Grimmauld/grimm-nixos-laptop
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity

nix-daemon confinement

Browse source
This commit is contained in:
Grimmauld 2025-01-08 19:06:22 +01:00
parent cf98a8a221
commit a8f9e7a9c2
No known key found for this signature in database
4 changed files with 56 additions and 3 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

2
common/tooling/nix.nix
View file

@ -48,7 +48,7 @@
"pipe-operator" "pipe-operator"
]; ];
warn-dirty = false; warn-dirty = false;
allowed-users = [ "@wheel" ]; allowed-users = [ "@wheel" "grimmauld" ];
}; };
programs.nh = { programs.nh = {

3
hardening/systemd/default.nix
View file

@ -17,10 +17,11 @@ in
./wpa_supplicant.nix ./wpa_supplicant.nix
./auditd.nix ./auditd.nix
./acpid.nix ./acpid.nix
./cups.nix # ./cups.nix
./bluetooth.nix ./bluetooth.nix
./tty.nix ./tty.nix
./ask-password.nix ./ask-password.nix
./nix-daemon.nix
./global ./global
]; ];

51
hardening/systemd/nix-daemon.nix Normal file
View file

@ -0,0 +1,51 @@
{
lib,
config,
...
}:
{
config.systemd.services = lib.mkIf (config.specialisation != { }) {
nix-daemon.serviceConfig = {
MemoryDenyWriteExecute = true;
NoNewPrivileges = true;
SystemCallArchitectures = "native";
RestrictSUIDSGID = true; # good, somehow???
RestrictAddressFamilies = "AF_UNIX AF_INET AF_INET6"; # needed to download sources and caches
RestrictNamespaces = "user net uts mnt ipc pid"; # namespaces needed for sandboxing
SystemCallFilter = "@system-service @cpu-emulation @mount @privileged";
LockPersonality = true;
ProtectControlGroups = true;
ProtectKernelModules = true; # todo: does kvm need a modprobe here?
PrivateMounts = true;
ProtectProc = "invisible";
ProtectClock = true;
# file system
PrivateTmp = true;
ProtectSystem = "strict";
ReadWritePaths = "/nix";
# Scheduling: only do as much as resources are available
LimitNICE = 1;
Nice = 19;
RestrictRealtime = true;
# devices
DevicePolicy = "closed"; # allow pseudo-devices like /dev/null, but no real devices
DeviceAllow = "/dev/kvm"; # kvm is needed for VM tests
CapabilityBoundingSet = [
"CAP_FOWNER CAP_CHOWN CAP_SETUID CAP_SETGID CAP_SYS_ADMIN CAP_DAC_OVERRIDE"
];
# ProtectKernelLogs=true; # BAD
# ProtectKernelTunables = true; # BAD
# PrivateUsers=true; BAD
# ProtectHome = "read-only"; # BAD
# ProtectHostname = true; # BAD!
# PrivateNetwork = true; # BAD!
};
};
}

3
specific/grimm-nixos-ssd/hardware-configuration.nix
View file

@ -41,7 +41,8 @@ in
"mac80211" "mac80211"
"bluetooth" "bluetooth"
"cfg80211" "cfg80211"
]; # "kvm-intel" "kvm-intel"
];
boot.extraModprobeConfig = "options iwlwifi disable_11ax=Y"; boot.extraModprobeConfig = "options iwlwifi disable_11ax=Y";
boot.binfmt.emulatedSystems = [ "aarch64-linux" ]; boot.binfmt.emulatedSystems = [ "aarch64-linux" ];