Merge commit '22a3bf9fb9edad917fb6cd1066d58b5e426ee975'

1 files changed, 4 insertions, 38 deletions

diff --git a/nixpkgs/nixos/modules/profiles/hardened.nix b/nixpkgs/nixos/modules/profiles/hardened.nix
index f7b2f5c7fc1e..ef8c0d74f062 100644
--- a/nixpkgs/nixos/modules/profiles/hardened.nix
+++ b/nixpkgs/nixos/modules/profiles/hardened.nix
@@ -7,19 +7,20 @@ with lib;
 
 {
   meta = {
-    maintainers = [ maintainers.joachifm ];
+    maintainers = [ maintainers.joachifm maintainers.emily ];
   };
 
   boot.kernelPackages = mkDefault pkgs.linuxPackages_hardened;
 
   nix.allowedUsers = mkDefault [ "@users" ];
 
+  environment.memoryAllocator.provider = mkDefault "scudo";
+  environment.variables.SCUDO_OPTIONS = mkDefault "ZeroContents=1";
+
   security.hideProcessInformation = mkDefault true;
 
   security.lockKernelModules = mkDefault true;
 
-  security.allowUserNamespaces = mkDefault false;
-
   security.protectKernelImage = mkDefault true;
 
   security.allowSimultaneousMultithreading = mkDefault false;
@@ -34,15 +35,9 @@ with lib;
     # Slab/slub sanity checks, redzoning, and poisoning
     "slub_debug=FZP"
 
-    # Disable slab merging to make certain heap overflow attacks harder
-    "slab_nomerge"
-
     # Overwrite free'd memory
     "page_poison=1"
 
-    # Disable legacy virtual syscalls
-    "vsyscall=none"
-
     # Enable page allocator randomization
     "page_alloc.shuffle=1"
   ];
@@ -79,38 +74,12 @@ with lib;
   # (e.g., parent/child)
   boot.kernel.sysctl."kernel.yama.ptrace_scope" = mkOverride 500 1;
 
-  # Restrict access to kernel ring buffer (information leaks)
-  boot.kernel.sysctl."kernel.dmesg_restrict" = mkDefault true;
-
   # Hide kptrs even for processes with CAP_SYSLOG
   boot.kernel.sysctl."kernel.kptr_restrict" = mkOverride 500 2;
 
-  # Unprivileged access to bpf() has been used for privilege escalation in
-  # the past
-  boot.kernel.sysctl."kernel.unprivileged_bpf_disabled" = mkDefault true;
-
   # Disable bpf() JIT (to eliminate spray attacks)
   boot.kernel.sysctl."net.core.bpf_jit_enable" = mkDefault false;
 
-  # ... or at least apply some hardening to it
-  boot.kernel.sysctl."net.core.bpf_jit_harden" = mkDefault true;
-
-  # Raise ASLR entropy for 64bit & 32bit, respectively.
-  #
-  # Note: mmap_rnd_compat_bits may not exist on 64bit.
-  boot.kernel.sysctl."vm.mmap_rnd_bits" = mkDefault 32;
-  boot.kernel.sysctl."vm.mmap_rnd_compat_bits" = mkDefault 16;
-
-  # Allowing users to mmap() memory starting at virtual address 0 can turn a
-  # NULL dereference bug in the kernel into code execution with elevated
-  # privilege.  Mitigate by enforcing a minimum base addr beyond the NULL memory
-  # space.  This breaks applications that require mapping the 0 page, such as
-  # dosemu or running 16bit applications under wine.  It also breaks older
-  # versions of qemu.
-  #
-  # The value is taken from the KSPP recommendations (Debian uses 4096).
-  boot.kernel.sysctl."vm.mmap_min_addr" = mkDefault 65536;
-
   # Disable ftrace debugging
   boot.kernel.sysctl."kernel.ftrace_enabled" = mkDefault false;
 
@@ -137,7 +106,4 @@ with lib;
   # Ignore outgoing ICMP redirects (this is ipv4 only)
   boot.kernel.sysctl."net.ipv4.conf.all.send_redirects" = mkDefault false;
   boot.kernel.sysctl."net.ipv4.conf.default.send_redirects" = mkDefault false;
-
-  # Restrict userfaultfd syscalls to processes with the SYS_PTRACE capability
-  boot.kernel.sysctl."vm.unprivileged_userfaultfd" = mkDefault false;
 }