f4ea22e5de
A module for security options that are too small to warrant their own module. The impetus for adding this module is to make it more convenient to override the behavior of the hardened profile wrt user namespaces. Without a dedicated option for user namespaces, the user needs to 1) know which sysctl knob controls userns 2) know how large a value the sysctl knob needs to allow e.g., Nix sandbox builds to work In the future, other mitigations currently enabled by the hardened profile may be promoted to options in this module.
76 lines
2.4 KiB
Nix
76 lines
2.4 KiB
Nix
# A profile with most (vanilla) hardening options enabled by default,
|
|
# potentially at the cost of features and performance.
|
|
|
|
{ lib, pkgs, ... }:
|
|
|
|
with lib;
|
|
|
|
{
|
|
boot.kernelPackages = mkDefault pkgs.linuxPackages_hardened;
|
|
|
|
security.hideProcessInformation = mkDefault true;
|
|
|
|
security.lockKernelModules = mkDefault true;
|
|
|
|
security.allowUserNamespaces = mkDefault false;
|
|
|
|
security.apparmor.enable = mkDefault true;
|
|
|
|
boot.kernelParams = [
|
|
# Overwrite free'd memory
|
|
"page_poison=1"
|
|
|
|
# Disable legacy virtual syscalls
|
|
"vsyscall=none"
|
|
|
|
# Disable hibernation (allows replacing the running kernel)
|
|
"nohibernate"
|
|
];
|
|
|
|
boot.blacklistedKernelModules = [
|
|
# Obscure network protocols
|
|
"ax25"
|
|
"netrom"
|
|
"rose"
|
|
];
|
|
|
|
# Restrict ptrace() usage to processes with a pre-defined relationship
|
|
# (e.g., parent/child)
|
|
boot.kernel.sysctl."kernel.yama.ptrace_scope" = mkOverride 500 1;
|
|
|
|
# Prevent replacing the running kernel image w/o reboot
|
|
boot.kernel.sysctl."kernel.kexec_load_disabled" = mkDefault true;
|
|
|
|
# Restrict access to kernel ring buffer (information leaks)
|
|
boot.kernel.sysctl."kernel.dmesg_restrict" = mkDefault true;
|
|
|
|
# Hide kptrs even for processes with CAP_SYSLOG
|
|
boot.kernel.sysctl."kernel.kptr_restrict" = mkOverride 500 2;
|
|
|
|
# Unprivileged access to bpf() has been used for privilege escalation in
|
|
# the past
|
|
boot.kernel.sysctl."kernel.unprivileged_bpf_disabled" = mkDefault true;
|
|
|
|
# Disable bpf() JIT (to eliminate spray attacks)
|
|
boot.kernel.sysctl."net.core.bpf_jit_enable" = mkDefault false;
|
|
|
|
# ... or at least apply some hardening to it
|
|
boot.kernel.sysctl."net.core.bpf_jit_harden" = mkDefault true;
|
|
|
|
# Raise ASLR entropy for 64bit & 32bit, respectively.
|
|
#
|
|
# Note: mmap_rnd_compat_bits may not exist on 64bit.
|
|
boot.kernel.sysctl."vm.mmap_rnd_bits" = mkDefault 32;
|
|
boot.kernel.sysctl."vm.mmap_rnd_compat_bits" = mkDefault 16;
|
|
|
|
# Allowing users to mmap() memory starting at virtual address 0 can turn a
|
|
# NULL dereference bug in the kernel into code execution with elevated
|
|
# privilege. Mitigate by enforcing a minimum base addr beyond the NULL memory
|
|
# space. This breaks applications that require mapping the 0 page, such as
|
|
# dosemu or running 16bit applications under wine. It also breaks older
|
|
# versions of qemu.
|
|
#
|
|
# The value is taken from the KSPP recommendations (Debian uses 4096).
|
|
boot.kernel.sysctl."vm.mmap_min_addr" = mkDefault 65536;
|
|
}
|