacks more difficult
+    "fs.protected_fifos" = "2";
+    "fs.protected_regular" = "2";
+    # Avoid leaking system time with TCP timestamps
+    "net.ipv4.tcp_timestamps" = false;
+    # Disable core dumps
+    "syskernel.core_pattern" = "|/bin/false";
+    "fs.suid_dumpable" = false;
+  };
+
+  boot.kernelParams = [
+    # Disable slab merging which significantly increases the difficulty of heap
+    # exploitation by preventing overwriting objects from merged caches and by
+    # making it harder to influence slab cache layout
+    "slab_nomerge"
+    # Disable vsyscalls as they are obsolete and have been replaced with vDSO.
+    # vsyscalls are also at fixed addresses in memory, making them a potential
+    # target for ROP attacks
+    "vsyscall=none"
+    # Disable debugfs which exposes a lot of sensitive information about the
+    # kernel
+    "debugfs=off"
+    # Sometimes certain kernel exploits will cause what is known as an "oops".
+    # This parameter will cause the kernel to panic on such oopses, thereby
+    # preventing those exploits
+    "oops=panic"
+    # Only allow kernel modules that have been signed with a valid key to be
+    # loaded, which increases security by making it much harder to load a
+    # malicious kernel module
+    "module.sig_enforce=1"
+    # The kernel lockdown LSM can eliminate many methods that user space code
+    # could abuse to escalate to kernel privileges and extract sensitive
+    # information. This LSM is necessary to implement a clear security boundary
+    # between user space and the kernel
+    "lockdown=confidentiality"
+    # These parameters prevent information leaks during boot and must be used
+    # in combination with the kernel.printk
+    "quiet" "loglevel=0"
+  ];
+
+  boot.blacklistedKernelModules = [
+    # Obscure networking protocols
+    "dccp"
+    "sctp"
+    "rds"
+    "tipc"
+    "n-hdlc"
+    "x25"
+    "decnet"
+    "econet"
+    "af_802154"
+    "ipx"
+    "appletalk"
+    "psnap"
+    "p8023"
+    "p8022"
+    "can"
+    "atm"
+    # Various rare filesystems
+    "jffs2"
+    "hfsplus"
+    "squashfs"
+    "udf"
+    "cifs"
+    "nfs"
+    "nfsv3"
+    # "nfsv4"
+    "gfs2"
+    # vivid driver is only useful for testing purposes and has been the cause
+    # of privilege escalation vulnerabilities
+    "vivid"
+    # Disable Bluetooth
+    "bluetooth"
+    "btusb"
+    # Disable webcam
+    "uvcvideo"
+    # Disable Thunderbolt and FireWire to prevent DMA attacks
+    "thunderbolt"
+    "firewire-core"
+  ];
+
+  # services.usbguard.enable = true;
+}

machines/Home-Hypervisor/hardened.nix

@@ -4,7 +4,7 @@
   ];
 
   boot.kernel.sysctl = {
-    "kernel.sysrq" = false;
+    # "kernel.sysrq" = false;
     "net.core.default_qdisc" = "sch_fq_codel";
     "net.ipv4.conf.all.accept_source_route" = false;
     "net.ipv4.icmp_ignore_bogus_error_responses" = true;
@@ -18,13 +18,17 @@
     "net.ipv6.conf.default.disable_ipv6" = true;
   };
 
-  security.lockKernelModules = false;
+  # security.lockKernelModules = false;
   security.allowSimultaneousMultithreading = true;
   security.virtualisation.flushL1DataCache = "cond";
   # security.forcePageTableIsolation = false;
 
-  # boot.kernel.sysctl."net.ipv4.conf.all.log_martians" = false;
+  # scudo memalloc is unstable
-  # boot.kernel.sysctl."net.ipv4.conf.all.rp_filter" = "0";
+  # environment.memoryAllocator.provider = lib.mkForce "libc";
-  # boot.kernel.sysctl."net.ipv4.conf.default.log_martians" = false;
+  environment.memoryAllocator.provider = lib.mkForce "graphene-hardened";
-  # boot.kernel.sysctl."net.ipv4.conf.default.rp_filter" = "0";
+
+  boot.kernel.sysctl."net.ipv4.conf.all.log_martians" = false;
+  boot.kernel.sysctl."net.ipv4.conf.all.rp_filter" = "0";
+  boot.kernel.sysctl."net.ipv4.conf.default.log_martians" = false;
+  boot.kernel.sysctl."net.ipv4.conf.default.rp_filter" = "0";
 }

profiles/overlay.nix

@@ -7,6 +7,7 @@ let
   };
   nur = import inputs.nur {
     nurpkgs = import inputs.nixpkgs {
+      # inherit system;
       system = "x86_64-linux";
     };
   };
@@ -17,6 +18,11 @@ with lib; {
     nur.repos.ataraxiasjel.overlays.grub2-argon2
     (final: prev:
       {
+        attic = inputs.attic.packages.${system}.attic;
+        attic-static = inputs.attic.packages.${system}.attic-static;
+        cassowary-py = inputs.cassowary.packages.${system}.cassowary;
+        dhcpcd = prev.dhcpcd.override { enablePrivSep = false; };
+        hoyolab-daily-bot = inputs.hoyolab-daily-bot.packages.${system}.default;
         nix-alien = inputs.nix-alien.packages.${system}.nix-alien;
         nix-index-update = inputs.nix-alien.packages.${system}.nix-index-update;
         prismlauncher = inputs.prismlauncher.packages.${system}.default;
@@ -35,11 +41,6 @@ with lib; {
         });
         nix-direnv = inputs.nix-direnv.packages.${system}.default.override { nix = final.nix; };
 
-        attic = inputs.attic.packages.${system}.attic;
-        attic-static = inputs.attic.packages.${system}.attic-static;
-        cassowary-py = inputs.cassowary.packages.${system}.cassowary;
-        hoyolab-daily-bot = inputs.hoyolab-daily-bot.packages.${system}.default;
-
         pass-secret-service = prev.pass-secret-service.overrideAttrs (_: {
           installCheckPhase = null;
           postInstall = ''