nixos/hardened profile: disable user namespaces at runtime
This commit is contained in:
parent
86fe3e9c6e
commit
a1678269f9
@ -47,4 +47,16 @@ with lib;
|
||||
|
||||
# ... or at least apply some hardening to it
|
||||
boot.kernel.sysctl."net.core.bpf_jit_harden" = mkDefault true;
|
||||
|
||||
# A recurring problem with user namespaces is that there are
|
||||
# still code paths where the kernel's permission checking logic
|
||||
# fails to account for namespacing, instead permitting a
|
||||
# namespaced process to act outside the namespace with the
|
||||
# same privileges as it would have inside it. This is particularly
|
||||
# bad in the common case of running as root within the namespace.
|
||||
#
|
||||
# Setting the number of allowed userns to 0 effectively disables
|
||||
# the feature at runtime. Attempting to create a user namespace
|
||||
# with unshare will then fail with "no space left on device".
|
||||
boot.kernel.sysctl."user.max_user_namespaces" = mkDefault 0;
|
||||
}
|
||||
|
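Review bot: The new comment block above `boot.kernel.sysctl."user.max_user_namespaces" = mkDefault 0;` explains the mechanism but says nothing about its cost or its limits, which is what someone deciding whether to override the mkDefault needs. A limit of 0 rejects every new user namespace in the initial namespace, including for root (the new test runs its `unshare --user` as root and expects failure), so container runtimes and sandboxes that rely on unprivileged CLONE_NEWUSER stop working; and because it is a plain runtime sysctl, a process with CAP_SYS_ADMIN can raise it again, so this is a mitigation rather than a boundary. I would append to the comment: `# Note: this breaks tools that need unprivileged user namespaces (container runtimes, sandboxes); override the sysctl if you need them. Root can raise the limit again at runtime, so treat this as defence in depth, not a security boundary.` If the kernel is built without CONFIG_USER_NS the key does not exist and the write presumably fails at boot — whether that is fatal depends on the sysctl loader, worth confirming.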
@ -27,5 +27,10 @@ import ./make-test.nix ({ pkgs, ...} : {
|
||||
# note: this better a be module we normally wouldn't load ...
|
||||
$machine->fail("modprobe dccp");
|
||||
};
|
||||
|
||||
# Test userns
|
||||
subtest "userns", sub {
|
||||
$machine->fail("unshare --user");
|
||||
};
|
||||
'';
|
||||
})
|
||||
|
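Review bot: `$machine->fail("unshare --user")` in the new `userns` subtest passes no command to unshare, so if namespace creation ever succeeds again unshare execs `$SHELL`, and since the driver runs commands through a shell over a backdoor that could leave the test hanging instead of reporting a clean failure. `fail` is also satisfied by any non-zero exit (for example `unshare` missing from the test's PATH), so on its own it does not show that the sysctl is what blocked the call. I would run a trivial command and pin the sysctl value: `$machine->fail("unshare --user true");` followed by `$machine->succeed('[ "$(sysctl -n user.max_user_namespaces)" = 0 ]');`. Both still run as root; a variant under an unprivileged user would exercise the case the profile comment is mainly concerned with, which I presume is the intent.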