base: mitigate dirtyfrag

2026-05-12 17:41:15 +02:00 · 2026-05-08 00:55:45 +02:00
parent f2752ee9a6
commit 14994485c5
4 changed files with 38 additions and 16 deletions
--- a/base/default.nix
+++ b/base/default.nix
@@ -10,6 +10,8 @@
    (fp /users)
    (fp /modules/snakeoil-certs.nix)

+    ./mitigations.nix
+
    ./flake-input-exporter.nix
    ./networking.nix
    ./nix.nix
--- a/base/mitigations.nix
+++ b/base/mitigations.nix
@@ -0,0 +1,17 @@
+{ ... }:
+
+{
+  boot.blacklistedKernelModules = [
+  "rxrpc" # dirtyfrag
+  "esp6" # dirtyfrag
+  "esp4" # dirtyfrag
+];
+boot.extraModprobeConfig = ''
+  # dirtyfrag
+  install esp4 /bin/false
+  # dirtyfrag
+  install esp6 /bin/false
+  # dirtyfrag
+  install rxrpc /bin/false
+'';
+}