andy/linux-nixos-hyprland-config-dotfiles
Template
1
0
Fork 0
mirror of https://github.com/XNM1/linux-nixos-hyprland-config-dotfiles.git synced 2025-09-15 09:45:58 +03:00
Code Activity

update(security): simplify security configuration and enhance apparmor

Browse Source 
- Remove SELinux-related configurations (kernel params, systemd
override, packages)
- Disable kernel modules locking
- Streamline LSM modules list
- Enhance AppArmor with kill unconfined option and PAM integration
- Add AppArmor support for various services (login, sshd, sudo, etc.)
- Enable D-Bus AppArmor integration
- Remove unused hyprlock PAM service
This commit is contained in:
xnm
2025-04-27 16:56:47 +03:00
parent 78d6258bfe
commit 83faa6a5e1
2 changed files with 18 additions and 8 deletions
Download Patch File Download Diff File Expand all files Collapse all files

13
nixos/linux-kernel.nix
View File

@@ -3,7 +3,7 @@
{ {
# Linux Kernel # Linux Kernel
security.forcePageTableIsolation = true; security.forcePageTableIsolation = true;
security.lockKernelModules = true; # security.lockKernelModules = true;
# security.protectKernelImage = true; # security.protectKernelImage = true;
security.unprivilegedUsernsClone = true; security.unprivilegedUsernsClone = true;
security.virtualisation.flushL1DataCache = "cond"; security.virtualisation.flushL1DataCache = "cond";
@@ -17,11 +17,10 @@
"fbcon=nodefer" "fbcon=nodefer"
"vt.global_cursor_default=0" "vt.global_cursor_default=0"
"kernel.modules_disabled=1" "kernel.modules_disabled=1"
"lsm=landlock,lockdown,yama,integrity,apparmor,bpf,tomoyo,selinux" "lsm=landlock,lockdown,yama,integrity,apparmor,bpf"
"usbcore.autosuspend=-1" "usbcore.autosuspend=-1"
"video4linux" "video4linux"
"acpi_rev_override=5" "acpi_rev_override=5"
"security=selinux"
]; ];
# boot.kernelPatches = [ { # boot.kernelPatches = [ {
# name = "selinux-config"; # name = "selinux-config";
@@ -35,9 +34,9 @@
# ''; # '';
# } ]; # } ];
systemd.package = pkgs.systemd.override { withSelinux = true; }; # systemd.package = pkgs.systemd.override { withSelinux = true; };
environment.systemPackages = with pkgs; [ # environment.systemPackages = with pkgs; [
policycoreutils # policycoreutils
]; # ];
} }

13
nixos/security-services.nix
View File

@@ -18,13 +18,24 @@
}; };
security.apparmor = { security.apparmor = {
enable = true; enable = true;
killUnconfinedConfinables = true;
packages = with pkgs; [ packages = with pkgs; [
apparmor-utils apparmor-utils
apparmor-profiles apparmor-profiles
]; ];
}; };
security.pam.services = {
login.enableAppArmor = true;
sshd.enableAppArmor = true;
sudo.enableAppArmor = true;
su.enableAppArmor = true;
greetd.enableAppArmor = true;
u2f.enableAppArmor = true;
};
services.dbus.apparmor = "enabled";
services.fail2ban.enable = true; services.fail2ban.enable = true;
security.pam.services.hyprlock = {};
# security.polkit.enable = true; # security.polkit.enable = true;
programs.browserpass.enable = true; programs.browserpass.enable = true;
services.clamav = { services.clamav = {