diff --git a/application.nix b/application.nix index 2df3f774..29057321 100644 --- a/application.nix +++ b/application.nix @@ -178,5 +178,7 @@ rec { # Set a low default timeout when stopping services, to prevent the Windows 95 shutdown experience systemd.extraConfig = "DefaultTimeoutStopSec=15s"; + playos.hardening.enable = true; + }; } diff --git a/base/default.nix b/base/default.nix index 859f5a9b..f9c38188 100644 --- a/base/default.nix +++ b/base/default.nix @@ -9,6 +9,7 @@ with lib; { imports = [ (import ./networking.nix { hostName = safeProductName; inherit lib pkgs config; }) + ./hardening.nix ./localization.nix ./remote-maintenance.nix ./self-update diff --git a/base/hardening.nix b/base/hardening.nix new file mode 100644 index 00000000..fc6bdef9 --- /dev/null +++ b/base/hardening.nix @@ -0,0 +1,34 @@ +/* Apply system hardening configuration. + +This module acts as a convenient way of disabling a number of standard +NixOS/Linux functionalities that are not required for immutable kiosk +operation. The idea is to disable them for additional system hardening, +removing things that could do harm should the system fall into the hands of an +attacker despite intrusion protection. + +It may be convenient to disable the hardening configuration during development +at times. + +*/ +{config, pkgs, lib, ... }: +let + cfg = config.playos.hardening; +in +{ + options = { + playos.hardening = with lib; { + enable = mkEnableOption "Apply hardening options"; + }; + }; + + config = lib.mkIf cfg.enable { + # There is no need for sudo + security.sudo.enable = lib.mkForce false; + + # Nobody needs to use nix + nix.settings.allowed-users = lib.mkForce [ "root" ]; + + # Do not include default packages + environment.defaultPackages = lib.mkForce []; + }; +} diff --git a/base/volatile-root.nix b/base/volatile-root.nix index b4f2d767..ac648ce2 100644 --- a/base/volatile-root.nix +++ b/base/volatile-root.nix @@ -44,17 +44,18 @@ with lib; (lib.mapAttrs (n: config: { device = "/mnt/data${n}"; - options = [ "bind" ]; + options = [ "bind" "noexec" ]; }) cfg.persistentFolders) // { # Force to override if other root has been configured "/" = mkForce { fsType = "tmpfs"; - options = [ "mode=0755" ]; + options = [ "mode=0755" "noexec" ]; }; "/mnt/data" = { - inherit (cfg.persistentDataPartition) device fsType options; + inherit (cfg.persistentDataPartition) device fsType; + options = cfg.persistentDataPartition.options ++ [ "noexec" ]; # mount during stage-1, so that directories can be initialized neededForBoot = true; }; diff --git a/controller/Changelog.md b/controller/Changelog.md index 2e8bd5b3..67cf986b 100644 --- a/controller/Changelog.md +++ b/controller/Changelog.md @@ -8,6 +8,11 @@ ## Changed - os: Update nixpkgs channel to 23.11 +- os: Set noexec for volatile root and persistent storage mounts + +## Removed + +- os: Remove unnecessary administration capabilities for hardening # [2023.9.1] - 2024-03-15