From 5bea2997fe9b08f76de5ae41dc2e300598bc9556 Mon Sep 17 00:00:00 2001
From: Joachim F
Date: Sat, 12 Oct 2019 10:08:44 +0000
Subject: [PATCH] nixos/hardened: blacklist old filesystems (#70482)
The rationale for this is that old filesystems have recieved little scrutiny wrt. security relevant bugs. Lifted from OpenSUSE[1].
[1]: https://github.com/openSUSE/suse-module-tools/pull/5/commits/8cb42fb6658f210cb8c955d584a65f7b041c0575
Co-Authored-By: Renaud
---
nixos/modules/profiles/hardened.nix | 21 +++++++++++++++++++++
1 file changed, 21 insertions(+)
diff --git a/nixos/modules/profiles/hardened.nix b/nixos/modules/profiles/hardened.nix
index 626d8b1d2bd..f7b2f5c7fc1 100644
--- a/nixos/modules/profiles/hardened.nix
+++ b/nixos/modules/profiles/hardened.nix
@@ -52,6 +52,27 @@ with lib;
 "ax25"
 "netrom"
 "rose"
+
+ # Old or rare or insufficiently audited filesystems
+ "adfs"
+ "affs"
+ "bfs"
+ "befs"
+ "cramfs"
+ "efs"
+ "erofs"
+ "exofs"
+ "freevxfs"
+ "f2fs"
+ "hfs"
+ "hpfs"
+ "jfs"
+ "minix"
+ "nilfs2"
+ "qnx4"
+ "qnx6"
+ "sysv"
+ "ufs"
 ];
 # Restrict ptrace() usage to processes with a pre-defined relationship
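Review bot: The added list blacklists `hfs` but not its sibling driver `hfsplus`, and the header comment's rationale (old, rarely used, little security scrutiny) applies to that module at least as much, so either add `"hfsplus"` next to `"hfs"` or say in the comment why it is left out; I could not verify from the hunk whether the list matches the openSUSE set the commit message cites, so a note that it is a subset would help. `f2fs` and `erofs` are actively maintained and, as far as I know, in wide use on mobile and Android storage, so filing them under "Old or rare" will surprise anyone whose `fileSystems` rely on them—I would change the comment to `# Filesystems that are old, rare, or have had little security auditing (f2fs and erofs are newer but included for the latter reason); override this list if your fileSystems need one of them`. Note also that, as I read modprobe.d(5), a `blacklist` entry only disables the module's internal aliases (so `mount -t hfs` no longer autoloads it) and does not stop an explicit `modprobe hfs` by root; if that stronger guarantee is intended, an `install <module> /bin/false` entry is the usual complement, unless this profile already locks module loading elsewhere, which I cannot see from here. The enclosing list opens outside the hunk, so the option it populates is not visible in this view.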