diff --git a/configuration.nix b/configuration.nix
index 59a0c4e..6b12195 100644
--- a/configuration.nix
+++ b/configuration.nix
@@ -133,8 +133,8 @@
 boot.kernel.sysctl."vm.nr_hugepages" = service_configs.hugepages_2m.total_pages;
 boot = {
- # 6.12 LTS until 2026
- kernelPackages = pkgs.linuxPackages_6_12_hardened;
+ # 6.18 LTS until 2027
+ kernelPackages = pkgs.linuxPackages_6_18;
 loader = {
 # Use the systemd-boot EFI boot loader.
diff --git a/modules/security.nix b/modules/security.nix
index 52d0a28..947bd7c 100644
--- a/modules/security.nix
+++ b/modules/security.nix
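Review bot: The new comment `# 6.18 LTS until 2027` records the version change but not the drop of the `_hardened` variant on the `kernelPackages` line, which is the security-relevant part of the edit; a reader of configuration.nix alone cannot tell that the downgrade was deliberate or where the compensating controls went. Suggest `# 6.18 LTS until 2027. Deliberately mainline, not the hardened variant: the runtime hardening it replaces is in modules/security.nix (boot.kernelParams / boot.kernel.sysctl); compile-time-only hardened options are not recovered there.` Whether a hardened 6.18 attribute exists in the pinned nixpkgs is not visible here, so the comment should not claim one way or the other. The enclosing `boot = { ... }` set continues outside the hunk.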
@@ -13,12 +13,78 @@
 # disable coredumps
 systemd.coredump.enable = false;
- # The hardened kernel defaults kernel.unprivileged_userns_clone to 0, which
- # prevents the Nix sandbox from mapping UIDs/GIDs. Without this, any derivation
- # that calls `id` in its build phase (e.g. logrotate checkPhase) fails when not
- # served from the binary cache. See https://github.com/NixOS/nixpkgs/issues/287194
+ # Needed for Nix sandbox UID/GID mapping inside derivation builds.
+ # See https://github.com/NixOS/nixpkgs/issues/287194
 security.unprivilegedUsernsClone = true;
+ # Disable kexec to prevent replacing the running kernel at runtime.
+ security.protectKernelImage = true;
+
+ # Kernel hardening boot parameters. These recover most of the runtime-
+ # configurable protections that the linux-hardened patchset provided.
+ boot.kernelParams = [
+ # Zero all page allocator pages on free / alloc. Prevents info leaks
+ # and use-after-free from seeing stale data. Modest CPU overhead.
+ "init_on_alloc=1"
+ "init_on_free=1"
+
+ # Prevent SLUB allocator from merging caches with similar size/flags.
+ # Keeps different kernel object types in separate slabs, making heap
+ # exploitation (type confusion, spray, use-after-free) significantly harder.
+ "slab_nomerge"
+
+ # Randomize order of pages returned by the buddy allocator.
+ "page_alloc.shuffle=1"
+
+ # Disable debugfs entirely (exposes kernel internals).
+ "debugfs=off"
+
+ # Disable legacy vsyscall emulation (unused by any modern glibc).
+ "vsyscall=none"
+
+ # Strict IOMMU TLB invalidation (no batching). Prevents DMA-capable
+ # devices from accessing stale mappings after unmap.
+ "iommu.strict=1"
+ ];
+
+ boot.kernel.sysctl = {
+ # Immediately reboot on kernel oops (don't leave a compromised
+ # kernel running). Negative value = reboot without delay.
+ "kernel.panic" = -1;
+
+ # Hide kernel pointers from all processes, including CAP_SYSLOG.
+ # Prevents info leaks used to defeat KASLR.
+ "kernel.kptr_restrict" = 2;
+
+ # Disable bpf() JIT compiler (eliminates JIT spray attack vector).
+ "net.core.bpf_jit_enable" = false;
+
+ # Disable ftrace (kernel function tracer) at runtime.
+ "kernel.ftrace_enabled" = false;
+
+ # Strict reverse-path filtering: drop packets arriving on an interface
+ # where the source address isn't routable back via that interface.
+ "net.ipv4.conf.all.rp_filter" = 1;
+ "net.ipv4.conf.default.rp_filter" = 1;
+ "net.ipv4.conf.all.log_martians" = true;
+ "net.ipv4.conf.default.log_martians" = true;
+
+ # Ignore ICMP redirects (prevents route table poisoning).
+ "net.ipv4.conf.all.accept_redirects" = false;
+ "net.ipv4.conf.all.secure_redirects" = false;
+ "net.ipv4.conf.default.accept_redirects" = false;
+ "net.ipv4.conf.default.secure_redirects" = false;
+ "net.ipv6.conf.all.accept_redirects" = false;
+ "net.ipv6.conf.default.accept_redirects" = false;
+
+ # Don't send ICMP redirects (we are not a router).
+ "net.ipv4.conf.all.send_redirects" = false;
+ "net.ipv4.conf.default.send_redirects" = false;
+
+ # Ignore broadcast ICMP (SMURF amplification mitigation).
+ "net.ipv4.icmp_echo_ignore_broadcasts" = true;
+ };
+
 services = {
 dbus.implementation = "broker";
 /*
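Review bot: `"net.core.bpf_jit_enable" = false;` is probably rejected at apply time rather than applied: as far as I recall nixpkgs builds its mainline kernels with CONFIG_BPF_JIT_ALWAYS_ON on platforms that have an eBPF JIT, and with that option the kernel returns EPERM for any value other than 1, so systemd-sysctl only logs an error and the JIT stays enabled while the comment claims it is off. The control that still works on a mainline kernel and that is usually paired with the hardened one is `"kernel.unprivileged_bpf_disabled" = 1;` (optionally with `"net.core.bpf_jit_harden" = 2;`), and neither appears in this list. Relatedly, with the hardened patchset gone `security.unprivilegedUsernsClone = true` now writes `kernel.unprivileged_userns_clone`, a sysctl that to my knowledge only the hardened patches provide, so on 6.18 mainline it is a no-op write and the rewritten comment should either say the option is retained for a possible return to the hardened kernel or the line should go. The hardened defaults for `kernel.dmesg_restrict`, `kernel.yama.ptrace_scope` and `kernel.perf_event_paranoid` are also not reproduced here, which undercuts the "recover most of the runtime-configurable protections" claim in the header comment. The module's enclosing attribute set begins before the hunk and `services = {` runs past its end.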