nixos/security/misc: init #48439
nixos/security/misc: init #48439
Conversation
|
This is nice! Nitpick comment - don't we normally "enable" stuff instead of "disable" like it's done here? |
|
In this case, "disable" sounds better to me because the module doesn't provide user namespaces, it only takes them away. |
|
If disable is too unclear, maybe "remove" or some other wording could be used. I don't want to say |
|
I don't like "disable" options, as they result in more layers of negation, which can get pretty confusing. I think an "enable" or maybe better "allow" (since it's less suggestive that the default is not to) option would be better. |
|
Okay, I'll change it to Apart from that, any thoughts on having a module for this compared to just adding the assert to the profile? I'm not sure at present what else could go into this module, but I'm thinking some of the other hardened profile things could be reified as options here, to aid discovery and overriding for users of the profile. But unless that happens, I'm not sure the module is justifiable? |
|
Ha! I was too slow. I was stuck trying to find the assertions magic. WIll test tomorrow probably :) While I'm here, have I been living a lie, or is ENOSPEC a typo? |
|
@DIzFer It is a typo, indeed :) |
|
Barring objections I'll push a squashed version of this soonish. |
A module for security options that are too small to warrant their own module. The impetus for adding this module is to make it more convenient to override the behavior of the hardened profile wrt user namespaces. Without a dedicated option for user namespaces, the user needs to 1) know which sysctl knob controls userns 2) know how large a value the sysctl knob needs to allow e.g., Nix sandbox builds to work In the future, other mitigations currently enabled by the hardened profile may be promoted to options in this module.
joachifm
force-pushed
the
hardened-misc
branch
from
64d2ff9
to
f4ea22e
Compare
|
Thanks for the feedback all :) |
A module for security options that are too small to warrant their own module.
Motivation for this change
The impetus for adding this module is to make it more convenient to override
the behavior of the hardened profile wrt user namespaces.
Without a dedicated option for user namespaces, the user needs to
Nix sandbox builds to work
Because Nix sandbox support is a likely incompatibility for hardened profile
users, it makes sense to create a dedicated option.
Supercedes #48207, resolving the
immediate issue addressed by that PR.
Things done
sandboxinnix.confon non-NixOS)nix-shell -p nox --run "nox-review wip"./result/bin/)nix path-info -Sbefore and after)