-rw-r--r--nixos/modules/module-list.nix1
-rw-r--r--nixos/modules/profiles/hardened.nix14
-rw-r--r--nixos/modules/security/misc.nix39
3 files changed, 42 insertions, 12 deletions
diff --git a/nixos/modules/module-list.nix b/nixos/modules/module-list.nix
index f55c32fa511d..2bb41767b0b2 100644
--- a/nixos/modules/module-list.nix
+++ b/nixos/modules/module-list.nix
@@ -149,6 +149,7 @@
./security/duosec.nix
./security/hidepid.nix
./security/lock-kernel-modules.nix
+ ./security/misc.nix
./security/oath.nix
./security/pam.nix
./security/pam_usb.nix
diff --git a/nixos/modules/profiles/hardened.nix b/nixos/modules/profiles/hardened.nix
index 2af8bf1f8e30..da47313f180a 100644
--- a/nixos/modules/profiles/hardened.nix
+++ b/nixos/modules/profiles/hardened.nix
@@ -12,6 +12,8 @@ with lib;
security.lockKernelModules = mkDefault true;
+ security.allowUserNamespaces = mkDefault false;
+
security.apparmor.enable = mkDefault true;
boot.kernelParams = [
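Review bot: The new `security.allowUserNamespaces = mkDefault false;` line arrives without any comment, while the rationale that used to sit next to the old sysctl in this file is removed by the second hunk, so a reader of the hardened profile no longer sees why user namespaces are disabled or how to turn them back on. A one-line pointer keeps that discoverable: `# Disabled because of recurring namespace-aware permission-check bugs; see the security.allowUserNamespaces option (security/misc.nix). Override with security.allowUserNamespaces = true;`. The surrounding attribute set continues outside this hunk.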
@@ -55,18 +57,6 @@ with lib;
# ... or at least apply some hardening to it
boot.kernel.sysctl."net.core.bpf_jit_harden" = mkDefault true;
- # A recurring problem with user namespaces is that there are
- # still code paths where the kernel's permission checking logic
- # fails to account for namespacing, instead permitting a
- # namespaced process to act outside the namespace with the
- # same privileges as it would have inside it. This is particularly
- # bad in the common case of running as root within the namespace.
- #
- # Setting the number of allowed user namespaces to 0 effectively disables
- # the feature at runtime. Attempting to create a user namespace
- # with unshare will then fail with "no space left on device".
- boot.kernel.sysctl."user.max_user_namespaces" = mkDefault 0;
-
# Raise ASLR entropy for 64bit & 32bit, respectively.
#
# Note: mmap_rnd_compat_bits may not exist on 64bit.
diff --git a/nixos/modules/security/misc.nix b/nixos/modules/security/misc.nix
new file mode 100644
index 000000000000..42f872b7b088
--- /dev/null
+++ b/nixos/modules/security/misc.nix
@@ -0,0 +1,39 @@
+{ config, lib, ... }:
+
+with lib;
+
+{
+ meta = {
+ maintainers = [ maintainers.joachifm ];
+ };
+
+ options = {
+ security.allowUserNamespaces = mkOption {
+ type = types.bool;
+ default = true;
+ description = ''
+ Whether to allow creation of user namespaces. A recurring problem
+ with user namespaces is the presence of code paths where the kernel's
+ permission checking logic fails to account for namespacing, instead
+ permitting a namespaced process to act outside the namespace with the
+ same privileges as it would have inside it. This is particularly
+ damaging in the common case of running as root within the namespace.
+ When user namespace creation is disallowed, attempting to create
+ a user namespace fails with "no space left on device" (ENOSPC).
+ '';
+ };
+ };
+
+ config = mkIf (!config.security.allowUserNamespaces) {
+ # Setting the number of allowed user namespaces to 0 effectively disables
+ # the feature at runtime. Note that root may raise the limit again
+ # at any time.
+ boot.kernel.sysctl."user.max_user_namespaces" = 0;
+
+ assertions = [
+ { assertion = config.nix.useSandbox -> config.security.allowUserNamespaces;
+ message = "`nix.useSandbox = true` conflicts with `!security.allowUserNamespaces`.";
+ }
+ ];
+ };
+}
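Review bot: The assertion in the new `config` block applies `->` directly to `config.nix.useSandbox`, which is only valid if that option is a plain boolean; on NixOS releases where `nix.useSandbox` also accepts the string `"relaxed"`, a host with relaxed sandboxing and `allowUserNamespaces = false` would fail evaluation with a type error ("value is a string while a Boolean was expected") instead of the intended message. An explicit comparison avoids that and still covers both sandbox modes: `{ assertion = config.nix.useSandbox == false || config.security.allowUserNamespaces;`. Separately, `boot.kernel.sysctl."user.max_user_namespaces" = 0;` is set without `mkDefault`, so a configuration that previously overrode that sysctl on top of the hardened profile now gets a definition conflict rather than an override; either wrap it in `mkDefault` or state in the option description that `security.allowUserNamespaces` is the supported knob. The description should also carry the caveat that is currently only in the code comment, e.g. "This is a runtime limit only: root can raise `user.max_user_namespaces` again at any time, and namespaces created before the sysctl is applied are unaffected."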