nixpkgs-suyu/nixos/modules/security
aszlig d13ad389b4
nixos/confinement: Explicitly set serviceConfig
My implementation was relying on PrivateDevices, PrivateTmp,
PrivateUsers and others to be false by default if chroot-only mode is
used.

However there is an ongoing effort[1] to change these defaults, which
then will actually increase the attack surface in chroot-only mode,
because it is expected that there is no /dev, /sys or /proc.

If for example PrivateDevices is enabled by default, there suddenly will
be a mounted /dev in the chroot and we wouldn't detect it.

Fortunately, our tests cover that, but I'm preparing for this anyway so
that we have a smoother transition without the need to fix our
implementation again.

Thanks to @Infinisil for the heads-up.

[1]: https://github.com/NixOS/nixpkgs/issues/14645

Signed-off-by: aszlig <aszlig@nix.build>
2019-03-15 04:13:01 +01:00
..
wrappers nixos/wrappers: remove outdated upgrade code 2018-10-21 15:12:36 +02:00
acme.nix
acme.xml docs: format 2018-09-29 20:51:11 -04:00
apparmor-suid.nix apparmor-suid: don't force glibc 2018-10-30 19:50:47 -05:00
apparmor.nix
audit.nix
auditd.nix
ca.nix nixos: add preferLocalBuild=true; on derivations for config files 2019-02-22 20:11:27 +01:00
chromium-suid-sandbox.nix
dhparams.nix dhparams module: add self as maintainer 2018-10-31 01:05:35 +09:00
duosec.nix nixos/security: Fix pam configuration file generation. 2019-02-24 22:49:01 +00:00
google_oslogin.nix config.security.googleOsLogin: add module 2018-12-21 17:52:37 +01:00
hidepid.nix
hidepid.xml docs: format 2018-09-29 20:51:11 -04:00
lock-kernel-modules.nix nixos/lock-kernel-modules: add myself to maintainers 2018-10-15 01:33:30 +02:00
misc.nix nixos/security/misc: expose SMT control option 2018-12-27 15:00:49 +01:00
oath.nix
pam.nix nixos/security: Add duo-unix support to pam. 2019-02-24 22:48:56 +00:00
pam_mount.nix
pam_usb.nix
polkit.nix nixos/polkit: use tmpfiles to clean old dirs 2018-09-30 11:08:11 -07:00
prey.nix
rngd.nix nixos/rngd: do not pass --version flag 2018-11-05 10:41:38 +01:00
rtkit.nix
sudo.nix nixos: add preferLocalBuild=true; on derivations for config files 2019-02-22 20:11:27 +01:00
systemd-confinement.nix nixos/confinement: Explicitly set serviceConfig 2019-03-15 04:13:01 +01:00