nixos/profiles: remove hardened (#501199)

Author: zowoq

nixos/doc/manual/configuration/profiles.chapter.md

@@ -24,7 +24,6 @@ profiles/clone-config.section.md
 profiles/demo.section.md
 profiles/docker-container.section.md
 profiles/graphical.section.md
-profiles/hardened.section.md
 profiles/headless.section.md
 profiles/installation-device.section.md
 profiles/perlless.section.md

nixos/doc/manual/configuration/profiles/hardened.section.md

@@ -1728,7 +1728,8 @@
   "sec-profile-graphical": [
     "index.html#sec-profile-graphical"
   ],
-  "sec-profile-hardened": [
+  "sec-release-26.05-incompatibilities-profiles-hardened-removed": [
+    "release-notes.html#sec-release-26.05-incompatibilities-profiles-hardened-removed",
     "index.html#sec-profile-hardened"
   ],
   "sec-profile-headless": [

nixos/doc/manual/redirects.json

@@ -88,6 +88,12 @@
 
 - `opentrack`, `slushload`, `synthesia`, `vtfedit`, `winbox`, `wineasio`, and `yabridge` use wineWow64Packages instead of wineWowPackages as wine versions >= 11.0 have deprecated wineWowPackages. As such, the prefixes for these packages are NOT backwards compatible and need to be regenerated with potential for data loss.
 
+- []{#sec-release-26.05-incompatibilities-profiles-hardened-removed} `profiles/hardened` has been removed, because:
+   - It lacks a consistent and transparent baseline or standard,
+   - It may introduce unexpected breakage or degrade performance without clear benefit,
+   - It is difficult to manage user expectations, especially since the implications of enabling it are not always obvious,
+   - and as multiple contributors have noted, it is often more of a “grab bag” of settings than a cohesive security policy.
+
 - `services.crabfit` was removed because its upstream packages are unmaintained and insecure.
 
 - `sing-box` has been updated to 1.13.0, which has removed some deprecated options.  See [upstream documentation](https://sing-box.sagernet.org/configuration/) for details and migration options.

nixos/doc/manual/release-notes/rl-2605.section.md

@@ -1,136 +1,11 @@
-# A profile with most (vanilla) hardening options enabled by default,
-# potentially at the cost of stability, features and performance.
-#
-# This profile enables options that are known to affect system
-# stability. If you experience any stability issues when using the
-# profile, try disabling it. If you report an issue and use this
-# profile, always mention that you do.
+# This profile included most standard hardening options enabled by default,
+# which may have impacted system stability, feature availability, and performance.
 
+{ lib, ... }:
 {
-  config,
-  lib,
-  pkgs,
-  ...
-}:
-let
-  inherit (lib)
-    mkDefault
-    mkOverride
-    mkEnableOption
-    mkIf
-    maintainers
-    ;
-in
-{
-  options.profiles.hardened = mkEnableOption "hardened" // {
-    default = true;
-    example = false;
-  };
-  config = mkIf config.profiles.hardened {
-    meta = {
-      maintainers = [
-        maintainers.emily
-      ];
-    };
-
-    boot.kernelPackages = mkDefault pkgs.linuxKernel.packages.linux_hardened;
-
-    nix.settings.allowed-users = mkDefault [ "@users" ];
-
-    environment.memoryAllocator.provider = mkDefault "scudo";
-    environment.variables.SCUDO_OPTIONS = mkDefault "zero_contents=true";
-
-    security.lockKernelModules = mkDefault true;
-
-    security.protectKernelImage = mkDefault true;
-
-    security.allowSimultaneousMultithreading = mkDefault false;
-
-    security.forcePageTableIsolation = mkDefault true;
-
-    # This is required by podman to run containers in rootless mode.
-    security.unprivilegedUsernsClone = mkDefault config.virtualisation.containers.enable;
-
-    security.virtualisation.flushL1DataCache = mkDefault "always";
-
-    security.apparmor.enable = mkDefault true;
-    security.apparmor.killUnconfinedConfinables = mkDefault true;
-
-    boot.kernelParams = [
-      # Don't merge slabs
-      "slab_nomerge"
-
-      # Overwrite free'd pages
-      "page_poison=1"
-
-      # Enable page allocator randomization
-      "page_alloc.shuffle=1"
-
-      # Disable debugfs
-      "debugfs=off"
-    ];
-
-    boot.blacklistedKernelModules = [
-      # Obscure network protocols
-      "ax25"
-      "netrom"
-      "rose"
-
-      # Old or rare or insufficiently audited filesystems
-      "adfs"
-      "affs"
-      "bfs"
-      "befs"
-      "cramfs"
-      "efs"
-      "erofs"
-      "exofs"
-      "freevxfs"
-      "f2fs"
-      "hfs"
-      "hpfs"
-      "jfs"
-      "minix"
-      "nilfs2"
-      "ntfs"
-      "omfs"
-      "qnx4"
-      "qnx6"
-      "sysv"
-      "ufs"
-    ];
-
-    # Hide kptrs even for processes with CAP_SYSLOG
-    boot.kernel.sysctl."kernel.kptr_restrict" = mkOverride 500 2;
-
-    # Disable bpf() JIT (to eliminate spray attacks)
-    boot.kernel.sysctl."net.core.bpf_jit_enable" = mkDefault false;
-
-    # Disable ftrace debugging
-    boot.kernel.sysctl."kernel.ftrace_enabled" = mkDefault false;
-
-    # Enable strict reverse path filtering (that is, do not attempt to route
-    # packets that "obviously" do not belong to the iface's network; dropped
-    # packets are logged as martians).
-    boot.kernel.sysctl."net.ipv4.conf.all.log_martians" = mkDefault true;
-    boot.kernel.sysctl."net.ipv4.conf.all.rp_filter" = mkDefault "1";
-    boot.kernel.sysctl."net.ipv4.conf.default.log_martians" = mkDefault true;
-    boot.kernel.sysctl."net.ipv4.conf.default.rp_filter" = mkDefault "1";
-
-    # Ignore broadcast ICMP (mitigate SMURF)
-    boot.kernel.sysctl."net.ipv4.icmp_echo_ignore_broadcasts" = mkDefault true;
-
-    # Ignore incoming ICMP redirects (note: default is needed to ensure that the
-    # setting is applied to interfaces added after the sysctls are set)
-    boot.kernel.sysctl."net.ipv4.conf.all.accept_redirects" = mkDefault false;
-    boot.kernel.sysctl."net.ipv4.conf.all.secure_redirects" = mkDefault false;
-    boot.kernel.sysctl."net.ipv4.conf.default.accept_redirects" = mkDefault false;
-    boot.kernel.sysctl."net.ipv4.conf.default.secure_redirects" = mkDefault false;
-    boot.kernel.sysctl."net.ipv6.conf.all.accept_redirects" = mkDefault false;
-    boot.kernel.sysctl."net.ipv6.conf.default.accept_redirects" = mkDefault false;
-
-    # Ignore outgoing ICMP redirects (this is ipv4 only)
-    boot.kernel.sysctl."net.ipv4.conf.all.send_redirects" = mkDefault false;
-    boot.kernel.sysctl."net.ipv4.conf.default.send_redirects" = mkDefault false;
-  };
+  imports = [
+    (lib.mkRemovedOptionModule [ "profiles" "hardened" ] ''
+      The hardened profile has been removed, see the backward incompatibilities section of the 26.05 release notes for more information.
+    '')
+  ];
 }

nixos/modules/profiles/hardened.nix

@@ -701,7 +701,6 @@ in
     package = pkgs.hadoop_3_3;
   };
   haproxy = runTest ./haproxy.nix;
-  hardened = runTest ./hardened.nix;
   harmonia = runTest ./harmonia.nix;
   haste-server = runTest ./haste-server.nix;
   hbase2 = runTest {

nixos/tests/all-tests.nix

@@ -6,8 +6,6 @@
 # boot via sysctl or kernel cmdline are left enabled here, for improved
 # flexibility.
 #
-# See also <nixos/modules/profiles/hardened.nix>
-
 {
   stdenv,
   lib,