Security: Difference between revisions

Previous revision by imported>Nix
Current revision by imported>Nix (restructure)
This page is a guide to securing NixOS. Topics like hardening, process isolation, virtualization, firewalls, SELinux, containers, sandboxes, encryption, VPNs, etc. are in scope.

== Core Nix features ==

These are security elements that are core features of using Nix(OS).

=== Obscurity of Nix store ===

In a vanilla NixOS system, the typical [https://en.wikipedia.org/wiki/Filesystem_Hierarchy_Standard Linux filesystem hierarchy] is, in large part, replaced with the Nix store's [[User Environment|user environments]]. This means that some malware which relies on finding system tools in particular places might fail. This is a form of [https://en.wikipedia.org/wiki/Security_through_obscurity security through obscurity] and is only a minor layer of protection.

=== Effort to isolate runtime search paths ===

In general, there is an effort to avoid [https://en.wikipedia.org/wiki/Rpath rpath] collisions across users [https://github.com/NixOS/nix/commit/eba840c8a13b465ace90172ff76a0db2899ab11b].

=== Multi-user installation ===

NixOS is automatically installed in multi-user mode. For standalone Nix, the manual covers [https://nixos.org/manual/nix/stable/#ssec-multi-user multi-user installs]. This allows multiple users to have isolated store environments without needing root access to install their personal applications (achieved by having dedicated build users to which Nix operations are delegated).

=== Data integrity and authenticity ===

The core installation resources for Nix(OS) have [https://en.wikipedia.org/wiki/SHA-2 SHA256] checksums which are [https://en.wikipedia.org/wiki/GNU_Privacy_Guard GPG] signed by the [https://nixos.org/download.html#nix-verify-installation Nix team] for authenticity. Within the installation data are all the SHA256 checksums for packages that were available within Nixpkgs at build time.
All packages which are pulled into your Nix system via Nixpkgs derivation builds are checked against SHA256 checksums which are already available on your local system (and should be traceable to the signed core Nix install materials).

== Supported by Nix ==

These are features which are easily supported using Nix(OS).

=== Encryption ===

These are features which can protect data on a system.

==== Filesystem encryption ====

NixOS has [https://en.wikipedia.org/wiki/Linux_Unified_Key_Setup LUKS] partition-level disk encryption support.
[https://nixos.org/manual/nixos/unstable/index.html#sec-luks-file-systems NixOS Manual - LUKS-Encrypted File Systems]
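An added configuration example (not the wiki page's or the NixOS manual's own) showing the shape of a LUKS setup on NixOS: the container is unlocked in the initrd and the mapped device is mounted as root, with swap encrypted under a fresh random key each boot. The device UUIDs are placeholders to be replaced with the output of <code>blkid</code> on the real system.

```nix
# Added example, not from the wiki page. UUIDs are placeholders.
{ config, lib, pkgs, ... }:

{
  # Unlock the LUKS container in the initrd, before the root filesystem
  # is mounted. The attribute name becomes the /dev/mapper/<name> device.
  boot.initrd.luks.devices."cryptroot" = {
    # Encrypted block device (placeholder UUID; find the real one with blkid).
    device = "/dev/disk/by-uuid/00000000-0000-0000-0000-000000000000";
    # Passing TRIM/discard through lets free-space patterns reach the SSD.
    # Keep it off unless the performance gain is worth that leak.
    allowDiscards = false;
  };

  # Mount the decrypted mapping as root.
  fileSystems."/" = {
    device = "/dev/mapper/cryptroot";
    fsType = "ext4";
  };

  # The ESP stays unencrypted: the bootloader must be able to read the
  # kernel and initrd before anything can be unlocked.
  fileSystems."/boot" = {
    device = "/dev/disk/by-uuid/1111-2222";  # placeholder
    fsType = "vfat";
  };

  # Swap encrypted with a random key generated at every boot. Nothing written
  # to swap survives a reboot, which also means hibernation is not possible.
  swapDevices = [
    {
      device = "/dev/disk/by-partuuid/22222222-2222-2222-2222-222222222222";
      randomEncryption.enable = true;
    }
  ];
}
```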
=== Isolation ===

These are features which can limit a process or package's access to the host system.

==== Flatpaks ====

[https://en.wikipedia.org/wiki/Flatpak Flatpak]'ed applications are [https://docs.flatpak.org/en/latest/sandbox-permissions.html sandboxed] and require explicit privilege declaration for most access outside their own path. NixOS includes [https://nixos.org/manual/nixos/unstable/index.html#module-services-flatpak support for Flatpak]. Note that, since Flatpak application dependencies are [https://stackoverflow.com/questions/26217488/what-is-vendoring bundled/vendored], this introduces other security risks for the application [https://blogs.gentoo.org/mgorny/2021/02/19/the-modern-packagers-security-nightmare/].

==== Containers ====

NixOS includes support for [https://en.wikipedia.org/wiki/LXC Linux Containers (LXC)]. Containers, by default, do not provide much security. They are, oversimplifying a lot, a [https://en.wikipedia.org/wiki/Chroot chroot] environment with some resource constraints ([https://en.wikipedia.org/wiki/Cgroups cgroups]). The root user in a container is, by default, also root on the whole system. To avoid this, you must use ''unprivileged containers''. There are some complications to this. The end of [https://blog.beardhatcode.be/2020/12/Declarative-Nixos-Containers.html this post] covers them well in brief.

===== References =====

* [https://nixos.org/manual/nixos/unstable/index.html#ch-containers NixOS Manual - Administration: Containers Chapter].
* [https://www.toptal.com/linux/separation-anxiety-isolating-your-system-with-linux-namespaces A Tutorial for Isolating Your System with Linux Namespaces (code-based fundamental examples)]
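An added example (not the wiki page's own) of a declarative NixOS container that takes the unprivileged route the Containers paragraph recommends: its own network namespace, only the service's port open inside, and user-namespace remapping requested from systemd-nspawn so that root inside is not root on the host. The container name, the addresses, the <code>eth0</code> uplink and the <code>--private-users=pick</code> flag passed through <code>extraFlags</code> are assumptions; that flag is the part subject to the complications the linked post describes, so verify it against your storage setup.

```nix
# Added example, not from the wiki page. Names, addresses and the uplink
# interface are assumptions.
{ config, pkgs, ... }:

{
  containers.webapp = {
    autoStart = true;

    # Separate network namespace: the container gets its own veth pair and
    # cannot see the host's interfaces or bind to the host's ports.
    privateNetwork = true;
    hostAddress = "192.168.100.10";
    localAddress = "192.168.100.11";

    # Assumption: ask systemd-nspawn for a user namespace with a picked UID
    # range, so UID 0 inside maps to an unprivileged host UID. Whether the
    # container's files work with that mapping is the main complication.
    extraFlags = [ "--private-users=pick" ];

    config = { config, pkgs, ... }: {
      services.nginx = {
        enable = true;
        # Static content comes from the (read-only, bind-mounted) Nix store.
        virtualHosts."localhost".root =
          pkgs.writeTextDir "index.html" "<h1>hello from the container</h1>";
      };
      # The container has its own firewall; expose only what the service needs.
      networking.firewall.allowedTCPPorts = [ 80 ];
    };
  };

  # On the host, route container traffic through NAT on the veth interfaces.
  # Nothing here opens port 80 on the host's own firewall.
  networking.nat = {
    enable = true;
    internalInterfaces = [ "ve-+" ];
    externalInterface = "eth0";   # assumption: host uplink interface
  };
}
```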
==== Virtual machines ====

[https://en.wikipedia.org/wiki/Virtual_machine Virtual machines] are generally one of the most robust tools available for process isolation. They come with [https://www.brendangregg.com/blog/2017-11-29/aws-ec2-virtualization-2017.html performance penalties] and resource overheads.
[https://github.com/NixOS/nixpkgs/blob/master/nixos/modules/virtualisation/qemu-vm.nix qemu-vm.nix - Implementation of QEMU builds of NixOS machine configurations]

===== Test machines =====

NixOS integrates support for building [[NixOS:nixos-rebuild_build-vm|test VMs]] to test configuration changes to your system.
NixOS also uses VMs to continuously validate functionality of the system. [https://nixos.org/manual/nixos/unstable/index.html#sec-writing-nixos-tests NixOS Manual - Writing Tests Chapter] covers this.

===== References =====

* [https://archive.fosdem.org/2020/schedule/event/kernel_address_space_isolation/attachments/slides/3889/export/events/attachments/kernel_address_space_isolation/slides/3889/Address_Space_Isolation_in_the_Linux_Kernel.pdf 2020 IBM Presentation on Address Space Isolation in the Linux Kernel] - Containers within VMs are a norm for security in the cloud. It addresses ongoing work to improve isolation of containers and VMs.

=== Networking ===

These are features which improve system security in relation to the world outside of the system.

==== Firewall ====

NixOS includes a simple stateful firewall. It is enabled by default and blocks incoming connections and other unexpected packets.
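An added example (not the wiki page's own) that ties the VM-test machinery from the Test machines section to the firewall described here: a NixOS VM test with a server and a client, asserting that a port listed in <code>allowedTCPPorts</code> is reachable while an unlisted listener on the same machine is dropped by the default firewall. It assumes a nixpkgs recent enough to provide <code>pkgs.testers.runNixOSTest</code>; the node names, services and port numbers are constructed for the test.

```nix
# Added example, not from the wiki page. Assumes pkgs.testers.runNixOSTest.
{ pkgs ? import <nixpkgs> { } }:

pkgs.testers.runNixOSTest {
  name = "firewall-default-deny";

  nodes = {
    # The server runs two listeners but opens only one of them in the firewall.
    server = { pkgs, ... }: {
      networking.firewall.enable = true;   # the default, stated explicitly
      networking.firewall.allowedTCPPorts = [ 8080 ];
      networking.firewall.logRefusedConnections = true;

      systemd.services.allowed-listener = {
        wantedBy = [ "multi-user.target" ];
        script = "${pkgs.python3}/bin/python3 -m http.server 8080";
      };
      systemd.services.blocked-listener = {
        wantedBy = [ "multi-user.target" ];
        script = "${pkgs.python3}/bin/python3 -m http.server 9090";
      };
    };

    client = { pkgs, ... }: {
      environment.systemPackages = [ pkgs.curl ];
    };
  };

  # The test driver resolves node names, so "server" is reachable from "client".
  testScript = ''
    start_all()
    server.wait_for_unit("firewall.service")
    # Both listeners are up locally; the firewall decides what the client sees.
    server.wait_for_open_port(8080)
    server.wait_for_open_port(9090)

    # Listed port: the request is served.
    client.succeed("curl --fail --max-time 5 http://server:8080/")
    # Unlisted port: the firewall drops the SYN (no reject by default),
    # so curl times out rather than reaching the listener.
    client.fail("curl --fail --max-time 5 http://server:9090/")
  '';
}
```

Run it with <code>nix-build</code> on this file; the build succeeds only if both assertions hold, which is exactly how NixOS's own test suite validates modules.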