63433537ce
This eliminates a theoretical risk of ASLR bypass due to the fixed address mapping used by the legacy vsyscall mechanism. Modern glibc use vdso(7) instead so there is no loss of functionality, but some programs may fail to run in this configuration. Programs that fail to run because vsyscall has been disabled will be logged to dmesg. For background on virtual syscalls see https://lwn.net/Articles/446528/ Closes https://github.com/NixOS/nixpkgs/pull/25289
40 lines
1.3 KiB
Nix
40 lines
1.3 KiB
Nix
# A profile with most (vanilla) hardening options enabled by default,
|
|
# potentially at the cost of features and performance.
|
|
|
|
{ config, lib, pkgs, ... }:
|
|
|
|
with lib;
|
|
|
|
{
|
|
security.hideProcessInformation = mkDefault true;
|
|
|
|
security.apparmor.enable = mkDefault true;
|
|
|
|
boot.kernelParams = [
|
|
# Disable legacy virtual syscalls
|
|
"vsyscall=none"
|
|
];
|
|
|
|
# Restrict ptrace() usage to processes with a pre-defined relationship
|
|
# (e.g., parent/child)
|
|
boot.kernel.sysctl."kernel.yama.ptrace_scope" = mkOverride 500 1;
|
|
|
|
# Prevent replacing the running kernel image w/o reboot
|
|
boot.kernel.sysctl."kernel.kexec_load_disabled" = mkDefault true;
|
|
|
|
# Restrict access to kernel ring buffer (information leaks)
|
|
boot.kernel.sysctl."kernel.dmesg_restrict" = mkDefault true;
|
|
|
|
# Hide kptrs even for processes with CAP_SYSLOG
|
|
boot.kernel.sysctl."kernel.kptr_restrict" = mkOverride 500 2;
|
|
|
|
# Unprivileged access to bpf() has been used for privilege escalation in
|
|
# the past
|
|
boot.kernel.sysctl."kernel.unprivileged_bpf_disabled" = mkDefault true;
|
|
|
|
# Disable bpf() JIT (to eliminate spray attacks)
|
|
boot.kernel.sysctl."net.core.bpf_jit_enable" = mkDefault false;
|
|
|
|
# ... or at least apply some hardening to it
|
|
boot.kernel.sysctl."net.core.bpf_jit_harden" = mkDefault true;
|
|
}
|