nixos/security/misc: add option unprivilegedUsernsClone

2020-08-23 13:17:53 +03:00 · 2020-08-23 13:17:53 +03:00 · e21e5a9483
commit e21e5a9483
parent 6a6d4c9b39
2 changed files with 18 additions and 1 deletions
--- a/nixos/modules/profiles/hardened.nix
+++ b/nixos/modules/profiles/hardened.nix
@ -1,7 +1,7 @@
 # A profile with most (vanilla) hardening options enabled by default,
 # potentially at the cost of features and performance.

-{ lib, pkgs, ... }:
+{ config, lib, pkgs, ... }:

 with lib;

@ -27,6 +27,9 @@ with lib;

  security.forcePageTableIsolation = mkDefault true;

+  # This is required by podman to run containers in rootless mode.
+  security.unprivilegedUsernsClone = mkDefault config.virtualisation.containers.enable;
+
  security.virtualisation.flushL1DataCache = mkDefault "always";

  security.apparmor.enable = mkDefault true;
--- a/nixos/modules/security/misc.nix
+++ b/nixos/modules/security/misc.nix
@ -27,6 +27,16 @@ with lib;
      '';
    };

+    security.unprivilegedUsernsClone = mkOption {
+      type = types.bool;
+      default = false;
+      description = ''
+        When disabled, unprivileged users will not be able to create new namespaces.
+        By default unprivileged user namespaces are disabled.
+        This option only works in a hardened profile.
+      '';
+    };
+
    security.protectKernelImage = mkOption {
      type = types.bool;
      default = false;
@ -115,6 +125,10 @@ with lib;
      ];
    })

+    (mkIf config.security.unprivilegedUsernsClone {
+      boot.kernel.sysctl."kernel.unprivileged_userns_clone" = mkDefault true;
+    })
+
    (mkIf config.security.protectKernelImage {
      # Disable hibernation (allows replacing the running kernel)
      boot.kernelParams = [ "nohibernate" ];