path: root/nixos/modules/profiles

Commit log (subject, author, date; merged commits are listed beneath their merge):
* Merge pull request #74378 from ttuegel/lxc-container  (adisbladis, 2020-04-25)
  docker-container: Remove /etc symlink

  * docker-container: Remove /etc symlink  (Thomas Tuegel, 2019-11-27)
    The system output usually contains a symlink from /etc to the static configuration for the benefit of the stage-1 script in the initrd. The stage-2 script is usually started in the real root without such a symlink. In a container, there is no stage-1 and the system output is used directly as a real root. If the symlink is present, setup-etc.pl will create a symlink cycle and the system cannot boot.

    There is no reason for the /etc link to exist in a container because setup-etc.pl will create the necessary files. The container module will now remove the /etc symlink and create an empty directory. The empty /etc is for container managers to populate it with site-specific settings; for example, to set the hostname. This is required to boot NixOS in an LXC container on another host.

    See also: #9735

* nixos/hardened: add emily to maintainers  (Emily, 2020-04-17)

* nixos/hardened: enable user namespaces for root  (Emily, 2020-04-17)
  linux-hardened sets kernel.unprivileged_userns_clone=0 by default; see anthraxx/linux-hardened@104f44058f058a395502192c4939645df6f52ecb. This allows the Nix sandbox to function while reducing the attack surface posed by user namespaces, which allow unprivileged code to exercise lots of root-only code paths and have led to privilege escalation vulnerabilities in the past.

  We can safely leave user namespaces on for privileged users, as root already has root privileges, but if you're not running builds on your machine and really want to minimize the kernel attack surface then you can set security.allowUserNamespaces to false.

  Note that Chrome's sandbox requires either unprivileged CLONE_NEWUSER or setuid, and Firefox's silently reduces the security level if it isn't allowed (see about:support), so desktop users may want to set:

      boot.kernel.sysctl."kernel.unprivileged_userns_clone" = true;

* nixos/hardened: don't set vm.unprivileged_userfaultfd  (Emily, 2020-04-17)
  Upstreamed in anthraxx/linux-hardened@a712392b88b3cbc8385fd97be87a43db2ad7ecf0.

* nixos/hardened: don't set vm.mmap_min_addr  (Emily, 2020-04-17)
  Upstreamed in anthraxx/linux-hardened@f1fe0a64dd532551b048d97b35473c25809f7a0f.

* nixos/hardened: don't set vm.mmap_rnd{,_compat}_bits  (Emily, 2020-04-17)
  Upstreamed in anthraxx/linux-hardened@ae6d85f437dddf8f5a9076019cdfbb7788a9c154.

* nixos/hardened: don't set net.core.bpf_jit_harden  (Emily, 2020-04-17)
  Upstreamed in anthraxx/linux-hardened@82e384401d441d42efad9830ab31650a7ea571db.

* nixos/hardened: don't set kernel.unprivileged_bpf_disabled  (Emily, 2020-04-17)
  Upstreamed in anthraxx/linux-hardened@1a3e0c283028533527595a91d9504d2b7eabc977.

* nixos/hardened: don't set kernel.dmesg_restrict  (Emily, 2020-04-17)
  Upstreamed in anthraxx/linux-hardened@e3d3f13ffb1a5ff507a8ecae52e3d1fa05d30a07.

* nixos/hardened: don't set vsyscall=none  (Emily, 2020-04-17)
  Upstreamed in anthraxx/linux-hardened@d300b0fdad706daab3a36a8d23b35ebe03c3fc87.

* nixos/hardened: don't set slab_nomerge  (Emily, 2020-04-17)
  Upstreamed in anthraxx/linux-hardened@df29f9248c6b2459dcaae216dc6f4751fab4ff3b.
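The user-namespace commit and the run of "don't set X, upstreamed" commits above name the sysctls that the hardened profile no longer sets because linux-hardened now defaults them itself. Whether a given machine actually runs such a kernel is not something the profile can check for you, so the script below is an added example (not code from nixpkgs or linux-hardened) that reads each of those keys from /proc/sys and reports OK, WEAK or MISSING. The expected values in the table and the ROOT prefix, which lets the same checks run against a constructed tree, are this example's own assumptions; the commit messages state only that kernel.unprivileged_userns_clone defaults to 0 and that a desktop user may deliberately turn it back on, which the audit reports as WEAK rather than silently accepting. vm.mmap_rnd{,_compat}_bits are left out because their maximum depends on the architecture.

```shell
#!/bin/sh
# Added example, not code from nixpkgs or linux-hardened. Reads the sysctls
# that the hardened profile stopped setting (linux-hardened now defaults
# them) plus kernel.unprivileged_userns_clone and reports OK / WEAK / MISSING.
# ROOT is prefixed to /proc/sys so the audit can run against a constructed
# tree; the "want" column is this audit's assumption about a hardened box,
# not a value quoted from the commit messages.

# key  comparison  expected
HARDENED_SYSCTLS='
kernel.unprivileged_userns_clone eq 0
vm.unprivileged_userfaultfd      eq 0
kernel.unprivileged_bpf_disabled ge 1
net.core.bpf_jit_harden          ge 2
kernel.dmesg_restrict            ge 1
vm.mmap_min_addr                 ge 65536
'

# /proc/sys path for a dotted key. Keys whose last component itself contains
# a dot (per-interface net.ipv4.conf.* entries) are ambiguous under this
# mapping; none of the keys audited here are.
sysctl_path() {
    printf '%s/proc/sys/%s\n' "$1" "$(printf '%s' "$2" | tr . /)"
}

# Current value of a key, or nothing when the running kernel does not expose
# it (unprivileged_userns_clone only exists on kernels carrying that patch).
sysctl_read() {
    p=$(sysctl_path "$1" "$2")
    if [ -r "$p" ]; then
        tr -d '[:space:]' < "$p"
    fi
}

# One report line per key. Returns 0 only when every key is OK, so the
# function can gate a deployment check. WEAK covers deliberate loosening
# (the desktop unprivileged_userns_clone=1 override) as well as mistakes.
audit_sysctls() {
    root=${1:-}
    rc=0
    while read -r key op want; do
        [ -n "$key" ] || continue
        val=$(sysctl_read "$root" "$key")
        if [ -z "$val" ]; then
            echo "MISSING $key (want $op $want)"
            rc=1
            continue
        fi
        ok=0
        case $val in
            *[!0-9]*) ;;   # non-numeric content is never OK
            *)
                if [ "$op" = eq ] && [ "$val" -eq "$want" ]; then ok=1
                elif [ "$op" = ge ] && [ "$val" -ge "$want" ]; then ok=1
                fi ;;
        esac
        if [ "$ok" -eq 1 ]; then
            echo "OK      $key=$val"
        else
            echo "WEAK    $key=$val (want $op $want)"
            rc=1
        fi
    done <<EOF
$HARDENED_SYSCTLS
EOF
    return $rc
}

# Stand-alone use: sh hardened-sysctl-audit.sh --run   (audits the live kernel)
if [ "${1:-}" = --run ]; then
    audit_sysctls ""
fi
```

On a host without the linux-hardened patch set, kernel.unprivileged_userns_clone shows up as MISSING: the profile's reasoning about the Nix sandbox versus user-namespace attack surface simply does not apply there, and the other keys then need to be set explicitly (for example through boot.kernel.sysctl) rather than inherited from the kernel default.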
* Revert "nixos/hardened: build sandbox incompatible with namespaces"  (Florian Klink, 2020-04-05)
  As discussed in https://github.com/NixOS/nixpkgs/pull/73763, prevailing consensus is to revert that commit. People use the hardened profile on machines and run nix builds, and there's no good reason to use unsandboxed builds at all unless you're on a platform that doesn't support them.

  This reverts commit 00ac71ab1932b395452209627011a32a63d81897.

* Merge pull request #73763 from kmcopper/hardening-profile  (Joachim F, 2020-04-03)
  Improvements to the NixOS Hardened Profile

  * nixos/hardened: scudo default allocator; zero by default, allow override.  (Kyle Copperfield, 2019-11-26)

  * nixos/hardened: build sandbox incompatible with namespaces  (Kyle Copperfield, 2019-11-19)
    Disables the build sandbox by default to avoid incompatibility with defaulting user namespaces to false. Ideally there would be some kind of linux kernel feature that allows us to trust nix-daemon builders to allow both nix sandbox builds and disabling untrusted namespaces at the same time.

* Remove unused 'rogue' service  (Eelco Dolstra, 2020-03-24)

* services/misc/nixos-manual.nix: Remove  (Eelco Dolstra, 2020-03-24)
  Running the manual on a TTY is useless in the graphical ISOs and not particularly useful in non-graphical ISOs (since you can also run 'nixos-help').

  Fixes #83157.

* nixos/plasma5: drop enableQt4Support option  (Jan Tojnar, 2019-11-22)
  Phonon no longer supports Qt4 so this is useless.

* profiles/graphical.nix: Drop systemWide pulseaudio in iso  (Elis Hirwing, 2019-11-11)
  It's not needed since #66338 and should have been done earlier. This is based on a follow-up on #56167.

* Revert "installer: Disable udisks"  (Franz Pletz, 2019-10-16)
  This reverts commit 571fb74f449aa173e231166515b41feb778524b8. The dependency on gtk2 was removed.

  Co-authored-by: Florian Klink <flokli@flokli.de>

* nixos/hardened: blacklist old filesystems (#70482)  (Joachim F, 2019-10-12)
  The rationale for this is that old filesystems have received little scrutiny wrt. security relevant bugs. Lifted from OpenSUSE[1].

  [1]: https://github.com/openSUSE/suse-module-tools/pull/5/commits/8cb42fb6658f210cb8c955d584a65f7b041c0575

  Co-Authored-By: Renaud <c0bw3b@users.noreply.github.com>

* qemu-guest: allow overriding security.rngd  (Matthieu Coudron, 2019-09-18)
  ... otherwise enabling it causes a merge conflict. Enabling it was necessary to give enough entropy for the sshd daemon in my libvirt/nixops VM to generate keys, see https://github.com/NixOS/nixops/issues/1199.

* Merge pull request #63773 from flokli/installation-device-fixes  (Florian Klink, 2019-08-31)
  installation-device.nix: explain sshd usage, don't include clone-config

  * nixos/installation-device.nix: explain sshd usage  (Florian Klink, 2019-08-19)

* Merge pull request #66687 from joachifm/feat/hardened-nixos-revert-graphene-malloc  (Marek Mahut, 2019-08-19)
  Revert "nixos/hardened: use graphene-hardened malloc by default"

  * Revert "nixos/hardened: use graphene-hardened malloc by default"  (Joachim Fasting, 2019-08-15)
    This reverts commit 48ff4f119735dc60c3e2794a71b00757b838d877.

    Causes too much breakage to be enabled by default [1][2].

    [1]: https://github.com/NixOS/nixpkgs/issues/61489
    [2]: https://github.com/NixOS/nixpkgs/issues/65000

* nixos/systemd: install sysctl snippets  (Florian Klink, 2019-08-18)
  systemd provides two sysctl snippets, 50-coredump.conf and 50-default.conf. These enable:

  - Loose reverse path filtering
  - Source route filtering
  - `fq_codel` as a packet scheduler (this helps to fight bufferbloat)

  This also configures the kernel to pass coredumps to `systemd-coredump`.

  These sysctl snippets can be found in `/etc/sysctl.d/50-*.conf`, and overridden via `boot.kernel.sysctl` (which will place the parameters in `/etc/sysctl.d/60-nixos.conf`).

  Let's start using these, like other distros already do for quite some time, and remove those duplicate `boot.kernel.sysctl` options we previously did set.

  In the case of rp_filter (which systemd would set to 2 (loose)), make our overrides to "1" more explicit.
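The precedence the commit message above relies on, a key in 60-nixos.conf overriding the same key in 50-default.conf, comes from how systemd-sysctl walks a sysctl.d directory. The helper below is an added example, not systemd or nixpkgs code: it applies the *.conf files of one directory in lexical filename order with later settings winning, accepts both the dotted and the slashed spelling of a key and the leading "-" that marks a setting whose write errors are to be ignored, and prints the value a key ends up with. The directory layout it assumes and the sample files in the usage are constructed to mirror the rp_filter case from the message; real systemd additionally merges /usr/lib, /run and /etc by file name, which this single-directory helper does not attempt.

```shell
#!/bin/sh
# Added example, not systemd or nixpkgs code: compute the effective value of
# a sysctl key across the *.conf snippets of one sysctl.d directory, using
# the rule systemd-sysctl applies (files in lexical filename order, later
# settings override earlier ones). Real systemd also merges
# /usr/lib/sysctl.d, /run/sysctl.d and /etc/sysctl.d by file name; this
# helper deliberately looks at a single directory.

# sysctl.d accepts "net.ipv4.conf.all.rp_filter" and
# "net/ipv4/conf/all/rp_filter" as the same key; compare in dotted form.
norm_key() {
    printf '%s\n' "$1" | tr / .
}

# Print the value KEY has after applying every *.conf in DIR, or nothing if
# no snippet sets it. Comment lines start with # or ;, assignments are
# "key = value" or "key=value", and a leading "-" (ignore write errors)
# is stripped from the key before comparison.
sysctl_d_effective() {
    dir=$1
    want=$(norm_key "$2")
    result=
    for f in "$dir"/*.conf; do              # glob expansion is sorted
        [ -e "$f" ] || continue             # no match: pattern left literal
        while IFS= read -r line || [ -n "$line" ]; do
            line=${line#"${line%%[![:space:]]*}"}   # drop leading blanks
            case $line in
                ''|'#'*|';'*) continue ;;
                *=*) ;;
                *) continue ;;              # not an assignment
            esac
            key=${line%%=*}
            val=${line#*=}
            key=$(printf '%s' "$key" | sed 's/^-//; s/[[:space:]]*$//')
            val=$(printf '%s' "$val" | sed 's/^[[:space:]]*//; s/[[:space:]]*$//')
            if [ "$(norm_key "$key")" = "$want" ]; then
                result=$val                 # later file / later line wins
            fi
        done < "$f"
    done
    if [ -n "$result" ]; then
        printf '%s\n' "$result"
    fi
}

# Stand-alone use: sh sysctl-d-effective.sh /etc/sysctl.d net.ipv4.conf.all.rp_filter
if [ $# -eq 2 ]; then
    sysctl_d_effective "$1" "$2"
fi
```

Running it against a directory holding a constructed 50-default.conf with `net.ipv4.conf.all.rp_filter = 2` and a 60-nixos.conf with `-net/ipv4/conf/all/rp_filter=1` prints 1, which is the explicit override the commit message describes; a key set only in 50-default.conf keeps the systemd value.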
* nixos-hardened: disable unprivileged userfaultfd syscalls  (Joachim Fasting, 2019-08-15)
  New in 5.2 [1]

  [1]: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=cefdca0a86be517bc390fc4541e3674b8e7803b0

* nixos-hardened: enable page alloc randomization  (Joachim Fasting, 2019-08-15)

* installer: Don't run as root  (worldofpeace, 2019-08-12)
  There are many reasons why it is and is going to continue to be difficult to do this:

  1. All display-managers (excluding slim) default PAM rules disallow root auto login.
  2. We can't use wayland
  3. We have to use system-wide pulseaudio
  4. It could break applications in the session. This happened to dolphin in plasma5 in the past.

  This is a growing technical debt, let's just use passwordless sudo.

* nixos/hardened: make pti=on overridable  (Pierre Bourdon, 2019-07-30)
  Introduces a new security.forcePageTableIsolation option (default false on !hardened, true on hardened) that forces pti=on.

* Renaming security.virtualization.flushL1DataCache to virtualisation  (Marek Mahut, 2019-07-19)
  Fixes #65044

* nixos/hardened: harder inet defaults  (Joachim Fasting, 2019-07-04)
  See e.g., https://github.com/NixOS/nixpkgs/issues/63768

  Forwarding remains enabled for now, need to determine its effects on virtualization, if any.

* nixos/hardened: disable ftrace by default  (Joachim Fasting, 2019-07-04)

* nixos/hardened: use graphene-hardened malloc by default  (Joachim Fasting, 2019-05-07)

* profiles/graphical.nix: Enable pulseaudio for virtualbox appliances  (Elis Hirwing, 2019-02-22)

* types.optionSet: deprecate and remove last usages  (danbst, 2019-01-31)

* modules/profiles/minimal: sound is disabled by default  (Profpatsch, 2019-01-13)
  The option is `false` by default since e349ccc77febd45abbd14be14f7de123ec4a4da2, so we don't need to mention it explicitly in these minimal configs.

* nixos/hardened profile: always enable pti  (Joachim Fasting, 2019-01-05)

* nixos/hardened profile: slab/slub hardening  (Joachim Fasting, 2019-01-05)
  slab_nomerge may reduce surface somewhat.

  slub_debug is used to enable additional sanity checks and "red zones" around allocations to detect read/writes beyond the allocated area, as well as poisoning to overwrite free'd data. The cost is yet more memory fragmentation ...

* nixos/security/misc: expose SMT control option  (Joachim Fasting, 2018-12-27)
  For the hardened profile disable symmetric multi threading. There seems to be no *proven* method of exploiting cache sharing between threads on the same CPU core, so this may be considered quite paranoid, considering the perf cost. SMT can be controlled at runtime, however. This is in keeping with OpenBSD defaults.

  TODO: since SMT is left to be controlled at runtime, changing the option definition should take effect on system activation. Write to /sys/devices/system/cpu/smt/control

* nixos/security/misc: expose l1tf mitigation option  (Joachim Fasting, 2018-12-27)
  For the hardened profile enable flushing whenever the hypervisor enters the guest, but otherwise leave at kernel default (conditional flushing as of writing).

* nixos/security/misc: factor out protectKernelImage  (Joachim Fasting, 2018-12-27)
  Introduces the option security.protectKernelImage that is intended to control various mitigations to protect the integrity of the running kernel image (i.e., prevent replacing it without rebooting).

  This makes sense as a dedicated module as it is otherwise somewhat difficult to override for hardened profile users who want e.g., hibernation to work.

* Revert "zfs cannot be distributed. Disabling it in the isos."  (Graham Christensen, 2018-11-26)
  ZFS's popularity is growing, and not including it by default is a bit frustrating. On top of that, the base iso includes ZFS _anyway_ due to other packages depending upon it.

  I think we're in the clear to do this on the basis that Oracle probably doesn't care, it is probably fine (the SFLC agrees) and we're a small fish. If a copyright holder asks us to, we can definitely revert it again.

  This reverts commit 33d07c7ea9f0d05d47dd4b41ded3b261380acfac.

* Merge branch 'master' of https://github.com/nixos/nixpkgs into tarball-closureinfo  (Ding Xiang Fei, 2018-11-26)

  * nixos/hardened: restrict access to nix daemon  (Joachim Fasting, 2018-11-24)

* Merge branch 'master' of https://github.com/nixos/nixpkgs into tarball-closureinfo  (Ding Xiang Fei, 2018-11-14)

  * Merge pull request #49326 from c0bw3b/nixos/installation-device  (Eelco Dolstra, 2018-10-30)
    nixos/installation-device: set GC initial heap size to 1MB

    * installation-device: set GC initial heap size to 1MB  (Renaud, 2018-10-28)
      100000 (100kB) is too aggressive (too low) and gets ignored by the GC. See issue #43339