From 8aa0618cf0a0fe2ae12fe463b57243d13028a6e8 Mon Sep 17 00:00:00 2001
From: Joachim Fasting
Date: Sun, 3 Sep 2017 01:49:01 +0200
Subject: [PATCH] nixos/hardened: blacklist a few obscure net protocols
---
 nixos/modules/profiles/hardened.nix | 7 +++++++
 1 file changed, 7 insertions(+)
diff --git a/nixos/modules/profiles/hardened.nix b/nixos/modules/profiles/hardened.nix
index c8d306ef3ca..456538742f5 100644
--- a/nixos/modules/profiles/hardened.nix
+++ b/nixos/modules/profiles/hardened.nix
@@ -25,6 +25,13 @@ with lib;
 "nohibernate"
 ];
 
+ boot.blacklistedKernelModules = [
+ # Obscure network protocols
+ "ax25"
+ "netrom"
+ "rose"
+ ];
+
 # Restrict ptrace() usage to processes with a pre-defined relationship
 # (e.g., parent/child)
 boot.kernel.sysctl."kernel.yama.ptrace_scope" = mkOverride 500 1;
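Review bot: The new `boot.blacklistedKernelModules` entry only stops alias-based autoloading of ax25, netrom and rose, since a modprobe.d `blacklist` directive is ignored by an explicit `modprobe ax25`; if the hardened profile intends these protocols to be unloadable, the stronger form is an `install <module> /bin/false` line via `boot.extraModprobeConfig`, which is not in this hunk. The one-line comment above the list should say which of the two is meant, e.g. `# Obscure network protocols; 'blacklist' only prevents autoloading, an explicit modprobe still succeeds`. The surrounding attribute set starts and ends outside the hunk.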