summary refs log tree commit diff
path: root/nixos/modules/security/misc.nix
diff options
context:
space:
mode:
Diffstat (limited to 'nixos/modules/security/misc.nix')
-rw-r--r--nixos/modules/security/misc.nix39
1 files changed, 39 insertions, 0 deletions
diff --git a/nixos/modules/security/misc.nix b/nixos/modules/security/misc.nix
new file mode 100644
index 00000000000..42f872b7b08
--- /dev/null
+++ b/nixos/modules/security/misc.nix
@@ -0,0 +1,39 @@
+{ config, lib, ... }:
+
+with lib;
+
+{
+  meta = {
+    maintainers = [ maintainers.joachifm ];
+  };
+
+  options = {
+    security.allowUserNamespaces = mkOption {
+      type = types.bool;
+      default = true;
+      description = ''
+        Whether to allow creation of user namespaces.  A recurring problem
+        with user namespaces is the presence of code paths where the kernel's
+        permission checking logic fails to account for namespacing, instead
+        permitting a namespaced process to act outside the namespace with the
+        same privileges as it would have inside it.  This is particularly
+        damaging in the common case of running as root within the namespace.
+        When user namespace creation is disallowed, attempting to create
+        a user namespace fails with "no space left on device" (ENOSPC).
+      '';
+    };
+  };
+
+  config = mkIf (!config.security.allowUserNamespaces) {
+    # Setting the number of allowed user namespaces to 0 effectively disables
+    # the feature at runtime.  Note that root may raise the limit again
+    # at any time.
+    boot.kernel.sysctl."user.max_user_namespaces" = 0;
+
+    assertions = [
+      { assertion = config.nix.useSandbox -> config.security.allowUserNamespaces;
+        message = "`nix.useSandbox = true` conflicts with `!security.allowUserNamespaces`.";
+      }
+    ];
+  };
+}
generated by cgit-pink 1.4.1 (git 2.36.1) at 2024-05-26 17:53:22 +0000