fix: mitigate Dirty Frag LPE vulnerabilities

2026-05-14 20:01:00 +02:00 · 2026-05-14 11:54:36 +08:00
parent 26f4f86ad8
commit 6a12b600a1
1 changed files with 20 additions and 0 deletions
--- a/modules/nixos/base/kernel-hardening.nix
+++ b/modules/nixos/base/kernel-hardening.nix
@@ -0,0 +1,20 @@
+{
+  config,
+  lib,
+  pkgs,
+  ...
+}:
+{
+  # Kernel module blacklisting to mitigate Dirty Frag LPE (Local Privilege Escalation) vulnerabilities.
+  boot.blacklistedKernelModules = [
+    "esp4"
+    "esp6"
+    "rxrpc"
+  ];
+
+  boot.extraModprobeConfig = ''
+    install esp4 ${pkgs.coreutils}/bin/false
+    install esp6 ${pkgs.coreutils}/bin/false
+    install rxrpc ${pkgs.coreutils}/bin/false
+  '';
+}