102 lines
3.3 KiB
Nix
102 lines
3.3 KiB
Nix
{ ... }:
|
|
{
|
|
config.dendritic.features.security-kernel-hardened = {
|
|
nixosModules = [
|
|
(
|
|
{ pkgs, ... }:
|
|
{
|
|
boot.kernelPackages = pkgs.linuxPackages_hardened;
|
|
|
|
security = {
|
|
protectKernelImage = true;
|
|
lockKernelModules = false; # this breaks iptables, wireguard, and virtd
|
|
|
|
# force-enable the Page Table Isolation (PTI) Linux kernel feature
|
|
forcePageTableIsolation = true;
|
|
|
|
# User namespaces are required for sandboxing.
|
|
# this means you cannot set `"user.max_user_namespaces" = 0;` in sysctl
|
|
allowUserNamespaces = true;
|
|
|
|
# Disable unprivileged user namespaces, unless containers are enabled
|
|
# unprivilegedUsernsClone = true;
|
|
allowSimultaneousMultithreading = true;
|
|
};
|
|
|
|
boot.kernelParams = [
|
|
# make it harder to influence slab cache layout
|
|
"slab_nomerge"
|
|
# enables zeroing of memory during allocation and free time
|
|
# helps mitigate use-after-free vulnerabilaties
|
|
"init_on_alloc=1"
|
|
"init_on_free=1"
|
|
# randomizes page allocator freelist, improving security by
|
|
# making page allocations less predictable
|
|
"page_alloc.shuffel=1"
|
|
# enables Kernel Page Table Isolation, which mitigates Meltdown and
|
|
# prevents some KASLR bypasses
|
|
"pti=on"
|
|
# randomizes the kernel stack offset on each syscall
|
|
# making attacks that rely on a deterministic stack layout difficult
|
|
"randomize_kstack_offset=on"
|
|
# disables vsyscalls, they've been replaced with vDSO
|
|
"vsyscall=none"
|
|
# disables debugfs, which exposes sensitive info about the kernel
|
|
"debugfs=off"
|
|
# certain exploits cause an "oops", this makes the kernel panic if an "oops" occurs
|
|
"oops=panic"
|
|
# only alows kernel modules that have been signed with a valid key to be loaded
|
|
# making it harder to load malicious kernel modules
|
|
# can make VirtualBox or Nvidia drivers unusable
|
|
"module.sig_enforce=1"
|
|
# prevents user space code excalation
|
|
"lockdown=confidentiality"
|
|
# "rd.udev.log_level=3"
|
|
# "udev.log_priority=3"
|
|
];
|
|
boot.blacklistedKernelModules = [
|
|
# Obscure networking protocols
|
|
"dccp"
|
|
"sctp"
|
|
"rds"
|
|
"tipc"
|
|
"n-hdlc"
|
|
"ax25"
|
|
"netrom"
|
|
"x25"
|
|
"rose"
|
|
"decnet"
|
|
"econet"
|
|
"af_802154"
|
|
"ipx"
|
|
"appletalk"
|
|
"psnap"
|
|
"p8023"
|
|
"p8022"
|
|
"can"
|
|
"atm"
|
|
# Various rare filesystems
|
|
"cramfs"
|
|
"freevxfs"
|
|
"jffs2"
|
|
"hfs"
|
|
"hfsplus"
|
|
"udf"
|
|
|
|
# Not so rare filesystems
|
|
"squashfs"
|
|
"cifs"
|
|
# "nfs"
|
|
# "nfsv3"
|
|
# "nfsv4"
|
|
"ksmbd"
|
|
"gfs2"
|
|
# vivid driver is only useful for testing purposes and has been the
|
|
# cause of privilege escalation vulnerabilities
|
|
"vivid"
|
|
];
|
|
}
|
|
)
|
|
];
|
|
};
|
|
}
|