nixos/hardened profile: disable user namespaces at runtime

This commit is contained in:
Joachim Fasting 2017-04-30 14:41:56 +02:00
parent 86fe3e9c6e
commit a1678269f9
No known key found for this signature in database
GPG Key ID: 7544761007FE4E08
2 changed files with 17 additions and 0 deletions

View File

@ -47,4 +47,16 @@ with lib;
# ... or at least apply some hardening to it
boot.kernel.sysctl."net.core.bpf_jit_harden" = mkDefault true;
# A recurring problem with user namespaces is that there are
# still code paths where the kernel's permission checking logic
# fails to account for namespacing, instead permitting a
# namespaced process to act outside the namespace with the
# same privileges as it would have inside it. This is particularly
# bad in the common case of running as root within the namespace.
#
# Setting the number of allowed userns to 0 effectively disables
# the feature at runtime. Attempting to create a user namespace
# with unshare will then fail with "no space left on device".
boot.kernel.sysctl."user.max_user_namespaces" = mkDefault 0;
}

View File

@ -27,5 +27,10 @@ import ./make-test.nix ({ pkgs, ...} : {
# note: this better a be module we normally wouldn't load ...
$machine->fail("modprobe dccp");
};
# Test userns
subtest "userns", sub {
$machine->fail("unshare --user");
};
'';
})