Commit graph

179 commits

Author SHA1 Message Date
Izorkin
e21e5a9483 nixos/security/misc: add option unprivilegedUsernsClone 2020-08-25 14:18:24 +03:00
davidak
5a3738d22b
nixos/systemPackages: clean up (#91213)
* nixos/systemPackages: clean up

* Update nixos/doc/manual/release-notes/rl-2009.xml

Co-authored-by: Jan Tojnar <jtojnar@gmail.com>

* Update nixos/doc/manual/release-notes/rl-2009.xml

Co-authored-by: 8573 <8573@users.noreply.github.com>

Co-authored-by: Jan Tojnar <jtojnar@gmail.com>
Co-authored-by: 8573 <8573@users.noreply.github.com>
2020-08-20 13:45:54 +00:00
worldofpeace
490cd7889e nixos/displayManager: make autoLogin options independent of DM type
Co-authored-by: volth <volth@volth.com>
2020-07-09 21:15:35 -04:00
adisbladis
1ca6909514
Merge pull request #74378 from ttuegel/lxc-container
docker-container: Remove /etc symlink
2020-04-25 16:25:15 +02:00
Emily
b0d5032ee4 nixos/hardened: add emily to maintainers 2020-04-17 16:13:39 +01:00
Emily
ad9bfe2254 nixos/hardened: enable user namespaces for root
linux-hardened sets kernel.unprivileged_userns_clone=0 by default; see
anthraxx/linux-hardened@104f44058f.

This allows the Nix sandbox to function while reducing the attack
surface posed by user namespaces, which allow unprivileged code to
exercise lots of root-only code paths and have lead to privilege
escalation vulnerabilities in the past.

We can safely leave user namespaces on for privileged users, as root
already has root privileges, but if you're not running builds on your
machine and really want to minimize the kernel attack surface then you
can set security.allowUserNamespaces to false.

Note that Chrome's sandbox requires either unprivileged CLONE_NEWUSER or
setuid, and Firefox's silently reduces the security level if it isn't
allowed (see about:support), so desktop users may want to set:

    boot.kernel.sysctl."kernel.unprivileged_userns_clone" = true;
2020-04-17 16:13:39 +01:00
Emily
84f258bf09 nixos/hardened: don't set vm.unprivileged_userfaultfd
Upstreamed in anthraxx/linux-hardened@a712392b88.
2020-04-17 16:13:39 +01:00
Emily
cc28d51237 nixos/hardened: don't set vm.mmap_min_addr
Upstreamed in anthraxx/linux-hardened@f1fe0a64dd.
2020-04-17 16:13:39 +01:00
Emily
46d12cca56 nixos/hardened: don't set vm.mmap_rnd{,_compat}_bits
Upstreamed in anthraxx/linux-hardened@ae6d85f437.
2020-04-17 16:13:39 +01:00
Emily
af4f57b2c4 nixos/hardened: don't set net.core.bpf_jit_harden
Upstreamed in anthraxx/linux-hardened@82e384401d.
2020-04-17 16:13:39 +01:00
Emily
71bbd876b7 nixos/hardened: don't set kernel.unprivileged_bpf_disabled
Upstreamed in anthraxx/linux-hardened@1a3e0c2830.
2020-04-17 16:13:39 +01:00
Emily
9da578a78f nixos/hardened: don't set kernel.dmesg_restrict
Upstreamed in anthraxx/linux-hardened@e3d3f13ffb.
2020-04-17 16:13:39 +01:00
Emily
cf1bce6a7a nixos/hardened: don't set vsyscall=none
Upstreamed in anthraxx/linux-hardened@d300b0fdad.
2020-04-17 16:13:39 +01:00
Emily
3b32cd2a5b nixos/hardened: don't set slab_nomerge
Upstreamed in anthraxx/linux-hardened@df29f9248c.
2020-04-17 16:13:39 +01:00
Florian Klink
a8989b353a Revert "nixos/hardened: build sandbox incompatible with namespaces"
As discussed in https://github.com/NixOS/nixpkgs/pull/73763, prevailing
consensus is to revert that commit. People use the hardened profile on
machines and run nix builds, and there's no good reason to use
unsandboxed builds at all unless you're in a platform that doesn't
support them.

This reverts commit 00ac71ab19.
2020-04-05 17:38:15 +02:00
Joachim F
18b89e7abd
Merge pull request #73763 from kmcopper/hardening-profile
Improvements to the NixOS Hardened Profile
2020-04-03 18:48:12 +00:00
Eelco Dolstra
bd379be538
Remove unused 'rogue' service 2020-03-24 15:25:20 +01:00
Eelco Dolstra
aebf9a4709
services/misc/nixos-manual.nix: Remove
Running the manual on a TTY is useless in the graphical ISOs and not
particularly useful in non-graphical ISOs (since you can also run
'nixos-help').

Fixes #83157.
2020-03-24 15:25:20 +01:00
Thomas Tuegel
757c7f3773
docker-container: Remove /etc symlink
The system output usually contains a symlink from /etc to the static
configuration for the benefit of the stage-1 script in the initrd. The stage-2
script is usually started in the real root without such a symlink. In a
container, there is no stage-1 and the system output is used directly as a real
root. If the symlink is present, setup-etc.pl will create a symlink cycle and
the system cannot boot. There is no reason for the /etc link to exist in a
container because setup-etc.pl will create the necessary files. The container
module will now remove the /etc symlink and create an empty directory. The empty
/etc is for container managers to populate it with site-specific settings; for
example, to set the hostname. This is required to boot NixOS in an LXC container
on another host.

See also: #9735
2019-11-27 15:51:19 -06:00
Kyle Copperfield
759968a612 nixos/hardened: scudo default allocator. zero by default allow override. 2019-11-26 08:50:35 +00:00
Jan Tojnar
77661f8cfd
nixos/plasma5: drop enableQt4Support option
Phonon no longer supports Qt4 so this is useless.
2019-11-22 09:01:05 +01:00
Kyle Copperfield
00ac71ab19 nixos/hardened: build sandbox incompatible with namespaces
Disables the build sandbox by default to avoid incompatibility with
defaulting user namespaces to false. Ideally there would be some kind of
linux kernel feature that allows us to trust nix-daemon builders to
allow both nix sandbox builds and disabling untrusted naemspaces at the
same time.
2019-11-19 14:56:09 +00:00
Elis Hirwing
4403cd16f9
profiles/graphical.nix: Drop systemWide pulseaudio in iso
It's not needed since #66338 and should have been done earlier.

This is based on a follow-up on #56167.
2019-11-11 17:07:42 +01:00
Franz Pletz
ec6224b6cd Revert "installer: Disable udisks"
This reverts commit 571fb74f44.

The dependency on gtk2 was removed.

Co-authored-by: Florian Klink <flokli@flokli.de>
2019-10-16 20:31:24 -04:00
Joachim F
5bea2997fe
nixos/hardened: blacklist old filesystems (#70482)
The rationale for this is that old filesystems have recieved little scrutiny
wrt. security relevant bugs.

Lifted from OpenSUSE[1].

[1]: 8cb42fb665

Co-Authored-By: Renaud <c0bw3b@users.noreply.github.com>
2019-10-12 10:08:44 +00:00
Matthieu Coudron
c27360ae47 qemu-guest: allow to override security.rngd
... otherwise enabling it causes a merge conflict.

Enabling it was necessary to give enough entropy for the sshd daemon in
my libvirt/nixops VM to generate keys see
https://github.com/NixOS/nixops/issues/1199.
2019-09-18 00:35:04 +09:00
Florian Klink
4e586dea50
Merge pull request #63773 from flokli/installation-device-fixes
installation-device.nix: explain sshd usage, don't include clone-config
2019-08-31 02:59:23 +02:00
Marek Mahut
7a4b296c8d
Merge pull request #66687 from joachifm/feat/hardened-nixos-revert-graphene-malloc
Revert "nixos/hardened: use graphene-hardened malloc by default"
2019-08-19 20:56:07 +02:00
Florian Klink
f71fd79ff0 nixos/installation-device.nix: explain sshd usage 2019-08-19 16:34:06 +02:00
Florian Klink
9be0327a49 nixos/systemd: install sysctl snippets
systemd provides two sysctl snippets, 50-coredump.conf and
50-default.conf.

These enable:
 - Loose reverse path filtering
 - Source route filtering
 - `fq_codel` as a packet scheduler (this helps to fight bufferbloat)

This also configures the kernel to pass coredumps to `systemd-coredump`.
These sysctl snippets can be found in `/etc/sysctl.d/50-*.conf`,
and overridden via `boot.kernel.sysctl`
(which will place the parameters in `/etc/sysctl.d/60-nixos.conf`.

Let's start using these, like other distros already do for quite some
time, and remove those duplicate `boot.kernel.sysctl` options we
previously did set.

In the case of rp_filter (which systemd would set to 2 (loose)), make
our overrides to "1" more explicit.
2019-08-18 17:54:26 +02:00
Joachim Fasting
4ead3d2ec3
Revert "nixos/hardened: use graphene-hardened malloc by default"
This reverts commit 48ff4f1197.

Causes too much breakage to be enabled by default [1][2].

[1]: https://github.com/NixOS/nixpkgs/issues/61489
[2]: https://github.com/NixOS/nixpkgs/issues/65000
2019-08-15 18:49:57 +02:00
Joachim Fasting
da0b67c946
nixos-hardened: disable unprivileged userfaultfd syscalls
New in 5.2 [1]

[1]: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=cefdca0a86be517bc390fc4541e3674b8e7803b0
2019-08-15 18:43:34 +02:00
Joachim Fasting
4b21d1ac8c
nixos-hardened: enable page alloc randomization 2019-08-15 18:43:32 +02:00
worldofpeace
397c7d26fc installer: Don't run as root
There's many reason why it is and is going to
continue to be difficult to do this:

1. All display-managers (excluding slim) default PAM rules
   disallow root auto login.

2. We can't use wayland

3. We have to use system-wide pulseaudio

4. It could break applications in the session.
   This happened to dolphin in plasma5
   in the past.

This is a growing technical debt, let's just use
passwordless sudo.
2019-08-12 14:45:27 -04:00
Pierre Bourdon
67b7e70865
nixos/hardened: make pti=on overridable
Introduces a new security.forcePageTableIsolation option (default false
on !hardened, true on hardened) that forces pti=on.
2019-07-30 02:24:56 +02:00
Marek Mahut
e72f25673d Renaming security.virtualization.flushL1DataCache to virtualisation
Fixes #65044
2019-07-19 15:49:37 +02:00
Joachim Fasting
c3cc7034e2
nixos/hardened: harder inet defaults
See e.g., https://github.com/NixOS/nixpkgs/issues/63768

Forwarding remains enabled for now, need to determine its effects on
virtualization, if any.
2019-07-04 19:24:44 +02:00
Joachim Fasting
c233e24d54
nixos/hardened: disable ftrace by default 2019-07-04 19:24:41 +02:00
Joachim Fasting
48ff4f1197
nixos/hardened: use graphene-hardened malloc by default 2019-05-07 13:45:39 +02:00
Elis Hirwing
d1c2805eb5
profiles/graphical.nix: Enable pulseaudio for virtualbox appliances 2019-02-22 07:23:59 +01:00
danbst
27982b408e types.optionSet: deprecate and remove last usages 2019-01-31 00:41:10 +02:00
Profpatsch
c8c53fcb11 modules/profiles/minimal: sound is disabled by default
The option is `false` by default since
e349ccc77f, so we don’t need to mention
it explicitely in these minimal configs.
2019-01-13 13:47:36 +01:00
Joachim Fasting
167578163a
nixos/hardened profile: always enable pti 2019-01-05 14:07:39 +01:00
Joachim Fasting
3f1f443125
nixos/hardened profile: slab/slub hardening
slab_nomerge may reduce surface somewhat

slub_debug is used to enable additional sanity checks and "red zones" around
allocations to detect read/writes beyond the allocated area, as well as
poisoning to overwrite free'd data.

The cost is yet more memory fragmentation ...
2019-01-05 14:07:37 +01:00
Joachim Fasting
ea4f371627
nixos/security/misc: expose SMT control option
For the hardened profile disable symmetric multi threading.  There seems to be
no *proven* method of exploiting cache sharing between threads on the same CPU
core, so this may be considered quite paranoid, considering the perf cost.
SMT can be controlled at runtime, however.  This is in keeping with OpenBSD
defaults.

TODO: since SMT is left to be controlled at runtime, changing the option
definition should take effect on system activation.  Write to
/sys/devices/system/cpu/smt/control
2018-12-27 15:00:49 +01:00
Joachim Fasting
e9761fa327
nixos/security/misc: expose l1tf mitigation option
For the hardened profile enable flushing whenever the hypervisor enters the
guest, but otherwise leave at kernel default (conditional flushing as of
writing).
2018-12-27 15:00:48 +01:00
Joachim Fasting
84fb8820db
nixos/security/misc: factor out protectKernelImage
Introduces the option security.protectKernelImage that is intended to control
various mitigations to protect the integrity of the running kernel
image (i.e., prevent replacing it without rebooting).

This makes sense as a dedicated module as it is otherwise somewhat difficult
to override for hardened profile users who want e.g., hibernation to work.
2018-12-27 15:00:47 +01:00
Graham Christensen
6db866cbd2
Revert "zfs cannot be distributed. Disabling it in the isos."
ZFS's popularity is growing, and not including it by default is a
bit frustrating. On top of that, the base iso includes ZFS
_anyway_ due to other packages depending upon it.

I think we're in the clear to do this on the basis that Oracle
probably doesn't care, it is probably fine (the SFLC agrees) and
we're a small fish. If a copyright holder asks us to, we can
definitely revert it again.

This reverts commit 33d07c7ea9.
2018-11-26 17:51:18 -05:00
Ding Xiang Fei
b011049cf6 Merge branch 'master' of https://github.com/nixos/nixpkgs into tarball-closureinfo 2018-11-26 12:04:07 +08:00
Joachim Fasting
6a7f02d89d
nixos/hardened: restrict access to nix daemon 2018-11-24 16:06:21 +01:00