Merge pull request #96080 from Izorkin/unprivileged-userns-clone

nixos/security/misc: add option unprivilegedUsernsClone

2 files changed, 18 insertions, 1 deletions

diff --git a/nixos/modules/profiles/hardened.nix b/nixos/modules/profiles/hardened.nix
index ef8c0d74f0628..7bff79e827302 100644
--- a/nixos/modules/profiles/hardened.nix
+++ b/nixos/modules/profiles/hardened.nix
@@ -1,7 +1,7 @@
 # A profile with most (vanilla) hardening options enabled by default,
 # potentially at the cost of features and performance.
 
-{ lib, pkgs, ... }:
+{ config, lib, pkgs, ... }:
 
 with lib;
 
@@ -27,6 +27,9 @@ with lib;
 
   security.forcePageTableIsolation = mkDefault true;
 
+  # This is required by podman to run containers in rootless mode.
+  security.unprivilegedUsernsClone = mkDefault config.virtualisation.containers.enable;
+
   security.virtualisation.flushL1DataCache = mkDefault "always";
 
   security.apparmor.enable = mkDefault true;
diff --git a/nixos/modules/security/misc.nix b/nixos/modules/security/misc.nix
index 16e3bfb14199b..d51dbbb77f718 100644
--- a/nixos/modules/security/misc.nix
+++ b/nixos/modules/security/misc.nix
@@ -27,6 +27,16 @@ with lib;
       '';
     };
 
+    security.unprivilegedUsernsClone = mkOption {
+      type = types.bool;
+      default = false;
+      description = ''
+        When disabled, unprivileged users will not be able to create new namespaces.
+        By default unprivileged user namespaces are disabled.
+        This option only works in a hardened profile.
+      '';
+    };
+
     security.protectKernelImage = mkOption {
       type = types.bool;
       default = false;
@@ -115,6 +125,10 @@ with lib;
       ];
     })
 
+    (mkIf config.security.unprivilegedUsernsClone {
+      boot.kernel.sysctl."kernel.unprivileged_userns_clone" = mkDefault true;
+    })
+
     (mkIf config.security.protectKernelImage {
       # Disable hibernation (allows replacing the running kernel)
       boot.kernelParams = [ "nohibernate" ];