While #NixOS should not be affected by #CopyFail as it uses recent kernels, here are additional fixes you can apply:
Disabling setuid does not mitigate it, but reduces the attack surfaces overall significantly.
Instead of #sudo, #su, #pkexec and other #setuid binaries you can use #run0 or a dedicated root account.
I have disabled setuid for a bunch of binaries I don't need, they still work when ran as root, with run0 or #sudo-rs.
```nix
boot.blacklistedKernelModules = [
"algif_aead"
];
security.sudo.enable = false;
security.wrappers = {
su.enable = false;
pkexec.enable = false;
# example setuid binary
chsh = {
source = "${pkgs.shadow}/bin/chsh";
setuid = lib.mkForce false;
owner = "root";
group = "root";
};
};
```