| author | Joachim Fasting <joachifm@fastmail.fm> | 2018-12-16 10:37:36 +0100 |
|---|---|---|
| committer | Joachim Fasting <joachifm@fastmail.fm> | 2018-12-27 15:00:47 +0100 |
| commit | 84fb8820db6226a6e5333813d47da6d876243064 (patch) | |
| tree | e213da41f9e8d4e974fe71e724442b8155578bd5 /nixos/modules/profiles | |
| parent | 9db84f6fcdb2616471abb6a427a2b21fe8a8255f (diff) | |
nixos/security/misc: factor out protectKernelImage
Introduces the option security.protectKernelImage that is intended to control various mitigations to protect the integrity of the running kernel image (i.e., prevent replacing it without rebooting). This makes sense as a dedicated module as it is otherwise somewhat difficult to override for hardened profile users who want e.g., hibernation to work.
Diffstat (limited to 'nixos/modules/profiles')
-rw-r--r-- nixos/modules/profiles/hardened.nix | 8
1 files changed, 2 insertions, 6 deletions
diff --git a/nixos/modules/profiles/hardened.nix b/nixos/modules/profiles/hardened.nix index 61e871bcaca5..bad4cb81639d 100644 --- a/nixos/modules/profiles/hardened.nix +++ b/nixos/modules/profiles/hardened.nix @@ -20,6 +20,8 @@ with lib; security.allowUserNamespaces = mkDefault false; + security.protectKernelImage = mkDefault true; + security.apparmor.enable = mkDefault true; boot.kernelParams = [ @@ -28,9 +30,6 @@ with lib; # Disable legacy virtual syscalls "vsyscall=none" - - # Disable hibernation (allows replacing the running kernel) - "nohibernate" ]; boot.blacklistedKernelModules = [ @@ -44,9 +43,6 @@ with lib; # (e.g., parent/child) boot.kernel.sysctl."kernel.yama.ptrace_scope" = mkOverride 500 1; - # Prevent replacing the running kernel image w/o reboot - boot.kernel.sysctl."kernel.kexec_load_disabled" = mkDefault true; - # Restrict access to kernel ring buffer (information leaks) boot.kernel.sysctl."kernel.dmesg_restrict" = mkDefault true; |
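Review bot: `security.protectKernelImage = mkDefault true;` in the first hunk is the only trace in this diff of the option the commit message introduces; the module that defines it lies outside the `nixos/modules/profiles` diffstat, so check that it lands in the same commit, otherwise the hardened profile fails to evaluate on an undefined option. A one-line comment above the assignment, in the style of the surrounding `# ...` comments in hardened.nix, would also help, since the two deletions below otherwise read as mitigations that were simply dropped.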
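Review bot: the second and third hunks delete `"nohibernate"` and `boot.kernel.sysctl."kernel.kexec_load_disabled" = mkDefault true;` without a replacement in this file, so the hardened profile's protection against replacing the running kernel now rests entirely on the new module applying both when `security.protectKernelImage` is true; confirm it does, and that it uses the same `mkDefault` priority so hardened-profile users can still turn it off for hibernation as the commit message intends. Worth a comment in the option description: `kernel.kexec_load_disabled` is one-way, once set to 1 it cannot be cleared without a reboot, so a user who needs kexec must disable the option before the sysctl is applied rather than afterwards.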