nixos/security/misc: init

A module for security options that are too small to warrant their own module.

The impetus for adding this module is to make it more convenient to override
the behavior of the hardened profile wrt user namespaces.
Without a dedicated option for user namespaces, the user needs to
1) know which sysctl knob controls userns
2) know how large a value the sysctl knob needs to allow e.g.,
   Nix sandbox builds to work

In the future, other mitigations currently enabled by the hardened profile may
be promoted to options in this module.

3 files changed, 42 insertions, 12 deletions

diff --git a/nixos/modules/module-list.nix b/nixos/modules/module-list.nix
index f55c32fa511..2bb41767b0b 100644
--- a/nixos/modules/module-list.nix
+++ b/nixos/modules/module-list.nix
@@ -149,6 +149,7 @@
   ./security/duosec.nix
   ./security/hidepid.nix
   ./security/lock-kernel-modules.nix
+  ./security/misc.nix
   ./security/oath.nix
   ./security/pam.nix
   ./security/pam_usb.nix
diff --git a/nixos/modules/profiles/hardened.nix b/nixos/modules/profiles/hardened.nix
index 2af8bf1f8e3..da47313f180 100644
--- a/nixos/modules/profiles/hardened.nix
+++ b/nixos/modules/profiles/hardened.nix
@@ -12,6 +12,8 @@ with lib;
 
   security.lockKernelModules = mkDefault true;
 
+  security.allowUserNamespaces = mkDefault false;
+
   security.apparmor.enable = mkDefault true;
 
   boot.kernelParams = [
@@ -55,18 +57,6 @@ with lib;
   # ... or at least apply some hardening to it
   boot.kernel.sysctl."net.core.bpf_jit_harden" = mkDefault true;
 
-  # A recurring problem with user namespaces is that there are
-  # still code paths where the kernel's permission checking logic
-  # fails to account for namespacing, instead permitting a
-  # namespaced process to act outside the namespace with the
-  # same privileges as it would have inside it.  This is particularly
-  # bad in the common case of running as root within the namespace.
-  #
-  # Setting the number of allowed user namespaces to 0 effectively disables
-  # the feature at runtime.  Attempting to create a user namespace
-  # with unshare will then fail with "no space left on device".
-  boot.kernel.sysctl."user.max_user_namespaces" = mkDefault 0;
-
   # Raise ASLR entropy for 64bit & 32bit, respectively.
   #
   # Note: mmap_rnd_compat_bits may not exist on 64bit.
diff --git a/nixos/modules/security/misc.nix b/nixos/modules/security/misc.nix
new file mode 100644
index 00000000000..42f872b7b08
--- /dev/null
+++ b/nixos/modules/security/misc.nix
@@ -0,0 +1,39 @@
+{ config, lib, ... }:
+
+with lib;
+
+{
+  meta = {
+    maintainers = [ maintainers.joachifm ];
+  };
+
+  options = {
+    security.allowUserNamespaces = mkOption {
+      type = types.bool;
+      default = true;
+      description = ''
+        Whether to allow creation of user namespaces.  A recurring problem
+        with user namespaces is the presence of code paths where the kernel's
+        permission checking logic fails to account for namespacing, instead
+        permitting a namespaced process to act outside the namespace with the
+        same privileges as it would have inside it.  This is particularly
+        damaging in the common case of running as root within the namespace.
+        When user namespace creation is disallowed, attempting to create
+        a user namespace fails with "no space left on device" (ENOSPC).
+      '';
+    };
+  };
+
+  config = mkIf (!config.security.allowUserNamespaces) {
+    # Setting the number of allowed user namespaces to 0 effectively disables
+    # the feature at runtime.  Note that root may raise the limit again
+    # at any time.
+    boot.kernel.sysctl."user.max_user_namespaces" = 0;
+
+    assertions = [
+      { assertion = config.nix.useSandbox -> config.security.allowUserNamespaces;
+        message = "`nix.useSandbox = true` conflicts with `!security.allowUserNamespaces`.";
+      }
+    ];
+  };
+}