nixos/hardened: blacklist old filesystems (#70482)

The rationale for this is that old filesystems have recieved little scrutiny wrt. security relevant bugs. Lifted from OpenSUSE[1]. [1]: 8cb42fb665 Co-Authored-By: Renaud <c0bw3b@users.noreply.github.com>
2024-11-01 07:01:54 +00:00 · 2019-10-12 10:08:44 +00:00 · 2019-10-12 10:08:44 +00:00 · 5bea2997fe
commit 5bea2997fe
parent 348fac7b52
1 changed files with 21 additions and 0 deletions
--- a/nixos/modules/profiles/hardened.nix
+++ b/nixos/modules/profiles/hardened.nix
@ -52,6 +52,27 @@ with lib;
    "ax25"
    "netrom"
    "rose"
+
+    # Old or rare or insufficiently audited filesystems
+    "adfs"
+    "affs"
+    "bfs"
+    "befs"
+    "cramfs"
+    "efs"
+    "erofs"
+    "exofs"
+    "freevxfs"
+    "f2fs"
+    "hfs"
+    "hpfs"
+    "jfs"
+    "minix"
+    "nilfs2"
+    "qnx4"
+    "qnx6"
+    "sysv"
+    "ufs"
  ];

  # Restrict ptrace() usage to processes with a pre-defined relationship