Unverified Commit 1f69b214 authored by zowoq's avatar zowoq Committed by GitHub

nixos/profiles: remove hardened (#501199)

parents 3ba90b35 18a45284
+0 −1
@@ -24,7 +24,6 @@ profiles/clone-config.section.md
profiles/demo.section.md
profiles/docker-container.section.md
profiles/graphical.section.md
profiles/hardened.section.md
profiles/headless.section.md
profiles/installation-device.section.md
profiles/perlless.section.md
+0 −20
# Hardened {#sec-profile-hardened}

A profile with most (vanilla) hardening options enabled by default,
potentially at the cost of stability, features and performance.

This includes a hardened kernel, and limiting the system information
available to processes through the `/sys` and
`/proc` filesystems. It also disables the User Namespaces
feature of the kernel, which stops Nix from being able to build anything
(this particular setting can be overridden via
[](#opt-security.allowUserNamespaces)). See the
[profile source](https://github.com/nixos/nixpkgs/tree/master/nixos/modules/profiles/hardened.nix)
for further detail on which settings are altered.

::: {.warning}
This profile enables options that are known to affect system
stability. If you experience any stability issues when using the
profile, try disabling it. If you report an issue and use this
profile, always mention that you do.
:::
+2 −1
@@ -1728,7 +1728,8 @@
  "sec-profile-graphical": [
    "index.html#sec-profile-graphical"
  ],
  "sec-profile-hardened": [
  "sec-release-26.05-incompatibilities-profiles-hardened-removed": [
    "release-notes.html#sec-release-26.05-incompatibilities-profiles-hardened-removed",
    "index.html#sec-profile-hardened"
  ],
  "sec-profile-headless": [
+6 −0
@@ -88,6 +88,12 @@

- `opentrack`, `slushload`, `synthesia`, `vtfedit`, `winbox`, `wineasio`, and `yabridge` use wineWow64Packages instead of wineWowPackages as wine versions >= 11.0 have deprecated wineWowPackages. As such, the prefixes for these packages are NOT backwards compatible and need to be regenerated with potential for data loss.

- []{#sec-release-26.05-incompatibilities-profiles-hardened-removed} `profiles/hardened` has been removed, because:
   - It lacks a consistent and transparent baseline or standard,
   - It may introduce unexpected breakage or degrade performance without clear benefit,
   - It is difficult to manage user expectations, especially since the implications of enabling it are not always obvious,
   - and as multiple contributors have noted, it is often more of a “grab bag” of settings than a cohesive security policy.

- `services.crabfit` was removed because its upstream packages are unmaintained and insecure.

- `sing-box` has been updated to 1.13.0, which has removed some deprecated options.  See [upstream documentation](https://sing-box.sagernet.org/configuration/) for details and migration options.
+8 −133
# A profile with most (vanilla) hardening options enabled by default,
# potentially at the cost of stability, features and performance.
#
# This profile enables options that are known to affect system
# stability. If you experience any stability issues when using the
# profile, try disabling it. If you report an issue and use this
# profile, always mention that you do.
# This profile included most standard hardening options enabled by default,
# which may have impacted system stability, feature availability, and performance.

{ lib, ... }:
{
  config,
  lib,
  pkgs,
  ...
}:
let
  inherit (lib)
    mkDefault
    mkOverride
    mkEnableOption
    mkIf
    maintainers
    ;
in
{
  options.profiles.hardened = mkEnableOption "hardened" // {
    default = true;
    example = false;
  };
  config = mkIf config.profiles.hardened {
    meta = {
      maintainers = [
        maintainers.emily
      ];
    };

    boot.kernelPackages = mkDefault pkgs.linuxKernel.packages.linux_hardened;

    nix.settings.allowed-users = mkDefault [ "@users" ];

    environment.memoryAllocator.provider = mkDefault "scudo";
    environment.variables.SCUDO_OPTIONS = mkDefault "zero_contents=true";

    security.lockKernelModules = mkDefault true;

    security.protectKernelImage = mkDefault true;

    security.allowSimultaneousMultithreading = mkDefault false;

    security.forcePageTableIsolation = mkDefault true;

    # This is required by podman to run containers in rootless mode.
    security.unprivilegedUsernsClone = mkDefault config.virtualisation.containers.enable;

    security.virtualisation.flushL1DataCache = mkDefault "always";

    security.apparmor.enable = mkDefault true;
    security.apparmor.killUnconfinedConfinables = mkDefault true;

    boot.kernelParams = [
      # Don't merge slabs
      "slab_nomerge"

      # Overwrite free'd pages
      "page_poison=1"

      # Enable page allocator randomization
      "page_alloc.shuffle=1"

      # Disable debugfs
      "debugfs=off"
  imports = [
    (lib.mkRemovedOptionModule [ "profiles" "hardened" ] ''
      The hardened profile has been removed, see the backward incompatibilities section of the 26.05 release notes for more information.
    '')
  ];

    boot.blacklistedKernelModules = [
      # Obscure network protocols
      "ax25"
      "netrom"
      "rose"

      # Old or rare or insufficiently audited filesystems
      "adfs"
      "affs"
      "bfs"
      "befs"
      "cramfs"
      "efs"
      "erofs"
      "exofs"
      "freevxfs"
      "f2fs"
      "hfs"
      "hpfs"
      "jfs"
      "minix"
      "nilfs2"
      "ntfs"
      "omfs"
      "qnx4"
      "qnx6"
      "sysv"
      "ufs"
    ];

    # Hide kptrs even for processes with CAP_SYSLOG
    boot.kernel.sysctl."kernel.kptr_restrict" = mkOverride 500 2;

    # Disable bpf() JIT (to eliminate spray attacks)
    boot.kernel.sysctl."net.core.bpf_jit_enable" = mkDefault false;

    # Disable ftrace debugging
    boot.kernel.sysctl."kernel.ftrace_enabled" = mkDefault false;

    # Enable strict reverse path filtering (that is, do not attempt to route
    # packets that "obviously" do not belong to the iface's network; dropped
    # packets are logged as martians).
    boot.kernel.sysctl."net.ipv4.conf.all.log_martians" = mkDefault true;
    boot.kernel.sysctl."net.ipv4.conf.all.rp_filter" = mkDefault "1";
    boot.kernel.sysctl."net.ipv4.conf.default.log_martians" = mkDefault true;
    boot.kernel.sysctl."net.ipv4.conf.default.rp_filter" = mkDefault "1";

    # Ignore broadcast ICMP (mitigate SMURF)
    boot.kernel.sysctl."net.ipv4.icmp_echo_ignore_broadcasts" = mkDefault true;

    # Ignore incoming ICMP redirects (note: default is needed to ensure that the
    # setting is applied to interfaces added after the sysctls are set)
    boot.kernel.sysctl."net.ipv4.conf.all.accept_redirects" = mkDefault false;
    boot.kernel.sysctl."net.ipv4.conf.all.secure_redirects" = mkDefault false;
    boot.kernel.sysctl."net.ipv4.conf.default.accept_redirects" = mkDefault false;
    boot.kernel.sysctl."net.ipv4.conf.default.secure_redirects" = mkDefault false;
    boot.kernel.sysctl."net.ipv6.conf.all.accept_redirects" = mkDefault false;
    boot.kernel.sysctl."net.ipv6.conf.default.accept_redirects" = mkDefault false;

    # Ignore outgoing ICMP redirects (this is ipv4 only)
    boot.kernel.sysctl."net.ipv4.conf.all.send_redirects" = mkDefault false;
    boot.kernel.sysctl."net.ipv4.conf.default.send_redirects" = mkDefault false;
  };
}
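Review bot: The `lib.mkRemovedOptionModule [ "profiles" "hardened" ]` added on the new side only fails evaluation for configurations that explicitly set `profiles.hardened`, yet the removed option defaulted to `true` (old side, `default = true;`), so a system that merely imported this file silently loses everything the profile applied — the hardened kernel package, the sysctl tightening, the kernel-module blacklist and the AppArmor settings — with no assertion or warning at all. Consider surfacing the removal for that import-only case as well, e.g. `config.warnings = [ "profiles/hardened has been removed; the kernel, sysctl, module-blacklist and AppArmor settings it applied are no longer set, see the 26.05 release notes." ];` next to the `imports` list. The removal message could also name the release-notes anchor this commit introduces, `sec-release-26.05-incompatibilities-profiles-hardened-removed`, so readers land on the rationale directly rather than searching the notes. Whether the new file has any other content after the `imports` attribute is not visible in this section, so the exact placement of the warning is left to the author.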