2017-04-06 14:54:45 +02:00
|
|
|
# A profile with most (vanilla) hardening options enabled by default,
|
|
|
|
# potentially at the cost of features and performance.
|
|
|
|
|
|
|
|
{ config, lib, pkgs, ... }:
|
|
|
|
|
|
|
|
with lib;
|
|
|
|
|
|
|
|
{
|
2017-04-30 01:22:32 +02:00
|
|
|
boot.kernelPackages = mkDefault pkgs.linuxPackages_hardened;
|
|
|
|
|
2017-04-06 14:54:45 +02:00
|
|
|
security.hideProcessInformation = mkDefault true;
|
|
|
|
|
2017-04-29 22:46:20 +02:00
|
|
|
security.lockKernelModules = mkDefault true;
|
|
|
|
|
2017-04-06 14:54:45 +02:00
|
|
|
security.apparmor.enable = mkDefault true;
|
|
|
|
|
2017-04-29 17:27:08 +02:00
|
|
|
boot.kernelParams = [
|
2017-04-30 01:22:32 +02:00
|
|
|
# Overwrite free'd memory
|
|
|
|
"page_poison=1"
|
|
|
|
|
2017-04-29 17:27:08 +02:00
|
|
|
# Disable legacy virtual syscalls
|
|
|
|
"vsyscall=none"
|
2017-04-30 11:57:12 +02:00
|
|
|
|
|
|
|
# Disable hibernation (allows replacing the running kernel)
|
|
|
|
"nohibernate"
|
2017-04-29 17:27:08 +02:00
|
|
|
];
|
|
|
|
|
2017-04-06 14:54:45 +02:00
|
|
|
# Restrict ptrace() usage to processes with a pre-defined relationship
|
|
|
|
# (e.g., parent/child)
|
|
|
|
boot.kernel.sysctl."kernel.yama.ptrace_scope" = mkOverride 500 1;
|
|
|
|
|
|
|
|
# Prevent replacing the running kernel image w/o reboot
|
|
|
|
boot.kernel.sysctl."kernel.kexec_load_disabled" = mkDefault true;
|
|
|
|
|
|
|
|
# Restrict access to kernel ring buffer (information leaks)
|
|
|
|
boot.kernel.sysctl."kernel.dmesg_restrict" = mkDefault true;
|
|
|
|
|
|
|
|
# Hide kptrs even for processes with CAP_SYSLOG
|
|
|
|
boot.kernel.sysctl."kernel.kptr_restrict" = mkOverride 500 2;
|
|
|
|
|
|
|
|
# Unprivileged access to bpf() has been used for privilege escalation in
|
|
|
|
# the past
|
|
|
|
boot.kernel.sysctl."kernel.unprivileged_bpf_disabled" = mkDefault true;
|
|
|
|
|
|
|
|
# Disable bpf() JIT (to eliminate spray attacks)
|
|
|
|
boot.kernel.sysctl."net.core.bpf_jit_enable" = mkDefault false;
|
|
|
|
|
|
|
|
# ... or at least apply some hardening to it
|
|
|
|
boot.kernel.sysctl."net.core.bpf_jit_harden" = mkDefault true;
|
2017-04-30 14:41:56 +02:00
|
|
|
|
|
|
|
# A recurring problem with user namespaces is that there are
|
|
|
|
# still code paths where the kernel's permission checking logic
|
|
|
|
# fails to account for namespacing, instead permitting a
|
|
|
|
# namespaced process to act outside the namespace with the
|
|
|
|
# same privileges as it would have inside it. This is particularly
|
|
|
|
# bad in the common case of running as root within the namespace.
|
|
|
|
#
|
|
|
|
# Setting the number of allowed userns to 0 effectively disables
|
|
|
|
# the feature at runtime. Attempting to create a user namespace
|
|
|
|
# with unshare will then fail with "no space left on device".
|
|
|
|
boot.kernel.sysctl."user.max_user_namespaces" = mkDefault 0;
|
2017-04-06 14:54:45 +02:00
|
|
|
}
|