diff options
author | Joachim F <joachifm@users.noreply.github.com> | 2018-10-15 21:25:42 +0000 |
---|---|---|
committer | GitHub <noreply@github.com> | 2018-10-15 21:25:42 +0000 |
commit | 205aff5a65bef05f19da323d19cf3899ba342645 (patch) | |
tree | c88a4b83fb112e5913d5becb6f6bd401bc9dc275 /nixos/modules/profiles | |
parent | a2294088021a836b26be0a0916098ea0e4a02088 (diff) | |
parent | f4ea22e5de572efa9babc7674fdc79fa637a7e31 (diff) |
Merge pull request #48439 from joachifm/hardened-misc
nixos/security/misc: init
Diffstat (limited to 'nixos/modules/profiles')
-rw-r--r-- | nixos/modules/profiles/hardened.nix | 14 |
1 files changed, 2 insertions, 12 deletions
diff --git a/nixos/modules/profiles/hardened.nix b/nixos/modules/profiles/hardened.nix index 38c5a42ba6f..d712fb2514b 100644 --- a/nixos/modules/profiles/hardened.nix +++ b/nixos/modules/profiles/hardened.nix @@ -16,6 +16,8 @@ with lib; security.lockKernelModules = mkDefault true; + security.allowUserNamespaces = mkDefault false; + security.apparmor.enable = mkDefault true; boot.kernelParams = [ @@ -59,18 +61,6 @@ with lib; # ... or at least apply some hardening to it boot.kernel.sysctl."net.core.bpf_jit_harden" = mkDefault true; - # A recurring problem with user namespaces is that there are - # still code paths where the kernel's permission checking logic - # fails to account for namespacing, instead permitting a - # namespaced process to act outside the namespace with the - # same privileges as it would have inside it. This is particularly - # bad in the common case of running as root within the namespace. - # - # Setting the number of allowed user namespaces to 0 effectively disables - # the feature at runtime. Attempting to create a user namespace - # with unshare will then fail with "no space left on device". - boot.kernel.sysctl."user.max_user_namespaces" = mkDefault 0; - # Raise ASLR entropy for 64bit & 32bit, respectively. # # Note: mmap_rnd_compat_bits may not exist on 64bit. |