nixos/security: remove with lib;

This commit is contained in:
Felix Buehler 2024-08-28 21:18:53 +02:00 committed by Jörg Thalheim
parent 30c85fe74d
commit c99cbe65c4


@ -1,10 +1,7 @@
{ config, lib, ... }:
with lib;
{
meta = {
maintainers = [ maintainers.joachifm ];
maintainers = [ lib.maintainers.joachifm ];
};
imports = [
@ -12,8 +9,8 @@ with lib;
];
options = {
security.allowUserNamespaces = mkOption {
type = types.bool;
security.allowUserNamespaces = lib.mkOption {
type = lib.types.bool;
default = true;
description = ''
Whether to allow creation of user namespaces.
@ -31,8 +28,8 @@ with lib;
'';
};
security.unprivilegedUsernsClone = mkOption {
type = types.bool;
security.unprivilegedUsernsClone = lib.mkOption {
type = lib.types.bool;
default = false;
description = ''
When disabled, unprivileged users will not be able to create new namespaces.
@ -41,16 +38,16 @@ with lib;
'';
};
security.protectKernelImage = mkOption {
type = types.bool;
security.protectKernelImage = lib.mkOption {
type = lib.types.bool;
default = false;
description = ''
Whether to prevent replacing the running kernel image.
'';
};
security.allowSimultaneousMultithreading = mkOption {
type = types.bool;
security.allowSimultaneousMultithreading = lib.mkOption {
type = lib.types.bool;
default = true;
description = ''
Whether to allow SMT/hyperthreading. Disabling SMT means that only
@ -68,8 +65,8 @@ with lib;
'';
};
security.forcePageTableIsolation = mkOption {
type = types.bool;
security.forcePageTableIsolation = lib.mkOption {
type = lib.types.bool;
default = false;
description = ''
Whether to force-enable the Page Table Isolation (PTI) Linux kernel
@ -80,8 +77,8 @@ with lib;
'';
};
security.virtualisation.flushL1DataCache = mkOption {
type = types.nullOr (types.enum [ "never" "cond" "always" ]);
security.virtualisation.flushL1DataCache = lib.mkOption {
type = lib.types.nullOr (lib.types.enum [ "never" "cond" "always" ]);
default = null;
description = ''
Whether the hypervisor should flush the L1 data cache before
@ -100,8 +97,8 @@ with lib;
};
};
config = mkMerge [
(mkIf (!config.security.allowUserNamespaces) {
config = lib.mkMerge [
(lib.mkIf (!config.security.allowUserNamespaces) {
# Setting the number of allowed user namespaces to 0 effectively disables
# the feature at runtime. Note that root may raise the limit again
# at any time.
@ -114,26 +111,26 @@ with lib;
];
})
(mkIf config.security.unprivilegedUsernsClone {
boot.kernel.sysctl."kernel.unprivileged_userns_clone" = mkDefault true;
(lib.mkIf config.security.unprivilegedUsernsClone {
boot.kernel.sysctl."kernel.unprivileged_userns_clone" = lib.mkDefault true;
})
(mkIf config.security.protectKernelImage {
(lib.mkIf config.security.protectKernelImage {
# Disable hibernation (allows replacing the running kernel)
boot.kernelParams = [ "nohibernate" ];
# Prevent replacing the running kernel image w/o reboot
boot.kernel.sysctl."kernel.kexec_load_disabled" = mkDefault true;
boot.kernel.sysctl."kernel.kexec_load_disabled" = lib.mkDefault true;
})
(mkIf (!config.security.allowSimultaneousMultithreading) {
(lib.mkIf (!config.security.allowSimultaneousMultithreading) {
boot.kernelParams = [ "nosmt" ];
})
(mkIf config.security.forcePageTableIsolation {
(lib.mkIf config.security.forcePageTableIsolation {
boot.kernelParams = [ "pti=on" ];
})
(mkIf (config.security.virtualisation.flushL1DataCache != null) {
(lib.mkIf (config.security.virtualisation.flushL1DataCache != null) {
boot.kernelParams = [ "kvm-intel.vmentry_l1d_flush=${config.security.virtualisation.flushL1DataCache}" ];
})
];