29 lines
1.1 KiB
Nix
29 lines
1.1 KiB
Nix
{ ... }:
|
|
{
|
|
config.dendritic.features.security-sysctl-kernel = {
|
|
nixosModules = [
|
|
(
|
|
{ ... }:
|
|
{
|
|
boot.kernel.sysctl = {
|
|
"fs.suid_dumpable" = 0;
|
|
# prevent pointer leaks
|
|
# Note: certian container runtimes or browser sandboxes might rely on the following
|
|
# restrict loading TTY line disciplines to the CAP_SYS_MODULE
|
|
"dev.tty.ldisk_autoload" = 0;
|
|
# prevent exploit of use-after-free flaws
|
|
"vm.unprivileged_userfaultfd" = 0;
|
|
# kexec is used to boot another kernel during runtime and can be abused
|
|
"kernel.kexec_load_disabled" = 1;
|
|
# Kernel self-protection
|
|
# SysRq exposes a lot of potentially dangerous debugging functionality to unprivileged users
|
|
# 4 makes it so a user can only use the secure attention key. A value of 0 would disable completely
|
|
"kernel.sysrq" = 4;
|
|
# restrict all usage of performance events to the CAP_PERFMON capability
|
|
"kernel.perf_event_paranoid" = 3;
|
|
};
|
|
}
|
|
)
|
|
];
|
|
};
|
|
}
|