98 lines
2.7 KiB
Nix
98 lines
2.7 KiB
Nix
{ modulesPath, config, lib, ... }: {
|
|
imports = [
|
|
(modulesPath + "/profiles/hardened.nix")
|
|
];
|
|
|
|
boot.kernel.sysctl = {
|
|
"dev.tty.ldisc_autoload" = lib.mkDefault false;
|
|
"fs.protected_fifos" = lib.mkDefault "2";
|
|
"fs.protected_regular" = lib.mkDefault "2";
|
|
"fs.suid_dumpable" = lib.mkDefault false;
|
|
"kernel.printk" = lib.mkForce "3 3 3 3";
|
|
"kernel.sysrq" = lib.mkDefault false;
|
|
"kernel.yama.ptrace_scope" = "2";
|
|
"net.ipv4.tcp_timestamps" = lib.mkDefault false;
|
|
"syskernel.core_pattern" = lib.mkDefault "|/bin/false";
|
|
|
|
"net.ipv4.tcp_congestion_control" = lib.mkDefault "bbr";
|
|
"net.core.default_qdisc" = lib.mkDefault "cake";
|
|
"net.ipv4.conf.all.accept_source_route" = lib.mkDefault false;
|
|
"net.ipv4.conf.all.log_martians" = false;
|
|
"net.ipv4.conf.all.rp_filter" = "0";
|
|
"net.ipv4.conf.default.log_martians" = false;
|
|
"net.ipv4.conf.default.rp_filter" = "0";
|
|
"net.ipv4.icmp_ignore_bogus_error_responses" = lib.mkDefault true;
|
|
"net.ipv4.tcp_dsack" = lib.mkDefault false;
|
|
"net.ipv4.tcp_fastopen" = lib.mkDefault 3;
|
|
"net.ipv4.tcp_rfc1337" = lib.mkDefault true;
|
|
"net.ipv4.tcp_sack" = lib.mkDefault false;
|
|
"net.ipv4.tcp_syncookies" = lib.mkDefault true;
|
|
"net.ipv6.conf.all.accept_ra" = lib.mkDefault false;
|
|
"net.ipv6.conf.all.accept_source_route" = lib.mkDefault false;
|
|
"net.ipv6.default.accept_ra" = lib.mkDefault false;
|
|
};
|
|
|
|
boot.kernelParams = [
|
|
"debugfs=off"
|
|
"lockdown=confidentiality"
|
|
"module.sig_enforce=1"
|
|
"oops=panic"
|
|
"loglevel=0"
|
|
"slab_nomerge"
|
|
"vsyscall=none"
|
|
];
|
|
|
|
boot.blacklistedKernelModules = [
|
|
# Obscure networking protocols
|
|
"dccp"
|
|
"sctp"
|
|
"rds"
|
|
"tipc"
|
|
"n-hdlc"
|
|
"x25"
|
|
"decnet"
|
|
"econet"
|
|
"af_802154"
|
|
"ipx"
|
|
"appletalk"
|
|
"psnap"
|
|
"p8023"
|
|
"p8022"
|
|
"can"
|
|
"atm"
|
|
# Various rare filesystems
|
|
"jffs2"
|
|
"hfsplus"
|
|
"squashfs"
|
|
"udf"
|
|
"cifs"
|
|
"nfs"
|
|
"nfsv3"
|
|
"gfs2"
|
|
"vivid"
|
|
# Disable Bluetooth
|
|
"bluetooth"
|
|
"btusb"
|
|
# Disable webcam
|
|
"uvcvideo"
|
|
# Disable Thunderbolt and FireWire to prevent DMA attacks
|
|
"thunderbolt"
|
|
"firewire-core"
|
|
];
|
|
|
|
# security.lockKernelModules = false;
|
|
security.allowSimultaneousMultithreading = true;
|
|
security.virtualisation.flushL1DataCache = "cond";
|
|
# security.forcePageTableIsolation = false;
|
|
|
|
# scudo memalloc is unstable
|
|
environment.memoryAllocator.provider = lib.mkDefault "scudo";
|
|
# environment.memoryAllocator.provider = lib.mkDefault "graphene-hardened";
|
|
|
|
# dhcpcd broken with scudo or graphene malloc
|
|
nixpkgs.overlays = lib.optionals (config.environment.memoryAllocator.provider != "libc") [
|
|
(_final: prev: {
|
|
dhcpcd = prev.dhcpcd.override { enablePrivSep = false; };
|
|
})
|
|
];
|
|
} |