Commit graph

25 commits

Author SHA1 Message Date
rnhmjoj 1f55c7e022
nixos/tests: drop latestKernel.hardened
The latest kernel does not guarantee a hardened version anymore,
see ga5341beb for the motivation.
2021-09-22 11:20:30 +02:00
rnhmjoj 1bd7260adb
nixos/lock-kernel-modules: reorder before/after
Moving the service before multi-user.target (so the `hardened` test
continue to work the way it did before) can result in locking the kernel
too early. It's better to lock it a bit later and changing the test to
wait specifically for the disable-kernel-module-loading.service.
2021-09-19 12:06:00 +02:00
Robert Scott dca4f32819 graphene-hardened-malloc: 2 -> 8
significantly overhaul tests to cover build-time-linking and
LD_PRELOAD use, simplifying the hardened nixos test to allow
it to reuse this test setup.
2021-08-14 11:52:11 +01:00
Dominik Xaver Hörl 893d911b55 nixos/hidepid: drop the module as the hidepid mount option is broken
This has been in an unusable state since the switch to cgroups-v2.
See https://github.com/NixOS/nixpkgs/issues/73800 for details.
2021-02-21 13:51:37 +01:00
Maciej Krüger 59eb6d3ee3
nixosTests.*: update to use virtualisation.fileSystems 2021-02-14 12:23:50 +01:00
Dominik Xaver Hörl 25bef2d8f9 treewide: simplify pkgs.stdenv.lib -> pkgs.lib
The library does not depend on stdenv, that `stdenv` exposes `lib` is
an artifact of the ancient origins of nixpkgs.
2021-01-10 20:12:06 +01:00
Tim Steinbach 03197f94ce
tests/hardened: Fix usage with 5.8
Linux >= 5.8 improved /proc mount options. `hidepid=2` is now
displayed as `hidepid=invisible`
2020-10-05 09:07:21 -04:00
Janne Heß 540c033507
nixos/hardened: Port test to Python and fix it
Related to #72828
Replaces and closes #76708

Looks like `nix ping-store` does not output anything anymore but still
fails when the connection does not work.
2020-08-21 21:35:07 +02:00
Emily fe031d07f8 nixos/tests/hardened: add latestKernel argument 2020-04-17 16:13:39 +01:00
Emily ad9bfe2254 nixos/hardened: enable user namespaces for root
linux-hardened sets kernel.unprivileged_userns_clone=0 by default; see
anthraxx/linux-hardened@104f44058f.

This allows the Nix sandbox to function while reducing the attack
surface posed by user namespaces, which allow unprivileged code to
exercise lots of root-only code paths and have lead to privilege
escalation vulnerabilities in the past.

We can safely leave user namespaces on for privileged users, as root
already has root privileges, but if you're not running builds on your
machine and really want to minimize the kernel attack surface then you
can set security.allowUserNamespaces to false.

Note that Chrome's sandbox requires either unprivileged CLONE_NEWUSER or
setuid, and Firefox's silently reduces the security level if it isn't
allowed (see about:support), so desktop users may want to set:

    boot.kernel.sysctl."kernel.unprivileged_userns_clone" = true;
2020-04-17 16:13:39 +01:00
Joachim Fasting eb59755f70
tests/hardened: fix build
Bug introduced by 4ead3d2ec3

For ZHF https://github.com/NixOS/nixpkgs/issues/68361
2019-09-18 15:38:43 +02:00
volth 08f68313a4 treewide: remove redundant rec 2019-08-28 11:07:32 +00:00
Joachim F b4a43a278b
Merge pull request #60187 from joachifm/feat/configurable-malloc
nixos: configurable system-wide malloc
2019-05-12 15:18:07 +00:00
Joachim Fasting 92d41f83fd
nixos/tests/hardened: check that apparmor is properly loaded 2019-05-11 18:21:44 +02:00
Joachim Fasting 10d3a0e10b
nixos/tests/hardened: test hardened malloc 2019-05-07 13:45:42 +02:00
Joachim Fasting 39c30a33c1
nixos/tests/hardened: test loading out-of-tree-modules 2019-01-06 13:19:28 +01:00
Joachim Fasting 84fb8820db
nixos/security/misc: factor out protectKernelImage
Introduces the option security.protectKernelImage that is intended to control
various mitigations to protect the integrity of the running kernel
image (i.e., prevent replacing it without rebooting).

This makes sense as a dedicated module as it is otherwise somewhat difficult
to override for hardened profile users who want e.g., hibernation to work.
2018-12-27 15:00:47 +01:00
Joachim Fasting 6a7f02d89d
nixos/hardened: restrict access to nix daemon 2018-11-24 16:06:21 +01:00
Joachim Fasting 62623b60d5
nixos/tests/hardened: fix build by disabling nix.useSandbox 2018-11-24 16:06:18 +01:00
volth 2e979e8ceb [bot] nixos/*: remove unused arguments in lambdas 2018-07-20 20:56:59 +00:00
xeji 301072dc27 nixos/tests/hardened: fix test (#40745)
failed because `pgrep -u` segfaults when accesss to proc info
is denied on a hardened system.
2018-05-19 08:42:15 +02:00
Joachim Fasting bccaf63067
nixos/hardened test: add failing test-case for deferred mounts 2017-09-22 23:53:27 +02:00
Joachim Fasting 586d04c588
nixos/tests: expand hardened tests 2017-09-16 13:14:07 +02:00
Joachim Fasting a1678269f9
nixos/hardened profile: disable user namespaces at runtime 2017-04-30 15:17:27 +02:00
Joachim Fasting ffa83edf4a
nixos/tests: add tests for exercising various hardening features
This test exercises the linux_hardened kernel along with the various
hardening features (enabled via the hardened profile).

Move hidepid test from misc, so that misc can go back to testing a vanilla
configuration.
2017-04-30 12:05:42 +02:00