felixalb/pvv-nixos-config
1
0
Fork 0
mirror of https://git.pvv.ntnu.no/Drift/pvv-nixos-config.git synced 2026-05-20 21:41:12 +02:00
Code Issues Projects Releases Wiki Activity

base/mitigations: blacklist modules for copyfail and pintheft

Browse Source
This commit is contained in:
h7x4
2026-05-20 16:33:07 +09:00
parent e5804c043a
commit 28b67c3578
1 changed files with 21 additions and 14 deletions
Download Patch File Download Diff File Expand all files Collapse all files

35
base/mitigations.nix
View File

@@ -1,17 +1,24 @@
{ ... }: { pkgs, lib, ... }:
let
modulesToBan = [
# copy.fail
"af_alg"
"algif_aead"
"algif_hash"
"algif_rng"
"algif_skcipher"
{ # dirtyfrag / Fragnesia
boot.blacklistedKernelModules = [ "esp4"
"rxrpc" # dirtyfrag "esp6"
"esp6" # dirtyfrag "rxrpc"
"esp4" # dirtyfrag
# PinTheft
"rds"
]; ];
boot.extraModprobeConfig = '' in
# dirtyfrag {
install esp4 /bin/false boot.blacklistedKernelModules = modulesToBan;
# dirtyfrag
install esp6 /bin/false boot.extraModprobeConfig = lib.concatMapStringsSep "\n" (mod: "install ${mod} ${lib.getExe' pkgs.coreutils "false"}") modulesToBan;
# dirtyfrag
install rxrpc /bin/false
'';
} }