author | Joachim F <joachifm@users.noreply.github.com> | 2020-04-03 18:48:12 +0000 |
---|---|---|
committer | GitHub <noreply@github.com> | 2020-04-03 18:48:12 +0000 |
commit | 18b89e7abddc90e8dcdb616c5a6321dd46de7631 (patch) | |
tree | fe66a860ae39277e3ace5156626ac07dab76ca26 /nixos | |
parent | 9e55da14fee564f9f9730111e579bd257dce4319 (diff) | |
parent | 759968a6126a9bf4962a3ddea4eaf6466baff122 (diff) | |
Merge pull request #73763 from kmcopper/hardening-profile
Improvements to the NixOS Hardened Profile
Diffstat (limited to 'nixos')
-rw-r--r-- | nixos/modules/profiles/hardened.nix | 5 |
1 files changed, 5 insertions, 0 deletions
diff --git a/nixos/modules/profiles/hardened.nix b/nixos/modules/profiles/hardened.nix index f7b2f5c7fc1e..da3de4447686 100644 --- a/nixos/modules/profiles/hardened.nix +++ b/nixos/modules/profiles/hardened.nix @@ -14,12 +14,17 @@ with lib; nix.allowedUsers = mkDefault [ "@users" ]; + environment.memoryAllocator.provider = mkDefault "scudo"; + environment.variables.SCUDO_OPTIONS = mkDefault "ZeroContents=1"; + security.hideProcessInformation = mkDefault true; security.lockKernelModules = mkDefault true; security.allowUserNamespaces = mkDefault false; + nix.useSandbox = mkDefault false; + security.protectKernelImage = mkDefault true; security.allowSimultaneousMultithreading = mkDefault false; |
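Review bot: `nix.useSandbox = mkDefault false;` turns off build sandboxing inside a profile whose purpose is hardening, and the hunk gives no comment saying why. Its placement directly after `security.allowUserNamespaces = mkDefault false;` suggests the sandbox is disabled because it cannot work without user namespaces, but a reader has to guess that. Please add a comment above the line stating the dependency and the trade-off, so that anyone who overrides `security.allowUserNamespaces` back to true knows to re-enable the sandbox as well. The two scudo lines would also benefit from a short comment: `SCUDO_OPTIONS` is set through `environment.variables`, so it is worth noting which processes are expected to pick up `ZeroContents=1` and that it is an `mkDefault` users may need to override if the allocator change causes problems.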