Questions regarding hardened.nix profile

Father2303 · September 14, 2022, 2:53pm

I employed hardened.nix as much as possible, leaving out options that noticeably degrade performance (as far as i understand it).

Enabling security.lockKernelModules = mkDefault true; leads to my system not being able to access the internet which i find strange, as this is enabled by default in the hardened.nix profile.

Anyway, my main question is regarding the following options (i’m fairly new to Nixos and still don’t really understand its inner workings):

  # Restrict ptrace() usage to processes with a pre-defined relationship
  # (e.g., parent/child)
  boot.kernel.sysctl."kernel.yama.ptrace_scope" = mkOverride 500 1;

  # Hide kptrs even for processes with CAP_SYSLOG
  boot.kernel.sysctl."kernel.kptr_restrict" = mkOverride 500 2;

Why does it say mkOverride? Why does it have the number 500 in it?

The trailing number (1 and 2) is what i want to set and i don’t know what mkOverride 500 does and why it is 500 by default.

Thank you for your explanation!

Solene · September 14, 2022, 3:04pm

mkOverride weight value is a mechanism to over a default value that can be superseeded by another module with a lower weight.

Here, this mean if you load the profile, you can still use boot.kernel.sysctl."kernal.yama.ptrace_scope" = mkOverride 499 0; if you want it to have value 0, because it will be prioritary against the one with weight 500.

github.com

NixOS/nixpkgs/blob/9dfcba812aa0f4dc374acfe0600d591885f4e274/lib/modules.nix#L646

    
      
          mkAssert = assertion: message: content:
            mkIf
              (if assertion then true else throw "\nFailed assertion: ${message}")
              content;
          
          
mkMerge = contents:
            { _type = "merge";
              inherit contents;
            };
          
          
mkOverride = priority: content:
            { _type = "override";
              inherit priority content;
            };
          
          
mkOptionDefault = mkOverride 1500; # priority of option defaults
          mkDefault = mkOverride 1000; # used in config sections of non-user modules to set a default
          mkForce = mkOverride 50;
          mkVMOverride = mkOverride 10; # used by ‘nixos-rebuild build-vm’
          
          
mkStrict = builtins.trace "`mkStrict' is obsolete; use `mkOverride 0' instead." (mkOverride 0);

Father2303 · September 14, 2022, 3:09pm

Thank you for your explanation and quick reply!

Solene · September 14, 2022, 3:10pm

as for your issue with the lockKernelModules, I wonder if your wifi card is slow to be discovered by your system, so the kernel doesn’t see it before locking the modules

Father2303 · September 14, 2022, 3:11pm

I’m using ethernet…

It’s not a big issue, just wondering why this is the case.

Solene · September 14, 2022, 3:14pm

that’s curious Could you open a new topic about it?

Father2303 · September 14, 2022, 3:22pm

Sure, but i guess the first question posed would be “please provide further information/logs”.

What is pertinent information for this issue?