author | Joachim Fasting <joachifm@fastmail.fm> | 2018-12-16 10:37:36 +0100 |
committer | Joachim Fasting <joachifm@fastmail.fm> | 2018-12-27 15:00:47 +0100 |
commit | 84fb8820db6226a6e5333813d47da6d876243064 (patch) | |
tree | e213da41f9e8d4e974fe71e724442b8155578bd5 /nixos | |
parent | 9db84f6fcdb2616471abb6a427a2b21fe8a8255f (diff) | |
nixos/security/misc: factor out protectKernelImage
Introduces the option security.protectKernelImage that is intended to control various mitigations to protect the integrity of the running kernel image (i.e., prevent replacing it without rebooting). This makes sense as a dedicated module as it is otherwise somewhat difficult to override for hardened profile users who want e.g., hibernation to work.
Diffstat (limited to 'nixos')
-rw-r--r-- | nixos/modules/profiles/hardened.nix | 8 | ||||
-rw-r--r-- | nixos/modules/security/misc.nix | 15 | ||||
-rw-r--r-- | nixos/tests/hardened.nix | 6 |
3 files changed, 23 insertions, 6 deletions
diff --git a/nixos/modules/profiles/hardened.nix b/nixos/modules/profiles/hardened.nix
index 61e871bcaca..bad4cb81639 100644
--- a/nixos/modules/profiles/hardened.nix
+++ b/nixos/modules/profiles/hardened.nix
@@ -20,6 +20,8 @@ with lib;
 security.allowUserNamespaces = mkDefault false;
+ security.protectKernelImage = mkDefault true;
+
 security.apparmor.enable = mkDefault true;
 boot.kernelParams = [
@@ -28,9 +30,6 @@ with lib;
 # Disable legacy virtual syscalls
 "vsyscall=none"
-
- # Disable hibernation (allows replacing the running kernel)
- "nohibernate"
 ];
 boot.blacklistedKernelModules = [
@@ -44,9 +43,6 @@ with lib;
 # (e.g., parent/child)
 boot.kernel.sysctl."kernel.yama.ptrace_scope" = mkOverride 500 1;
- # Prevent replacing the running kernel image w/o reboot
- boot.kernel.sysctl."kernel.kexec_load_disabled" = mkDefault true;
-
 # Restrict access to kernel ring buffer (information leaks)
 boot.kernel.sysctl."kernel.dmesg_restrict" = mkDefault true;
diff --git a/nixos/modules/security/misc.nix b/nixos/modules/security/misc.nix
index f3fc6db22ea..b1db0bc8da8 100644
--- a/nixos/modules/security/misc.nix
+++ b/nixos/modules/security/misc.nix
@@ -22,6 +22,14 @@ with lib;
 a user namespace fails with "no space left on device" (ENOSPC).
 '';
 };
+
+ security.protectKernelImage = mkOption {
+ type = types.bool;
+ default = false;
+ description = ''
+ Whether to prevent replacing the running kernel image.
+ '';
+ };
 };
 config = mkMerge [
@@ -37,5 +45,12 @@ with lib;
 }
 ];
 })
+
+ (mkIf config.security.protectKernelImage {
+ # Disable hibernation (allows replacing the running kernel)
+ boot.kernelParams = [ "nohibernate" ];
+ # Prevent replacing the running kernel image w/o reboot
+ boot.kernel.sysctl."kernel.kexec_load_disabled" = mkDefault true;
+ })
 ];
 }
diff --git a/nixos/tests/hardened.nix b/nixos/tests/hardened.nix
index e10a6363164..683f56c45af 100644
--- a/nixos/tests/hardened.nix
+++ b/nixos/tests/hardened.nix
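Review bot: In the second misc.nix hunk, `boot.kernel.sysctl."kernel.kexec_load_disabled" = mkDefault true;` gives the mitigation the lowest definition priority, so any other module or user config that plainly assigns this key silently wins and the option's promise is not kept; a plain `boot.kernel.sysctl."kernel.kexec_load_disabled" = true;` would instead surface a definition conflict, and users who genuinely want it off can disable the option itself. The accompanying `boot.kernelParams = [ "nohibernate" ];` has no such override hole, which makes the asymmetry look unintentional rather than chosen. The option description in the first misc.nix hunk should also state what enabling it costs, since hibernation users are the motivating case in the commit message: e.g. `Whether to prevent replacing the running kernel image. Enabling this passes "nohibernate" on the kernel command line and sets the kernel.kexec_load_disabled sysctl, which cannot be cleared again without a reboot.`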
@@ -70,5 +70,11 @@ import ./make-test.nix ({ pkgs, ...} : {
 $machine->fail("su -l nobody -s /bin/sh -c 'nix ping-store'");
 $machine->succeed("su -l alice -c 'nix ping-store'") =~ "OK";
 };
+
+ # Test kernel image protection
+ subtest "kernelimage", sub {
+ $machine->fail("systemctl hibernate");
+ $machine->fail("systemctl kexec");
+ };
 '';
 })
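Review bot: The two `$machine->fail(...)` calls in the added "kernelimage" subtest can likely pass for reasons unrelated to the mitigation: `systemctl hibernate` also fails on a test VM with no swap to hibernate to, and `systemctl kexec` fails when no kernel has been staged for kexec, so the subtest would not notice protectKernelImage being dropped from the profile. Asserting the mechanisms directly is more robust, e.g. `$machine->succeed("cat /proc/sys/kernel/kexec_load_disabled") =~ /^1$/;` and `$machine->succeed("grep -q nohibernate /proc/cmdline");`, with the existing fail() checks kept as end-to-end confirmation. The enclosing test script starts outside the hunk.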