faukah/nichts
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity
nichts/nyx/hosts/enyo/kernel/config/security.nix
vali 236b8c2a6b added stuff
2024-04-09 23:11:33 +02:00

26 lines
665 B
Nix
Raw Blame History

{lib, ...}: let
inherit (lib.kernel) yes;
inherit (lib.attrsets) mapAttrs;
inherit (lib.modules) mkForce;
in {
boot.kernelPatches = [
{
# enable lockdown LSM
name = "kernel-lockdown-lsm";
patch = null;
extraStructuredConfig = mapAttrs (_: mkForce) {
SECURITY_LOCKDOWN_LSM = yes;
LOCKDOWN_LSM_EARLY = yes;
LOCK_DOWN_KERNEL_FORCE_CONFIDENTIALITY = yes;
MODULE_SIG = yes;
MODULE_SIG_SHA512 = yes;
MODULE_SIG_FORCE = yes;
# used to avoid a systemd error:
# systemd[1]: bpf-lsm: Failed to load BPF object: Invalid argument
BPF_LSM = yes;
};
}
];
}
Reference in a new issue View git blame Copy permalink