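{ config, pkgs, ... }:
# Kernel hardening for this host, expressed as a config-only kernel "patch"
# (patch = null, just extraConfig) that is applied to whatever kernel NixOS
# builds for the system.
#
# Every line inside extraConfig is handed to the NixOS kernel config generator
# as "OPTION value", so the explanations live out here rather than in the
# string.  Points a reviewer should know about this set:
#
#   * SHUFFLE_PAGE_ALLOCATOR only compiles freelist shuffling in; the kernel
#     activates it at boot only when firmware (ACPI HMAT) advertises a
#     memory-side cache or when page_alloc.shuffle=1 is passed.  The
#     boot.kernelParams entry below supplies that parameter so the option is
#     not inert on ordinary desktop/laptop hardware.
#   * SLUB_DEBUG likewise only builds the debugging infrastructure; the runtime
#     checks stay off unless SLUB_DEBUG_ON or a slub_debug= boot parameter
#     turns them on (deliberately not done here - they are expensive).
#   * PANIC_TIMEOUT -1 reboots immediately on panic, so a BUG()/oops that
#     escalates to a panic leaves nothing on the console to read; pair it with
#     pstore or netconsole if post-mortem information matters.
#   * INET_DIAG n removes the sock_diag netlink family; `ss` falls back to
#     /proc/net with less detail.  PROC_KCORE n removes /proc/kcore (a raw
#     image of kernel memory) and ACPI_CUSTOM_METHOD n removes the debugfs
#     interface for injecting AML at runtime.
#   * STACKLEAK, STRUCTLEAK_BYREF_ALL, RANDSTRUCT and the page poisoning options
#     all cost some performance; RANDSTRUCT_PERFORMANCE keeps cache-line
#     grouping of struct members to limit that.
#   * Several symbols here no longer exist in newer kernels:
#     PAGE_POISONING_NO_SANITY / PAGE_POISONING_ZERO (removed in 5.11; zeroing
#     on free is now init_on_free=1 / INIT_ON_FREE_DEFAULT_ON),
#     GCC_PLUGIN_RANDSTRUCT* (replaced by the RANDSTRUCT_FULL /
#     RANDSTRUCT_PERFORMANCE choice in 5.19), SECURITY_SELINUX_DISABLE
#     (removed in 6.4), DEBUG_CREDENTIALS (removed in 6.7) and
#     ACPI_CUSTOM_METHOD (removed around 6.10).  As far as I can tell the NixOS
#     builder rejects a config line whose symbol the kernel does not know
#     unless the key is written "OPTION? value", so the expected failure mode
#     when the kernel moves past these is a loud build error rather than
#     silently weaker hardening - check the pinned kernel version before
#     relaxing any of them with "?".
{
  # See the SHUFFLE_PAGE_ALLOCATOR note above: without this parameter the
  # option does nothing on machines whose firmware reports no memory-side cache.
  boot.kernelParams = [ "page_alloc.shuffle=1" ];

  boot.kernelPatches = [ {
    name = "cyplo-hardened";
    # No source changes; this entry only carries kernel config options.
    patch = null;
    extraConfig = ''
      LOCKUP_DETECTOR y
      HARDLOCKUP_DETECTOR y
      BUG y

      SECURITY_SELINUX_DISABLE  n

      STRICT_KERNEL_RWX  y

      DEBUG_CREDENTIALS      y
      DEBUG_NOTIFIERS        y
      DEBUG_SG               y
      SCHED_STACK_END_CHECK  y

      SHUFFLE_PAGE_ALLOCATOR  y

      SLUB_DEBUG  y

      PAGE_POISONING            y
      PAGE_POISONING_NO_SANITY  y
      PAGE_POISONING_ZERO       y

      SECURITY_SAFESETID  y

      PANIC_TIMEOUT  -1

      GCC_PLUGINS  y
      GCC_PLUGIN_LATENT_ENTROPY  y

      GCC_PLUGIN_STRUCTLEAK  y
      GCC_PLUGIN_STRUCTLEAK_BYREF_ALL  y
      GCC_PLUGIN_STACKLEAK  y
      GCC_PLUGIN_RANDSTRUCT y
      GCC_PLUGIN_RANDSTRUCT_PERFORMANCE  y

      ACPI_CUSTOM_METHOD  n
      PROC_KCORE          n
      INET_DIAG           n
    '';
  } ];
}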