
nixos/kmonad: add new option enableHardening #370437

Merged: 1 commit merged into NixOS:master on Jan 5, 2025

Conversation

@jian-lin jian-lin (Contributor) commented Jan 3, 2025

Before

```console
$ systemd-analyze security kmonad-foo.service | tail -n 1
→ Overall exposure level for kmonad-foo.service: 8.2 EXPOSED 🙁
```

After

```console
$ systemd-analyze security kmonad-foo.service | tail -n 1
→ Overall exposure level for kmonad-foo.service: 0.4 SAFE 😀
```

Things done

  • Built on platform(s)
    • x86_64-linux
    • aarch64-linux
    • x86_64-darwin
    • aarch64-darwin
  • For non-Linux: Is sandboxing enabled in nix.conf? (See Nix manual)
    • sandbox = relaxed
    • sandbox = true
  • Tested, as applicable:
  • Tested compilation of all packages that depend on this change using nix-shell -p nixpkgs-review --run "nixpkgs-review rev HEAD". Note: all changes have to be committed, also see nixpkgs-review usage
  • Tested basic functionality of all binary files (usually in ./result/bin/)
  • 25.05 Release Notes (or backporting 24.11 and 25.05 Release notes)
    • (Package updates) Added a release notes entry if the change is major or breaking
    • (Module updates) Added a release notes entry if the change is significant
    • (Module addition) Added a release notes entry if adding a new NixOS module
  • Fits CONTRIBUTING.md.

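The before/after scores in the PR description are the last line printed by `systemd-analyze security`. As an added example, not part of this PR or of the kmonad module, the POSIX shell script below turns that line into a pass/fail gate so that a change which loosens a unit's sandbox is caught automatically rather than by eye. The two sample lines are constructed to mirror the PR description; the 5.0 threshold (systemd's boundary between "OK" and "MEDIUM") and the `check_unit` helper are assumptions, and `check_unit` only does something on a host with systemd.

```shell
#!/bin/sh
# Added example (not from the PR): gate on the "Overall exposure level" line
# that `systemd-analyze security <unit>` prints last.

# Extract the numeric score from an "Overall exposure level" line.
# Input looks like: "→ Overall exposure level for foo.service: 8.2 EXPOSED"
exposure_score() {
    printf '%s\n' "$1" \
        | sed -n 's/.*Overall exposure level for [^:]*: \([0-9][0-9]*\.[0-9]\).*/\1/p'
}

# Return 0 if the score is at or below the threshold, 1 otherwise.
# An empty score (line not found or format changed) is treated as a failure,
# so a silently broken check cannot pass.
# systemd's own verdict bands: <=1 SAFE, <=5 OK, <=7 MEDIUM, <=9 EXPOSED, >9 UNSAFE
exposure_ok() {
    score=$1
    threshold=$2
    [ -n "$score" ] || return 1
    awk -v s="$score" -v t="$threshold" 'BEGIN { exit !(s + 0 <= t + 0) }'
}

# Check a live unit (assumed helper; needs systemd). Default threshold 5.0.
check_unit() {
    unit=$1
    threshold=${2:-5.0}
    line=$(systemd-analyze security "$unit" | tail -n 1)
    score=$(exposure_score "$line")
    if exposure_ok "$score" "$threshold"; then
        echo "PASS: $unit exposure $score <= $threshold"
    else
        echo "FAIL: $unit exposure ${score:-unknown} > $threshold"
        return 1
    fi
}

# Constructed sample lines mirroring the PR description (not captured output).
BEFORE_LINE='→ Overall exposure level for kmonad-foo.service: 8.2 EXPOSED 🙁'
AFTER_LINE='→ Overall exposure level for kmonad-foo.service: 0.4 SAFE 😀'
```

Run as `check_unit kmonad-foo.service 1.0` in a NixOS VM test or a post-deploy hook to assert that the hardened unit stays in the SAFE band; with the 8.2 score from before this PR the gate fails, with 0.4 it passes.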

@jian-lin jian-lin requested a review from r-vdp January 3, 2025 00:35
@github-actions github-actions bot added 6.topic: nixos Issues or PRs affecting NixOS modules, or package usability issues specific to NixOS 8.has: documentation This PR adds or changes documentation 8.has: changelog 8.has: module (update) This PR changes an existing module in `nixos/` 10.rebuild-darwin: 0 This PR does not cause any packages to rebuild on Darwin 10.rebuild-linux: 1-10 labels Jan 3, 2025
@jian-lin jian-lin force-pushed the pr/kmonad-optional-hardening branch from 6899906 to 406935a Compare January 3, 2025 19:37
@jian-lin jian-lin force-pushed the pr/kmonad-optional-hardening branch from 406935a to 37e6624 Compare January 3, 2025 19:41
@jian-lin jian-lin (Contributor, Author) left a comment

I just resolved the merge conflicts.

(I promise this is the last thing of kmonad module on my TODO list. 😅)

@@ -41,6 +41,19 @@ let
'';
};

enableHardening = lib.mkOption {
type = lib.types.bool;
default = true;
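Review bot: `default = true;` switches sandboxing on for every existing kmonad configuration, so the option's `description` (cut off in this hunk) should state up front that the hardening can make `cmd-button` shell commands fail and that users of such macros must set `enableHardening = false` and add compatible `serviceConfig` settings themselves, as the review thread concludes; a release notes entry for the changed default is warranted for the same reason.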
Contributor Author

Do you think enabling hardening is a good idea even if hardening may make some shell commands fail?

Contributor

I think it makes sense to have these options by default. For people that want to use cmd-button, they can disable this and add the options that are compatible with their macros themselves.

I will test it on my system and come back to you.

@r-vdp r-vdp (Contributor) left a comment

Tested on my system, seems to work well!

@jian-lin jian-lin (Contributor, Author) commented Jan 5, 2025

Thanks!

@jian-lin jian-lin merged commit debb218 into NixOS:master Jan 5, 2025
23 checks passed
@jian-lin jian-lin deleted the pr/kmonad-optional-hardening branch January 5, 2025 11:02