From 5bea2997fe9b08f76de5ae41dc2e300598bc9556 Mon Sep 17 00:00:00 2001
From: Joachim F <joachifm@users.noreply.github.com>
Date: Sat, 12 Oct 2019 10:08:44 +0000
Subject: [PATCH] nixos/hardened: blacklist old filesystems (#70482)

The rationale for this is that old filesystems have recieved little scrutiny
wrt. security relevant bugs.

Lifted from OpenSUSE[1].

[1]: https://github.com/openSUSE/suse-module-tools/pull/5/commits/8cb42fb6658f210cb8c955d584a65f7b041c0575

Co-Authored-By: Renaud <c0bw3b@users.noreply.github.com>
---
 nixos/modules/profiles/hardened.nix | 21 +++++++++++++++++++++
 1 file changed, 21 insertions(+)

diff --git a/nixos/modules/profiles/hardened.nix b/nixos/modules/profiles/hardened.nix
index 626d8b1d2bd..f7b2f5c7fc1 100644
--- a/nixos/modules/profiles/hardened.nix
+++ b/nixos/modules/profiles/hardened.nix
@@ -52,6 +52,27 @@ with lib;
     "ax25"
     "netrom"
     "rose"
+
+    # Old or rare or insufficiently audited filesystems
+    "adfs"
+    "affs"
+    "bfs"
+    "befs"
+    "cramfs"
+    "efs"
+    "erofs"
+    "exofs"
+    "freevxfs"
+    "f2fs"
+    "hfs"
+    "hpfs"
+    "jfs"
+    "minix"
+    "nilfs2"
+    "qnx4"
+    "qnx6"
+    "sysv"
+    "ufs"
   ];
 
   # Restrict ptrace() usage to processes with a pre-defined relationship