Merge pull request #48439 from joachifm/hardened-misc
nixos/security/misc: init
This commit is contained in:
commit
205aff5a65
|
@ -149,6 +149,7 @@
|
|||
./security/duosec.nix
|
||||
./security/hidepid.nix
|
||||
./security/lock-kernel-modules.nix
|
||||
./security/misc.nix
|
||||
./security/oath.nix
|
||||
./security/pam.nix
|
||||
./security/pam_usb.nix
|
||||
|
|
|
@ -16,6 +16,8 @@ with lib;
|
|||
|
||||
security.lockKernelModules = mkDefault true;
|
||||
|
||||
security.allowUserNamespaces = mkDefault false;
|
||||
|
||||
security.apparmor.enable = mkDefault true;
|
||||
|
||||
boot.kernelParams = [
|
||||
|
@ -59,18 +61,6 @@ with lib;
|
|||
# ... or at least apply some hardening to it
|
||||
boot.kernel.sysctl."net.core.bpf_jit_harden" = mkDefault true;
|
||||
|
||||
# A recurring problem with user namespaces is that there are
|
||||
# still code paths where the kernel's permission checking logic
|
||||
# fails to account for namespacing, instead permitting a
|
||||
# namespaced process to act outside the namespace with the
|
||||
# same privileges as it would have inside it. This is particularly
|
||||
# bad in the common case of running as root within the namespace.
|
||||
#
|
||||
# Setting the number of allowed user namespaces to 0 effectively disables
|
||||
# the feature at runtime. Attempting to create a user namespace
|
||||
# with unshare will then fail with "no space left on device".
|
||||
boot.kernel.sysctl."user.max_user_namespaces" = mkDefault 0;
|
||||
|
||||
# Raise ASLR entropy for 64bit & 32bit, respectively.
|
||||
#
|
||||
# Note: mmap_rnd_compat_bits may not exist on 64bit.
|
||||
|
|
|
@ -0,0 +1,39 @@
|
|||
{ config, lib, ... }:
|
||||
|
||||
with lib;
|
||||
|
||||
{
|
||||
meta = {
|
||||
maintainers = [ maintainers.joachifm ];
|
||||
};
|
||||
|
||||
options = {
|
||||
security.allowUserNamespaces = mkOption {
|
||||
type = types.bool;
|
||||
default = true;
|
||||
description = ''
|
||||
Whether to allow creation of user namespaces. A recurring problem
|
||||
with user namespaces is the presence of code paths where the kernel's
|
||||
permission checking logic fails to account for namespacing, instead
|
||||
permitting a namespaced process to act outside the namespace with the
|
||||
same privileges as it would have inside it. This is particularly
|
||||
damaging in the common case of running as root within the namespace.
|
||||
When user namespace creation is disallowed, attempting to create
|
||||
a user namespace fails with "no space left on device" (ENOSPC).
|
||||
'';
|
||||
};
|
||||
};
|
||||
|
||||
config = mkIf (!config.security.allowUserNamespaces) {
|
||||
# Setting the number of allowed user namespaces to 0 effectively disables
|
||||
# the feature at runtime. Note that root may raise the limit again
|
||||
# at any time.
|
||||
boot.kernel.sysctl."user.max_user_namespaces" = 0;
|
||||
|
||||
assertions = [
|
||||
{ assertion = config.nix.useSandbox -> config.security.allowUserNamespaces;
|
||||
message = "`nix.useSandbox = true` conflicts with `!security.allowUserNamespaces`.";
|
||||
}
|
||||
];
|
||||
};
|
||||
}
|
Loading…
Reference in New Issue