Diffstat (limited to 'profiles/security.nix')
-rw-r--r--profiles/security.nix4
1 files changed, 3 insertions, 1 deletions
diff --git a/profiles/security.nix b/profiles/security.nix
index 9ae5cef..63c5fe4 100644
--- a/profiles/security.nix
+++ b/profiles/security.nix
@@ -7,16 +7,18 @@
 }: {
   imports = [];
   config = {
+    programs.firejail.enable = true;
     security.auditd.enable = true;
     security.audit.enable = true;
     security.audit.rules = [
       "-a exit,always -F arch=b64 -S execve"
     ];
 
+    # https://source.android.com/docs/security/test/scudo
     environment.memoryAllocator.provider = "scudo";
     environment.variables.SCUDO_OPTIONS = "ZeroContents=1";
 
-    # security.lockKernelModules = true;
+    security.lockKernelModules = true;
     security.protectKernelImage = true;
     security.allowSimultaneousMultithreading = false;
     security.forcePageTableIsolation = true;
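Review bot: `programs.firejail.enable = true;` at the top of `config` installs firejail's setuid-root wrapper, but with no `programs.firejail.wrappedBinaries` set in this hunk nothing is actually launched inside a sandbox, so the line adds a privileged binary without confining any program. If the wrapped programs are declared in another profile, a comment saying so would help, e.g. `# setuid wrapper only; sandboxed programs are declared in <other profile>`. Separately, un-commenting `security.lockKernelModules = true;` blocks module loading once boot has finished, so any module needed later (removable media, VPN, extra filesystems) has to be listed in `boot.kernelModules`; the hunk does not show that list, so it is worth confirming and noting beside the option. The `config` block continues outside the hunk.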