pyrox.dev / nixpkgs
lol
fork atom
nixpkgs / nixos / modules / security / misc.nix
at 22.05-pre 5.6 kB view raw
1{ config, lib, ... }: 2 3with lib; 4 5{ 6 meta = { 7 maintainers = [ maintainers.joachifm ]; 8 }; 9 10 imports = [ 11 (lib.mkRenamedOptionModule [ "security" "virtualization" "flushL1DataCache" ] [ "security" "virtualisation" "flushL1DataCache" ]) 12 ]; 13 14 options = { 15 security.allowUserNamespaces = mkOption { 16 type = types.bool; 17 default = true; 18 description = '' 19 Whether to allow creation of user namespaces. 20 21 The motivation for disabling user namespaces is the potential 22 presence of code paths where the kernel's permission checking 23 logic fails to account for namespacing, instead permitting a 24 namespaced process to act outside the namespace with the same 25 privileges as it would have inside it. This is particularly 26 damaging in the common case of running as root within the namespace. 27 28 When user namespace creation is disallowed, attempting to create a 29 user namespace fails with "no space left on device" (ENOSPC). 30 root may re-enable user namespace creation at runtime. 31 ''; 32 }; 33 34 security.unprivilegedUsernsClone = mkOption { 35 type = types.bool; 36 default = false; 37 description = '' 38 When disabled, unprivileged users will not be able to create new namespaces. 39 By default unprivileged user namespaces are disabled. 40 This option only works in a hardened profile. 41 ''; 42 }; 43 44 security.protectKernelImage = mkOption { 45 type = types.bool; 46 default = false; 47 description = '' 48 Whether to prevent replacing the running kernel image. 49 ''; 50 }; 51 52 security.allowSimultaneousMultithreading = mkOption { 53 type = types.bool; 54 default = true; 55 description = '' 56 Whether to allow SMT/hyperthreading. Disabling SMT means that only 57 physical CPU cores will be usable at runtime, potentially at 58 significant performance cost. 59 60 The primary motivation for disabling SMT is to mitigate the risk of 61 leaking data between threads running on the same CPU core (due to 62 e.g., shared caches). This attack vector is unproven. 63 64 Disabling SMT is a supplement to the L1 data cache flushing mitigation 65 (see <xref linkend="opt-security.virtualisation.flushL1DataCache"/>) 66 versus malicious VM guests (SMT could "bring back" previously flushed 67 data). 68 ''; 69 }; 70 71 security.forcePageTableIsolation = mkOption { 72 type = types.bool; 73 default = false; 74 description = '' 75 Whether to force-enable the Page Table Isolation (PTI) Linux kernel 76 feature even on CPU models that claim to be safe from Meltdown. 77 78 This hardening feature is most beneficial to systems that run untrusted 79 workloads that rely on address space isolation for security. 80 ''; 81 }; 82 83 security.virtualisation.flushL1DataCache = mkOption { 84 type = types.nullOr (types.enum [ "never" "cond" "always" ]); 85 default = null; 86 description = '' 87 Whether the hypervisor should flush the L1 data cache before 88 entering guests. 89 See also <xref linkend="opt-security.allowSimultaneousMultithreading"/>. 90 91 <variablelist> 92 <varlistentry> 93 <term><literal>null</literal></term> 94 <listitem><para>uses the kernel default</para></listitem> 95 </varlistentry> 96 <varlistentry> 97 <term><literal>"never"</literal></term> 98 <listitem><para>disables L1 data cache flushing entirely. 99 May be appropriate if all guests are trusted.</para></listitem> 100 </varlistentry> 101 <varlistentry> 102 <term><literal>"cond"</literal></term> 103 <listitem><para>flushes L1 data cache only for pre-determined 104 code paths. May leak information about the host address space 105 layout.</para></listitem> 106 </varlistentry> 107 <varlistentry> 108 <term><literal>"always"</literal></term> 109 <listitem><para>flushes L1 data cache every time the hypervisor 110 enters the guest. May incur significant performance cost. 111 </para></listitem> 112 </varlistentry> 113 </variablelist> 114 ''; 115 }; 116 }; 117 118 config = mkMerge [ 119 (mkIf (!config.security.allowUserNamespaces) { 120 # Setting the number of allowed user namespaces to 0 effectively disables 121 # the feature at runtime. Note that root may raise the limit again 122 # at any time. 123 boot.kernel.sysctl."user.max_user_namespaces" = 0; 124 125 assertions = [ 126 { assertion = config.nix.useSandbox -> config.security.allowUserNamespaces; 127 message = "`nix.useSandbox = true` conflicts with `!security.allowUserNamespaces`."; 128 } 129 ]; 130 }) 131 132 (mkIf config.security.unprivilegedUsernsClone { 133 boot.kernel.sysctl."kernel.unprivileged_userns_clone" = mkDefault true; 134 }) 135 136 (mkIf config.security.protectKernelImage { 137 # Disable hibernation (allows replacing the running kernel) 138 boot.kernelParams = [ "nohibernate" ]; 139 # Prevent replacing the running kernel image w/o reboot 140 boot.kernel.sysctl."kernel.kexec_load_disabled" = mkDefault true; 141 }) 142 143 (mkIf (!config.security.allowSimultaneousMultithreading) { 144 boot.kernelParams = [ "nosmt" ]; 145 }) 146 147 (mkIf config.security.forcePageTableIsolation { 148 boot.kernelParams = [ "pti=on" ]; 149 }) 150 151 (mkIf (config.security.virtualisation.flushL1DataCache != null) { 152 boot.kernelParams = [ "kvm-intel.vmentry_l1d_flush=${config.security.virtualisation.flushL1DataCache}" ]; 153 }) 154 ]; 155}