nixos/hardened: restrict access to nix daemon

2018-11-24 15:13:03 +01:00 · 2018-11-24 15:13:03 +01:00 · 6a7f02d89d
parent 62623b60d5
commit 6a7f02d89d
2 changed files with 8 additions and 0 deletions
--- a/nixos/modules/profiles/hardened.nix
+++ b/nixos/modules/profiles/hardened.nix
@ -12,6 +12,8 @@ with lib;

  boot.kernelPackages = mkDefault pkgs.linuxPackages_hardened;

+  nix.allowedUsers = mkDefault [ "@users" ];
+
  security.hideProcessInformation = mkDefault true;

  security.lockKernelModules = mkDefault true;
--- a/nixos/tests/hardened.nix
+++ b/nixos/tests/hardened.nix
@ -64,5 +64,11 @@ import ./make-test.nix ({ pkgs, ...} : {
        $machine->succeed("mount /dev/disk/by-label/EFISYS /efi");
        $machine->succeed("mountpoint -q /efi"); # now mounted
      };
+
+      # Test Nix dæmon usage
+      subtest "nix-daemon", sub {
+        $machine->fail("su -l nobody -s /bin/sh -c 'nix ping-store'");
+        $machine->succeed("su -l alice -c 'nix ping-store'") =~ "OK";
+      };
    '';
 })