From c99cbe65c4ffcab445f3c389cccf37788bbfdcee Mon Sep 17 00:00:00 2001
From: Felix Buehler
Date: Wed, 28 Aug 2024 21:18:53 +0200
Subject: [PATCH] nixos/security: remove `with lib;`

---
 nixos/modules/security/misc.nix | 47 +++++++++++++++------------------
 1 file changed, 22 insertions(+), 25 deletions(-)

diff --git a/nixos/modules/security/misc.nix b/nixos/modules/security/misc.nix
index 5e13b4caddd8..d3ffefe46fc6 100644
--- a/nixos/modules/security/misc.nix
+++ b/nixos/modules/security/misc.nix
@@ -1,10 +1,7 @@
 { config, lib, ... }:
-
-with lib;
-
 {
 meta = {
-maintainers = [ maintainers.joachifm ];
+maintainers = [ lib.maintainers.joachifm ];
 };
 
 imports = [
@@ -12,8 +9,8 @@ with lib;
 ];
 
 options = {
-security.allowUserNamespaces = mkOption {
-type = types.bool;
+security.allowUserNamespaces = lib.mkOption {
+type = lib.types.bool;
 default = true;
 description = ''
 Whether to allow creation of user namespaces.
@@ -31,8 +28,8 @@ with lib;
 '';
 };
 
-security.unprivilegedUsernsClone = mkOption {
-type = types.bool;
+security.unprivilegedUsernsClone = lib.mkOption {
+type = lib.types.bool;
 default = false;
 description = ''
 When disabled, unprivileged users will not be able to create new namespaces.
@@ -41,16 +38,16 @@ with lib;
 '';
 };
 
-security.protectKernelImage = mkOption {
-type = types.bool;
+security.protectKernelImage = lib.mkOption {
+type = lib.types.bool;
 default = false;
 description = ''
 Whether to prevent replacing the running kernel image.
 '';
 };
 
-security.allowSimultaneousMultithreading = mkOption {
-type = types.bool;
+security.allowSimultaneousMultithreading = lib.mkOption {
+type = lib.types.bool;
 default = true;
 description = ''
 Whether to allow SMT/hyperthreading. Disabling SMT means that only
@@ -68,8 +65,8 @@ with lib;
 '';
 };
 
-security.forcePageTableIsolation = mkOption {
-type = types.bool;
+security.forcePageTableIsolation = lib.mkOption {
+type = lib.types.bool;
 default = false;
 description = ''
 Whether to force-enable the Page Table Isolation (PTI) Linux kernel
@@ -80,8 +77,8 @@ with lib;
 '';
 };
 
-security.virtualisation.flushL1DataCache = mkOption {
-type = types.nullOr (types.enum [ "never" "cond" "always" ]);
+security.virtualisation.flushL1DataCache = lib.mkOption {
+type = lib.types.nullOr (lib.types.enum [ "never" "cond" "always" ]);
 default = null;
 description = ''
 Whether the hypervisor should flush the L1 data cache before
@@ -100,8 +97,8 @@ with lib;
 };
 };
 
-config = mkMerge [
-(mkIf (!config.security.allowUserNamespaces) {
+config = lib.mkMerge [
+(lib.mkIf (!config.security.allowUserNamespaces) {
 # Setting the number of allowed user namespaces to 0 effectively disables
 # the feature at runtime. Note that root may raise the limit again
 # at any time.
@@ -114,26 +111,26 @@ with lib;
 ];
 })
 
-(mkIf config.security.unprivilegedUsernsClone {
-boot.kernel.sysctl."kernel.unprivileged_userns_clone" = mkDefault true;
+(lib.mkIf config.security.unprivilegedUsernsClone {
+boot.kernel.sysctl."kernel.unprivileged_userns_clone" = lib.mkDefault true;
 })
 
-(mkIf config.security.protectKernelImage {
+(lib.mkIf config.security.protectKernelImage {
 # Disable hibernation (allows replacing the running kernel)
 boot.kernelParams = [ "nohibernate" ];
 # Prevent replacing the running kernel image w/o reboot
-boot.kernel.sysctl."kernel.kexec_load_disabled" = mkDefault true;
+boot.kernel.sysctl."kernel.kexec_load_disabled" = lib.mkDefault true;
 })
 
-(mkIf (!config.security.allowSimultaneousMultithreading) {
+(lib.mkIf (!config.security.allowSimultaneousMultithreading) {
 boot.kernelParams = [ "nosmt" ];
 })
 
-(mkIf config.security.forcePageTableIsolation {
+(lib.mkIf config.security.forcePageTableIsolation {
 boot.kernelParams = [ "pti=on" ];
 })
 
-(mkIf (config.security.virtualisation.flushL1DataCache != null) {
+(lib.mkIf (config.security.virtualisation.flushL1DataCache != null) {
 boot.kernelParams = [ "kvm-intel.vmentry_l1d_flush=${config.security.virtualisation.flushL1DataCache}" ];
 })
 ];
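Review bot: `boot.kernel.sysctl."kernel.kexec_load_disabled" = lib.mkDefault true;` applies the hardening at default priority, so a plain `boot.kernel.sysctl."kernel.kexec_load_disabled" = false;` in any other module silently wins over `security.protectKernelImage = true` with no conflict error; that is pre-existing, but nothing in the hunk says so, and because this sysctl is a one-way switch at runtime the comment above it should spell out both facts, e.g. `# Prevent replacing the running kernel image w/o reboot. mkDefault lets other modules override this; once set, the sysctl cannot be cleared again without a reboot.`. Likewise the last `lib.mkIf` only sets `kvm-intel.vmentry_l1d_flush`, so `security.virtualisation.flushL1DataCache` has no effect on non-Intel KVM hosts, which a one-line comment there would make explicit. The `config = lib.mkMerge [` list opens in the previous hunk and the lines between the two hunks are not shown, so it is worth confirming no unqualified `mkIf`/`mkDefault` remains there now that `with lib;` is gone.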