linux-hardened sets kernel.unprivileged_userns_clone=0 by default; see
anthraxx/linux-hardened@104f44058f.
This allows the Nix sandbox to function while reducing the attack
surface posed by user namespaces, which allow unprivileged code to
exercise lots of root-only code paths and have lead to privilege
escalation vulnerabilities in the past.
We can safely leave user namespaces on for privileged users, as root
already has root privileges, but if you're not running builds on your
machine and really want to minimize the kernel attack surface then you
can set security.allowUserNamespaces to false.
Note that Chrome's sandbox requires either unprivileged CLONE_NEWUSER or
setuid, and Firefox's silently reduces the security level if it isn't
allowed (see about:support), so desktop users may want to set:
boot.kernel.sysctl."kernel.unprivileged_userns_clone" = true;
As far as I can tell, this has never defaulted to on upstream, and our
common kernel configuration doesn't turn it on, so the attack surface
reduction here is somewhat homeopathic.
This is an updated version of the former upstream,
https://github.com/AndroidHardeningArchive/linux-hardened, and provides
a minimal set of additional hardening patches on top of upstream.
The patch already incorporates many of our hardened profile defaults,
and releases are timely (Linux 5.5.15 and 5.6.2 were released on
2020-04-02; linux-hardened patches for them came out on 2020-04-03 and
2020-04-04 respectively).
* nixos/k3s: simplify config expression
* nixos/k3s: add config assertions and trim unneeded bits
* nixos/k3s: add a test that k3s works; minor module improvements
This is a single-node test. Eventually we should also have a multi-node
test to verify the agent bit works, but that one's more involved.
* nixos/k3s: add option description
* nixos/k3s: add defaults for token/serveraddr
Now that the assertion enforces their presence, we dont' need to use the typesystem for it.
* nixos/k3s: remove unneeded sudo in test
* nixos/k3s: add to test list
The patch phase runs after the build phase. Which means than when
using an override to override both 'conf' and 'patches' to provide
a custom config file and apply some patches, it doesn't work:
- first the patches applied (optionally changing config.def.h)
- then preBuild is run which overrides config.def.h with the user
supplied one (effectively cancelling previously applied patches)
By copying the config file in the prePatch phase instead, changes
are kept and applied in order.
Unfortunately, the upstream changelog consists of just the following:
* Update to the Reiner-SCT repository rev cyberJack@1374
This is not very helpful since I haven't found a public SVN (I assume,
since it's using integer revisions) repository, so I decided to diff the
tarball against the old one, here's what I've found:
* No longer ship generated files from autotools
* Add support for REINER SCT cyberJack comfort PL
* Add support for tanJack USB
* Allow to override secoder information
* Lots of whitespace and coding style changes
As mentioned above, the autotools-generated files are no longer shipped,
so I've added autoreconfHook to nativeBuildInputs.
I also verified the source tarball using the upstream hashes found here:
http://downloads.reiner-sct.de/LINUX/Hashwerte/Hashwerte.txt
Signed-off-by: aszlig <aszlig@nix.build>
Merges: https://github.com/NixOS/nixpkgs/pull/84749