initial commit

modules/features/security/sysctl/security-sysctl-kernel.nix

@@ -0,0 +1,29 @@
+{ ... }:
+{
+  config.dendritic.features.security-sysctl-kernel = {
+    nixosModules = [
+      (
+        { ... }:
+        {
+          boot.kernel.sysctl = {
+            "fs.suid_dumpable" = 0;
+            # prevent pointer leaks
+            # Note: certian container runtimes or browser sandboxes might rely on the following
+            # restrict loading TTY line disciplines to the CAP_SYS_MODULE
+            "dev.tty.ldisk_autoload" = 0;
+            # prevent exploit of use-after-free flaws
+            "vm.unprivileged_userfaultfd" = 0;
+            # kexec is used to boot another kernel during runtime and can be abused
+            "kernel.kexec_load_disabled" = 1;
+            # Kernel self-protection
+            # SysRq exposes a lot of potentially dangerous debugging functionality to unprivileged users
+            # 4 makes it so a user can only use the secure attention key. A value of 0 would disable completely
+            "kernel.sysrq" = 4;
+            # restrict all usage of performance events to the CAP_PERFMON capability
+            "kernel.perf_event_paranoid" = 3;
+          };
+        }
+      )
+    ];
+  };
+}