authorIzorkin <izorkin@elven.pw>2020-08-23 13:17:53 +0300
committerIzorkin <izorkin@elven.pw>2020-08-25 14:18:24 +0300
commite21e5a94839383e542f2e4b5629e9087658e0984 (patch)
tree0a3b31292a271ccbdaf8c17d4086c54f88b6b62b /nixos/modules/security/misc.nix
parent6a6d4c9b39a4e1e85b0241c6eff1f99d282d9a4f (diff)
nixos/security/misc: add option unprivilegedUsernsClone
Diffstat (limited to 'nixos/modules/security/misc.nix')
-rw-r--r--nixos/modules/security/misc.nix14
1 files changed, 14 insertions, 0 deletions
diff --git a/nixos/modules/security/misc.nix b/nixos/modules/security/misc.nix
index 16e3bfb1419..d51dbbb77f7 100644
--- a/nixos/modules/security/misc.nix
+++ b/nixos/modules/security/misc.nix
@@ -27,6 +27,16 @@ with lib;
       '';
     };
 
+    security.unprivilegedUsernsClone = mkOption {
+      type = types.bool;
+      default = false;
+      description = ''
+        When disabled, unprivileged users will not be able to create new namespaces.
+        By default unprivileged user namespaces are disabled.
+        This option only works in a hardened profile.
+      '';
+    };
+
     security.protectKernelImage = mkOption {
       type = types.bool;
       default = false;
@@ -115,6 +125,10 @@ with lib;
       ];
     })
 
+    (mkIf config.security.unprivilegedUsernsClone {
+      boot.kernel.sysctl."kernel.unprivileged_userns_clone" = mkDefault true;
+    })
+
     (mkIf config.security.protectKernelImage {
       # Disable hibernation (allows replacing the running kernel)
       boot.kernelParams = [ "nohibernate" ];
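Review bot: The sysctl key written at L49 exists only on kernels built with the hardened patch set; on a stock kernel the write fails during boot-time sysctl application and the option silently has no effect, with nothing in the module surfacing that to the user. Because the assignment uses `mkDefault`, it also sits at the same priority as any `mkDefault false` a profile may already place on the same key (the hardened profile presumably does, as the option's own description implies) — two `mkDefault` definitions with different values would make evaluation fail rather than let this option win. Since the option is only reached when the user explicitly enabled it, a plain `boot.kernel.sysctl."kernel.unprivileged_userns_clone" = true;` expresses that intent and overrides a profile default cleanly; adding `# sysctl provided only by kernels with the hardened patch set; a no-op elsewhere` above it would document the dependency in the code as well.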