From b99106d42263217a2df755a84f602522c9abd07a Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Cyryl=20P=C5=82otnicki?=
Date: Sat, 2 May 2020 20:20:22 +0100
Subject: [PATCH] disable hardened kernel temporarily
---
 nixos/boot.nix | 1 -
 nixos/boxes/foureighty.nix | 5 ++--
 nixos/common.nix | 2 +-
 nixos/security.nix | 60 ++++++++++++++++++++++++++++++++++++++
 4 files changed, 63 insertions(+), 5 deletions(-)
 create mode 100644 nixos/security.nix
diff --git a/nixos/boot.nix b/nixos/boot.nix
index 626e2385..811ff03d 100644
--- a/nixos/boot.nix
+++ b/nixos/boot.nix
@@ -1,7 +1,6 @@
 { config, pkgs, ... }:
 {
 fileSystems."/".options = [ "noatime" "nodiratime" "discard" ];
- security.lockKernelModules = false;
 boot = {
 kernel.sysctl = {
diff --git a/nixos/boxes/foureighty.nix b/nixos/boxes/foureighty.nix
index e742abec..a325ce86 100644
--- a/nixos/boxes/foureighty.nix
+++ b/nixos/boxes/foureighty.nix
@@ -3,12 +3,11 @@
 networking.hostName = "foureighty";
 boot = {
- kernelPackages = pkgs.linuxPackagesFor pkgs.linux_hardened;
+ kernelPackages = pkgs.linuxPackagesFor pkgs.linux_latest;
 initrd.luks.devices = {
 root = {
 device = "/dev/disk/by-uuid/a9e8a44f-15be-4844-a0a1-46892cc5e44e";
- preLVM = true;
 allowDiscards = true;
 };
 };
@@ -42,10 +41,10 @@
 ../gfx-intel.nix
 ../zerotier.nix
 ../i3/system.nix
- ../virtualbox.nix
 ../distributed-builds.nix
 ];
+ nix.maxJobs = 2;
 nix.buildCores = 6;
 }
diff --git a/nixos/common.nix b/nixos/common.nix
index 1d3505e7..5dbf430c 100644
--- a/nixos/common.nix
+++ b/nixos/common.nix
@@ -6,11 +6,11 @@ in {
 imports = [
- ./syncthing.nix
 ./gsconnect.nix
 ./common-hardware.nix
 ./common-services.nix
+ ./security.nix
 ];
 security.allowUserNamespaces = true;
diff --git a/nixos/security.nix b/nixos/security.nix
new file mode 100644
index 00000000..6ec0c68c
--- /dev/null
+++ b/nixos/security.nix
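Review bot: The `kernelPackages` line now selects `pkgs.linux_latest`, which gives up the compile-time hardening of `linux_hardened` while the commit title calls this temporary, yet nothing in the file records why or when to revert, so the exception is likely to outlive its reason. A comment on that line would keep it visible, e.g. `# TODO(security): temporarily linux_latest instead of linux_hardened — record the blocker here and revert once it is fixed`. In the same hunk the `preLVM = true;` removal on the LUKS root device is only a no-op if the module default is still true; that is worth a quick check since it is the encrypted root. The hunk sits inside the host attribute set whose opening and closing braces are outside the hunk.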
@@ -0,0 +1,60 @@
+{ config, pkgs, ... }:
+{
+ nix.allowedUsers = [ "@users" ];
+ environment.memoryAllocator.provider = "scudo";
+ environment.variables.SCUDO_OPTIONS = "ZeroContents=1";
+ security.lockKernelModules = true;
+ security.protectKernelImage = true;
+ security.forcePageTableIsolation = true;
+ security.virtualisation.flushL1DataCache = "always";
+ security.apparmor.enable = true;
+ boot.kernelParams = [
+ "slub_debug=FZP"
+ "page_poison=1"
+ "page_alloc.shuffle=1"
+ ];
+
+ boot.blacklistedKernelModules = [
+ # Obscure network protocols
+ "ax25"
+ "netrom"
+ "rose"
+
+ # Old or rare or insufficiently audited filesystems
+ "adfs"
+ "affs"
+ "bfs"
+ "befs"
+ "cramfs"
+ "efs"
+ "erofs"
+ "exofs"
+ "freevxfs"
+ "f2fs"
+ "hfs"
+ "hpfs"
+ "jfs"
+ "minix"
+ "nilfs2"
+ "qnx4"
+ "qnx6"
+ "sysv"
+ "ufs"
+ ];
+
+ boot.kernel.sysctl."net.core.bpf_jit_enable" = false;
+ boot.kernel.sysctl."kernel.ftrace_enabled" = false;
+ boot.kernel.sysctl."net.ipv4.conf.all.log_martians" = true;
+ boot.kernel.sysctl."net.ipv4.conf.all.rp_filter" = "1";
+ boot.kernel.sysctl."net.ipv4.conf.default.log_martians" = true;
+ boot.kernel.sysctl."net.ipv4.conf.default.rp_filter" = "1";
+ boot.kernel.sysctl."net.ipv4.icmp_echo_ignore_broadcasts" = true;
+ boot.kernel.sysctl."net.ipv4.conf.all.accept_redirects" = false;
+ boot.kernel.sysctl."net.ipv4.conf.all.secure_redirects" = false;
+ boot.kernel.sysctl."net.ipv4.conf.default.accept_redirects" = false;
+ boot.kernel.sysctl."net.ipv4.conf.default.secure_redirects" = false;
+ boot.kernel.sysctl."net.ipv6.conf.all.accept_redirects" = false;
+ boot.kernel.sysctl."net.ipv6.conf.default.accept_redirects" = false;
+ boot.kernel.sysctl."net.ipv4.conf.all.send_redirects" = false;
+ boot.kernel.sysctl."net.ipv4.conf.default.send_redirects" = false;
+}
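Review bot: `security.lockKernelModules = true;` near the top of the new file is the setting most likely to bite at runtime: the same commit removes the `false` that boot.nix carried, so this flips it, and once it takes effect no module can be loaded after boot, meaning anything this host loads lazily (drivers for hot-plugged hardware, or `tun` if the zerotier import depends on it) must be pre-listed in `boot.kernelModules`, which this file does not do. A header comment would make that contract visible to the next editor, e.g. `# Hardening baseline (appears to track nixpkgs' profiles/hardened.nix minus the kernel choice). lockKernelModules = true: anything needed after boot must be in boot.kernelModules.`. `net.ipv4.conf.{all,default}.rp_filter = "1"` is strict mode and can silently drop replies on a multi-homed host (an overlay interface alongside Wi-Fi), where loose mode `"2"` is the usual pick, and it is the only sysctl here written as a string while its neighbours use booleans. `security.virtualisation.flushL1DataCache = "always"` only matters if this host runs KVM guests and is a measurable cost if it does, so it deserves either a justification or removal.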