author Kyle Copperfield <kmcopper@danwin1210.me> 2019-11-19 09:57:23 +0000
committer Kyle Copperfield <kmcopper@danwin1210.me> 2019-11-19 14:56:09 +0000
commit 00ac71ab1932b395452209627011a32a63d81897
tree f14229a6df69b606a3e1bdf9c634a6107c995aee
parent 93e8c34e2e4bfb27c881270720cee933ae5ba336
nixos/hardened: build sandbox incompatible with namespaces
Disables the build sandbox by default to avoid incompatibility with
defaulting user namespaces to false. Ideally there would be some kind of
Linux kernel feature that allows us to trust nix-daemon builders to
allow both nix sandbox builds and disabling untrusted namespaces at the
same time.
-rw-r--r-- nixos/modules/profiles/hardened.nix | 2
1 files changed, 2 insertions, 0 deletions
diff --git a/nixos/modules/profiles/hardened.nix b/nixos/modules/profiles/hardened.nix
index f7b2f5c7fc1..33e4ddc3fb4 100644
--- a/nixos/modules/profiles/hardened.nix
+++ b/nixos/modules/profiles/hardened.nix
@@ -20,6 +20,8 @@ with lib;
 
   security.allowUserNamespaces = mkDefault false;
 
+  nix.useSandbox = mkDefault false;
+
   security.protectKernelImage = mkDefault true;
 
   security.allowSimultaneousMultithreading = mkDefault false;
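
Review bot: The added `nix.useSandbox = mkDefault false;` carries no comment, so the reason a profile named hardened turns off build sandboxing can only be recovered from the commit message. Add a comment above it that ties it to `security.allowUserNamespaces = mkDefault false;` two lines up, and state that anyone who overrides that option back to true should also set `nix.useSandbox` back to true, since the sandbox is the isolation layer being given up here. It may also be worth deriving the default from the namespace setting instead of hard-coding false, so the two options cannot drift apart; whether that is possible depends on `config` being in scope in this module, which the hunk does not show.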