starred/nix-config

mirror of https://github.com/ryan4yin/nix-config.git synced 2026-03-29 13:51:50 +02:00

Files

History

Ryan Yin 6942e54b28 fix: error: attribute 'packages' missing

2024-09-06 00:01:09 +08:00

..

feat: hardening nixos desktops (#160 )

2024-09-05 23:59:39 +08:00

feat: hardening nixos desktops (#160 )

2024-09-05 23:59:39 +08:00

fix: error: attribute 'packages' missing

2024-09-06 00:01:09 +08:00

feat: hardening nixos desktops (#160 )

2024-09-05 23:59:39 +08:00

README.md

feat: hardening nixos desktops (#160 )

2024-09-05 23:59:39 +08:00

README.md

Linux Hardening

Goal

System Level: Protect critical files from being accessed by untrusted applications.
1. Such as browser cookies, SSH keys, etc.
Per-App Level: Prevent untrusted applications(such as closed-source apps) from:
1. Accessing files they shouldn't.
  - Such as a malicious application accessing your browser's cookies, SSH Keys, etc.
2. Accessing the network when they don't need to.
3. Accessing hardware devices they don't need.

Kernel Hardening

NixOS Kernel Config: https://github.com/NixOS/nixpkgs/blob/nixos-unstable/pkgs/os-specific/linux/kernel/hardened/config.nix

System Hardening

NixOS Profile: https://github.com/NixOS/nixpkgs/blob/nixos-unstable/nixos/modules/profiles/hardened.nix
Apparmor: roddhjav/apparmor.d)
- https://gitlab.com/apparmor/apparmor/-/wikis/Documentation
- AppArmor.d is a set of over 1500 AppArmor profiles whose aim is to confine most Linux based applications and processes.
- Nix Package: roddhjav-apparmor-rules
- https://github.com/NixOS/nixpkgs/issues/331645
SELinux: too complex, not recommended for personal use.

Application Sandboxing

Firejail: A SUID security sandbox with hundreds of security profiles for many common applications in the default installation.
- https://wiki.nixos.org/wiki/Firejail
- Firejail needs SUID to work, which is considered a security risk - Does firejail improve the security of my system?
Bubblewrap: nixpak, more secure than firejail, but no batteries included.
- NixOS's FHSEnv is implemented using bubblewrap by default.
Systemd/Hardening: Systemd also provides some sandboxing features.

NOTE

Running untrusted code is never safe, kernel hardening & sandboxing cannot change this.

If you want to run untrusted code, please use a VM & an isolated network environment, which will provide a much higher level of security.

References

Harden your NixOS workstation - dataswamp
Linux Insecurities - Madaidans
Sandboxing all programs by default - NixOS Discourse
在 Firejail 中运行 Steam
Firejail - Arch Linux Wiki
nixpak configs:
firejail configs:
- f8967c82a5/packages/overlay.nix (L261)
apparmor configs:
- 7fcf737c50/modules/shared/security/apparmor/default.nix (L8)
- 4fe177f698/modules/nixos/security/apparmor.nix (L4)
Others:
- Directly via buildFHSUserEnvBubblewrap: https://github.com/xddxdd/nur-packages/blob/master/pkgs/uncategorized/wechat-uos/default.nix