authorJoachim F <joachifm@users.noreply.github.com>2019-10-12 10:08:44 +0000
committerGitHub <noreply@github.com>2019-10-12 10:08:44 +0000
commit5bea2997fe9b08f76de5ae41dc2e300598bc9556 (patch)
treef2d7b6cb9831294438b5ef7aa7631012a5ff9816 /nixos/modules/profiles
parent348fac7b529e17f20340ded5ac77ad473e568735 (diff)
nixos/hardened: blacklist old filesystems (#70482)
The rationale for this is that old filesystems have received little scrutiny wrt. security-relevant bugs. Lifted from OpenSUSE[1]. [1]: https://github.com/openSUSE/suse-module-tools/pull/5/commits/8cb42fb6658f210cb8c955d584a65f7b041c0575 Co-Authored-By: Renaud <c0bw3b@users.noreply.github.com>
Diffstat (limited to 'nixos/modules/profiles')
-rw-r--r--nixos/modules/profiles/hardened.nix21
1 files changed, 21 insertions, 0 deletions
diff --git a/nixos/modules/profiles/hardened.nix b/nixos/modules/profiles/hardened.nix
index 626d8b1d2bde..f7b2f5c7fc1e 100644
--- a/nixos/modules/profiles/hardened.nix
+++ b/nixos/modules/profiles/hardened.nix
@@ -52,6 +52,27 @@ with lib;
"ax25"
"netrom"
"rose"
+
+ # Old or rare or insufficiently audited filesystems
+ "adfs"
+ "affs"
+ "bfs"
+ "befs"
+ "cramfs"
+ "efs"
+ "erofs"
+ "exofs"
+ "freevxfs"
+ "f2fs"
+ "hfs"
+ "hpfs"
+ "jfs"
+ "minix"
+ "nilfs2"
+ "qnx4"
+ "qnx6"
+ "sysv"
+ "ufs"
];
# Restrict ptrace() usage to processes with a pre-defined relationship
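Review bot: The comment on the new group, `# Old or rare or insufficiently audited filesystems`, does not tell a user of the hardened profile what stops working or how to opt back in, and the group includes `f2fs` and `erofs`, which are in active use rather than old, so a machine with data on one of them may see mounts fail once the profile is enabled. I would extend the comment to something like `# Old, rare or insufficiently audited filesystems; to mount one, remove its module from this list or load it explicitly`. The list's attribute name is above the hunk, so this part is inferred: if the list ends up as modprobe `blacklist` entries, it only stops alias-based autoloading (for example when a crafted image is mounted) and does not prevent an explicit `modprobe`, which is worth stating so the entries are not read as a hard block. The entries are also slightly out of alphabetical order (`bfs` before `befs`, `freevxfs` before `f2fs`).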