1# A profile with most (vanilla) hardening options enabled by default,
2# potentially at the cost of stability, features and performance.
3#
# This profile enables options that are known to affect system
# stability. If you experience any stability issues when using the
# profile, try disabling it (set `profiles.hardened = false;`) or the
# individual option at fault. If you report an issue and use this
# profile, always mention that you do.
8
{
  config,
  lib,
  pkgs,
  ...
}:
let
  inherit (lib)
    mkDefault
    mkOverride
    mkEnableOption
    mkIf
    maintainers
    ;

  enabled = config.profiles.hardened;

  # Modules that must never be auto-loaded while the profile is active.
  # A modprobe blacklist only stops alias-based auto-loading; an explicit
  # `modprobe` by root still works until security.lockKernelModules (set
  # below) takes effect after boot.
  obscureNetworkProtocols = [
    "ax25"
    "netrom"
    "rose"
  ];

  # Old, rare or insufficiently audited filesystems.
  # NOTE(review): the in-kernel "ntfs3" driver is a separate module and is
  # not covered by the "ntfs" entry — decide whether it belongs here too.
  legacyFilesystems = [
    "adfs"
    "affs"
    "bfs"
    "befs"
    "cramfs"
    "efs"
    "erofs"
    "exofs"
    "freevxfs"
    "f2fs"
    "hfs"
    "hpfs"
    "jfs"
    "minix"
    "nilfs2"
    "ntfs"
    "omfs"
    "qnx4"
    "qnx6"
    "sysv"
    "ufs"
  ];
in
{
  # Importing this profile turns it on; opt out with `profiles.hardened = false;`.
  options.profiles.hardened = mkEnableOption "hardened" // {
    default = true;
    example = false;
  };

  # Every setting below uses mkDefault (priority 1000) or a low-priority
  # mkOverride, so a plain assignment in the user's configuration (priority
  # 100) wins over the profile without needing mkForce.
  config = mkIf enabled {
    meta.maintainers = [
      maintainers.joachifm
      maintainers.emily
    ];

    # Kernel carrying the linux-hardened patch set.
    boot.kernelPackages = mkDefault pkgs.linuxPackages_hardened;

    # Only members of the "users" group may connect to the Nix daemon
    # (presumably trusted-users remain allowed regardless — confirm against
    # the manual of the pinned Nix version).
    nix.settings.allowed-users = mkDefault [ "@users" ];

    environment = {
      # Replace the default allocator with Scudo. ZeroContents=1 hands out
      # zero-filled chunks, so stale heap data does not leak into new
      # allocations.
      # NOTE(review): environment.variables reaches login sessions; services
      # started by systemd presumably do not see SCUDO_OPTIONS — verify.
      memoryAllocator.provider = mkDefault "scudo";
      variables.SCUDO_OPTIONS = mkDefault "ZeroContents=1";
    };

    security = {
      # Refuse to load kernel modules once the system is up. Hardware that is
      # hot-plugged later and needs a not-yet-loaded module will not work.
      lockKernelModules = mkDefault true;

      # Prevent the running kernel image from being replaced (kexec,
      # hibernation) — see the option's description for the full list.
      protectKernelImage = mkDefault true;

      # Disable SMT (nosmt): closes sibling-thread side channels at a
      # throughput cost.
      allowSimultaneousMultithreading = mkDefault false;

      # Force KPTI even on CPUs that report themselves as not vulnerable.
      forcePageTableIsolation = mkDefault true;

      # Unprivileged user namespaces are a large kernel attack surface and
      # stay off, except when containers are enabled: rootless podman needs
      # them.
      unprivilegedUsernsClone = mkDefault config.virtualisation.containers.enable;

      # L1TF: flush the L1 data cache on every VM entry, not only when the
      # kernel thinks it is needed.
      virtualisation.flushL1DataCache = mkDefault "always";

      apparmor = {
        enable = mkDefault true;
        # Kill processes that have a profile but are running unconfined.
        killUnconfinedConfinables = mkDefault true;
      };
    };

    boot.kernelParams = [
      # Keep slab caches separate: makes cross-cache heap overflows harder to
      # exploit.
      "slab_nomerge"

      # Poison pages on free.
      # NOTE(review): recent kernels document init_on_free=1 / init_on_alloc=1
      # as the successors of page_poison — check which the pinned hardened
      # kernel honours.
      "page_poison=1"

      # Randomise the page allocator's free lists.
      "page_alloc.shuffle=1"

      # Disable debugfs (the `debugfs=` parameter is ignored by kernels that
      # predate it).
      "debugfs=off"
    ];

    boot.blacklistedKernelModules = obscureNetworkProtocols ++ legacyFilesystems;

    boot.kernel.sysctl = {
      # Hide kernel pointers from everyone, including CAP_SYSLOG holders.
      # Priority 500 beats another module's mkDefault (1000) but still yields
      # to a plain user assignment (100).
      "kernel.kptr_restrict" = mkOverride 500 2;

      # Disable the BPF JIT so attacker-controlled BPF programs cannot be used
      # to spray executable kernel memory. This does not restrict who may call
      # bpf(); that is kernel.unprivileged_bpf_disabled, which is not set here
      # (TODO confirm whether the hardened kernel config already defaults it on).
      "net.core.bpf_jit_enable" = mkDefault false;

      # Disable ftrace.
      "kernel.ftrace_enabled" = mkDefault false;

      # Strict reverse path filtering (1 = strict): drop packets whose source
      # is not routable back out of the receiving interface, and log them as
      # martians. Strict mode breaks asymmetric-routing setups. The "default"
      # entries cover interfaces created after the sysctls were applied.
      "net.ipv4.conf.all.log_martians" = mkDefault true;
      "net.ipv4.conf.all.rp_filter" = mkDefault "1";
      "net.ipv4.conf.default.log_martians" = mkDefault true;
      "net.ipv4.conf.default.rp_filter" = mkDefault "1";

      # Do not answer ICMP echo requests sent to broadcast addresses (Smurf).
      "net.ipv4.icmp_echo_ignore_broadcasts" = mkDefault true;

      # Ignore incoming ICMP redirects on IPv4 and IPv6: an on-link attacker
      # could otherwise rewrite our routes.
      # NOTE(review): per the kernel's ip-sysctl documentation,
      # secure_redirects=1 is the *restrictive* value (accept redirects only
      # from known gateways) and 0 lifts that check. It makes no difference
      # while accept_redirects is off, but it is the permissive choice should
      # accept_redirects ever be re-enabled — confirm the intent.
      "net.ipv4.conf.all.accept_redirects" = mkDefault false;
      "net.ipv4.conf.all.secure_redirects" = mkDefault false;
      "net.ipv4.conf.default.accept_redirects" = mkDefault false;
      "net.ipv4.conf.default.secure_redirects" = mkDefault false;
      "net.ipv6.conf.all.accept_redirects" = mkDefault false;
      "net.ipv6.conf.default.accept_redirects" = mkDefault false;

      # Do not send ICMP redirects ourselves (there is no IPv6 counterpart of
      # this sysctl).
      "net.ipv4.conf.all.send_redirects" = mkDefault false;
      "net.ipv4.conf.default.send_redirects" = mkDefault false;
    };
  };
}