Add BPF hardening

cynicsketch · cynicsketch · commit 9a25ad02eb8c · 2025-11-22T13:47:10.000-05:00
diff --git a/settings/kernel/default.nix b/settings/kernel/default.nix
@@ -41,6 +41,8 @@ let
         ./sysrq.nix
         ./tcp-timestamps.nix
         ./restrict-line-disciplines.nix
+        ./harden-bpf.nix
+        ./restrict-bpf.nix
       ]
       {
         inherit
diff --git a/settings/kernel/harden-bpf.nix b/settings/kernel/harden-bpf.nix
@@ -0,0 +1,38 @@
+# This file is part of nix-mineral (https://github.com/cynicsketch/nix-mineral/).
+# Copyright (c) 2025 cynicsketch
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+{
+  l,
+  cfg,
+  ...
+}:
+
+{
+  options = {
+    harden-bpf = l.mkBoolOption ''
+      Harden eBPF against JIT spraying attacks, to reduce the risk of abuse
+      because eBPF allows executing potentially dangerous code in the kernel.
+
+      See https://en.wikipedia.org/wiki/EBPF#Security for more info.
+    '' true;
+  };
+
+  config = l.mkIf cfg {
+    boot.kernel.sysctl = {
+      "net.core.bpf_jit_harden" = l.mkDefault "2";
+    };
+  };
+}
diff --git a/settings/kernel/restrict-bpf.nix b/settings/kernel/restrict-bpf.nix
@@ -0,0 +1,37 @@
+# This file is part of nix-mineral (https://github.com/cynicsketch/nix-mineral/).
+# Copyright (c) 2025 cynicsketch
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+{
+  l,
+  cfg,
+  ...
+}:
+
+{
+  options = {
+    restrict-bpf = l.mkBoolOption ''
+      Restrict eBPF to CAP_BPF in order to prevent abuse by unprivileged users.
+
+      See https://en.wikipedia.org/wiki/EBPF#Security for more info.
+    '' true;
+  };
+
+  config = l.mkIf cfg {
+    boot.kernel.sysctl = {
+      "kernel.unprivileged_bpf_disabled" = l.mkDefault "1";
+    };
+  };
+}

Original file line number	Diff line number	Diff line change
`@@ -41,6 +41,8 @@ let`
`41`	`41`	`./sysrq.nix`
`42`	`42`	`./tcp-timestamps.nix`
`43`	`43`	`./restrict-line-disciplines.nix`
	`44`	`+ ./harden-bpf.nix`
	`45`	`+ ./restrict-bpf.nix`
`44`	`46`	`]`
`45`	`47`	`{`
`46`	`48`	`inherit`