harden some stuff

2025-03-30 17:26:25 +02:00 · 2025-03-30 17:26:25 +02:00 · 98bfe91812
commit 98bfe91812
parent 6d91f31027
1 changed files with 6 additions and 0 deletions
--- a/share/common.nix
+++ b/share/common.nix
@ -60,6 +60,12 @@ in

    # allow proper perf usage
    "kernel.perf_event_mlock_kb" = 16777216;
+
+    # harden some stuff
+    "kernel.sysrq" = 0;
+    "kernel.kptr_restrict" = 2;
+    "kernel.unprivileged_bpf_disabled" = 1;
+    "net.core.bpf_jit_harden" = 2;
  };

  # Use the systemd-boot EFI boot loader.