From be9cadd49f079f3e4a6cdd8bdee463436a21723b Mon Sep 17 00:00:00 2001
From: tzlil
Date: Sun, 21 May 2023 19:20:18 +0300
Subject: fix nixinate, add mullvad firejail
---
 profiles/security.nix | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
(limited to 'profiles/security.nix')
diff --git a/profiles/security.nix b/profiles/security.nix
index 9ae5cef..63c5fe4 100644
--- a/profiles/security.nix
+++ b/profiles/security.nix
@@ -7,16 +7,18 @@
 }: {
 imports = [];
 config = {
+ programs.firejail.enable = true;
 security.auditd.enable = true;
 security.audit.enable = true;
 security.audit.rules = [ "-a exit,always -F arch=b64 -S execve" ];
+ # https://source.android.com/docs/security/test/scudo
 environment.memoryAllocator.provider = "scudo";
 environment.variables.SCUDO_OPTIONS = "ZeroContents=1";
- # security.lockKernelModules = true;
+ security.lockKernelModules = true;
 security.protectKernelImage = true;
 security.allowSimultaneousMultithreading = false;
 security.forcePageTableIsolation = true;
-- cgit 1.4.1
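Review bot: Uncommenting `security.lockKernelModules = true;` stops all kernel module loading once the system has finished booting, so any module normally loaded on demand will fail to load unless it is listed in `boot.kernelModules`. That could include a VPN tunnel module for the Mullvad setup named in the subject, as well as USB storage or extra filesystems. No such list is visible in this hunk; it may exist in a file outside this view, and the `config = { … }` block itself continues past the hunk. I would record the constraint next to the option, e.g. `# module loading is disabled after boot; on-demand modules must be listed in boot.kernelModules`. Separately, `programs.firejail.enable = true;` installs firejail as a setuid-root wrapper and sandboxes nothing by itself, so in a hardening profile it deserves a comment such as `# setuid-root wrapper; keep enabled only while programs.firejail.wrappedBinaries is in use`, presumably defined in another file of this commit.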