diff options
author | Joachim Fasting <joachifm@fastmail.fm> | 2017-04-06 14:54:45 +0200 |
---|---|---|
committer | Joachim Fasting <joachifm@fastmail.fm> | 2017-04-23 11:00:52 +0200 |
commit | 063ac4030428da5230da2144ff32dbf681b1104b (patch) | |
tree | da25140ba662c57abab4ee05d87ff312e2389578 /nixos | |
parent | 1b3300bf01ccdb794af79440e650e6b6a043137e (diff) | |
download | nixpkgs-063ac4030428da5230da2144ff32dbf681b1104b.tar nixpkgs-063ac4030428da5230da2144ff32dbf681b1104b.tar.gz nixpkgs-063ac4030428da5230da2144ff32dbf681b1104b.tar.bz2 nixpkgs-063ac4030428da5230da2144ff32dbf681b1104b.tar.lz nixpkgs-063ac4030428da5230da2144ff32dbf681b1104b.tar.xz nixpkgs-063ac4030428da5230da2144ff32dbf681b1104b.tar.zst nixpkgs-063ac4030428da5230da2144ff32dbf681b1104b.zip |
nixos: add a "hardened" profile
The idea is to provide a convenient way to enable most vanilla hardening features in one go. The hardened profile, then, will serve as a place for features that enhance security but cannot be enabled for all deployments because they interfere with legitimate use cases (e.g., using ptrace to debug problems in an already running process). Closes https://github.com/NixOS/nixpkgs/pull/24680
Diffstat (limited to 'nixos')
-rw-r--r-- | nixos/modules/profiles/hardened.nix | 35 |
1 files changed, 35 insertions, 0 deletions
diff --git a/nixos/modules/profiles/hardened.nix b/nixos/modules/profiles/hardened.nix new file mode 100644 index 00000000000..9933f8b25f5 --- /dev/null +++ b/nixos/modules/profiles/hardened.nix @@ -0,0 +1,35 @@ +# A profile with most (vanilla) hardening options enabled by default, +# potentially at the cost of features and performance. + +{ config, lib, pkgs, ... }: + +with lib; + +{ + security.hideProcessInformation = mkDefault true; + + security.apparmor.enable = mkDefault true; + + # Restrict ptrace() usage to processes with a pre-defined relationship + # (e.g., parent/child) + boot.kernel.sysctl."kernel.yama.ptrace_scope" = mkOverride 500 1; + + # Prevent replacing the running kernel image w/o reboot + boot.kernel.sysctl."kernel.kexec_load_disabled" = mkDefault true; + + # Restrict access to kernel ring buffer (information leaks) + boot.kernel.sysctl."kernel.dmesg_restrict" = mkDefault true; + + # Hide kptrs even for processes with CAP_SYSLOG + boot.kernel.sysctl."kernel.kptr_restrict" = mkOverride 500 2; + + # Unprivileged access to bpf() has been used for privilege escalation in + # the past + boot.kernel.sysctl."kernel.unprivileged_bpf_disabled" = mkDefault true; + + # Disable bpf() JIT (to eliminate spray attacks) + boot.kernel.sysctl."net.core.bpf_jit_enable" = mkDefault false; + + # ... or at least apply some hardening to it + boot.kernel.sysctl."net.core.bpf_jit_harden" = mkDefault true; +} |