diff --git a/nixos/modules/profiles/hardened.nix b/nixos/modules/profiles/hardened.nix index ef8c0d74f062..7bff79e82730 100644 --- a/nixos/modules/profiles/hardened.nix +++ b/nixos/modules/profiles/hardened.nix @@ -1,7 +1,7 @@ # A profile with most (vanilla) hardening options enabled by default, # potentially at the cost of features and performance. -{ lib, pkgs, ... }: +{ config, lib, pkgs, ... }: with lib; @@ -27,6 +27,9 @@ with lib; security.forcePageTableIsolation = mkDefault true; + # This is required by podman to run containers in rootless mode. + security.unprivilegedUsernsClone = mkDefault config.virtualisation.containers.enable; + security.virtualisation.flushL1DataCache = mkDefault "always"; security.apparmor.enable = mkDefault true; diff --git a/nixos/modules/security/misc.nix b/nixos/modules/security/misc.nix index 16e3bfb14199..d51dbbb77f71 100644 --- a/nixos/modules/security/misc.nix +++ b/nixos/modules/security/misc.nix @@ -27,6 +27,16 @@ with lib; ''; }; + security.unprivilegedUsernsClone = mkOption { + type = types.bool; + default = false; + description = '' + When disabled, unprivileged users will not be able to create new namespaces. + By default unprivileged user namespaces are disabled. + This option only works in a hardened profile. + ''; + }; + security.protectKernelImage = mkOption { type = types.bool; default = false; @@ -115,6 +125,10 @@ with lib; ]; }) + (mkIf config.security.unprivilegedUsernsClone { + boot.kernel.sysctl."kernel.unprivileged_userns_clone" = mkDefault true; + }) + (mkIf config.security.protectKernelImage { # Disable hibernation (allows replacing the running kernel) boot.kernelParams = [ "nohibernate" ];