nixpkgs/nixos/modules/profiles/hardened.nix

# A profile with most (vanilla) hardening options enabled by default,
# potentially at the cost of stability, features and performance.
#
# This profile enables options that are known to affect system
# stability. If you experience any stability issues when using the
# profile, try disabling it. If you report an issue and use this
# profile, always mention that you do.

{ config, lib, pkgs, ... }:

with lib;

{
  meta = {
    maintainers = [ maintainers.joachifm maintainers.emily ];
  };

  boot.kernelPackages = mkDefault pkgs.linuxPackages_hardened;

  nix.settings.allowed-users = mkDefault [ "@users" ];

  environment.memoryAllocator.provider = mkDefault "scudo";
  environment.variables.SCUDO_OPTIONS = mkDefault "ZeroContents=1";

  security.lockKernelModules = mkDefault true;

  security.protectKernelImage = mkDefault true;

  security.allowSimultaneousMultithreading = mkDefault false;

  security.forcePageTableIsolation = mkDefault true;

  # This is required by podman to run containers in rootless mode.
  security.unprivilegedUsernsClone = mkDefault config.virtualisation.containers.enable;

  security.virtualisation.flushL1DataCache = mkDefault "always";

  security.apparmor.enable = mkDefault true;
  security.apparmor.killUnconfinedConfinables = mkDefault true;

  boot.kernelParams = [
    # Slab/slub sanity checks, redzoning, and poisoning
    "slub_debug=FZP"

    # Overwrite free'd memory
    "page_poison=1"

    # Enable page allocator randomization
    "page_alloc.shuffle=1"
  ];

  boot.blacklistedKernelModules = [
    # Obscure network protocols
    "ax25"
    "netrom"
    "rose"

    # Old or rare or insufficiently audited filesystems
    "adfs"
    "affs"
    "bfs"
    "befs"
    "cramfs"
    "efs"
    "erofs"
    "exofs"
    "freevxfs"
    "f2fs"
    "hfs"
    "hpfs"
    "jfs"
    "minix"
    "nilfs2"
    "ntfs"
    "omfs"
    "qnx4"
    "qnx6"
    "sysv"
    "ufs"
  ];

  # Restrict ptrace() usage to processes with a pre-defined relationship
  # (e.g., parent/child)
  boot.kernel.sysctl."kernel.yama.ptrace_scope" = mkOverride 500 1;

  # Hide kptrs even for processes with CAP_SYSLOG
  boot.kernel.sysctl."kernel.kptr_restrict" = mkOverride 500 2;

  # Disable bpf() JIT (to eliminate spray attacks)
  boot.kernel.sysctl."net.core.bpf_jit_enable" = mkDefault false;

  # Disable ftrace debugging
  boot.kernel.sysctl."kernel.ftrace_enabled" = mkDefault false;

  # Enable strict reverse path filtering (that is, do not attempt to route
  # packets that "obviously" do not belong to the iface's network; dropped
  # packets are logged as martians).
  boot.kernel.sysctl."net.ipv4.conf.all.log_martians" = mkDefault true;
  boot.kernel.sysctl."net.ipv4.conf.all.rp_filter" = mkDefault "1";
  boot.kernel.sysctl."net.ipv4.conf.default.log_martians" = mkDefault true;
  boot.kernel.sysctl."net.ipv4.conf.default.rp_filter" = mkDefault "1";

  # Ignore broadcast ICMP (mitigate SMURF)
  boot.kernel.sysctl."net.ipv4.icmp_echo_ignore_broadcasts" = mkDefault true;

  # Ignore incoming ICMP redirects (note: default is needed to ensure that the
  # setting is applied to interfaces added after the sysctls are set)
  boot.kernel.sysctl."net.ipv4.conf.all.accept_redirects" = mkDefault false;
  boot.kernel.sysctl."net.ipv4.conf.all.secure_redirects" = mkDefault false;
  boot.kernel.sysctl."net.ipv4.conf.default.accept_redirects" = mkDefault false;
  boot.kernel.sysctl."net.ipv4.conf.default.secure_redirects" = mkDefault false;
  boot.kernel.sysctl."net.ipv6.conf.all.accept_redirects" = mkDefault false;
  boot.kernel.sysctl."net.ipv6.conf.default.accept_redirects" = mkDefault false;

  # Ignore outgoing ICMP redirects (this is ipv4 only)
  boot.kernel.sysctl."net.ipv4.conf.all.send_redirects" = mkDefault false;
  boot.kernel.sysctl."net.ipv4.conf.default.send_redirects" = mkDefault false;
}
nixos: add a "hardened" profile The idea is to provide a convenient way to enable most vanilla hardening features in one go. The hardened profile, then, will serve as a place for features that enhance security but cannot be enabled for all deployments because they interfere with legitimate use cases (e.g., using ptrace to debug problems in an already running process). Closes https://github.com/NixOS/nixpkgs/pull/24680 2017-04-06 12:54:45 +00:00			`# A profile with most (vanilla) hardening options enabled by default,`
profiles/hardened: Add note about potential instability Enabling the profile can lead to hard-to-debug issues, which should be warned about in addition to the cost in features and performance. See https://github.com/NixOS/nixpkgs/issues/108262 for an example. 2021-01-04 15:03:29 +00:00			`# potentially at the cost of stability, features and performance.`
			`#`
			`# This profile enables options that are known to affect system`
			`# stability. If you experience any stability issues when using the`
			`# profile, try disabling it. If you report an issue and use this`
			`# profile, always mention that you do.`
nixos: add a "hardened" profile The idea is to provide a convenient way to enable most vanilla hardening features in one go. The hardened profile, then, will serve as a place for features that enhance security but cannot be enabled for all deployments because they interfere with legitimate use cases (e.g., using ptrace to debug problems in an already running process). Closes https://github.com/NixOS/nixpkgs/pull/24680 2017-04-06 12:54:45 +00:00
nixos/security/misc: add option unprivilegedUsernsClone 2020-08-23 10:17:53 +00:00			`{ config, lib, pkgs, ... }:`
nixos: add a "hardened" profile The idea is to provide a convenient way to enable most vanilla hardening features in one go. The hardened profile, then, will serve as a place for features that enhance security but cannot be enabled for all deployments because they interfere with legitimate use cases (e.g., using ptrace to debug problems in an already running process). Closes https://github.com/NixOS/nixpkgs/pull/24680 2017-04-06 12:54:45 +00:00
			`with lib;`

			`{`
nixos/hardened: add myself to maintainers 2018-10-14 22:18:33 +00:00			`meta = {`
nixos/hardened: add emily to maintainers 2020-04-04 22:58:54 +00:00			`maintainers = [ maintainers.joachifm maintainers.emily ];`
nixos/hardened: add myself to maintainers 2018-10-14 22:18:33 +00:00			`};`

nixos/hardened profile: use the linux_hardened kernel 2017-04-29 23:22:32 +00:00			`boot.kernelPackages = mkDefault pkgs.linuxPackages_hardened;`

nixos/nix-daemon: use structural settings The `nix.*` options, apart from options for setting up the daemon itself, currently provide a lot of setting mappings for the Nix daemon configuration. The scope of the mapping yields convience, but the line where an option is considered essential is blurry. For instance, the `extra-sandbox-paths` mapping is provided without its primary consumer, and the corresponding `sandbox-paths` option is also not mapped. The current system increases the maintenance burden as maintainers have to closely follow upstream changes. In this case, there are two state versions of Nix which have to be maintained collectively, with different options avaliable. This commit aims to following the standard outlined in RFC 42[1] to implement a structural setting pattern. The Nix configuration is encoded at its core as key-value pairs which maps nicely to attribute sets, making it feasible to express in the Nix language itself. Some existing options are kept such as `buildMachines` and `registry` which present a simplified interface to managing the respective settings. The interface is exposed as `nix.settings`. Legacy configurations are mapped to their corresponding options under `nix.settings` for backwards compatibility. Various options settings in other nixos modules and relevant tests have been updated to use structural setting for consistency. The generation and validation of the configration file has been modified to use `writeTextFile` instead of `runCommand` for clarity. Note that validation is now mandatory as strict checking of options has been pushed down to the derivation level due to freeformType consuming unmatched options. Furthermore, validation can not occur when cross-compiling due to current limitations. A new option `publicHostKey` was added to the `buildMachines` submodule corresponding to the base64 encoded public host key settings exposed in the builder syntax. The build machine generation was subsequently rewritten to use `concatStringsSep` for better performance by grouping concatenations. [1] - https://github.com/NixOS/rfcs/blob/master/rfcs/0042-config-option.md 2021-11-19 22:36:26 +00:00			`nix.settings.allowed-users = mkDefault [ "@users" ];`
nixos/hardened: restrict access to nix daemon 2018-11-24 14:13:03 +00:00
nixos/hardened: scudo default allocator. zero by default allow override. 2019-11-19 09:26:49 +00:00			`environment.memoryAllocator.provider = mkDefault "scudo";`
			`environment.variables.SCUDO_OPTIONS = mkDefault "ZeroContents=1";`

nixos/hardened profile: lock kernel modules 2017-04-29 20:46:20 +00:00			`security.lockKernelModules = mkDefault true;`

nixos/security/misc: factor out protectKernelImage Introduces the option security.protectKernelImage that is intended to control various mitigations to protect the integrity of the running kernel image (i.e., prevent replacing it without rebooting). This makes sense as a dedicated module as it is otherwise somewhat difficult to override for hardened profile users who want e.g., hibernation to work. 2018-12-16 09:37:36 +00:00			`security.protectKernelImage = mkDefault true;`

nixos/security/misc: expose SMT control option For the hardened profile disable symmetric multi threading. There seems to be no proven method of exploiting cache sharing between threads on the same CPU core, so this may be considered quite paranoid, considering the perf cost. SMT can be controlled at runtime, however. This is in keeping with OpenBSD defaults. TODO: since SMT is left to be controlled at runtime, changing the option definition should take effect on system activation. Write to /sys/devices/system/cpu/smt/control 2018-12-26 21:24:04 +00:00			`security.allowSimultaneousMultithreading = mkDefault false;`

nixos/hardened: make pti=on overridable Introduces a new security.forcePageTableIsolation option (default false on !hardened, true on hardened) that forces pti=on. 2019-07-30 00:24:56 +00:00			`security.forcePageTableIsolation = mkDefault true;`

nixos/security/misc: add option unprivilegedUsernsClone 2020-08-23 10:17:53 +00:00			`# This is required by podman to run containers in rootless mode.`
			`security.unprivilegedUsernsClone = mkDefault config.virtualisation.containers.enable;`

Renaming security.virtualization.flushL1DataCache to virtualisation Fixes #65044 2019-07-19 13:49:37 +00:00			`security.virtualisation.flushL1DataCache = mkDefault "always";`
nixos/security/misc: expose l1tf mitigation option For the hardened profile enable flushing whenever the hypervisor enters the guest, but otherwise leave at kernel default (conditional flushing as of writing). 2018-12-26 21:22:55 +00:00
nixos: add a "hardened" profile The idea is to provide a convenient way to enable most vanilla hardening features in one go. The hardened profile, then, will serve as a place for features that enhance security but cannot be enabled for all deployments because they interfere with legitimate use cases (e.g., using ptrace to debug problems in an already running process). Closes https://github.com/NixOS/nixpkgs/pull/24680 2017-04-06 12:54:45 +00:00			`security.apparmor.enable = mkDefault true;`
nixos/apparmor: disable killUnconfinedConfinables by default 2021-02-28 23:24:54 +00:00			`security.apparmor.killUnconfinedConfinables = mkDefault true;`
nixos: add a "hardened" profile The idea is to provide a convenient way to enable most vanilla hardening features in one go. The hardened profile, then, will serve as a place for features that enhance security but cannot be enabled for all deployments because they interfere with legitimate use cases (e.g., using ptrace to debug problems in an already running process). Closes https://github.com/NixOS/nixpkgs/pull/24680 2017-04-06 12:54:45 +00:00
nixos/hardened profile: disable legacy virtual syscalls This eliminates a theoretical risk of ASLR bypass due to the fixed address mapping used by the legacy vsyscall mechanism. Modern glibc use vdso(7) instead so there is no loss of functionality, but some programs may fail to run in this configuration. Programs that fail to run because vsyscall has been disabled will be logged to dmesg. For background on virtual syscalls see https://lwn.net/Articles/446528/ Closes https://github.com/NixOS/nixpkgs/pull/25289 2017-04-29 15:27:08 +00:00			`boot.kernelParams = [`
nixos/hardened profile: slab/slub hardening slab_nomerge may reduce surface somewhat slub_debug is used to enable additional sanity checks and "red zones" around allocations to detect read/writes beyond the allocated area, as well as poisoning to overwrite free'd data. The cost is yet more memory fragmentation ... 2019-01-05 12:47:25 +00:00			`# Slab/slub sanity checks, redzoning, and poisoning`
			`"slub_debug=FZP"`

nixos/hardened profile: use the linux_hardened kernel 2017-04-29 23:22:32 +00:00			`# Overwrite free'd memory`
			`"page_poison=1"`

nixos-hardened: enable page alloc randomization 2019-08-15 16:24:24 +00:00			`# Enable page allocator randomization`
			`"page_alloc.shuffle=1"`
nixos/hardened profile: disable legacy virtual syscalls This eliminates a theoretical risk of ASLR bypass due to the fixed address mapping used by the legacy vsyscall mechanism. Modern glibc use vdso(7) instead so there is no loss of functionality, but some programs may fail to run in this configuration. Programs that fail to run because vsyscall has been disabled will be logged to dmesg. For background on virtual syscalls see https://lwn.net/Articles/446528/ Closes https://github.com/NixOS/nixpkgs/pull/25289 2017-04-29 15:27:08 +00:00			`];`

nixos/hardened: blacklist a few obscure net protocols 2017-09-02 23:49:01 +00:00			`boot.blacklistedKernelModules = [`
			`# Obscure network protocols`
			`"ax25"`
			`"netrom"`
			`"rose"`
nixos/hardened: blacklist old filesystems (#70482) The rationale for this is that old filesystems have recieved little scrutiny wrt. security relevant bugs. Lifted from OpenSUSE[1]. [1]: https://github.com/openSUSE/suse-module-tools/pull/5/commits/8cb42fb6658f210cb8c955d584a65f7b041c0575 Co-Authored-By: Renaud <c0bw3b@users.noreply.github.com> 2019-10-12 10:08:44 +00:00
			`# Old or rare or insufficiently audited filesystems`
			`"adfs"`
			`"affs"`
			`"bfs"`
			`"befs"`
			`"cramfs"`
			`"efs"`
			`"erofs"`
			`"exofs"`
			`"freevxfs"`
			`"f2fs"`
			`"hfs"`
			`"hpfs"`
			`"jfs"`
			`"minix"`
			`"nilfs2"`
nixos/hardened: update blacklisted filesystems https://github.com/openSUSE/suse-module-tools/blob/241a1582698c6a7f96f877a5ec64f478fdf90c82/suse-module-tools.spec#L24 2020-09-27 06:16:58 +00:00			`"ntfs"`
			`"omfs"`
nixos/hardened: blacklist old filesystems (#70482) The rationale for this is that old filesystems have recieved little scrutiny wrt. security relevant bugs. Lifted from OpenSUSE[1]. [1]: https://github.com/openSUSE/suse-module-tools/pull/5/commits/8cb42fb6658f210cb8c955d584a65f7b041c0575 Co-Authored-By: Renaud <c0bw3b@users.noreply.github.com> 2019-10-12 10:08:44 +00:00			`"qnx4"`
			`"qnx6"`
			`"sysv"`
			`"ufs"`
nixos/hardened: blacklist a few obscure net protocols 2017-09-02 23:49:01 +00:00			`];`

nixos: add a "hardened" profile The idea is to provide a convenient way to enable most vanilla hardening features in one go. The hardened profile, then, will serve as a place for features that enhance security but cannot be enabled for all deployments because they interfere with legitimate use cases (e.g., using ptrace to debug problems in an already running process). Closes https://github.com/NixOS/nixpkgs/pull/24680 2017-04-06 12:54:45 +00:00			`# Restrict ptrace() usage to processes with a pre-defined relationship`
			`# (e.g., parent/child)`
			`boot.kernel.sysctl."kernel.yama.ptrace_scope" = mkOverride 500 1;`

			`# Hide kptrs even for processes with CAP_SYSLOG`
			`boot.kernel.sysctl."kernel.kptr_restrict" = mkOverride 500 2;`

			`# Disable bpf() JIT (to eliminate spray attacks)`
			`boot.kernel.sysctl."net.core.bpf_jit_enable" = mkDefault false;`

nixos/hardened: disable ftrace by default 2019-07-04 16:50:48 +00:00			`# Disable ftrace debugging`
			`boot.kernel.sysctl."kernel.ftrace_enabled" = mkDefault false;`
nixos/hardened: harder inet defaults See e.g., https://github.com/NixOS/nixpkgs/issues/63768 Forwarding remains enabled for now, need to determine its effects on virtualization, if any. 2019-07-04 16:51:06 +00:00
nixos/systemd: install sysctl snippets systemd provides two sysctl snippets, 50-coredump.conf and 50-default.conf. These enable: - Loose reverse path filtering - Source route filtering - `fq_codel` as a packet scheduler (this helps to fight bufferbloat) This also configures the kernel to pass coredumps to `systemd-coredump`. These sysctl snippets can be found in `/etc/sysctl.d/50-*.conf`, and overridden via `boot.kernel.sysctl` (which will place the parameters in `/etc/sysctl.d/60-nixos.conf`. Let's start using these, like other distros already do for quite some time, and remove those duplicate `boot.kernel.sysctl` options we previously did set. In the case of rp_filter (which systemd would set to 2 (loose)), make our overrides to "1" more explicit. 2019-08-11 11:32:24 +00:00			`# Enable strict reverse path filtering (that is, do not attempt to route`
			`# packets that "obviously" do not belong to the iface's network; dropped`
			`# packets are logged as martians).`
nixos/hardened: harder inet defaults See e.g., https://github.com/NixOS/nixpkgs/issues/63768 Forwarding remains enabled for now, need to determine its effects on virtualization, if any. 2019-07-04 16:51:06 +00:00			`boot.kernel.sysctl."net.ipv4.conf.all.log_martians" = mkDefault true;`
nixos/systemd: install sysctl snippets systemd provides two sysctl snippets, 50-coredump.conf and 50-default.conf. These enable: - Loose reverse path filtering - Source route filtering - `fq_codel` as a packet scheduler (this helps to fight bufferbloat) This also configures the kernel to pass coredumps to `systemd-coredump`. These sysctl snippets can be found in `/etc/sysctl.d/50-*.conf`, and overridden via `boot.kernel.sysctl` (which will place the parameters in `/etc/sysctl.d/60-nixos.conf`. Let's start using these, like other distros already do for quite some time, and remove those duplicate `boot.kernel.sysctl` options we previously did set. In the case of rp_filter (which systemd would set to 2 (loose)), make our overrides to "1" more explicit. 2019-08-11 11:32:24 +00:00			`boot.kernel.sysctl."net.ipv4.conf.all.rp_filter" = mkDefault "1";`
nixos/hardened: harder inet defaults See e.g., https://github.com/NixOS/nixpkgs/issues/63768 Forwarding remains enabled for now, need to determine its effects on virtualization, if any. 2019-07-04 16:51:06 +00:00			`boot.kernel.sysctl."net.ipv4.conf.default.log_martians" = mkDefault true;`
nixos/systemd: install sysctl snippets systemd provides two sysctl snippets, 50-coredump.conf and 50-default.conf. These enable: - Loose reverse path filtering - Source route filtering - `fq_codel` as a packet scheduler (this helps to fight bufferbloat) This also configures the kernel to pass coredumps to `systemd-coredump`. These sysctl snippets can be found in `/etc/sysctl.d/50-*.conf`, and overridden via `boot.kernel.sysctl` (which will place the parameters in `/etc/sysctl.d/60-nixos.conf`. Let's start using these, like other distros already do for quite some time, and remove those duplicate `boot.kernel.sysctl` options we previously did set. In the case of rp_filter (which systemd would set to 2 (loose)), make our overrides to "1" more explicit. 2019-08-11 11:32:24 +00:00			`boot.kernel.sysctl."net.ipv4.conf.default.rp_filter" = mkDefault "1";`
nixos/hardened: harder inet defaults See e.g., https://github.com/NixOS/nixpkgs/issues/63768 Forwarding remains enabled for now, need to determine its effects on virtualization, if any. 2019-07-04 16:51:06 +00:00
			`# Ignore broadcast ICMP (mitigate SMURF)`
			`boot.kernel.sysctl."net.ipv4.icmp_echo_ignore_broadcasts" = mkDefault true;`

			`# Ignore incoming ICMP redirects (note: default is needed to ensure that the`
			`# setting is applied to interfaces added after the sysctls are set)`
			`boot.kernel.sysctl."net.ipv4.conf.all.accept_redirects" = mkDefault false;`
			`boot.kernel.sysctl."net.ipv4.conf.all.secure_redirects" = mkDefault false;`
			`boot.kernel.sysctl."net.ipv4.conf.default.accept_redirects" = mkDefault false;`
			`boot.kernel.sysctl."net.ipv4.conf.default.secure_redirects" = mkDefault false;`
			`boot.kernel.sysctl."net.ipv6.conf.all.accept_redirects" = mkDefault false;`
			`boot.kernel.sysctl."net.ipv6.conf.default.accept_redirects" = mkDefault false;`

			`# Ignore outgoing ICMP redirects (this is ipv4 only)`
			`boot.kernel.sysctl."net.ipv4.conf.all.send_redirects" = mkDefault false;`
			`boot.kernel.sysctl."net.ipv4.conf.default.send_redirects" = mkDefault false;`
nixos: add a "hardened" profile The idea is to provide a convenient way to enable most vanilla hardening features in one go. The hardened profile, then, will serve as a place for features that enhance security but cannot be enabled for all deployments because they interfere with legitimate use cases (e.g., using ptrace to debug problems in an already running process). Closes https://github.com/NixOS/nixpkgs/pull/24680 2017-04-06 12:54:45 +00:00			`}`