Security: Difference between revisions

Core Nix features: Reorder paragraphs to place Security by Obscurity last
Golbinex
Add NixOS Hardening link
 
(5 intermediate revisions by 5 users not shown)
Line 46: Line 46:
==== Flatpaks ====
==== Flatpaks ====


[https://en.wikipedia.org/wiki/Flatpak Flatpak]'ed applications are [https://docs.flatpak.org/en/latest/sandbox-permissions.html sandboxed] and require explicit privilege declaration for most access outside their own path. NixOS includes [https://nixos.org/manual/nixos/unstable/index.html#module-services-flatpak support for Flatpak]. Note that, since Flatpak application dependencies are [https://stackoverflow.com/questions/26217488/what-is-vendoring bundled/vendored], this introduces [https://blogs.gentoo.org/mgorny/2021/02/19/the-modern-packagers-security-nightmare/ other security risks] for the application . Also, most application flatpaks [https://flatkill.org/ do no not make meaningful use of the sandbox].
[https://en.wikipedia.org/wiki/Flatpak Flatpak]'ed applications are [https://docs.flatpak.org/en/latest/sandbox-permissions.html sandboxed] and require explicit privilege declaration for most access outside their own path. NixOS includes [https://nixos.org/manual/nixos/unstable/index.html#module-services-flatpak support for Flatpak]. Note that, since Flatpak application dependencies are [https://stackoverflow.com/questions/26217488/what-is-vendoring bundled/vendored], this introduces [https://blogs.gentoo.org/mgorny/2021/02/19/the-modern-packagers-security-nightmare/ other security risks] for the application . Also, most application flatpaks [https://flatkill.org/ do not make meaningful use of the sandbox].


==== Linux Containers ====
==== Linux Containers ====
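Review bot: the stray space before the full stop in "for the application ." survives in both the old and the new version of the Flatpak paragraph; since this hunk already fixes "do no not", drop that space as well. Two smaller points: "Flatpak'ed applications" reads better as "Flatpak applications", and the blanket claim that "most application flatpaks do not make meaningful use of the sandbox" rests on a single external survey (flatkill.org), so it should say when that assessment was made rather than present it as a standing fact.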
Line 110: Line 110:
=== Secure Boot ===
=== Secure Boot ===


Development of [https://en.wikipedia.org/wiki/Unified_Extensible_Firmware_Interface#Secure_Boot UEFI Secure Boot] support is [https://github.com/NixOS/nixpkgs/issues/42127 in flight]. An experimental secure boot implementation is available in [https://github.com/nix-community/lanzaboote Lanzaboote]
Development of [https://en.wikipedia.org/wiki/Unified_Extensible_Firmware_Interface#Secure_Boot UEFI Secure Boot] support is [https://github.com/NixOS/nixpkgs/issues/42127 in flight]. An experimental Secure Boot implementation is available in [https://github.com/nix-community/lanzaboote Lanzaboote]. [[Limine]] bootloader also supports Secure Boot.


=== SELinux ===
=== SELinux ===


It is possible to use [https://en.wikipedia.org/wiki/Security-Enhanced_Linux Security-Enhanced Linux (SELinux)] in NixOS, but proper integration does not exist. This does not appear to have gotten much attention [https://github.com/NixOS/rfcs/pull/41 since 2019].
It is possible to use [https://en.wikipedia.org/wiki/Security-Enhanced_Linux Security-Enhanced Linux (SELinux)] in NixOS, but proper integration does not exist. This does not appear to have gotten much attention [https://github.com/NixOS/rfcs/pull/41 since 2019]. However, there has been revived work in 2025 but there's no telling when things will land in NixOS.


== Nix official references ==
== Nix official references ==
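Review bot: the added SELinux sentence "there has been revived work in 2025 but there's no telling when things will land in NixOS" is unsourced and informal, unlike the neighbouring claims which link the RFC and the nixpkgs issue; link the 2025 work (the PR, RFC or tracking issue) and replace "there's no telling when things will land" with something like "no timeline for integration into NixOS has been announced". Likewise, the new "[[Limine]] bootloader also supports Secure Boot." sentence would benefit from a link to Limine's Secure Boot documentation or the NixOS option that enables it, matching how the Lanzaboote sentence is sourced.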
Line 124: Line 124:
=== NixOS ===
=== NixOS ===


* [[NixOS Hardening]]
* [https://christine.website/blog/paranoid-nixos-2021-07-18 Blog - Paranoid NixOS Setup]
* [https://christine.website/blog/paranoid-nixos-2021-07-18 Blog - Paranoid NixOS Setup]
* [https://github.com/flyingcircusio/vulnix vulnix] - Vulnerability (CVE) scanner for Nix/NixOS
* [https://github.com/flyingcircusio/vulnix vulnix] - Vulnerability (CVE) scanner for Nix/NixOS
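Review bot: the new "* [[NixOS Hardening]]" entry lacks the " - short description" suffix the surrounding list items use (compare "vulnix - Vulnerability (CVE) scanner for Nix/NixOS"); add a one-line description so a reader can tell what the page covers without following the link.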
Line 142: Line 143:
* [https://github.com/decalage2/awesome-security-hardening awesome-security-hardening] - Collection of security hardening guides, tools and other resources.
* [https://github.com/decalage2/awesome-security-hardening awesome-security-hardening] - Collection of security hardening guides, tools and other resources.


=== Supply chain security ===
* [https://nixcademy.com/posts/secure-supply-chain-with-nix/ Demonstrably Secure Software Supply Chains with Nix], Nixcademy


[[Category:Guide]]
[[Category:Guide]]
[[Category:NixOS]]
[[Category:NixOS]]
[[Category:Nix]]
[[Category:Nix]]
[[Category:Security]]
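Review bot: the new "Supply chain security" entry uses an author suffix (", Nixcademy") while the rest of the references list uses the "link - description" form (see the awesome-security-hardening item just above); for consistency write it as "[... Demonstrably Secure Software Supply Chains with Nix] - Nixcademy blog post". Since it is the only item under the new "=== Supply chain security ===" heading, consider whether a dedicated subsection is warranted yet or whether the link belongs in the existing NixOS references until there is more than one entry. The added [[Category:Security]] looks correct.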