nixos/security: remove with lib;

Felix Buehler 2024-08-28 21:18:53 +02:00 committed by Jörg Thalheim
parent 30c85fe74d
commit c99cbe65c4


@ -1,10 +1,7 @@
{ config, lib, ... }: { config, lib, ... }:
with lib;
{ {
meta = { meta = {
maintainers = [ maintainers.joachifm ]; maintainers = [ lib.maintainers.joachifm ];
}; };
imports = [ imports = [
@ -12,8 +9,8 @@ with lib;
]; ];
options = { options = {
security.allowUserNamespaces = mkOption { security.allowUserNamespaces = lib.mkOption {
type = types.bool; type = lib.types.bool;
default = true; default = true;
description = '' description = ''
Whether to allow creation of user namespaces. Whether to allow creation of user namespaces.
@ -31,8 +28,8 @@ with lib;
''; '';
}; };
security.unprivilegedUsernsClone = mkOption { security.unprivilegedUsernsClone = lib.mkOption {
type = types.bool; type = lib.types.bool;
default = false; default = false;
description = '' description = ''
When disabled, unprivileged users will not be able to create new namespaces. When disabled, unprivileged users will not be able to create new namespaces.
@ -41,16 +38,16 @@ with lib;
''; '';
}; };
security.protectKernelImage = mkOption { security.protectKernelImage = lib.mkOption {
type = types.bool; type = lib.types.bool;
default = false; default = false;
description = '' description = ''
Whether to prevent replacing the running kernel image. Whether to prevent replacing the running kernel image.
''; '';
}; };
security.allowSimultaneousMultithreading = mkOption { security.allowSimultaneousMultithreading = lib.mkOption {
type = types.bool; type = lib.types.bool;
default = true; default = true;
description = '' description = ''
Whether to allow SMT/hyperthreading. Disabling SMT means that only Whether to allow SMT/hyperthreading. Disabling SMT means that only
@ -68,8 +65,8 @@ with lib;
''; '';
}; };
security.forcePageTableIsolation = mkOption { security.forcePageTableIsolation = lib.mkOption {
type = types.bool; type = lib.types.bool;
default = false; default = false;
description = '' description = ''
Whether to force-enable the Page Table Isolation (PTI) Linux kernel Whether to force-enable the Page Table Isolation (PTI) Linux kernel
@ -80,8 +77,8 @@ with lib;
''; '';
}; };
security.virtualisation.flushL1DataCache = mkOption { security.virtualisation.flushL1DataCache = lib.mkOption {
type = types.nullOr (types.enum [ "never" "cond" "always" ]); type = lib.types.nullOr (lib.types.enum [ "never" "cond" "always" ]);
default = null; default = null;
description = '' description = ''
Whether the hypervisor should flush the L1 data cache before Whether the hypervisor should flush the L1 data cache before
@ -100,8 +97,8 @@ with lib;
}; };
}; };
config = mkMerge [ config = lib.mkMerge [
(mkIf (!config.security.allowUserNamespaces) { (lib.mkIf (!config.security.allowUserNamespaces) {
# Setting the number of allowed user namespaces to 0 effectively disables # Setting the number of allowed user namespaces to 0 effectively disables
# the feature at runtime. Note that root may raise the limit again # the feature at runtime. Note that root may raise the limit again
# at any time. # at any time.
@ -114,26 +111,26 @@ with lib;
]; ];
}) })
(mkIf config.security.unprivilegedUsernsClone { (lib.mkIf config.security.unprivilegedUsernsClone {
boot.kernel.sysctl."kernel.unprivileged_userns_clone" = mkDefault true; boot.kernel.sysctl."kernel.unprivileged_userns_clone" = lib.mkDefault true;
}) })
(mkIf config.security.protectKernelImage { (lib.mkIf config.security.protectKernelImage {
# Disable hibernation (allows replacing the running kernel) # Disable hibernation (allows replacing the running kernel)
boot.kernelParams = [ "nohibernate" ]; boot.kernelParams = [ "nohibernate" ];
# Prevent replacing the running kernel image w/o reboot # Prevent replacing the running kernel image w/o reboot
boot.kernel.sysctl."kernel.kexec_load_disabled" = mkDefault true; boot.kernel.sysctl."kernel.kexec_load_disabled" = lib.mkDefault true;
}) })
(mkIf (!config.security.allowSimultaneousMultithreading) { (lib.mkIf (!config.security.allowSimultaneousMultithreading) {
boot.kernelParams = [ "nosmt" ]; boot.kernelParams = [ "nosmt" ];
}) })
(mkIf config.security.forcePageTableIsolation { (lib.mkIf config.security.forcePageTableIsolation {
boot.kernelParams = [ "pti=on" ]; boot.kernelParams = [ "pti=on" ];
}) })
(mkIf (config.security.virtualisation.flushL1DataCache != null) { (lib.mkIf (config.security.virtualisation.flushL1DataCache != null) {
boot.kernelParams = [ "kvm-intel.vmentry_l1d_flush=${config.security.virtualisation.flushL1DataCache}" ]; boot.kernelParams = [ "kvm-intel.vmentry_l1d_flush=${config.security.virtualisation.flushL1DataCache}" ];
}) })
]; ];
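Review bot: With `with lib;` gone from the module header, any bare `lib` identifier left in the unchanged context between these hunks would now be an undefined variable at evaluation time, and this page does not let me confirm there is none: the hunk at `@ -114,26 +111,26 @@` advertises 26 lines per side but only 21 are rendered here, so the body of the `allowUserNamespaces` branch between the "at any time." comment and the closing `];` is not visible, and the lines elided between the other hunks (the option descriptions and the assertion block) are likewise unseen. The visible changes themselves are consistent — every `mkOption`, `types.*`, `mkMerge`, `mkIf`, `mkDefault` and `maintainers.joachifm` is prefixed uniformly and no defaults or kernel parameters change. It would be worth stating in the commit description that the whole module was evaluated after the rewrite (a NixOS configuration importing this module under `nix-instantiate --eval` or a dry build), since a missed identifier in the elided lines fails only at evaluation, not at parse time.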