nosuid and nodev

This commit is contained in:
Grimmauld 2024-12-29 14:17:01 +01:00
parent 883d5edcd9
commit 96df3f3c9a
No known key found for this signature in database
2 changed files with 45 additions and 5 deletions


@ -50,7 +50,7 @@ in
DefaultAction = "deny"; DefaultAction = "deny";
Firewall = "iptables"; Firewall = "iptables";
LogLevel = 1; LogLevel = 1;
ProcMonitorMethod = "proc"; ProcMonitorMethod = "ftrace";
}; };
rules = { rules = {
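Review bot: The change of `ProcMonitorMethod` from `"proc"` to `"ftrace"` (reading the second value of the doubled line as the new side) is unrelated to the commit title "nosuid and nodev" and carries no comment on why it was made. The monitor method decides how the daemon attributes connections to processes, which presumably feeds the rule matching that `DefaultAction = "deny"` falls back on, so the choice deserves a one-line rationale such as `# ftrace: process attribution via kernel tracing instead of /proc scanning; needs ftrace available in the kernel` — confirm the wording matches the actual reason. The enclosing attribute set starts and ends outside the hunk.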


@ -52,6 +52,12 @@ in
boot.specialFileSystems."/dev/shm".options = [ "noexec" ]; # TODO: does this work? boot.specialFileSystems."/dev/shm".options = [ "noexec" ]; # TODO: does this work?
systemd.tmpfiles.settings."mount"."/mnt".d = {
group = "root";
mode = "755";
user = "root";
};
boot.zfs = { boot.zfs = {
forceImportRoot = false; forceImportRoot = false;
requestEncryptionCredentials = false; # none of the zfs datasets that should be mounted are encrypted. User homes happen later. requestEncryptionCredentials = false; # none of the zfs datasets that should be mounted are encrypted. User homes happen later.
@ -72,23 +78,41 @@ in
"size=2G" "size=2G"
"mode=755" "mode=755"
"noexec" "noexec"
"nosuid"
# "nodev"
]; ];
}; };
fileSystems."${persist}" = { fileSystems."${persist}" = {
device = "zpool/persistent"; device = "zpool/persistent";
fsType = "zfs"; fsType = "zfs";
options = [ "noexec" ]; options = [
"noexec"
"nosuid"
"nodev"
];
}; };
environment.etc."machine-id".source = "${persist}/etc/machine-id"; environment.etc."machine-id".source = "${persist}/etc/machine-id";
environment.memoryAllocator.provider = "libc"; environment.memoryAllocator.provider = "libc";
# fileSystems."/nix/var" = {
# device = "${persist}/nix/var";
# options = [
# "bind"
# "noexec"
# "nosuid"
# "nodev"
# ];
# };
fileSystems."/nix/var" = { fileSystems."/nix/var" = {
device = "${persist}/nix/var"; device = "/nix/var";
options = [ options = [
"bind" "bind"
"noexec" "noexec"
"nosuid"
"nodev"
]; ];
}; };
@ -97,19 +121,29 @@ in
options = [ options = [
"bind" "bind"
"noexec" "noexec"
"nosuid"
"nodev"
]; ];
}; };
fileSystems."/nix" = { fileSystems."/nix" = {
device = "zpool/nix"; device = "zpool/nix";
fsType = "zfs"; fsType = "zfs";
options = [ "exec" ]; options = [
"exec"
"suid"
"dev"
];
}; };
fileSystems."/var" = { fileSystems."/var" = {
device = "zpool/var"; device = "zpool/var";
fsType = "zfs"; fsType = "zfs";
options = [ "noexec" ]; options = [
"noexec"
"nosuid"
"nodev"
];
}; };
fileSystems."${nix_build}" = { fileSystems."${nix_build}" = {
@ -121,6 +155,8 @@ in
"size=30%" "size=30%"
"mode=755" "mode=755"
"exec" "exec"
"nosuid"
"nodev"
]; ];
}; };
@ -132,6 +168,8 @@ in
options = [ options = [
"noacl" "noacl"
"noexec" "noexec"
"nosuid"
"nodev"
]; ];
}; };
@ -143,6 +181,8 @@ in
"dmask=0022" "dmask=0022"
"umask=077" "umask=077"
"noexec" "noexec"
"nosuid"
"nodev"
]; ];
}; };
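Review bot: In the `fileSystems."/nix/var"` hunk the device changes from `"${persist}/nix/var"` to `"/nix/var"` (taking the second value of the doubled line as the new side), which turns the bind mount from persistent storage into a self bind-mount and is not covered by the commit title; if intentional, a comment such as `# self bind-mount: apply noexec,nosuid,nodev to /nix/var while /nix itself stays exec,suid,dev` would say so, and the commented-out copy of the old definition directly above it should be deleted rather than left as dead config. Bind mounts only pick up `noexec`/`nosuid`/`nodev` from the options list when the mount tooling performs the follow-up remount, so it is worth confirming on the booted system with `findmnt /nix/var` that the flags are actually in effect. The `# "nodev"` left commented out on the `size=2G` tmpfs in the first hunk of this file likewise has no stated reason; a `# nodev: <reason>` line would prevent it being re-enabled blindly later. The enclosing attribute sets start and end outside the hunks.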