initial commit

2026-04-15 18:26:05 -04:00 · 2026-04-15 18:26:05 -04:00 · ebc1be5217
commit ebc1be5217
143 changed files with 7721 additions and 0 deletions
--- a/modules/features/security/security-kernel-hardened.nix
+++ b/modules/features/security/security-kernel-hardened.nix
@ -0,0 +1,102 @@
+{ ... }:
+{
+  config.dendritic.features.security-kernel-hardened = {
+    nixosModules = [
+      (
+        { pkgs, ... }:
+        {
+          boot.kernelPackages = pkgs.linuxPackages_hardened;
+
+          security = {
+            protectKernelImage = true;
+            lockKernelModules = false; # this breaks iptables, wireguard, and virtd
+
+            # force-enable the Page Table Isolation (PTI) Linux kernel feature
+            forcePageTableIsolation = true;
+
+            # User namespaces are required for sandboxing.
+            # this means you cannot set `"user.max_user_namespaces" = 0;` in sysctl
+            allowUserNamespaces = true;
+
+            # Disable unprivileged user namespaces, unless containers are enabled
+            # unprivilegedUsernsClone = true;
+            allowSimultaneousMultithreading = true;
+          };
+
+          boot.kernelParams = [
+            # make it harder to influence slab cache layout
+            "slab_nomerge"
+            # enables zeroing of memory during allocation and free time
+            # helps mitigate use-after-free vulnerabilaties
+            "init_on_alloc=1"
+            "init_on_free=1"
+            # randomizes page allocator freelist, improving security by
+            # making page allocations less predictable
+            "page_alloc.shuffel=1"
+            # enables Kernel Page Table Isolation, which mitigates Meltdown and
+            # prevents some KASLR bypasses
+            "pti=on"
+            # randomizes the kernel stack offset on each syscall
+            # making attacks that rely on a deterministic stack layout difficult
+            "randomize_kstack_offset=on"
+            # disables vsyscalls, they've been replaced with vDSO
+            "vsyscall=none"
+            # disables debugfs, which exposes sensitive info about the kernel
+            "debugfs=off"
+            # certain exploits cause an "oops", this makes the kernel panic if an "oops" occurs
+            "oops=panic"
+            # only alows kernel modules that have been signed with a valid key to be loaded
+            # making it harder to load malicious kernel modules
+            # can make VirtualBox or Nvidia drivers unusable
+            "module.sig_enforce=1"
+            # prevents user space code excalation
+            "lockdown=confidentiality"
+            # "rd.udev.log_level=3"
+            # "udev.log_priority=3"
+          ];
+          boot.blacklistedKernelModules = [
+            # Obscure networking protocols
+            "dccp"
+            "sctp"
+            "rds"
+            "tipc"
+            "n-hdlc"
+            "ax25"
+            "netrom"
+            "x25"
+            "rose"
+            "decnet"
+            "econet"
+            "af_802154"
+            "ipx"
+            "appletalk"
+            "psnap"
+            "p8023"
+            "p8022"
+            "can"
+            "atm"
+            # Various rare filesystems
+            "cramfs"
+            "freevxfs"
+            "jffs2"
+            "hfs"
+            "hfsplus"
+            "udf"
+
+            # Not so rare filesystems
+            "squashfs"
+            "cifs"
+            "nfs"
+            "nfsv3"
+            "nfsv4"
+            "ksmbd"
+            "gfs2"
+            # vivid driver is only useful for testing purposes and has been the
+            # cause of privilege escalation vulnerabilities
+            "vivid"
+          ];
+        }
+      )
+    ];
+  };
+}