pyrox.dev
1# A profile with most (vanilla) hardening options enabled by default,
2# potentially at the cost of features and performance.
3
4{ lib, pkgs, ... }:
5
6with lib;
7
8{
9 boot.kernelPackages = mkDefault pkgs.linuxPackages_hardened;
10
11 security.hideProcessInformation = mkDefault true;
12
13 security.lockKernelModules = mkDefault true;
14
15 security.apparmor.enable = mkDefault true;
16
17 boot.kernelParams = [
18 # Overwrite free'd memory
19 "page_poison=1"
20
21 # Disable legacy virtual syscalls
22 "vsyscall=none"
23
24 # Disable hibernation (allows replacing the running kernel)
25 "nohibernate"
26 ];
27
28 boot.blacklistedKernelModules = [
29 # Obscure network protocols
30 "ax25"
31 "netrom"
32 "rose"
33 ];
34
35 # Restrict ptrace() usage to processes with a pre-defined relationship
36 # (e.g., parent/child)
37 boot.kernel.sysctl."kernel.yama.ptrace_scope" = mkOverride 500 1;
38
39 # Prevent replacing the running kernel image w/o reboot
40 boot.kernel.sysctl."kernel.kexec_load_disabled" = mkDefault true;
41
42 # Restrict access to kernel ring buffer (information leaks)
43 boot.kernel.sysctl."kernel.dmesg_restrict" = mkDefault true;
44
45 # Hide kptrs even for processes with CAP_SYSLOG
46 boot.kernel.sysctl."kernel.kptr_restrict" = mkOverride 500 2;
47
48 # Unprivileged access to bpf() has been used for privilege escalation in
49 # the past
50 boot.kernel.sysctl."kernel.unprivileged_bpf_disabled" = mkDefault true;
51
52 # Disable bpf() JIT (to eliminate spray attacks)
53 boot.kernel.sysctl."net.core.bpf_jit_enable" = mkDefault false;
54
55 # ... or at least apply some hardening to it
56 boot.kernel.sysctl."net.core.bpf_jit_harden" = mkDefault true;
57
58 # A recurring problem with user namespaces is that there are
59 # still code paths where the kernel's permission checking logic
60 # fails to account for namespacing, instead permitting a
61 # namespaced process to act outside the namespace with the
62 # same privileges as it would have inside it. This is particularly
63 # bad in the common case of running as root within the namespace.
64 #
65 # Setting the number of allowed user namespaces to 0 effectively disables
66 # the feature at runtime. Attempting to create a user namespace
67 # with unshare will then fail with "no space left on device".
68 boot.kernel.sysctl."user.max_user_namespaces" = mkDefault 0;
69
70 # Raise ASLR entropy for 64bit & 32bit, respectively.
71 #
72 # Note: mmap_rnd_compat_bits may not exist on 64bit.
73 boot.kernel.sysctl."vm.mmap_rnd_bits" = mkDefault 32;
74 boot.kernel.sysctl."vm.mmap_rnd_compat_bits" = mkDefault 16;
75
76 # Allowing users to mmap() memory starting at virtual address 0 can turn a
77 # NULL dereference bug in the kernel into code execution with elevated
78 # privilege. Mitigate by enforcing a minimum base addr beyond the NULL memory
79 # space. This breaks applications that require mapping the 0 page, such as
80 # dosemu or running 16bit applications under wine. It also breaks older
81 # versions of qemu.
82 #
83 # The value is taken from the KSPP recommendations (Debian uses 4096).
84 boot.kernel.sysctl."vm.mmap_min_addr" = mkDefault 65536;
85}