nixos/hardened profile: use the linux_hardened kernel

2017-04-30 01:22:32 +02:00 · 2017-04-30 01:22:32 +02:00 · 8c98e8ca2f
commit 8c98e8ca2f
parent 62f2a1c2be
1 changed files with 5 additions and 0 deletions
--- a/nixos/modules/profiles/hardened.nix
+++ b/nixos/modules/profiles/hardened.nix
@ -6,6 +6,8 @@
 with lib;

 {
+  boot.kernelPackages = mkDefault pkgs.linuxPackages_hardened;
+
  security.hideProcessInformation = mkDefault true;

  security.lockKernelModules = mkDefault true;
@ -13,6 +15,9 @@ with lib;
  security.apparmor.enable = mkDefault true;

  boot.kernelParams = [
+    # Overwrite free'd memory
+    "page_poison=1"
+
    # Disable legacy virtual syscalls
    "vsyscall=none"
  ];