| blob | 62a9bb90e747cf27dc0c83c4fdd26106cdd5aacd |
1 # A profile with most (vanilla) hardening options enabled by default,
2 # potentially at the cost of stability, features and performance.
3 #
4 # This profile enables options that are known to affect system
5 # stability. If you experience any stability issues when using the
6 # profile, try disabling it. If you report an issue and use this
7 # profile, always mention that you do.
9 {
10 config,
11 lib,
12 pkgs,
13 ...
14 }:
16 with lib;
18 {
19 meta = {
20 maintainers = [
21 maintainers.joachifm
22 maintainers.emily
23 ];
24 };
26 boot.kernelPackages = mkDefault pkgs.linuxPackages_hardened;
28 nix.settings.allowed-users = mkDefault [ "@users" ];
30 environment.memoryAllocator.provider = mkDefault "scudo";
31 environment.variables.SCUDO_OPTIONS = mkDefault "ZeroContents=1";
33 security.lockKernelModules = mkDefault true;
35 security.protectKernelImage = mkDefault true;
37 security.allowSimultaneousMultithreading = mkDefault false;
39 security.forcePageTableIsolation = mkDefault true;
41 # This is required by podman to run containers in rootless mode.
42 security.unprivilegedUsernsClone = mkDefault config.virtualisation.containers.enable;
44 security.virtualisation.flushL1DataCache = mkDefault "always";
46 security.apparmor.enable = mkDefault true;
47 security.apparmor.killUnconfinedConfinables = mkDefault true;
49 boot.kernelParams = [
50 # Don't merge slabs
51 "slab_nomerge"
53 # Overwrite free'd pages
54 "page_poison=1"
56 # Enable page allocator randomization
57 "page_alloc.shuffle=1"
59 # Disable debugfs
60 "debugfs=off"
61 ];
63 boot.blacklistedKernelModules = [
64 # Obscure network protocols
65 "ax25"
66 "netrom"
67 "rose"
69 # Old or rare or insufficiently audited filesystems
70 "adfs"
71 "affs"
72 "bfs"
73 "befs"
74 "cramfs"
75 "efs"
76 "erofs"
77 "exofs"
78 "freevxfs"
79 "f2fs"
80 "hfs"
81 "hpfs"
82 "jfs"
83 "minix"
84 "nilfs2"
85 "ntfs"
86 "omfs"
87 "qnx4"
88 "qnx6"
89 "sysv"
90 "ufs"
91 ];
93 # Hide kptrs even for processes with CAP_SYSLOG
94 boot.kernel.sysctl."kernel.kptr_restrict" = mkOverride 500 2;
96 # Disable bpf() JIT (to eliminate spray attacks)
97 boot.kernel.sysctl."net.core.bpf_jit_enable" = mkDefault false;
99 # Disable ftrace debugging
100 boot.kernel.sysctl."kernel.ftrace_enabled" = mkDefault false;
102 # Enable strict reverse path filtering (that is, do not attempt to route
103 # packets that "obviously" do not belong to the iface's network; dropped
104 # packets are logged as martians).
105 boot.kernel.sysctl."net.ipv4.conf.all.log_martians" = mkDefault true;
106 boot.kernel.sysctl."net.ipv4.conf.all.rp_filter" = mkDefault "1";
107 boot.kernel.sysctl."net.ipv4.conf.default.log_martians" = mkDefault true;
108 boot.kernel.sysctl."net.ipv4.conf.default.rp_filter" = mkDefault "1";
110 # Ignore broadcast ICMP (mitigate SMURF)
111 boot.kernel.sysctl."net.ipv4.icmp_echo_ignore_broadcasts" = mkDefault true;
113 # Ignore incoming ICMP redirects (note: default is needed to ensure that the
114 # setting is applied to interfaces added after the sysctls are set)
115 boot.kernel.sysctl."net.ipv4.conf.all.accept_redirects" = mkDefault false;
116 boot.kernel.sysctl."net.ipv4.conf.all.secure_redirects" = mkDefault false;
117 boot.kernel.sysctl."net.ipv4.conf.default.accept_redirects" = mkDefault false;
118 boot.kernel.sysctl."net.ipv4.conf.default.secure_redirects" = mkDefault false;
119 boot.kernel.sysctl."net.ipv6.conf.all.accept_redirects" = mkDefault false;
120 boot.kernel.sysctl."net.ipv6.conf.default.accept_redirects" = mkDefault false;
122 # Ignore outgoing ICMP redirects (this is ipv4 only)
123 boot.kernel.sysctl."net.ipv4.conf.all.send_redirects" = mkDefault false;
124 boot.kernel.sysctl."net.ipv4.conf.default.send_redirects" = mkDefault false;
125 }