base/hardening: ban a few more modules

base/mitigations: blacklist modules for copyfail and pintheft
2026-05-21 05:51:12 +02:00 · 2026-05-20 16:33:55 +09:00 · 2026-05-20 16:33:55 +09:00
2 changed files with 23 additions and 13 deletions
--- a/base/hardening.nix
+++ b/base/hardening.nix
@@ -7,7 +7,13 @@
    "ax25"
    "batman-adv"
    "can"
+    "dccp"
+    "ipx"
+    "llc"
+    "n-hdlc"
    "netrom"
+    "p8022"
+    "p8023"
    "psnap"
    "rds"
    "rose"
@@ -23,7 +29,6 @@
    "cramfs"
    "efs"
    "exofs"
-    "orangefs"
    "freevxfs"
    "gfs2"
    "hfs"
@@ -35,10 +40,12 @@
    "nilfs2"
    "ntfs"
    "omfs"
+    "orangefs"
    "qnx4"
    "qnx6"
    "sysv"
    "ubifs"
+    "udf"
    "ufs"

    # Legacy hardware
--- a/base/mitigations.nix
+++ b/base/mitigations.nix
@@ -2,16 +2,19 @@

 {
  boot.blacklistedKernelModules = [
-  "rxrpc" # dirtyfrag
-  "esp6" # dirtyfrag
-  "esp4" # dirtyfrag
-];
-boot.extraModprobeConfig = ''
-  # dirtyfrag
-  install esp4 /bin/false
-  # dirtyfrag
-  install esp6 /bin/false
-  # dirtyfrag
-  install rxrpc /bin/false
-'';
+    # copy.fail
+    "af_alg"
+    "algif_aead"
+    "algif_hash"
+    "algif_rng"
+    "algif_skcipher"
+
+    # dirtyfrag / Fragnesia
+    "esp4"
+    "esp6"
+    "rxrpc"
+
+    # PinTheft
+    "rds"
+  ];
 }
Author	SHA1	Message	Date
h7x4	ecc4417e0f	base/hardening: ban a few more modules	2026-05-20 16:33:55 +09:00
h7x4	ffce1bd607	base/mitigations: blacklist modules for copyfail and pintheft	2026-05-20 16:33:55 +09:00