NixOS Hardening: Difference between revisions
Older revision, edit summary: →Sysctl parameters: Add kernel.io_uring_disabled=2
Newer revision, edit summary (minor edit): group sections
| Line 1: | Line 1: | ||
== Kernel == | |||
=== linux-hardened === | === linux-hardened === | ||
[https://github.com/anthraxx/linux-hardened linux-hardened] is a Linux kernel with additional hardening patches applied. You can check for latest releases [https://github.com/anthraxx/linux-hardened/releases here].<syntaxhighlight lang="nix"> | [https://github.com/anthraxx/linux-hardened linux-hardened] is a Linux kernel with additional hardening patches applied. You can check for latest releases [https://github.com/anthraxx/linux-hardened/releases here].<syntaxhighlight lang="nix"> | ||
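Review bot: the new level-2 heading `== Kernel ==` above `=== linux-hardened ===` is the right level for the grouping this revision introduces, but the `<syntaxhighlight lang="nix">` tag glued to the end of the prose line (`…releases here].<syntaxhighlight lang="nix">`) should start its own line, so the code block is visible as a block in the wiki source and the sentence does not run into it; while touching the line, "check for latest releases" reads better as "check for the latest releases". The body of that Nix block is not part of this hunk, so nothing here reviews what it contains.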
| Line 199: | Line 200: | ||
security.forcePageTableIsolation = true; | security.forcePageTableIsolation = true; | ||
</syntaxhighlight> | </syntaxhighlight> | ||
=== Memory allocator === | === Memory allocator === | ||
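Review bot: the two columns of this hunk are identical, so the change it carries did not survive rendering; the line counter moving from 199 to 200 is fully explained by the heading added at the top, while the next hunk opens at 219 versus 222, so this hunk must add two lines that are not shown, most likely blank lines, which is worth confirming in the wiki's own diff view. Separately, `=== Memory allocator ===` now sits under the new `== Kernel ==` group next to `security.forcePageTableIsolation`; if that subsection configures a userspace allocator rather than a kernel option, readers looking for kernel settings will be misled, and it fits better under its own heading.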
| Line 219: | Line 222: | ||
}; | }; | ||
};</syntaxhighlight> | };</syntaxhighlight> | ||
== Nix settings == | |||
=== Nix allowed users === | === Nix allowed users === | ||
| Line 224: | Line 229: | ||
nix.settings.allowed-users = [ "@users" ]; | nix.settings.allowed-users = [ "@users" ]; | ||
</syntaxhighlight> | </syntaxhighlight> | ||
== Other settings == | |||
=== Flush L1 data cache === | === Flush L1 data cache === | ||
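Review bot: `=== Flush L1 data cache ===` lands under the new `== Other settings ==`, but it is a speculative-execution mitigation of the same family as `security.forcePageTableIsolation`, which this revision places under `== Kernel ==`; grouping it there keeps the CPU-side mitigations together and leaves "Other settings" for material that genuinely fits nowhere else. As a general point, a catch-all heading should be the last resort; every subsection it collects is one a reader cannot find by scanning the table of contents.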
| Line 237: | Line 244: | ||
security.apparmor.killUnconfinedConfinables = true; | security.apparmor.killUnconfinedConfinables = true; | ||
</syntaxhighlight> | </syntaxhighlight> | ||
== Lower-level == | |||
=== Secure Boot === | === Secure Boot === | ||
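Review bot: `== Lower-level ==` is a vague name for a group whose only visible member is `=== Secure Boot ===`; since the subsection is about the boot chain, a heading that says so (for example `== Boot ==`) tells readers what they will find without opening it, and "lower-level" invites later editors to file unrelated material there. The `security.apparmor.killUnconfinedConfinables = true;` block that closes just above is the tail of the AppArmor subsection, which this revision leaves under `== Other settings ==`; if the grouping is revisited, mandatory access control is a large enough topic to deserve a named heading rather than the catch-all.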