Security: Difference between revisions
imported>Nix: add vulnix to NixOS refs
→SELinux: Added a note since I'm working on it
(14 intermediate revisions by 6 users not shown)
These are security elements that are core features of using Nix(OS).
=== Effort to isolate runtime search paths ===
In general, there is an effort to avoid [[wikipedia:Rpath|rpath]] collisions across users [https://github.com/NixOS/nix/commit/eba840c8a13b465ace90172ff76a0db2899ab11b]. Binaries built by Nix reference their libraries through absolute <code>/nix/store</code> paths in their rpath, so one user cannot redirect another user's program to a different library by dropping a file into a shared search directory.
=== Multi-user installation ===
=== Data integrity and authenticity ===
The core installation resources for Nix(OS) (installer scripts and ISO images) have [[wikipedia:SHA-2|SHA256]] checksums which are [[wikipedia:GNU_Privacy_Guard|GPG]] signed by the [https://nixos.org/download.html#nix-verify-installation Nix team] for authenticity. Within the installation data are all the SHA256 checksums for the sources of packages that were available within Nixpkgs at build time, pinned in the Nixpkgs expressions themselves.
All packages which are pulled into your Nix system via Nixpkgs derivation builds are checked against those SHA256 checksums, which are already available on your local system (and should be traceable to the signed core Nix install materials). The fetchers are fixed-output derivations: the downloaded content is hashed, and the build fails on a mismatch rather than using the file, so a tampered or substituted source archive is rejected before anything is compiled from it.
=== Obscurity of Nix store ===
In a vanilla NixOS system, the typical [https://en.wikipedia.org/wiki/Filesystem_Hierarchy_Standard Linux filesystem hierarchy] is, in large part, replaced with the Nix store's [[User Environment|user environments]]. This means that some malware which relies on finding system tools in particular places (<code>/usr/bin</code>, <code>/lib</code>) might fail. Note that NixOS still provides <code>/bin/sh</code> and <code>/usr/bin/env</code> for compatibility, so anything that only needs those works unchanged. This is a form of [https://en.wikipedia.org/wiki/Security_through_obscurity security through obscurity] and is only a minor layer of protection.
== Supported by Nix ==
NixOS has [https://en.wikipedia.org/wiki/Linux_Unified_Key_Setup LUKS] block-device-level (partition or whole-disk) encryption support, including unlocking the root file system from the initrd.
* [https://nixos.org/manual/nixos/unstable/index.html#sec-luks-file-systems NixOS Manual - LUKS-Encrypted File Systems]
* [https://0pointer.net/blog/authenticated-boot-and-disk-encryption-on-linux.html Authenticated Boot and Disk Encryption on Linux]
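As an added example (not from the wiki or the NixOS manual), a root file system on a LUKS volume unlocked from the initrd. The device UUID, the mapper name <code>cryptroot</code> and the file system type are assumptions for illustration; substitute the UUID that <code>blkid</code> reports for your encrypted partition.

```nix
{ config, lib, ... }:
{
  # LUKS container opened by the initrd before the root file system is mounted.
  boot.initrd.luks.devices."cryptroot" = {
    # Assumed UUID: refer to the LUKS partition by UUID, not /dev/sdX, so a
    # device-enumeration change cannot point the initrd at the wrong disk.
    device = "/dev/disk/by-uuid/4a9a5e8f-0b1c-4d2e-8f3a-5b6c7d8e9f01";

    # allowDiscards = true passes TRIM through to an SSD. That reveals which
    # blocks are unused, which leaks file system layout through the encryption.
    # Keep it off unless SSD wear matters more than that leak on this machine.
    allowDiscards = false;
  };

  # The decrypted block device is what the root file system lives on.
  fileSystems."/" = {
    device = "/dev/mapper/cryptroot";
    fsType = "ext4";
  };
}
```

The initrd prompts for the passphrase at boot; because <code>device</code> is given by UUID, the same configuration survives adding or reordering disks.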
=== Isolation ===
==== Flatpaks ====
[https://en.wikipedia.org/wiki/Flatpak Flatpak]'ed applications are [https://docs.flatpak.org/en/latest/sandbox-permissions.html sandboxed] and require explicit privilege declaration for most access outside their own path. NixOS includes [https://nixos.org/manual/nixos/unstable/index.html#module-services-flatpak support for Flatpak]. Note that, since Flatpak application dependencies are [https://stackoverflow.com/questions/26217488/what-is-vendoring bundled/vendored], this introduces [https://blogs.gentoo.org/mgorny/2021/02/19/the-modern-packagers-security-nightmare/ other security risks] for the application: a vulnerable library has to be patched in every bundle that carries it, not once in the system. Also, most application flatpaks [https://flatkill.org/ do not make meaningful use of the sandbox], typically by declaring broad filesystem or session-bus access.
==== Linux Containers ====
NixOS includes support for Linux containers: its declarative <code>containers.*</code> module is built on systemd-nspawn, and [https://en.wikipedia.org/wiki/LXC LXC] is also packaged. Containers, by default, do not provide much security. They are, oversimplifying a lot, a [https://en.wikipedia.org/wiki/Chroot chroot] environment with kernel namespaces and some resource constraints ([https://en.wikipedia.org/wiki/Cgroups cgroups]). Without a user namespace, the root user in a container is also uid 0 on the whole system, so a container escape yields host root. To avoid this, you must use ''unprivileged containers'' (containers running in their own user namespace). There are some complications to this. The end of [https://blog.beardhatcode.be/2020/12/Declarative-Nixos-Containers.html this post] covers them well in brief.
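As an added example (not from the wiki or the linked post), a declarative NixOS container that gets its own network namespace and runs under systemd-nspawn's user namespacing, so uid 0 inside it maps to an unprivileged uid on the host. The container name, the nginx service inside it and the address pair are assumptions; <code>extraFlags</code> hands raw flags to <code>systemd-nspawn</code>, and <code>-U</code> is nspawn's private-users option.

```nix
{ config, pkgs, ... }:
{
  containers.webdemo = {
    autoStart = true;

    # Discard all container state on stop: nothing an attacker writes persists.
    ephemeral = true;

    # Separate network namespace; the container does not see host interfaces.
    privateNetwork = true;
    hostAddress = "10.231.136.1";   # assumed addresses for the veth pair
    localAddress = "10.231.136.2";

    # systemd-nspawn --private-users: a user namespace with a dedicated uid range,
    # so root in the container is not root on the host.
    extraFlags = [ "-U" ];

    config = { config, pkgs, ... }: {
      services.nginx = {
        enable = true;
        virtualHosts."localhost".root =
          pkgs.writeTextDir "index.html" "hello from the container\n";
      };
      # The container has its own firewall; only expose what the service needs.
      networking.firewall.allowedTCPPorts = [ 80 ];
      system.stateVersion = "24.05";
    };
  };
}
```

After <code>nixos-rebuild switch</code>, <code>curl http://10.231.136.2/</code> from the host reaches nginx. Inside the container, host-owned files on the bind-mounted store show up as <code>nobody</code> because their owners fall outside the mapped uid range; that is harmless for read-only use but is one of the rough edges the linked post discusses.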
* [https://www.nginx.com/blog/what-are-namespaces-cgroups-how-do-they-work/ What Are Namespaces and cgroups, and How Do They Work?]
* [https://www.toptal.com/linux/separation-anxiety-isolating-your-system-with-linux-namespaces A Tutorial for Isolating Your System with Linux Namespaces (code-based fundamental examples)]
==== Docker Containers ====
[https://en.wikipedia.org/wiki/Docker_(software) Docker] is a system for building and running application containers from portable images. On Linux it uses the same kernel primitives as LXC (namespaces and cgroups). Nix integrates tools to create Docker images (the templates from which containers are started), documented in the [https://nixos.org/manual/nixpkgs/unstable/#sec-pkgs-dockerTools Nixpkgs manual]. By default a Docker container gets its own namespaces, a reduced capability set and a seccomp profile ([https://docs.docker.com/engine/security/ Docker security overview]), but not a user namespace: uid 0 inside the container is uid 0 on the host unless the daemon is configured for user-namespace remapping (<code>userns-remap</code>). In that respect a default Docker container is closer to a privileged than to an unprivileged LXC container.
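As an added example (not from the wiki or the Nixpkgs manual), a minimal image built with <code>dockerTools.buildImage</code> that contains only the closure of one program and runs it as an unprivileged uid. The image name, the uid and the choice of <code>hello</code> are assumptions for illustration.

```nix
{ pkgs ? import <nixpkgs> { } }:

pkgs.dockerTools.buildImage {
  name = "hello-nonroot";
  tag = "latest";

  # Only the runtime closure of the listed packages goes into the image:
  # no shell, no package manager, nothing for an attacker to live off.
  copyToRoot = pkgs.buildEnv {
    name = "image-root";
    paths = [ pkgs.hello ];
    pathsToLink = [ "/bin" ];
  };

  # OCI container config. User makes the process start as uid/gid 1000
  # instead of uid 0; with no user-namespace remapping on the daemon,
  # uid 0 in the container would be uid 0 on the host.
  config = {
    User = "1000:1000";
    Cmd = [ "/bin/hello" ];
  };
}
```

Build with <code>nix-build image.nix</code> and load the result with <code>docker load < result</code>. Setting <code>User</code> limits what the process itself runs as; it does not replace daemon-level user-namespace remapping, which is what changes what uid 0 means if something in the image escalates.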
==== Virtual machines ====
NixOS includes support for hosting virtual machines. The Nix store of the host machine is shared read-only with guest machines, making them lighter-weight in terms of storage use than typical VMs. Guest VMs are easily built from Nix configurations.
* [https://github.com/NixOS/nixpkgs/blob/master/nixos/modules/virtualisation/qemu-vm.nix qemu-vm.nix - Implementation of QEMU builds of NixOS machine configurations]
* [https://github.com/firecracker-microvm/firecracker Firecracker microVM] - packages [https://search.nixos.org/packages?channel=unstable&show=firecracker&from=0&size=30&sort=relevance&type=packages&query=firecracker available]
* [https://github.com/astro/microvm.nix microvm.nix] builds and runs NixOS on various hypervisors
===== Test machines =====
* [http://blog.patapon.info/nixos-local-vm/ Updating NixOS local VMs] - Post demonstrating how to build and run a VM from a NixOS configuration and then update the configuration of the running VM on the fly.
* [https://archive.fosdem.org/2020/schedule/event/kernel_address_space_isolation/attachments/slides/3889/export/events/attachments/kernel_address_space_isolation/slides/3889/Address_Space_Isolation_in_the_Linux_Kernel.pdf 2020 IBM Presentation on Address Space Isolation in the Linux Kernel] - Containers within VMs are a norm for security in the cloud. Addresses ongoing work to improve isolation of containers and VMs.
* [https://googleprojectzero.blogspot.com/2021/06/an-epyc-escape-case-study-of-kvm.html An EPYC escape: Case-study of a KVM breakout] - Details the first known non-userspace vulnerability enabling a guest-to-host breakout.
==== Systemd Hardening ====
It is possible to increase the isolation of systemd services by using hardening options. For example, adding <code>PrivateNetwork=yes</code> to a unit removes access to the host network (the service only sees a private loopback interface). <code>systemd-analyze security <unit></code> lists which hardening directives a unit sets and scores its remaining exposure, which is a quick way to check what a given service still has access to.
For more information, please see [[Systemd_Hardening]].
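As an added example (not from the wiki or the [[Systemd_Hardening]] page), a NixOS service definition that applies the common hardening directives to a batch job which only needs to write its own state directory. The service name, its script and the chosen restrictions are assumptions for illustration; which directives a real service can tolerate depends on what it does.

```nix
{ config, pkgs, ... }:
{
  systemd.services.report-gen = {
    description = "example batch job that only needs its own state directory";
    wantedBy = [ "multi-user.target" ];

    serviceConfig = {
      Type = "oneshot";
      # $STATE_DIRECTORY is set by systemd from StateDirectory= below.
      ExecStart = "${pkgs.writeShellScript "report-gen" ''
        date +%s > "$STATE_DIRECTORY/last-run"
      ''}";

      # Identity and writable surface.
      DynamicUser = true;              # transient uid/gid, no persistent account
      StateDirectory = "report-gen";   # /var/lib/report-gen, owned by that user
      UMask = "0077";

      # Network: the job has no reason to talk to anything.
      PrivateNetwork = true;           # own netns with only loopback
      RestrictAddressFamilies = [ "AF_UNIX" ];

      # File system view: everything read-only except what StateDirectory grants.
      ProtectSystem = "strict";
      ProtectHome = true;
      PrivateTmp = true;
      PrivateDevices = true;
      ProtectKernelTunables = true;
      ProtectKernelModules = true;
      ProtectControlGroups = true;

      # Privilege and syscall surface.
      NoNewPrivileges = true;
      CapabilityBoundingSet = "";      # no capabilities at all
      RestrictNamespaces = true;
      LockPersonality = true;
      MemoryDenyWriteExecute = true;
      SystemCallArchitectures = "native";
      # Allow the usual service syscalls, then remove the privileged and
      # resource-control groups from that allow-list.
      SystemCallFilter = [ "@system-service" "~@privileged" "~@resources" ];
    };
  };
}
```

After <code>nixos-rebuild switch</code>, <code>systemd-analyze security report-gen.service</code> shows the directives in effect and the resulting exposure score; removing a directive (for instance <code>PrivateNetwork</code> for a job that must fetch data) raises the score, which makes the trade-off visible instead of implicit.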
=== Networking ===
* [https://nixos.org/manual/nixos/unstable/index.html#sec-firewall NixOS Manual - Networking Chapter: Firewall]
* [https://nixos.org/manual/nixos/unstable/options.html#opt-networking.firewall.enable NixOS Manual - Options: networking.firewall.enable]
== Awaiting NixOS support ==
This section covers important security technologies which still need full NixOS support.
=== Secure Boot ===
Development of [https://en.wikipedia.org/wiki/Unified_Extensible_Firmware_Interface#Secure_Boot UEFI Secure Boot] support is [https://github.com/NixOS/nixpkgs/issues/42127 in progress]. An experimental Secure Boot implementation is available in [https://github.com/nix-community/lanzaboote Lanzaboote], which signs the boot artifacts with keys you generate and enroll in the firmware rather than relying on a vendor-signed shim.
=== SELinux ===
It is possible to use [https://en.wikipedia.org/wiki/Security-Enhanced_Linux Security-Enhanced Linux (SELinux)] in NixOS, but proper integration does not exist. This does not appear to have gotten much attention [https://github.com/NixOS/rfcs/pull/41 since 2019]. Work on it was revived in 2025, but there is no telling when it will land in NixOS.
== Nix official references ==