Questions regarding hardened.nix profile

I employed hardened.nix as much as possible, leaving out options that noticeably degrade performance (as far as I understand it).

Enabling security.lockKernelModules = mkDefault true; leads to my system not being able to access the internet, which I find strange, as this is enabled by default in the hardened.nix profile.

Anyway, my main question is regarding the following options (I'm fairly new to NixOS and still don't really understand its inner workings):

  # Restrict ptrace() usage to processes with a pre-defined relationship
  # (e.g., parent/child)
  boot.kernel.sysctl."kernel.yama.ptrace_scope" = mkOverride 500 1;

  # Hide kptrs even for processes with CAP_SYSLOG
  boot.kernel.sysctl."kernel.kptr_restrict" = mkOverride 500 2;

Why does it say mkOverride? Why does it have the number 500 in it?

The trailing number (1 and 2) is what I want to set, and I don't know what mkOverride 500 does and why it is 500 by default.

Thank you for your explanation!

mkOverride weight value is a mechanism to override a default value that can be superseded by another module with a lower weight.

Here, this means that if you load the profile, you can still use boot.kernel.sysctl."kernel.yama.ptrace_scope" = mkOverride 499 0; if you want it to have value 0, because it will have priority over the one with weight 500.

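The priority mechanism described in the answer above, as a self-contained example that is not part of the original thread and not code from nixpkgs: a stand-in "profile" module sets the two sysctls with mkOverride 500, and a "user" module overrides them, once with mkOverride 499 and once with a plain assignment (which the module system treats as priority 100). The option declaration is a simplified stand-in for the real boot.kernel.sysctl option; mkDefault is mkOverride 1000 and mkForce is mkOverride 50, which is why the profile's 500 sits between them.

```nix
# Added example (not from the thread or from nixpkgs): how mkOverride priorities
# resolve in the NixOS module system. Lower number = higher priority.
# Evaluate with: nix-instantiate --eval --strict ./mkoverride-demo.nix
let
  lib = (import <nixpkgs> {}).lib;

  # Stand-in for the hardened profile: both sysctls set at priority 500.
  hardenedProfile = { lib, ... }: {
    boot.kernel.sysctl."kernel.yama.ptrace_scope" = lib.mkOverride 500 1;
    boot.kernel.sysctl."kernel.kptr_restrict" = lib.mkOverride 500 2;
  };

  # Stand-in for a user's configuration.nix importing that profile.
  userConfig = { lib, ... }: {
    # 499 beats the profile's 500, so ptrace_scope resolves to 0.
    boot.kernel.sysctl."kernel.yama.ptrace_scope" = lib.mkOverride 499 0;
    # A plain assignment has the default priority 100, which also beats 500.
    # (mkDefault would be priority 1000 and would lose to the profile.)
    boot.kernel.sysctl."kernel.kptr_restrict" = 1;
  };

  evaluated = lib.evalModules {
    modules = [
      # Simplified declaration of the option (the real one also allows
      # bool, string and null values; int is enough for this demo).
      {
        options.boot.kernel.sysctl = lib.mkOption {
          type = lib.types.attrsOf lib.types.int;
          default = {};
        };
      }
      hardenedProfile
      userConfig
    ];
  };
in
  # The merged result after priorities are applied per attribute.
  evaluated.config.boot.kernel.sysctl
```

Changing the user module's 499 to 501 (or to lib.mkDefault 0) lets the profile's value win again, which is a quick way to see that only the relative weight matters, not the absolute number.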

Thank you for your explanation and quick reply!

As for your issue with the lockKernelModules, I wonder if your wifi card is slow to be discovered by your system, so the kernel doesn't see it before locking the modules :thinking:

I'm using ethernet...

It’s not a big issue, just wondering why this is the case.

That's curious :confused: Could you open a new topic about it?

Sure, but I guess the first question posed would be "please provide further information/logs".

What is pertinent information for this issue?