Official NixOS Wiki

Security: Difference between revisions

← Older editNewer edit →
VisualWikitext
imported>Nix
add Secure Boot
imported>Nix
Isolation: add Docker section
Line 48: Line 48:
[https://en.wikipedia.org/wiki/Flatpak Flatpak]'ed applications are [https://docs.flatpak.org/en/latest/sandbox-permissions.html sandboxed] and require explicit privilege declaration for most access outside their own path. NixOS includes [https://nixos.org/manual/nixos/unstable/index.html#module-services-flatpak support for Flatpak]. Note that, since Flatpak application dependencies are [https://stackoverflow.com/questions/26217488/what-is-vendoring bundled/vendored], this introduces other security risks for the application [https://blogs.gentoo.org/mgorny/2021/02/19/the-modern-packagers-security-nightmare/].
[https://en.wikipedia.org/wiki/Flatpak Flatpak]'ed applications are [https://docs.flatpak.org/en/latest/sandbox-permissions.html sandboxed] and require explicit privilege declaration for most access outside their own path. NixOS includes [https://nixos.org/manual/nixos/unstable/index.html#module-services-flatpak support for Flatpak]. Note that, since Flatpak application dependencies are [https://stackoverflow.com/questions/26217488/what-is-vendoring bundled/vendored], this introduces other security risks for the application [https://blogs.gentoo.org/mgorny/2021/02/19/the-modern-packagers-security-nightmare/].


==== Containers ====
==== Linux Containers ====


NixOS includes support for [https://en.wikipedia.org/wiki/LXC Linux Containers (LXC)]. Containers, by default, do not provide much security. They are, oversimplifying a lot, a [https://en.wikipedia.org/wiki/Chroot chroot] environment with some resource constraints ([https://en.wikipedia.org/wiki/Cgroups cgroups]). The root user in a container would also be root on the whole system though. To avoid this, you must use ''unprivileged containers''. There are some complications to this. The end of [https://blog.beardhatcode.be/2020/12/Declarative-Nixos-Containers.html this post] covers them well in brief.
NixOS includes support for [https://en.wikipedia.org/wiki/LXC Linux Containers (LXC)]. Containers, by default, do not provide much security. They are, oversimplifying a lot, a [https://en.wikipedia.org/wiki/Chroot chroot] environment with some resource constraints ([https://en.wikipedia.org/wiki/Cgroups cgroups]). The root user in a container would also be root on the whole system though. To avoid this, you must use ''unprivileged containers''. There are some complications to this. The end of [https://blog.beardhatcode.be/2020/12/Declarative-Nixos-Containers.html this post] covers them well in brief.
Line 60: Line 60:
* [https://www.nginx.com/blog/what-are-namespaces-cgroups-how-do-they-work/ What Are Namespaces and cgroups, and How Do They Work?]
* [https://www.nginx.com/blog/what-are-namespaces-cgroups-how-do-they-work/ What Are Namespaces and cgroups, and How Do They Work?]
* [https://www.toptal.com/linux/separation-anxiety-isolating-your-system-with-linux-namespaces A Tutorial for Isolating Your System with Linux Namespaces (code-based fundamental examples)]
* [https://www.toptal.com/linux/separation-anxiety-isolating-your-system-with-linux-namespaces A Tutorial for Isolating Your System with Linux Namespaces (code-based fundamental examples)]
==== Docker Containers ====
[https://en.wikipedia.org/wiki/Docker_(software) Docker] is a system for building and running platform-independent virtual containers. On Linux, it is implemented similarly to LXC.  Nix integrates tools to create Docker images (the templates for making Docker containers), documented in the [https://nixos.org/manual/nixpkgs/unstable/#sec-pkgs-dockerTools Nixpkgs manual].  Docker containers work with [https://docs.docker.com/engine/security/ namespacing controls] similar to unprivileged LXC containers by default.


==== Virtual machines ====
==== Virtual machines ====
Retrieved from "https://wiki.nixos.org/wiki/Security"