colin/nixpkgs
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
5f349abc7b
nixpkgs/nixos/modules/security/misc.nix

Ignoring revisions in .git-blame-ignore-revs. Click here to bypass and see the normal blame view.

141 lines
4.9 KiB
Nix
Raw Normal View History

nixos/security/misc: init A module for security options that are too small to warrant their own module. The impetus for adding this module is to make it more convenient to override the behavior of the hardened profile wrt user namespaces. Without a dedicated option for user namespaces, the user needs to 1) know which sysctl knob controls userns 2) know how large a value the sysctl knob needs to allow e.g., Nix sandbox builds to work In the future, other mitigations currently enabled by the hardened profile may be promoted to options in this module.
2018-10-14 22:39:26 +00:00
{ config, lib, ... }:
with lib;
{
meta = {
maintainers = [ maintainers.joachifm ];
};
nixos/apparmor: improve code readability
2021-02-27 20:26:47 +00:00
imports = [
(lib.mkRenamedOptionModule [ "security" "virtualization" "flushL1DataCache" ] [ "security" "virtualisation" "flushL1DataCache" ])
];
nixos/security/misc: init A module for security options that are too small to warrant their own module. The impetus for adding this module is to make it more convenient to override the behavior of the hardened profile wrt user namespaces. Without a dedicated option for user namespaces, the user needs to 1) know which sysctl knob controls userns 2) know how large a value the sysctl knob needs to allow e.g., Nix sandbox builds to work In the future, other mitigations currently enabled by the hardened profile may be promoted to options in this module.
2018-10-14 22:39:26 +00:00
options = {
security.allowUserNamespaces = mkOption {
type = types.bool;
default = true;
nixos: remove all uses of lib.mdDoc these changes were generated with nixq 0.0.2, by running nixq ">> lib.mdDoc[remove] Argument[keep]" --batchmode nixos/**.nix nixq ">> mdDoc[remove] Argument[keep]" --batchmode nixos/**.nix nixq ">> Inherit >> mdDoc[remove]" --batchmode nixos/**.nix two mentions of the mdDoc function remain in nixos/, both of which are inside of comments. Since lib.mdDoc is already defined as just id, this commit is a no-op as far as Nix (and the built manual) is concerned.
2024-04-13 12:54:15 +00:00
description = ''
nixos/hardened: split description of allowUserNamespaces into paras
2019-04-21 09:50:52 +00:00
Whether to allow creation of user namespaces.
The motivation for disabling user namespaces is the potential
presence of code paths where the kernel's permission checking
logic fails to account for namespacing, instead permitting a
namespaced process to act outside the namespace with the same
privileges as it would have inside it. This is particularly
nixos/security/misc: init A module for security options that are too small to warrant their own module. The impetus for adding this module is to make it more convenient to override the behavior of the hardened profile wrt user namespaces. Without a dedicated option for user namespaces, the user needs to 1) know which sysctl knob controls userns 2) know how large a value the sysctl knob needs to allow e.g., Nix sandbox builds to work In the future, other mitigations currently enabled by the hardened profile may be promoted to options in this module.
2018-10-14 22:39:26 +00:00
damaging in the common case of running as root within the namespace.
nixos/hardened: split description of allowUserNamespaces into paras
2019-04-21 09:50:52 +00:00
When user namespace creation is disallowed, attempting to create a
user namespace fails with "no space left on device" (ENOSPC).
root may re-enable user namespace creation at runtime.
nixos/security/misc: init A module for security options that are too small to warrant their own module. The impetus for adding this module is to make it more convenient to override the behavior of the hardened profile wrt user namespaces. Without a dedicated option for user namespaces, the user needs to 1) know which sysctl knob controls userns 2) know how large a value the sysctl knob needs to allow e.g., Nix sandbox builds to work In the future, other mitigations currently enabled by the hardened profile may be promoted to options in this module.
2018-10-14 22:39:26 +00:00
'';
};
nixos/security/misc: factor out protectKernelImage Introduces the option security.protectKernelImage that is intended to control various mitigations to protect the integrity of the running kernel image (i.e., prevent replacing it without rebooting). This makes sense as a dedicated module as it is otherwise somewhat difficult to override for hardened profile users who want e.g., hibernation to work.
2018-12-16 09:37:36 +00:00
nixos/security/misc: add option unprivilegedUsernsClone
2020-08-23 10:17:53 +00:00
security.unprivilegedUsernsClone = mkOption {
type = types.bool;
default = false;
nixos: remove all uses of lib.mdDoc these changes were generated with nixq 0.0.2, by running nixq ">> lib.mdDoc[remove] Argument[keep]" --batchmode nixos/**.nix nixq ">> mdDoc[remove] Argument[keep]" --batchmode nixos/**.nix nixq ">> Inherit >> mdDoc[remove]" --batchmode nixos/**.nix two mentions of the mdDoc function remain in nixos/, both of which are inside of comments. Since lib.mdDoc is already defined as just id, this commit is a no-op as far as Nix (and the built manual) is concerned.
2024-04-13 12:54:15 +00:00
description = ''
nixos/security/misc: add option unprivilegedUsernsClone
2020-08-23 10:17:53 +00:00
When disabled, unprivileged users will not be able to create new namespaces.
By default unprivileged user namespaces are disabled.
This option only works in a hardened profile.
'';
};
nixos/security/misc: factor out protectKernelImage Introduces the option security.protectKernelImage that is intended to control various mitigations to protect the integrity of the running kernel image (i.e., prevent replacing it without rebooting). This makes sense as a dedicated module as it is otherwise somewhat difficult to override for hardened profile users who want e.g., hibernation to work.
2018-12-16 09:37:36 +00:00
security.protectKernelImage = mkOption {
type = types.bool;
default = false;
nixos: remove all uses of lib.mdDoc these changes were generated with nixq 0.0.2, by running nixq ">> lib.mdDoc[remove] Argument[keep]" --batchmode nixos/**.nix nixq ">> mdDoc[remove] Argument[keep]" --batchmode nixos/**.nix nixq ">> Inherit >> mdDoc[remove]" --batchmode nixos/**.nix two mentions of the mdDoc function remain in nixos/, both of which are inside of comments. Since lib.mdDoc is already defined as just id, this commit is a no-op as far as Nix (and the built manual) is concerned.
2024-04-13 12:54:15 +00:00
description = ''
nixos/security/misc: factor out protectKernelImage Introduces the option security.protectKernelImage that is intended to control various mitigations to protect the integrity of the running kernel image (i.e., prevent replacing it without rebooting). This makes sense as a dedicated module as it is otherwise somewhat difficult to override for hardened profile users who want e.g., hibernation to work.
2018-12-16 09:37:36 +00:00
Whether to prevent replacing the running kernel image.
'';
};
nixos/security/misc: expose l1tf mitigation option For the hardened profile enable flushing whenever the hypervisor enters the guest, but otherwise leave at kernel default (conditional flushing as of writing).
2018-12-26 21:22:55 +00:00
nixos/security/misc: expose SMT control option For the hardened profile disable symmetric multi threading. There seems to be no *proven* method of exploiting cache sharing between threads on the same CPU core, so this may be considered quite paranoid, considering the perf cost. SMT can be controlled at runtime, however. This is in keeping with OpenBSD defaults. TODO: since SMT is left to be controlled at runtime, changing the option definition should take effect on system activation. Write to /sys/devices/system/cpu/smt/control
2018-12-26 21:24:04 +00:00
security.allowSimultaneousMultithreading = mkOption {
type = types.bool;
default = true;
nixos: remove all uses of lib.mdDoc these changes were generated with nixq 0.0.2, by running nixq ">> lib.mdDoc[remove] Argument[keep]" --batchmode nixos/**.nix nixq ">> mdDoc[remove] Argument[keep]" --batchmode nixos/**.nix nixq ">> Inherit >> mdDoc[remove]" --batchmode nixos/**.nix two mentions of the mdDoc function remain in nixos/, both of which are inside of comments. Since lib.mdDoc is already defined as just id, this commit is a no-op as far as Nix (and the built manual) is concerned.
2024-04-13 12:54:15 +00:00
description = ''
nixos/security/misc: expose SMT control option For the hardened profile disable symmetric multi threading. There seems to be no *proven* method of exploiting cache sharing between threads on the same CPU core, so this may be considered quite paranoid, considering the perf cost. SMT can be controlled at runtime, however. This is in keeping with OpenBSD defaults. TODO: since SMT is left to be controlled at runtime, changing the option definition should take effect on system activation. Write to /sys/devices/system/cpu/smt/control
2018-12-26 21:24:04 +00:00
Whether to allow SMT/hyperthreading. Disabling SMT means that only
physical CPU cores will be usable at runtime, potentially at
significant performance cost.
The primary motivation for disabling SMT is to mitigate the risk of
leaking data between threads running on the same CPU core (due to
e.g., shared caches). This attack vector is unproven.
Disabling SMT is a supplement to the L1 data cache flushing mitigation
Renaming security.virtualization.flushL1DataCache to virtualisation Fixes #65044
2019-07-19 13:49:37 +00:00
(see [](#opt-security.virtualisation.flushL1DataCache))
nixos/security/misc: expose SMT control option For the hardened profile disable symmetric multi threading. There seems to be no *proven* method of exploiting cache sharing between threads on the same CPU core, so this may be considered quite paranoid, considering the perf cost. SMT can be controlled at runtime, however. This is in keeping with OpenBSD defaults. TODO: since SMT is left to be controlled at runtime, changing the option definition should take effect on system activation. Write to /sys/devices/system/cpu/smt/control
2018-12-26 21:24:04 +00:00
versus malicious VM guests (SMT could "bring back" previously flushed
data).
'';
};
nixos/hardened: make pti=on overridable Introduces a new security.forcePageTableIsolation option (default false on !hardened, true on hardened) that forces pti=on.
2019-07-30 00:24:56 +00:00
security.forcePageTableIsolation = mkOption {
type = types.bool;
default = false;
nixos: remove all uses of lib.mdDoc these changes were generated with nixq 0.0.2, by running nixq ">> lib.mdDoc[remove] Argument[keep]" --batchmode nixos/**.nix nixq ">> mdDoc[remove] Argument[keep]" --batchmode nixos/**.nix nixq ">> Inherit >> mdDoc[remove]" --batchmode nixos/**.nix two mentions of the mdDoc function remain in nixos/, both of which are inside of comments. Since lib.mdDoc is already defined as just id, this commit is a no-op as far as Nix (and the built manual) is concerned.
2024-04-13 12:54:15 +00:00
description = ''
nixos/hardened: make pti=on overridable Introduces a new security.forcePageTableIsolation option (default false on !hardened, true on hardened) that forces pti=on.
2019-07-30 00:24:56 +00:00
Whether to force-enable the Page Table Isolation (PTI) Linux kernel
feature even on CPU models that claim to be safe from Meltdown.
This hardening feature is most beneficial to systems that run untrusted
workloads that rely on address space isolation for security.
'';
};
Renaming security.virtualization.flushL1DataCache to virtualisation Fixes #65044
2019-07-19 13:49:37 +00:00
security.virtualisation.flushL1DataCache = mkOption {
nixos/security/misc: expose l1tf mitigation option For the hardened profile enable flushing whenever the hypervisor enters the guest, but otherwise leave at kernel default (conditional flushing as of writing).
2018-12-26 21:22:55 +00:00
type = types.nullOr (types.enum [ "never" "cond" "always" ]);
default = null;
nixos: remove all uses of lib.mdDoc these changes were generated with nixq 0.0.2, by running nixq ">> lib.mdDoc[remove] Argument[keep]" --batchmode nixos/**.nix nixq ">> mdDoc[remove] Argument[keep]" --batchmode nixos/**.nix nixq ">> Inherit >> mdDoc[remove]" --batchmode nixos/**.nix two mentions of the mdDoc function remain in nixos/, both of which are inside of comments. Since lib.mdDoc is already defined as just id, this commit is a no-op as far as Nix (and the built manual) is concerned.
2024-04-13 12:54:15 +00:00
description = ''
nixos/security/misc: expose l1tf mitigation option For the hardened profile enable flushing whenever the hypervisor enters the guest, but otherwise leave at kernel default (conditional flushing as of writing).
2018-12-26 21:22:55 +00:00
Whether the hypervisor should flush the L1 data cache before
entering guests.
nixos/*: convert varlist-using options to MD there are sufficiently few variable list around, and they are sufficiently simple, that it doesn't seem helpful to add another markdown extension for them. rendering differences are small, except in the tor module: admonitions inside other blocks cannot be made to work well with mistune (and likely most other markdown processors), so those had to be shuffled a bit. we also lose paragraph breaks in the list items due to how we have to render from markdown to docbook, but once we remove docbook from the pipeline those paragraph breaks will be restored.
2022-08-29 23:13:36 +00:00
See also [](#opt-security.allowSimultaneousMultithreading).
- `null`: uses the kernel default
- `"never"`: disables L1 data cache flushing entirely.
May be appropriate if all guests are trusted.
- `"cond"`: flushes L1 data cache only for pre-determined
code paths. May leak information about the host address space
layout.
- `"always"`: flushes L1 data cache every time the hypervisor
enters the guest. May incur significant performance cost.
nixos/security/misc: expose l1tf mitigation option For the hardened profile enable flushing whenever the hypervisor enters the guest, but otherwise leave at kernel default (conditional flushing as of writing).
2018-12-26 21:22:55 +00:00
'';
};
nixos/security/misc: init A module for security options that are too small to warrant their own module. The impetus for adding this module is to make it more convenient to override the behavior of the hardened profile wrt user namespaces. Without a dedicated option for user namespaces, the user needs to 1) know which sysctl knob controls userns 2) know how large a value the sysctl knob needs to allow e.g., Nix sandbox builds to work In the future, other mitigations currently enabled by the hardened profile may be promoted to options in this module.
2018-10-14 22:39:26 +00:00
};
nixos/security/misc: use mkMerge for easier extension
2018-11-24 17:37:46 +00:00
config = mkMerge [
(mkIf (!config.security.allowUserNamespaces) {
# Setting the number of allowed user namespaces to 0 effectively disables
# the feature at runtime. Note that root may raise the limit again
# at any time.
boot.kernel.sysctl."user.max_user_namespaces" = 0;
nixos/security/misc: init A module for security options that are too small to warrant their own module. The impetus for adding this module is to make it more convenient to override the behavior of the hardened profile wrt user namespaces. Without a dedicated option for user namespaces, the user needs to 1) know which sysctl knob controls userns 2) know how large a value the sysctl knob needs to allow e.g., Nix sandbox builds to work In the future, other mitigations currently enabled by the hardened profile may be promoted to options in this module.
2018-10-14 22:39:26 +00:00
nixos/security/misc: use mkMerge for easier extension
2018-11-24 17:37:46 +00:00
assertions = [
nixos/nix-daemon: use structural settings The `nix.*` options, apart from options for setting up the daemon itself, currently provide a lot of setting mappings for the Nix daemon configuration. The scope of the mapping yields convience, but the line where an option is considered essential is blurry. For instance, the `extra-sandbox-paths` mapping is provided without its primary consumer, and the corresponding `sandbox-paths` option is also not mapped. The current system increases the maintenance burden as maintainers have to closely follow upstream changes. In this case, there are two state versions of Nix which have to be maintained collectively, with different options avaliable. This commit aims to following the standard outlined in RFC 42[1] to implement a structural setting pattern. The Nix configuration is encoded at its core as key-value pairs which maps nicely to attribute sets, making it feasible to express in the Nix language itself. Some existing options are kept such as `buildMachines` and `registry` which present a simplified interface to managing the respective settings. The interface is exposed as `nix.settings`. Legacy configurations are mapped to their corresponding options under `nix.settings` for backwards compatibility. Various options settings in other nixos modules and relevant tests have been updated to use structural setting for consistency. The generation and validation of the configration file has been modified to use `writeTextFile` instead of `runCommand` for clarity. Note that validation is now mandatory as strict checking of options has been pushed down to the derivation level due to freeformType consuming unmatched options. Furthermore, validation can not occur when cross-compiling due to current limitations. A new option `publicHostKey` was added to the `buildMachines` submodule corresponding to the base64 encoded public host key settings exposed in the builder syntax. The build machine generation was subsequently rewritten to use `concatStringsSep` for better performance by grouping concatenations. [1] - https://github.com/NixOS/rfcs/blob/master/rfcs/0042-config-option.md
2021-11-19 22:36:26 +00:00
{ assertion = config.nix.settings.sandbox -> config.security.allowUserNamespaces;
message = "`nix.settings.sandbox = true` conflicts with `!security.allowUserNamespaces`.";
nixos/security/misc: use mkMerge for easier extension
2018-11-24 17:37:46 +00:00
}
];
})
nixos/security/misc: factor out protectKernelImage Introduces the option security.protectKernelImage that is intended to control various mitigations to protect the integrity of the running kernel image (i.e., prevent replacing it without rebooting). This makes sense as a dedicated module as it is otherwise somewhat difficult to override for hardened profile users who want e.g., hibernation to work.
2018-12-16 09:37:36 +00:00
nixos/security/misc: add option unprivilegedUsernsClone
2020-08-23 10:17:53 +00:00
(mkIf config.security.unprivilegedUsernsClone {
boot.kernel.sysctl."kernel.unprivileged_userns_clone" = mkDefault true;
})
nixos/security/misc: factor out protectKernelImage Introduces the option security.protectKernelImage that is intended to control various mitigations to protect the integrity of the running kernel image (i.e., prevent replacing it without rebooting). This makes sense as a dedicated module as it is otherwise somewhat difficult to override for hardened profile users who want e.g., hibernation to work.
2018-12-16 09:37:36 +00:00
(mkIf config.security.protectKernelImage {
# Disable hibernation (allows replacing the running kernel)
boot.kernelParams = [ "nohibernate" ];
# Prevent replacing the running kernel image w/o reboot
boot.kernel.sysctl."kernel.kexec_load_disabled" = mkDefault true;
})
nixos/security/misc: expose l1tf mitigation option For the hardened profile enable flushing whenever the hypervisor enters the guest, but otherwise leave at kernel default (conditional flushing as of writing).
2018-12-26 21:22:55 +00:00
nixos/security/misc: expose SMT control option For the hardened profile disable symmetric multi threading. There seems to be no *proven* method of exploiting cache sharing between threads on the same CPU core, so this may be considered quite paranoid, considering the perf cost. SMT can be controlled at runtime, however. This is in keeping with OpenBSD defaults. TODO: since SMT is left to be controlled at runtime, changing the option definition should take effect on system activation. Write to /sys/devices/system/cpu/smt/control
2018-12-26 21:24:04 +00:00
(mkIf (!config.security.allowSimultaneousMultithreading) {
boot.kernelParams = [ "nosmt" ];
})
nixos/hardened: make pti=on overridable Introduces a new security.forcePageTableIsolation option (default false on !hardened, true on hardened) that forces pti=on.
2019-07-30 00:24:56 +00:00
(mkIf config.security.forcePageTableIsolation {
boot.kernelParams = [ "pti=on" ];
})
Renaming security.virtualization.flushL1DataCache to virtualisation Fixes #65044
2019-07-19 13:49:37 +00:00
(mkIf (config.security.virtualisation.flushL1DataCache != null) {
boot.kernelParams = [ "kvm-intel.vmentry_l1d_flush=${config.security.virtualisation.flushL1DataCache}" ];
nixos/security/misc: expose l1tf mitigation option For the hardened profile enable flushing whenever the hypervisor enters the guest, but otherwise leave at kernel default (conditional flushing as of writing).
2018-12-26 21:22:55 +00:00
})
nixos/security/misc: use mkMerge for easier extension
2018-11-24 17:37:46 +00:00
];
nixos/security/misc: init A module for security options that are too small to warrant their own module. The impetus for adding this module is to make it more convenient to override the behavior of the hardened profile wrt user namespaces. Without a dedicated option for user namespaces, the user needs to 1) know which sysctl knob controls userns 2) know how large a value the sysctl knob needs to allow e.g., Nix sandbox builds to work In the future, other mitigations currently enabled by the hardened profile may be promoted to options in this module.
2018-10-14 22:39:26 +00:00
}
Reference in New Issue Copy Permalink