base/mitigations: blacklist modules for copyfail and pintheft

2026-05-20 21:41:12 +02:00 · 2026-05-20 16:33:07 +09:00
parent e5804c043a
commit ffce1bd607
1 changed files with 15 additions and 12 deletions
--- a/base/mitigations.nix
+++ b/base/mitigations.nix
@@ -2,16 +2,19 @@

 {
  boot.blacklistedKernelModules = [
-  "rxrpc" # dirtyfrag
-  "esp6" # dirtyfrag
-  "esp4" # dirtyfrag
+    # copy.fail
+    "af_alg"
+    "algif_aead"
+    "algif_hash"
+    "algif_rng"
+    "algif_skcipher"
+
+    # dirtyfrag / Fragnesia
+    "esp4"
+    "esp6"
+    "rxrpc"
+
+    # PinTheft
+    "rds"
  ];
-boot.extraModprobeConfig = ''
-  # dirtyfrag
-  install esp4 /bin/false
-  # dirtyfrag
-  install esp6 /bin/false
-  # dirtyfrag
-  install rxrpc /bin/false
-'';
 }