Merge pull request #154 from knuton/system-hardening

Limit powers of normal users in base system
dividat · Apr 4, 2024 · cf19393 · cf19393
2 parents 3405346 + e6b5988
commit cf19393
Show file tree

Hide file tree

Showing 5 changed files with 46 additions and 3 deletions.
diff --git a/application.nix b/application.nix
@@ -178,5 +178,7 @@ rec {
       # Set a low default timeout when stopping services, to prevent the Windows 95 shutdown experience
       systemd.extraConfig = "DefaultTimeoutStopSec=15s";
 
+      playos.hardening.enable = true;
+
     };
 }
diff --git a/base/default.nix b/base/default.nix
@@ -9,6 +9,7 @@ with lib;
 {
   imports = [
     (import ./networking.nix { hostName = safeProductName; inherit lib pkgs config; })
+    ./hardening.nix
     ./localization.nix
     ./remote-maintenance.nix
     ./self-update

diff --git a/base/hardening.nix b/base/hardening.nix
@@ -0,0 +1,34 @@
+/* Apply system hardening configuration.
+
+This module acts as a convenient way of disabling a number of standard
+NixOS/Linux functionalities that are not required for immutable kiosk
+operation. The idea is to disable them for additional system hardening,
+removing things that could do harm should the system fall into the hands of an
+attacker despite intrusion protection.
+
+It may be convenient to disable the hardening configuration during development
+at times.
+
+*/
+{config, pkgs, lib, ... }:
+let
+  cfg = config.playos.hardening;
+in
+{
+  options = {
+    playos.hardening = with lib; {
+      enable = mkEnableOption "Apply hardening options";
+    };
+  };
+
+  config = lib.mkIf cfg.enable {
+    # There is no need for sudo
+    security.sudo.enable = lib.mkForce false;
+
+    # Nobody needs to use nix
+    nix.settings.allowed-users = lib.mkForce [ "root" ];
+
+    # Do not include default packages
+    environment.defaultPackages = lib.mkForce [];
+  };
+}
diff --git a/base/volatile-root.nix b/base/volatile-root.nix
@@ -44,17 +44,18 @@ with lib;
       (lib.mapAttrs
       (n: config: {
         device = "/mnt/data${n}";
-        options = [ "bind" ];
+        options = [ "bind" "noexec" ];
       })
       cfg.persistentFolders) //
       {
         # Force to override if other root has been configured
         "/" = mkForce {
           fsType = "tmpfs";
-          options = [ "mode=0755" ];
+          options = [ "mode=0755" "noexec" ];
         };
         "/mnt/data" = {
-          inherit (cfg.persistentDataPartition) device fsType options;
+          inherit (cfg.persistentDataPartition) device fsType;
+	  options = cfg.persistentDataPartition.options ++ [ "noexec" ];
           # mount during stage-1, so that directories can be initialized
           neededForBoot = true;
         };

diff --git a/controller/Changelog.md b/controller/Changelog.md
@@ -8,6 +8,11 @@
 ## Changed
 
 - os: Update nixpkgs channel to 23.11
+- os: Set noexec for volatile root and persistent storage mounts
+
+## Removed
+
+- os: Remove unnecessary administration capabilities for hardening
 
 # [2023.9.1] - 2024-03-15