
Comparing changes

base repository: NixOS/nixpkgs
base: 9e55da14fee5
head repository: NixOS/nixpkgs
compare: 18b89e7abddc
  • 3 commits
  • 1 file changed
  • 2 contributors

Commits on Nov 19, 2019

  1. nixos/hardened: build sandbox incompatible with namespaces

    Disables the build sandbox by default to avoid incompatibility with
    defaulting user namespaces to false. Ideally there would be some kind of
    linux kernel feature that allows us to trust nix-daemon builders to
    allow both nix sandbox builds and disabling untrusted namespaces at the
    same time.
    Kyle Copperfield committed Nov 19, 2019
    00ac71a

Commits on Nov 26, 2019

  1. 759968a

Commits on Apr 3, 2020

  1. Merge pull request #73763 from kmcopper/hardening-profile

    Improvements to the NixOS Hardened Profile
    joachifm authored Apr 3, 2020
    18b89e7
Showing with 5 additions and 0 deletions.
  1. +5 −0 nixos/modules/profiles/hardened.nix
5 changes: 5 additions & 0 deletions nixos/modules/profiles/hardened.nix
@@ -14,12 +14,17 @@ with lib;

nix.allowedUsers = mkDefault [ "@users" ];

environment.memoryAllocator.provider = mkDefault "scudo";
environment.variables.SCUDO_OPTIONS = mkDefault "ZeroContents=1";

security.hideProcessInformation = mkDefault true;

security.lockKernelModules = mkDefault true;

security.allowUserNamespaces = mkDefault false;

nix.useSandbox = mkDefault false;

security.protectKernelImage = mkDefault true;

security.allowSimultaneousMultithreading = mkDefault false;
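
Review bot: `nix.useSandbox = mkDefault false;` sits directly under `security.allowUserNamespaces = mkDefault false;` with no comment in the file tying the two together, so the reason a hardening profile turns off build isolation lives only in the commit message. Please add a comment above the line stating that the sandbox is disabled because it depends on user namespaces, and that builds then run unsandboxed. Since both values are independent `mkDefault`s, a user who overrides `security.allowUserNamespaces` back to `true` will still get `nix.useSandbox = false` unless they also remember to override it; consider deriving the sandbox default from the namespace option instead of hard-coding `false`, so the weaker setting only applies when it is actually required.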