From 00ac71ab1932b395452209627011a32a63d81897 Mon Sep 17 00:00:00 2001
From: Kyle Copperfield
Date: Tue, 19 Nov 2019 09:57:23 +0000
Subject: [PATCH 1/2] nixos/hardened: build sandbox incompatible with namespaces

Disables the build sandbox by default to avoid incompatibility with defaulting user namespaces to false. Ideally there would be some kind of linux kernel feature that allows us to trust nix-daemon builders to allow both nix sandbox builds and disabling untrusted naemspaces at the same time.
---
 nixos/modules/profiles/hardened.nix | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/nixos/modules/profiles/hardened.nix b/nixos/modules/profiles/hardened.nix
index f7b2f5c7fc1e..33e4ddc3fb41 100644
--- a/nixos/modules/profiles/hardened.nix
+++ b/nixos/modules/profiles/hardened.nix
@@ -20,6 +20,8 @@ with lib;
   security.allowUserNamespaces = mkDefault false;
+  nix.useSandbox = mkDefault false;
+
   security.protectKernelImage = mkDefault true;
   security.allowSimultaneousMultithreading = mkDefault false;

From 759968a6126a9bf4962a3ddea4eaf6466baff122 Mon Sep 17 00:00:00 2001
From: Kyle Copperfield
Date: Tue, 19 Nov 2019 09:26:49 +0000
Subject: [PATCH 2/2] nixos/hardened: scudo default allocator. zero by default allow override.

---
 nixos/modules/profiles/hardened.nix | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/nixos/modules/profiles/hardened.nix b/nixos/modules/profiles/hardened.nix
index 33e4ddc3fb41..da3de4447686 100644
--- a/nixos/modules/profiles/hardened.nix
+++ b/nixos/modules/profiles/hardened.nix
@@ -14,6 +14,9 @@ with lib;
   nix.allowedUsers = mkDefault [ "@users" ];
+  environment.memoryAllocator.provider = mkDefault "scudo";
+  environment.variables.SCUDO_OPTIONS = mkDefault "ZeroContents=1";
+
   security.hideProcessInformation = mkDefault true;
   security.lockKernelModules = mkDefault true;
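Review bot: `nix.useSandbox = mkDefault false;` turns off build isolation for every nix-daemon build on the hardened profile, and the only explanation of why lives in the commit message rather than next to the line where the next reader will meet it. The commit message says the sandbox cannot work once `security.allowUserNamespaces` is `false`, so the two settings are coupled and anyone who overrides one needs to revisit the other; that coupling should be stated in the file. I would add above the new line: `# The build sandbox relies on user namespaces, which this profile disables above (security.allowUserNamespaces); re-enable both together, or neither.` The attribute set this hunk edits opens and closes outside the hunk.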
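Review bot: `environment.variables.SCUDO_OPTIONS = mkDefault "ZeroContents=1";` is a session-environment variable, which as far as I can tell reaches login shells and the programs launched from them but not services started by systemd, so the zero-on-allocate behaviour is unlikely to apply to daemons even though the preceding `environment.memoryAllocator.provider` line switches them to scudo system-wide. If a user-session-only default is the intent, the line should say so, e.g. `# Session variable: seen by login shells and their children, not by systemd services.`; if services are meant to be covered too, the option needs a mechanism that reaches them, which this hunk does not provide. The enclosing attribute set starts and ends outside the hunk.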