Security: Difference between revisions
Compared revisions (both by imported>Nix): m "→Isolation: fix placement", followed by "→Virtual machines: update section".

Line 64, unchanged in both revisions:
[https://en.wikipedia.org/wiki/Virtual_machine Virtual machines] are generally one of the most robust tools available for process isolation. They come with [https://www.brendangregg.com/blog/2017-11-29/aws-ec2-virtualization-2017.html performance penalties] and resource overheads.

Old: NixOS includes support for hosting virtual machines.
New: NixOS includes support for hosting virtual machines. The Nix store of the host machine is shared read-only with guest machines, making them lighter-weight in terms of storage use than typical VMs. Guest VMs are easily built from Nix configurations.
New: [https://github.com/NixOS/nixpkgs/blob/master/nixos/modules/virtualisation/qemu-vm.nix qemu-vm.nix - Implementation of QEMU builds of NixOS machine configurations]

Unchanged:
====== Test machines ======
NixOS integrates support for building [[NixOS:nixos-rebuild_build-vm|test VMs]] to test configuration changes to your system.

New: NixOS also uses VMs to continuously validate functionality of the system. [https://nixos.org/manual/nixos/unstable/index.html#sec-writing-nixos-tests NixOS Manual - Writing Tests Chapter] covers this.

Unchanged:
== Nix official references ==
Revision as of 08:52, 27 September 2021
Overview
This page is a guide to securing NixOS. Topics like hardening, process isolation, virtualization, firewalls, SELinux, containers, sandboxes, encryption, VPNs, etc. are in scope.
What Nix already gives you
Core features
These are security elements that are core features of using Nix(OS).
Obscurity of Nix store
In a vanilla NixOS system, the typical Linux filesystem hierarchy is, in large part, replaced by the Nix store and its user environments. This means that malware which relies on finding system tools at their conventional paths may fail. This is a form of security through obscurity and is only a minor layer of protection.
Effort to isolate runtime search paths
In general, there is an effort to avoid rpath collisions across users [1].
Multi-user installation
NixOS is automatically installed in multi-user mode. For standalone Nix, the manual covers multi-user installs. This gives each user an isolated store environment and avoids granting them root access in order to install their personal applications (achieved by delegating Nix build operations to dedicated, unprivileged build users).
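As an added example (not from the wiki page), the NixOS configuration fragment below shows the daemon-side settings a multi-user install relies on: which users may talk to the Nix daemon at all, which are trusted to override sandboxing and substituters (effectively root-equivalent), and how many build users the daemon may use. The group name nix-users, the user alice and the build-user count are assumptions for this example.

```nix
# Added example: restricting access to the Nix daemon on a multi-user NixOS
# install. Option names are the nix.settings.* ones; "nix-users", "alice"
# and the build-user count are assumed values, not anything the page gives.
{ config, pkgs, ... }:

{
  nix.settings = {
    # Only these users (and members of these groups) may connect to the
    # daemon. Everyone else cannot build or install anything.
    allowed-users = [ "root" "@wheel" "@nix-users" ];

    # Trusted users may turn off the build sandbox and add arbitrary
    # substituters, which amounts to root on the machine. Keep this minimal.
    trusted-users = [ "root" ];

    # Run builds inside the kernel-namespace sandbox (the Linux default).
    sandbox = true;
  };

  # Pool of unprivileged nixbld accounts that builds are delegated to.
  nix.nrBuildUsers = 16;

  # A group whose members may use Nix without being in wheel.
  users.groups.nix-users = { };
  users.users.alice = {
    isNormalUser = true;
    extraGroups = [ "nix-users" ];
  };
}
```

The point to check on an existing system is `trusted-users`: anything beyond `root` there undoes the isolation the multi-user model provides, because a trusted user can pass `--option sandbox false` or point the daemon at a substituter they control.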
Data integrity and authenticity
The core installation resources for Nix(OS) have SHA256 checksums which are GPG signed by the Nix team for authenticity. Within the installation data are all the SHA256 checksums for packages that were available within Nixpkgs at build time.
Every package pulled into your Nix system through a Nixpkgs derivation build is checked against a SHA256 checksum already present on your local system (and which should be traceable back to the signed core Nix install materials).
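To make the mechanism concrete, here is an added example (not from the page) of the check described above as it appears in a package expression: a fixed-output fetch declares the hash of the bytes it expects, and Nix refuses to place the download in the store if the bytes differ. The URL and package name are placeholders; the hash shown is nixpkgs' `lib.fakeHash` value, which is deliberately wrong so that the first build fails and prints the real hash to pin.

```nix
# Added example: a fixed-output fetch guarded by its declared hash.
# URL, pname and version are placeholders chosen for illustration.
{ pkgs ? import <nixpkgs> { }, lib ? pkgs.lib }:

let
  src = pkgs.fetchurl {
    url = "https://example.invalid/releases/tool-1.0.tar.gz";
    # Placeholder (lib.fakeHash). Nix compares the SHA256 of the downloaded
    # bytes against this value; on mismatch the build aborts with a
    # "hash mismatch" error instead of accepting the file. Replace it with
    # the hash Nix reports, after confirming it against the upstream
    # checksum or signature.
    hash = lib.fakeHash;
  };
in
pkgs.stdenv.mkDerivation {
  pname = "tool";
  version = "1.0";
  inherit src;
  # Nothing below runs until the fetch above has passed its hash check,
  # so an altered tarball never reaches the build sandbox.
}
```

Because the hash lives in the expression, which is itself tracked in Nixpkgs, a change to the source bytes shows up as a change in the reviewed expression rather than silently in the download.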
Supported
These are features which are easily supported using Nix(OS).
Encryption
These are features which can protect data on a system.
Filesystem encryption
NixOS has LUKS partition-level disk encryption support.
NixOS Manual - LUKS-Encrypted File Systems
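As an added example (not from the page or the manual), the configuration below declares a LUKS-encrypted root in NixOS: the initrd unlocks the container before the root filesystem is mounted, while /boot stays unencrypted so the bootloader can load the kernel and initrd. The UUIDs are placeholders and the mapper name cryptroot is assumed.

```nix
# Added example: LUKS-encrypted root filesystem on NixOS.
# UUIDs are placeholders; "cryptroot" is an assumed mapper name.
{ ... }:

{
  # Unlock the LUKS container early, from the initrd, so "/" can be mounted.
  boot.initrd.luks.devices."cryptroot" = {
    device = "/dev/disk/by-uuid/00000000-0000-0000-0000-000000000000"; # placeholder
    # Passing TRIM through the mapping reveals which blocks are unused on
    # the underlying device; keep it off unless performance requires it.
    allowDiscards = false;
  };

  # The decrypted block device appears under /dev/mapper.
  fileSystems."/" = {
    device = "/dev/mapper/cryptroot";
    fsType = "ext4";
  };

  # /boot is unencrypted: the bootloader needs to read the kernel and initrd
  # before any key is entered. Nothing sensitive should be stored here.
  fileSystems."/boot" = {
    device = "/dev/disk/by-uuid/1111-1111"; # placeholder
    fsType = "vfat";
  };
}
```

The security boundary this gives is data at rest: the key is entered at boot and the volume is open for as long as the system runs, so it does not protect against a compromise of the running system.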
Isolation
These are features which can limit a process or package's access to the host system.
Flatpak support
Flatpak applications are sandboxed and require explicit privilege declarations for most access outside their own path. NixOS includes support for Flatpak. Note that, since Flatpak application dependencies are bundled/vendored, this introduces other security risks for the application [2].
Containers
NixOS includes support for Linux Containers (LXC). Containers, by default, do not provide much security: oversimplifying a lot, they are a chroot environment with some resource constraints (cgroups). By default, the root user inside a container is also root on the whole system. To avoid this, you must use unprivileged containers, which brings some complications of its own; the end of this post covers them briefly.
References
- NixOS Manual - Administration: Containers Chapter.
- The manual, notably, currently has no mention of using unprivileged containers.
- LXC 1.0 Release, Security Features Coverage (user namespaces, unprivileged containers)
- Youtube - Red Hat: How containers use PID namespaces to provide process isolation
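As an added example (not from the page or the manual), the fragment below uses the declarative `containers.<name>` options covered by the manual's Containers chapter to reduce what a container can reach: its own network namespace, a writable layer discarded on every restart, and a single read-only bind mount instead of the host filesystem. The container name, addresses and paths are assumed. Note what it does not do: it does not make the container unprivileged, so the point above about root inside the container still applies to it.

```nix
# Added example: a declarative NixOS container with reduced host exposure.
# Name, addresses and paths are assumed values for illustration.
{ ... }:

{
  containers.webapp = {
    autoStart = true;

    # Separate network namespace with a veth pair to the host, instead of
    # sharing the host's network stack and its listening services.
    privateNetwork = true;
    hostAddress = "10.231.136.1";
    localAddress = "10.231.136.2";

    # Throw away the container's writable state on every restart, so
    # anything an attacker drops inside does not persist.
    ephemeral = true;

    # Expose only the directory the service needs, and read-only.
    bindMounts."/srv/site" = {
      hostPath = "/var/lib/site";
      isReadOnly = true;
    };

    # The guest is an ordinary NixOS configuration.
    config = { pkgs, ... }: {
      services.nginx = {
        enable = true;
        virtualHosts."localhost".root = "/srv/site";
      };
      # The container has its own firewall; open only what it serves.
      networking.firewall.allowedTCPPorts = [ 80 ];
      system.stateVersion = "21.05";
    };
  };
}
```

Even with these settings, a process that escapes the container runs as host root, which is why the section above points at unprivileged containers (user namespaces) as the real fix.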
Virtual machines
Virtual machines are generally one of the most robust tools available for process isolation. They come with performance penalties and resource overheads.
NixOS includes support for hosting virtual machines. The Nix store of the host machine is shared read-only with guest machines, making them lighter-weight in terms of storage use than typical VMs. Guest VMs are easily built from Nix configurations.
qemu-vm.nix - Implementation of QEMU builds of NixOS machine configurations
Test machines
NixOS integrates support for building test VMs in which configuration changes to your system can be tried out before they are applied.
NixOS also uses VMs to continuously validate functionality of the system. NixOS Manual - Writing Tests Chapter covers this.
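Bringing the two points above together, here is an added example (not from the page or the manual) of a NixOS VM test in the shape the Writing Tests chapter describes: two guest VMs built from Nix configurations, sharing the host's store read-only, used to check that a firewall rule actually holds. The test name, ports and file contents are assumed; it is built with `nix-build` on a file containing this expression.

```nix
# Added example: a NixOS VM test asserting that the firewall blocks a port
# from another machine while leaving it reachable over loopback.
# Node names, ports and content are assumed values.
{ pkgs ? import <nixpkgs> { } }:

pkgs.nixosTest {
  name = "firewall-blocks-admin-port";

  nodes = {
    server = { pkgs, ... }: {
      services.nginx = {
        enable = true;
        # Public listener on 80 ...
        virtualHosts."public" = {
          listen = [ { addr = "0.0.0.0"; port = 80; } ];
          root = pkgs.writeTextDir "index.html" "ok";
        };
        # ... and an admin listener on 8080 that binds to all addresses but
        # must only be reachable from the machine itself.
        virtualHosts."admin" = {
          listen = [ { addr = "0.0.0.0"; port = 8080; } ];
          root = pkgs.writeTextDir "index.html" "admin";
        };
      };
      # 8080 is deliberately absent: the firewall, not the bind address,
      # is what keeps it local.
      networking.firewall.allowedTCPPorts = [ 80 ];
    };

    client = { pkgs, ... }: {
      environment.systemPackages = [ pkgs.curl ];
    };
  };

  # Python test driver; node names resolve as hostnames between the VMs.
  testScript = ''
    start_all()
    server.wait_for_unit("nginx.service")
    server.wait_for_open_port(80)
    server.wait_for_open_port(8080)

    # The public port is reachable from the other VM ...
    client.succeed("curl -sf http://server/")
    # ... while the firewall drops traffic to the admin port.
    client.fail("curl -sf --max-time 5 http://server:8080/")
    # On the server itself the admin port still answers over loopback.
    server.succeed("curl -sf http://127.0.0.1:8080/")
  '';
}
```

Because the VMs are built from the same module system as a real deployment, a test like this can be run against the exact firewall configuration that will ship, and it fails the build if someone later adds 8080 to allowedTCPPorts.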
Nix official references