public
/
nixpkgs
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

nixos/hardened: restrict access to nix daemon

This commit is contained in:
Joachim Fasting 2018-11-24 15:13:03 +01:00
parent 62623b60d5
commit 6a7f02d89d
No known key found for this signature in database
GPG Key ID: 5C204DF675C90294
2 changed files with 8 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
nixos/modules/profiles/hardened.nix
View File

@ -12,6 +12,8 @@ with lib;
boot.kernelPackages = mkDefault pkgs.linuxPackages_hardened; boot.kernelPackages = mkDefault pkgs.linuxPackages_hardened;
nix.allowedUsers = mkDefault [ "@users" ];
security.hideProcessInformation = mkDefault true; security.hideProcessInformation = mkDefault true;
security.lockKernelModules = mkDefault true; security.lockKernelModules = mkDefault true;

6
nixos/tests/hardened.nix
View File

@ -64,5 +64,11 @@ import ./make-test.nix ({ pkgs, ...} : {
$machine->succeed("mount /dev/disk/by-label/EFISYS /efi"); $machine->succeed("mount /dev/disk/by-label/EFISYS /efi");
$machine->succeed("mountpoint -q /efi"); # now mounted $machine->succeed("mountpoint -q /efi"); # now mounted
}; };
# Test Nix dæmon usage
subtest "nix-daemon", sub {
$machine->fail("su -l nobody -s /bin/sh -c 'nix ping-store'");
$machine->succeed("su -l alice -c 'nix ping-store'") =~ "OK";
};
''; '';
}) })