From 6a12b600a15c0cd6305cf8a13a939f2af8e3095e Mon Sep 17 00:00:00 2001
From: Ryan Yin
Date: Thu, 14 May 2026 11:54:36 +0800
Subject: [PATCH] fix: mitigate Dirty Frag LPE vulnerabilities

---
 modules/nixos/base/kernel-hardening.nix | 20 ++++++++++++++++++++
 1 file changed, 20 insertions(+)
 create mode 100644 modules/nixos/base/kernel-hardening.nix

diff --git a/modules/nixos/base/kernel-hardening.nix b/modules/nixos/base/kernel-hardening.nix
new file mode 100644
index 00000000..7f05ac51
--- /dev/null
+++ b/modules/nixos/base/kernel-hardening.nix
@@ -0,0 +1,20 @@
+{
+  config,
+  lib,
+  pkgs,
+  ...
+}:
+{
+  # Kernel module blacklisting to mitigate Dirty Frag LPE (Local Privilege Escalation) vulnerabilities.
+  boot.blacklistedKernelModules = [
+    "esp4"
+    "esp6"
+    "rxrpc"
+  ];
+
+  boot.extraModprobeConfig = ''
+    install esp4 ${pkgs.coreutils}/bin/false
+    install esp6 ${pkgs.coreutils}/bin/false
+    install rxrpc ${pkgs.coreutils}/bin/false
+  '';
+}
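Review bot: Nothing in this patch imports the new module — the diffstat shows only the created file — so unless modules/nixos/base is glob-imported somewhere outside this diff the blacklist never reaches a host's configuration; please confirm the import path or add the file to the base module list in the same change. The header comment should also record what the entries depend on: the `blacklist` plus `install … false` pair only helps when esp4, esp6 and rxrpc are built as loadable modules (`CONFIG_INET_ESP=m`, `CONFIG_INET6_ESP=m`, `CONFIG_AF_RXRPC=m` in the running kernel's config), a kernel with them built in gets no protection from this file, and the `install` lines also disable kernel IPsec ESP on any host that runs a VPN over it. Suggest extending the comment with the advisory reference and a removal condition, e.g. `# TODO: drop once boot.kernelPackages.kernel.version >= <fixed kernel version> (see <advisory link>)`, so the workaround is not left behind after the real fix ships. `config` and `lib` in the argument set are currently unused; either drop them or use them to gate the whole attribute set with `lib.mkIf (lib.versionOlder config.boot.kernelPackages.kernel.version "<fixed kernel version>")` once that version is known.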