author | Joachim Fasting <joachifm@fastmail.fm> | 2017-09-03 01:49:01 +0200 |
---|---|---|
committer | Joachim Fasting <joachifm@fastmail.fm> | 2017-09-09 17:37:17 +0200 |
commit | 8aa0618cf0a0fe2ae12fe463b57243d13028a6e8 | |
tree | daa9a4ece59e5c458fdfbde237cfc0b8d1950d8c /nixos | |
parent | 2bce0b13e70ac1e63f9ffefa9d81daee8b834dc9 |
nixos/hardened: blacklist a few obscure net protocols
Diffstat (limited to 'nixos')
-rw-r--r-- | nixos/modules/profiles/hardened.nix | 7 |
1 files changed, 7 insertions, 0 deletions
diff --git a/nixos/modules/profiles/hardened.nix b/nixos/modules/profiles/hardened.nix index c8d306ef3caee..456538742f517 100644 --- a/nixos/modules/profiles/hardened.nix +++ b/nixos/modules/profiles/hardened.nix @@ -25,6 +25,13 @@ with lib; "nohibernate" ]; + boot.blacklistedKernelModules = [ + # Obscure network protocols + "ax25" + "netrom" + "rose" + ]; + # Restrict ptrace() usage to processes with a pre-defined relationship # (e.g., parent/child) boot.kernel.sysctl."kernel.yama.ptrace_scope" = mkOverride 500 1; |
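Review bot: The comment on the new boot.blacklistedKernelModules list says only "Obscure network protocols" and gives no rationale. It should state why "ax25", "netrom" and "rose" are blacklisted in a hardening profile (presumably to keep rarely used protocol code from being loaded on demand) and mention that amateur packet radio setups depend on them. The list is also assigned plainly, while the ptrace_scope sysctl just below it uses mkOverride 500. Because list definitions merge, a user of this profile who needs one of these modules cannot drop a single entry and has to override the whole option, for example with mkForce. Either document that next to the list or set it with an explicit priority as the sysctl does.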