mirror of https://github.com/NixOS/nixpkgs.git synced 2024-12-17 18:34:41 +00:00
nixpkgs/nixos
Emily ad9bfe2254 nixos/hardened: enable user namespaces for root
linux-hardened sets kernel.unprivileged_userns_clone=0 by default; see
anthraxx/linux-hardened@104f44058f.

This allows the Nix sandbox to function while reducing the attack
surface posed by user namespaces, which allow unprivileged code to
exercise lots of root-only code paths and have led to privilege
escalation vulnerabilities in the past.

We can safely leave user namespaces on for privileged users, as root
already has root privileges, but if you're not running builds on your
machine and really want to minimize the kernel attack surface then you
can set security.allowUserNamespaces to false.

Note that Chrome's sandbox requires either unprivileged CLONE_NEWUSER or
setuid, and Firefox's silently reduces the security level if it isn't
allowed (see about:support), so desktop users may want to set:

    boot.kernel.sysctl."kernel.unprivileged_userns_clone" = true;
2020-04-17 16:13:39 +01:00
doc Merge pull request #85085 from Ericson2314/document-haskell-env-changes 2020-04-12 16:33:53 -04:00
lib treewide: Per RFC45, remove all unquoted URLs 2020-04-10 17:54:53 +01:00
maintainers nixos/azure: clarify how users work in basic example 2020-03-29 13:56:55 -07:00
modules nixos/hardened: enable user namespaces for root 2020-04-17 16:13:39 +01:00
tests nixos/hardened: enable user namespaces for root 2020-04-17 16:13:39 +01:00
COPYING
default.nix
README
release-combined.nix nixos/release-combined.nix: test hibernate only on x86_64 2020-04-08 14:30:53 +02:00
release-small.nix nixos: try to fix channel eval 2020-04-06 00:25:11 +02:00
release.nix

*** NixOS ***

NixOS is a Linux distribution based on the purely functional package
management system Nix.  More information can be found at
http://nixos.org/nixos and in the manual in doc/manual.