From 96df3f3c9ab83598b004d49fb91e816a888467c1 Mon Sep 17 00:00:00 2001
From: Grimmauld
Date: Sun, 29 Dec 2024 14:17:01 +0100
Subject: [PATCH] nosuid and nodev

---
 common/tooling/opensnitch/default.nix | 2 +-
 .../hardware-configuration.nix | 48 +++++++++++++++++--
 2 files changed, 45 insertions(+), 5 deletions(-)

diff --git a/common/tooling/opensnitch/default.nix b/common/tooling/opensnitch/default.nix
index 0e56c01..43adc0a 100644
--- a/common/tooling/opensnitch/default.nix
+++ b/common/tooling/opensnitch/default.nix
@@ -50,7 +50,7 @@ in
 DefaultAction = "deny";
 Firewall = "iptables";
 LogLevel = 1;
- ProcMonitorMethod = "proc";
+ ProcMonitorMethod = "ftrace";
 };
 
 rules = {
diff --git a/specific/grimm-nixos-ssd/hardware-configuration.nix b/specific/grimm-nixos-ssd/hardware-configuration.nix
index 6982d1e..a5cbf50 100644
--- a/specific/grimm-nixos-ssd/hardware-configuration.nix
+++ b/specific/grimm-nixos-ssd/hardware-configuration.nix
@@ -52,6 +52,12 @@ in
 boot.specialFileSystems."/dev/shm".options = [ "noexec" ]; # TODO: does this work?
 
+ systemd.tmpfiles.settings."mount"."/mnt".d = {
+ group = "root";
+ mode = "755";
+ user = "root";
+ };
+
 boot.zfs = {
 forceImportRoot = false;
 requestEncryptionCredentials = false; # none of the zfs datasets that should be mounted are encrypted. User homes happen later.
@@ -72,23 +78,41 @@ in
 "size=2G"
 "mode=755"
 "noexec"
+ "nosuid"
+ # "nodev"
 ];
 };
 
 fileSystems."${persist}" = {
 device = "zpool/persistent";
 fsType = "zfs";
- options = [ "noexec" ];
+ options = [
+ "noexec"
+ "nosuid"
+ "nodev"
+ ];
 };
 
 environment.etc."machine-id".source = "${persist}/etc/machine-id";
 environment.memoryAllocator.provider = "libc";
 
+# fileSystems."/nix/var" = {
+# device = "${persist}/nix/var";
+# options = [
+# "bind"
+# "noexec"
+# "nosuid"
+# "nodev"
+# ];
+# };
+
 fileSystems."/nix/var" = {
- device = "${persist}/nix/var";
+ device = "/nix/var";
 options = [
 "bind"
 "noexec"
+ "nosuid"
+ "nodev"
 ];
 };
 
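Review bot: The switch from `proc` to `ftrace` on the `ProcMonitorMethod` line is unrelated to the commit subject (nosuid and nodev) and carries no explanation of what it needs or what happens when it is unavailable. The ftrace monitor depends on the kernel tracing interface (tracefs/debugfs) being mounted and readable by the daemon, and as far as I recall the daemon falls back to the proc method when it cannot enable it, so this is best-effort unless the daemon log is checked after the next reboot. I would pin the intent with `ProcMonitorMethod = "ftrace"; # needs tracefs; daemon falls back to "proc" if it cannot be enabled` and ideally land it as its own commit so it can be bisected separately from the mount changes.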
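Review bot: The `/dev/shm` line left in context keeps `noexec` alone while every other mount in this commit gains `nosuid` and `nodev`, and it still carries `# TODO: does this work?`. NixOS's default options for that special filesystem already contain nosuid and nodev as far as I recall (the option is a list that merges with the defaults), so this is probably not a real gap, but stating it explicitly would make the hardening uniform and document the intent: `boot.specialFileSystems."/dev/shm".options = [ "noexec" "nosuid" "nodev" ];`. The TODO can be closed by reading the effective flags on a booted system with `findmnt -o OPTIONS /dev/shm` rather than guessing. The added `/mnt` tmpfiles entry is also unrelated to the subject and would be easier to reason about as a separate commit.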
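Review bot: The root tmpfs is the only mount in this commit that keeps `dev`, and the reason is lost: `# "nodev"` is simply commented out without saying what broke or whether it was tested. A one-line comment is needed there, e.g. `# "nodev" # TODO: disabled because <reason - fill in>`, otherwise the next pass over this file will re-enable it blindly. The old `fileSystems."/nix/var"` block is kept as a commented-out copy above its replacement even though git history already records it; I would drop the dead block. The new `device = "/nix/var"` self bind mount relies on the generated mount unit re-applying `noexec`, `nosuid` and `nodev` on the remount, which NixOS does for bind mounts as far as I know, but it is worth confirming with `findmnt /nix/var` after a reboot rather than assuming it.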
@@ -97,19 +121,29 @@ in
 options = [
 "bind"
 "noexec"
+ "nosuid"
+ "nodev"
 ];
 };
 
 fileSystems."/nix" = {
 device = "zpool/nix";
 fsType = "zfs";
- options = [ "exec" ];
+ options = [
+ "exec"
+ "suid"
+ "dev"
+ ];
 };
 
 fileSystems."/var" = {
 device = "zpool/var";
 fsType = "zfs";
- options = [ "noexec" ];
+ options = [
+ "noexec"
+ "nosuid"
+ "nodev"
+ ];
 };
 
 fileSystems."${nix_build}" = {
@@ -121,6 +155,8 @@ in
 "size=30%"
 "mode=755"
 "exec"
+ "nosuid"
+ "nodev"
 ];
 };
 
@@ -132,6 +168,8 @@ in
 options = [
 "noacl"
 "noexec"
+ "nosuid"
+ "nodev"
 ];
 };
 
@@ -143,6 +181,8 @@ in
 "dmask=0022"
 "umask=077"
 "noexec"
+ "nosuid"
+ "nodev"
 ];
 };
 
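Review bot: `/nix` is the one filesystem in this commit that is made explicitly more permissive: `suid` and `dev` are the kernel defaults, so spelling them out reads as a deliberate decision, yet nothing says why. As far as I know the Nix store cannot hold setuid binaries (store paths are canonicalised to 0444/0555, which strips setuid/setgid bits) or device nodes, and the setuid wrappers live under `/run/wrappers`, so `options = [ "exec" "nosuid" "nodev" ];` would be the tighter set unless something under `/nix` outside the store needs the defaults; that is worth checking rather than assuming. If `suid`/`dev` really are required, a comment naming the dependent, e.g. `"suid" # needed by <what - fill in>`, is the minimum. The hunk opens inside a `fileSystems` attribute set whose header is outside it; the `/var` change and the three later hunks follow the same nosuid/nodev pattern and need no separate note.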