Commit Graph

32 Commits

Author SHA1 Message Date
rnhmjoj
a432668acf
dhcpcd: disable privsep by default
The privilege separation mode has several downsides:

  - it's incompatible with alternative memory allocators, including
    graphene-hardened;

  - it needs an unreleased patch to fix a crash;

  - it results in no fewer than 6 subprocesses running at any time,
    increasing the memory usage;

  - the privileged process (albeit not doing any networking related
    tasks) is still running as root, so it has complete access to the
    system.

Let's disable this by default and instead run dhcpcd as an unprivileged
user with only the necessary capabilities.
2024-09-16 01:23:54 +02:00
K900
a3323f68a7 nixos/tests/hardened: fix eval 2023-10-06 23:54:57 +03:00
AndersonTorres
d87f1b8c9f nixos/tests/hardened.nix: get rid of with lib 2023-05-12 22:29:25 -03:00
Alyssa Ross
a14da86f2c
nixosTests.hardened: fix for recent Nix
As far as I know, there's no stable equivalent of nix ping-store.
2022-07-08 17:03:40 +00:00
Alyssa Ross
d440cc931e
nixosTests.hardened: disable dhcpcd privsep
Since 831024e2b9 ("nixos/dhcpcd: assert if privSep && alternative
malloc"), this test has an assertion failure because dhcpcd (with
privsep enabled) is not compatible with the allocator used by the
hardened profile.

Since it's unclear[1] what to do about this for the hardened profile,
I propose doing the simplest thing possible to make the test eval,
which is to just disable dhcpcd privsep.  It's very inconvenient when
trying to refactor the NixOS test infrastructure to have a test that
doesn't evaluate.  Once the correct solution is found for using dhcpcd
with privsep with the hardened profile, this patch can be reverted.

[1]: https://github.com/NixOS/nixpkgs/pull/157430
2022-07-08 17:03:29 +00:00
Robert Hensing
aa0f27abb0 treewide: machine -> nodes.machine 2022-03-28 14:11:58 +02:00
polykernel
4a9d9928dc nixos/nix-daemon: use structural settings
The `nix.*` options, apart from options for setting up the
daemon itself, currently provide a lot of setting mappings
for the Nix daemon configuration. The scope of the mapping yields
convenience, but the line where an option is considered essential
is blurry. For instance, the `extra-sandbox-paths` mapping is
provided without its primary consumer, and the corresponding
`sandbox-paths` option is also not mapped.

The current system increases the maintenance burden as maintainers have to
closely follow upstream changes. In this case, there are two state versions
of Nix which have to be maintained collectively, with different options
available.

This commit aims to follow the standard outlined in RFC 42[1] to
implement a structural setting pattern. The Nix configuration is encoded
at its core as key-value pairs which maps nicely to attribute sets, making
it feasible to express in the Nix language itself. Some existing options are
kept such as `buildMachines` and `registry` which present a simplified interface
to managing the respective settings. The interface is exposed as `nix.settings`.

Legacy configurations are mapped to their corresponding options under `nix.settings`
for backwards compatibility.

Various options settings in other nixos modules and relevant tests have been
updated to use structural setting for consistency.

The generation and validation of the configuration file has been modified to
use `writeTextFile` instead of `runCommand` for clarity. Note that validation
is now mandatory as strict checking of options has been pushed down to the
derivation level due to freeformType consuming unmatched options. Furthermore,
validation can not occur when cross-compiling due to current limitations.

A new option `publicHostKey` was added to the `buildMachines`
submodule corresponding to the base64 encoded public host key settings
exposed in the builder syntax. The build machine generation was subsequently
rewritten to use `concatStringsSep` for better performance by grouping
concatenations.

[1] - https://github.com/NixOS/rfcs/blob/master/rfcs/0042-config-option.md
2022-01-26 21:04:50 -05:00
rnhmjoj
1f55c7e022
nixos/tests: drop latestKernel.hardened
The latest kernel does not guarantee a hardened version anymore,
see ga5341beb for the motivation.
2021-09-22 11:20:30 +02:00
rnhmjoj
1bd7260adb
nixos/lock-kernel-modules: reorder before/after
Moving the service before multi-user.target (so the `hardened` test
continues to work the way it did before) can result in locking the kernel
too early. It's better to lock it a bit later and change the test to
wait specifically for the disable-kernel-module-loading.service.
2021-09-19 12:06:00 +02:00
Robert Scott
dca4f32819 graphene-hardened-malloc: 2 -> 8
significantly overhaul tests to cover build-time-linking and
LD_PRELOAD use, simplifying the hardened nixos test to allow
it to reuse this test setup.
2021-08-14 11:52:11 +01:00
Dominik Xaver Hörl
893d911b55 nixos/hidepid: drop the module as the hidepid mount option is broken
This has been in an unusable state since the switch to cgroups-v2.
See https://github.com/NixOS/nixpkgs/issues/73800 for details.
2021-02-21 13:51:37 +01:00
Maciej Krüger
59eb6d3ee3
nixosTests.*: update to use virtualisation.fileSystems 2021-02-14 12:23:50 +01:00
Dominik Xaver Hörl
25bef2d8f9 treewide: simplify pkgs.stdenv.lib -> pkgs.lib
The library does not depend on stdenv, that `stdenv` exposes `lib` is
an artifact of the ancient origins of nixpkgs.
2021-01-10 20:12:06 +01:00
Tim Steinbach
03197f94ce
tests/hardened: Fix usage with 5.8
Linux >= 5.8 improved /proc mount options. `hidepid=2` is now
displayed as `hidepid=invisible`
2020-10-05 09:07:21 -04:00
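The fix above hinges on a kernel-version detail: since Linux 5.8 the proc mount option `hidepid` is reported with its keyword spelling (`off`, `noaccess`, `invisible`, `ptraceable`) rather than the numeric value passed at mount time, so a test that greps for the literal `hidepid=2` fails on newer kernels. The following is an added example, not code from nixpkgs or from this commit: it parses `/proc/self/mountinfo` and normalises both spellings to the keyword, so a check for the hardened profile's `hidepid=2` setting passes regardless of kernel version. The sample mountinfo lines are constructed for the example.

```python
"""Check the hidepid mode of a proc mount by parsing /proc/self/mountinfo.

Added example (not part of nixpkgs or the hardened NixOS test). Linux >= 5.8
shows hidepid as a keyword, older kernels as the number given at mount time;
both are normalised here so callers can compare against "invisible".
"""
import pathlib

# Numeric value -> keyword, per Documentation/filesystems/proc.rst (Linux >= 5.8).
HIDEPID_NAMES = {"0": "off", "1": "noaccess", "2": "invisible", "4": "ptraceable"}


def parse_mountinfo(text):
    """Yield (mount_point, fstype, super_options) for each mountinfo line.

    mountinfo layout: id parent major:minor root mount_point mount_opts
    [optional fields ...] - fstype source super_opts
    Filesystem-specific options such as hidepid/gid live in super_opts.
    Spaces inside paths are octal-escaped (\\040), so splitting on whitespace is safe.
    """
    for line in text.splitlines():
        head, sep, tail = line.partition(" - ")
        if not sep:
            continue  # blank or malformed line
        fields = head.split()
        parts = tail.split()
        if len(fields) < 6 or len(parts) < 3:
            continue
        yield fields[4], parts[0], parts[2]


def proc_hidepid(mountinfo_text, mount_point="/proc"):
    """Return the hidepid mode (keyword form) of the procfs mounted at mount_point.

    Returns None when no procfs is mounted there and "off" when procfs is
    mounted without an explicit hidepid option (the kernel default is 0).
    """
    for mp, fstype, super_opts in parse_mountinfo(mountinfo_text):
        if mp != mount_point or fstype != "proc":
            continue
        for opt in super_opts.split(","):
            key, _, value = opt.partition("=")
            if key == "hidepid":
                return HIDEPID_NAMES.get(value, value)
        return "off"
    return None


def hidepid_is_invisible(mountinfo_text, mount_point="/proc"):
    """The check the hardened test wants: hidepid=2 on old kernels, =invisible on new ones."""
    return proc_hidepid(mountinfo_text, mount_point) == "invisible"


# Constructed sample mountinfo output for the same NixOS configuration on two kernels.
OLD_KERNEL = (
    "24 23 0:22 / /proc rw,nosuid,nodev,noexec,relatime shared:15 - proc proc rw,hidepid=2,gid=990\n"
    "25 23 0:23 / /sys rw,nosuid,nodev,noexec,relatime shared:16 - sysfs sysfs rw\n"
)
NEW_KERNEL = (
    "24 23 0:22 / /proc rw,nosuid,nodev,noexec,relatime shared:15 - proc proc rw,hidepid=invisible,gid=990\n"
)
NO_HIDEPID = (
    "24 23 0:22 / /proc rw,nosuid,nodev,noexec,relatime shared:15 - proc proc rw\n"
)


if __name__ == "__main__":
    for name, sample in (("old kernel", OLD_KERNEL), ("new kernel", NEW_KERNEL), ("no hidepid", NO_HIDEPID)):
        print(f"{name}: hidepid={proc_hidepid(sample)} invisible={hidepid_is_invisible(sample)}")
    try:
        live = pathlib.Path("/proc/self/mountinfo").read_text()
        print("this machine: hidepid=", proc_hidepid(live))
    except OSError as exc:
        print("could not read /proc/self/mountinfo:", exc)
```

Run it on a hardened system to confirm the live value; a result of `off` or `None` means process information is not hidden for the mount being checked.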
Janne Heß
540c033507
nixos/hardened: Port test to Python and fix it
Related to #72828
Replaces and closes #76708

Looks like `nix ping-store` does not output anything anymore but still
fails when the connection does not work.
2020-08-21 21:35:07 +02:00
Emily
fe031d07f8 nixos/tests/hardened: add latestKernel argument 2020-04-17 16:13:39 +01:00
Emily
ad9bfe2254 nixos/hardened: enable user namespaces for root
linux-hardened sets kernel.unprivileged_userns_clone=0 by default; see
anthraxx/linux-hardened@104f44058f.

This allows the Nix sandbox to function while reducing the attack
surface posed by user namespaces, which allow unprivileged code to
exercise lots of root-only code paths and have led to privilege
escalation vulnerabilities in the past.

We can safely leave user namespaces on for privileged users, as root
already has root privileges, but if you're not running builds on your
machine and really want to minimize the kernel attack surface then you
can set security.allowUserNamespaces to false.

Note that Chrome's sandbox requires either unprivileged CLONE_NEWUSER or
setuid, and Firefox's silently reduces the security level if it isn't
allowed (see about:support), so desktop users may want to set:

    boot.kernel.sysctl."kernel.unprivileged_userns_clone" = true;
2020-04-17 16:13:39 +01:00
Joachim Fasting
eb59755f70
tests/hardened: fix build
Bug introduced by 4ead3d2ec3

For ZHF https://github.com/NixOS/nixpkgs/issues/68361
2019-09-18 15:38:43 +02:00
volth
08f68313a4 treewide: remove redundant rec 2019-08-28 11:07:32 +00:00
Joachim F
b4a43a278b
Merge pull request #60187 from joachifm/feat/configurable-malloc
nixos: configurable system-wide malloc
2019-05-12 15:18:07 +00:00
Joachim Fasting
92d41f83fd
nixos/tests/hardened: check that apparmor is properly loaded 2019-05-11 18:21:44 +02:00
Joachim Fasting
10d3a0e10b
nixos/tests/hardened: test hardened malloc 2019-05-07 13:45:42 +02:00
Joachim Fasting
39c30a33c1
nixos/tests/hardened: test loading out-of-tree modules 2019-01-06 13:19:28 +01:00
Joachim Fasting
84fb8820db
nixos/security/misc: factor out protectKernelImage
Introduces the option security.protectKernelImage that is intended to control
various mitigations to protect the integrity of the running kernel
image (i.e., prevent replacing it without rebooting).

This makes sense as a dedicated module as it is otherwise somewhat difficult
to override for hardened profile users who want e.g., hibernation to work.
2018-12-27 15:00:47 +01:00
Joachim Fasting
6a7f02d89d
nixos/hardened: restrict access to nix daemon 2018-11-24 16:06:21 +01:00
Joachim Fasting
62623b60d5
nixos/tests/hardened: fix build by disabling nix.useSandbox 2018-11-24 16:06:18 +01:00
volth
2e979e8ceb [bot] nixos/*: remove unused arguments in lambdas 2018-07-20 20:56:59 +00:00
xeji
301072dc27 nixos/tests/hardened: fix test (#40745)
failed because `pgrep -u` segfaults when access to proc info
is denied on a hardened system.
2018-05-19 08:42:15 +02:00
Joachim Fasting
bccaf63067
nixos/hardened test: add failing test-case for deferred mounts 2017-09-22 23:53:27 +02:00
Joachim Fasting
586d04c588
nixos/tests: expand hardened tests 2017-09-16 13:14:07 +02:00
Joachim Fasting
a1678269f9
nixos/hardened profile: disable user namespaces at runtime 2017-04-30 15:17:27 +02:00
Joachim Fasting
ffa83edf4a
nixos/tests: add tests for exercising various hardening features
This test exercises the linux_hardened kernel along with the various
hardening features (enabled via the hardened profile).

Move hidepid test from misc, so that misc can go back to testing a vanilla
configuration.
2017-04-30 12:05:42 +02:00