author | Kyle Copperfield <kmcopper@danwin1210.me> | 2019-11-19 09:57:23 +0000 |
---|---|---|
committer | Kyle Copperfield <kmcopper@danwin1210.me> | 2019-11-19 14:56:09 +0000 |
commit | 00ac71ab1932b395452209627011a32a63d81897 (patch) | |
tree | f14229a6df69b606a3e1bdf9c634a6107c995aee | |
parent | 93e8c34e2e4bfb27c881270720cee933ae5ba336 (diff) | |
nixos/hardened: build sandbox incompatible with namespaces
Disables the build sandbox by default to avoid incompatibility with defaulting user namespaces to false. Ideally there would be some kind of Linux kernel feature that allows us to trust nix-daemon builders to allow both nix sandbox builds and disabling untrusted namespaces at the same time.
-rw-r--r-- | nixos/modules/profiles/hardened.nix | 2 |
1 files changed, 2 insertions, 0 deletions
diff --git a/nixos/modules/profiles/hardened.nix b/nixos/modules/profiles/hardened.nix index f7b2f5c7fc1..33e4ddc3fb4 100644 --- a/nixos/modules/profiles/hardened.nix +++ b/nixos/modules/profiles/hardened.nix @@ -20,6 +20,8 @@ with lib; security.allowUserNamespaces = mkDefault false; + nix.useSandbox = mkDefault false; + security.protectKernelImage = mkDefault true; security.allowSimultaneousMultithreading = mkDefault false; |
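Review bot: The added `nix.useSandbox = mkDefault false;` has no comment in hardened.nix, so a reader of the profile sees build isolation being switched off inside a hardening profile with the reason recorded only in the commit message. Please add a comment directly above the line stating that it follows from `security.allowUserNamespaces = mkDefault false;` on the preceding line, and that anyone who overrides that option back to true should also set `nix.useSandbox` back to true. It is also worth considering whether the default can be derived from the value of `security.allowUserNamespaces` instead of a fixed `false`, so the two settings cannot drift apart; as written, a user who re-enables user namespaces still gets unsandboxed builds unless they know to change both options.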