Diffstat (limited to 'nixpkgs/nixos/modules/profiles/hardened.nix')
-rw-r--r-- | nixpkgs/nixos/modules/profiles/hardened.nix | 5 |
1 files changed, 4 insertions, 1 deletions
diff --git a/nixpkgs/nixos/modules/profiles/hardened.nix b/nixpkgs/nixos/modules/profiles/hardened.nix
index ef8c0d74f06..7bff79e8273 100644
--- a/nixpkgs/nixos/modules/profiles/hardened.nix
+++ b/nixpkgs/nixos/modules/profiles/hardened.nix
@@ -1,7 +1,7 @@
 # A profile with most (vanilla) hardening options enabled by default,
 # potentially at the cost of features and performance.
-{ lib, pkgs, ... }:
+{ config, lib, pkgs, ... }:
 with lib;
@@ -27,6 +27,9 @@ with lib;
   security.forcePageTableIsolation = mkDefault true;
+  # This is required by podman to run containers in rootless mode.
+  security.unprivilegedUsernsClone = mkDefault config.virtualisation.containers.enable;
+
   security.virtualisation.flushL1DataCache = mkDefault "always";
   security.apparmor.enable = mkDefault true;
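Review bot: The new `security.unprivilegedUsernsClone` line silently relaxes a hardening control whenever `virtualisation.containers.enable` is set, even though that option does not imply rootless use: a host that only runs containers as root now gets unprivileged user namespaces re-enabled by the hardened profile itself, and the added comment does not say that this is a deliberate attack-surface trade-off. The coupling should be spelled out so an operator can see and override it, e.g. replace the comment with `# Unprivileged user namespaces widen the kernel attack surface; they are enabled here only because rootless podman needs them. Set security.unprivilegedUsernsClone = false explicitly if containers on this host only run as root.` Since the value is wrapped in `mkDefault`, the explicit override in the comment is honoured without `mkForce`. The enclosing attribute set starts before and continues past this hunk.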