diff options
| -rw-r--r-- | nixos/modules/profiles/hardened.nix | 8 | ||||
| -rw-r--r-- | nixos/modules/security/misc.nix | 15 | ||||
| -rw-r--r-- | nixos/tests/hardened.nix | 6 |
3 files changed, 23 insertions, 6 deletions
diff --git a/nixos/modules/profiles/hardened.nix b/nixos/modules/profiles/hardened.nix index 61e871bcaca5..bad4cb81639d 100644 --- a/nixos/modules/profiles/hardened.nix +++ b/nixos/modules/profiles/hardened.nix @@ -20,6 +20,8 @@ with lib; security.allowUserNamespaces = mkDefault false; + security.protectKernelImage = mkDefault true; + security.apparmor.enable = mkDefault true; boot.kernelParams = [ @@ -28,9 +30,6 @@ with lib; # Disable legacy virtual syscalls "vsyscall=none" - - # Disable hibernation (allows replacing the running kernel) - "nohibernate" ]; boot.blacklistedKernelModules = [ @@ -44,9 +43,6 @@ with lib; # (e.g., parent/child) boot.kernel.sysctl."kernel.yama.ptrace_scope" = mkOverride 500 1; - # Prevent replacing the running kernel image w/o reboot - boot.kernel.sysctl."kernel.kexec_load_disabled" = mkDefault true; - # Restrict access to kernel ring buffer (information leaks) boot.kernel.sysctl."kernel.dmesg_restrict" = mkDefault true; diff --git a/nixos/modules/security/misc.nix b/nixos/modules/security/misc.nix index f3fc6db22ead..b1db0bc8da85 100644 --- a/nixos/modules/security/misc.nix +++ b/nixos/modules/security/misc.nix @@ -22,6 +22,14 @@ with lib; a user namespace fails with "no space left on device" (ENOSPC). ''; }; + + security.protectKernelImage = mkOption { + type = types.bool; + default = false; + description = '' + Whether to prevent replacing the running kernel image. + ''; + }; }; config = mkMerge [ @@ -37,5 +45,12 @@ with lib; } ]; }) + + (mkIf config.security.protectKernelImage { + # Disable hibernation (allows replacing the running kernel) + boot.kernelParams = [ "nohibernate" ]; + # Prevent replacing the running kernel image w/o reboot + boot.kernel.sysctl."kernel.kexec_load_disabled" = mkDefault true; + }) ]; } diff --git a/nixos/tests/hardened.nix b/nixos/tests/hardened.nix index e10a6363164a..683f56c45af4 100644 --- a/nixos/tests/hardened.nix +++ b/nixos/tests/hardened.nix @@ -70,5 +70,11 @@ import ./make-test.nix ({ pkgs, ...} : { $machine->fail("su -l nobody -s /bin/sh -c 'nix ping-store'"); $machine->succeed("su -l alice -c 'nix ping-store'") =~ "OK"; }; + + # Test kernel image protection + subtest "kernelimage", sub { + $machine->fail("systemctl hibernate"); + $machine->fail("systemctl kexec"); + }; ''; }) |