lol

nixos/hardened profile: disable user namespaces at runtime

+17
+12
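--- a/nixos/modules/profiles/hardened.nix
+++ b/nixos/modules/profiles/hardened.nix
@@ -47,4 +47,16 @@
 
 # ... or at least apply some hardening to it
 boot.kernel.sysctl."net.core.bpf_jit_harden" = mkDefault true;
+
+# A recurring problem with user namespaces is that there are
+# still code paths where the kernel's permission checking logic
+# fails to account for namespacing, instead permitting a
+# namespaced process to act outside the namespace with the
+# same privileges as it would have inside it. This is particularly
+# bad in the common case of running as root within the namespace.
+#
+# Setting the number of allowed userns to 0 effectively disables
+# the feature at runtime. Attempting to create a user namespace
+# with unshare will then fail with "no space left on device".
+boot.kernel.sysctl."user.max_user_namespaces" = mkDefault 0;
 }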
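Review bot: The new comment explains why user namespaces are disabled but not the blast radius or how to opt back in, which is what an operator hitting the failure will look for; the `boot.kernel.sysctl."user.max_user_namespaces" = mkDefault 0;` line silently breaks anything that creates unprivileged user namespaces (sandboxed browsers, bubblewrap/Flatpak-style sandboxes, unprivileged containers). I would extend the comment with: `# NOTE: this breaks unprivileged sandboxes and containers that rely on userns; a host that needs them can override with lib.mkForce.` It is also worth stating that, because this is a runtime sysctl, it only restricts unprivileged callers — root in the initial namespace can raise the limit again, so it is not a substitute for a kernel built without CONFIG_USER_NS. `mkDefault` is the right priority here so per-host overrides keep working.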
+5
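--- a/nixos/tests/hardened.nix
+++ b/nixos/tests/hardened.nix
@@ -27,5 +27,10 @@
 # note: this better a be module we normally wouldn't load ...
 $machine->fail("modprobe dccp");
 };
+
+# Test userns
+subtest "userns", sub {
+$machine->fail("unshare --user");
+};
 '';
 })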
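Review bot: The new `userns` subtest only asserts that `unshare --user` fails, so it passes for the wrong reasons too — `unshare` missing from the test machine's PATH, or a different runtime error — and would not catch the sysctl silently not being applied. Pair it with a positive check that the knob actually took effect, e.g. `$machine->succeed("grep -qx 0 /proc/sys/user/max_user_namespaces");` before the `fail` call. If the Perl driver's `fail` returns the command output (I believe it does, but confirm against the test driver in this tree), asserting on "No space left on device" would tie the failure to the limit rather than to an absent binary. The enclosing test script starts before this hunk.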