Security: Difference between revisions

imported>Nix
start writing security story for Nix
 
imported>Nix
add encryption, LUKS
Line 25: Line 25:
These are features which are easily supported using Nix(OS).
These are features which are easily supported using Nix(OS).


==== Flatpak support ====
==== Encryption ====
 
These are features which can protect data on a system.
 
===== Filesystem encryption =====
 
NixOS has [https://en.wikipedia.org/wiki/Linux_Unified_Key_Setup LUKS] partition-level disk encryption support.
 
[https://nixos.org/manual/nixos/unstable/index.html#sec-luks-file-systems NixOS Manual - LUKS-Encrypted File Systems]
 
==== Isolation ====
 
These are features which can limit a process or package's access to the host system.
 
===== Flatpak support =====


[https://en.wikipedia.org/wiki/Flatpak Flatpak]'ed applications are [https://docs.flatpak.org/en/latest/sandbox-permissions.html sandboxed] and require explicit privilege declaration for most access outside their own path. NixOS includes [https://nixos.org/manual/nixos/unstable/index.html#module-services-flatpak support for Flatpak]. Note that, since Flatpak application dependencies are [https://stackoverflow.com/questions/26217488/what-is-vendoring bundled/vendored], this introduces other security risks for the application [https://blogs.gentoo.org/mgorny/2021/02/19/the-modern-packagers-security-nightmare/].
[https://en.wikipedia.org/wiki/Flatpak Flatpak]'ed applications are [https://docs.flatpak.org/en/latest/sandbox-permissions.html sandboxed] and require explicit privilege declaration for most access outside their own path. NixOS includes [https://nixos.org/manual/nixos/unstable/index.html#module-services-flatpak support for Flatpak]. Note that, since Flatpak application dependencies are [https://stackoverflow.com/questions/26217488/what-is-vendoring bundled/vendored], this introduces other security risks for the application [https://blogs.gentoo.org/mgorny/2021/02/19/the-modern-packagers-security-nightmare/].


==== Containers ====
===== Containers =====


NixOS includes support for [https://en.wikipedia.org/wiki/LXC Linux Containers (LXC)]. Containers, by default, don't provide much security. They are, oversimplifying a lot, a [https://en.wikipedia.org/wiki/Chroot chroot] environment with some resource constraints ([https://en.wikipedia.org/wiki/Cgroups cgroups]). The root user in a container would also be root on the whole system though. To avoid this, you must use ''unprivileged containers''. There are some complications to this. The end of [https://blog.beardhatcode.be/2020/12/Declarative-Nixos-Containers.html this post] covers them well in brief.
NixOS includes support for [https://en.wikipedia.org/wiki/LXC Linux Containers (LXC)]. Containers, by default, do not provide much security. They are, oversimplifying a lot, a [https://en.wikipedia.org/wiki/Chroot chroot] environment with some resource constraints ([https://en.wikipedia.org/wiki/Cgroups cgroups]). The root user in a container would also be root on the whole system though. To avoid this, you must use ''unprivileged containers''. There are some complications to this. The end of [https://blog.beardhatcode.be/2020/12/Declarative-Nixos-Containers.html this post] covers them well in brief.


===== References =====
===== References =====
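Review bot: the unchanged `===== References =====` heading at the end of this hunk now sits at the same level as the demoted `===== Containers =====`, so the LXC reference list under it reads as a sibling subsection of Isolation instead of as the references for Containers. Containers moved from level 4 to level 5, so References should move down with it (`====== References ======`), or the links should be folded into the Containers paragraph. Two smaller points in the new Encryption block: the manual link under Filesystem encryption stands alone with no sentence introducing it, and the intro line "protect data on a system" would be more accurate if it said that LUKS protects data at rest, since an unlocked volume on a running system is readable by anything with access to the mounted filesystem.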
Line 38: Line 52:
* [https://stgraber.org/2014/01/01/lxc-1-0-security-features/ LXC 1.0 Release, Security Features Coverage (user namespaces, unprivileged containers)]
* [https://stgraber.org/2014/01/01/lxc-1-0-security-features/ LXC 1.0 Release, Security Features Coverage (user namespaces, unprivileged containers)]


== Nix Official References ==
== Nix official references ==


* [https://nixos.org/manual/nix/stable/#ch-nix-security Nix Manual - Security Chapter]
* [https://nixos.org/manual/nix/stable/#ch-nix-security Nix Manual - Security Chapter]
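Review bot: renaming the heading to `== Nix official references ==` changes the section anchor that MediaWiki derives from the heading text, so any existing link to `#Nix_Official_References` will no longer jump to this section. Check for inbound links to the old anchor before saving. The edit summary "add encryption, LUKS" also does not mention this rename or the restructuring under Isolation, which makes the revision harder to audit from the history.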