nix: expose syscall filter policy

Signed-off-by: Ophestra <cat@gensokyo.uk>
This commit is contained in:
Ophestra 2025-01-23 17:24:42 +09:00
parent 134247b57d
commit 8a00a83c71
Signed by: cat
SSH Key Fingerprint: SHA256:gQ67O0enBZ7UdZypgtspB2FDM1g3GVw8nX0XSdcFw8Q
2 changed files with 13 additions and 6 deletions


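--- a/PATH-NOT-SHOWN-FILE-1
+++ b/PATH-NOT-SHOWN-FILE-1
@@ -117,6 +117,9 @@ in
 dev
 env
 ;
+syscall = {
+inherit (app) devel multiarch bluetooth;
+};
 map_real_uid = app.mapRealUid;
 no_new_session = app.tty;
 filesystem =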
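Review bot: The new `syscall` attrset passes three per-app flags straight into the sandbox policy, but nothing at this site says that each one widens the syscall filter rather than tightening it, so a reader of the generated config cannot tell these are relaxations. A one-line comment above `syscall = {` would make the direction explicit, e.g. `# Each flag below loosens the seccomp filter for this app; they default to off and should stay off unless the app demonstrably needs them`. The same terse wording applies to the three `mkEnableOption` descriptions added in the second file, where "development kernel APIs" and "multiarch kernel support" give no hint that enabling them reduces isolation; stating "(widens the syscall filter)" in each description would carry that to the option docs. The enclosing attrset starts and ends outside this hunk, and the actual filter semantics live in code not shown here, so the wording above should be checked against that implementation.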


@ -141,16 +141,20 @@ in
''; '';
}; };
nix = mkEnableOption "nix daemon access within the sandbox"; nix = mkEnableOption "nix daemon";
userns = mkEnableOption "userns within the sandbox"; userns = mkEnableOption "user namespace";
mapRealUid = mkEnableOption "mapping to fortify's real UID within the sandbox"; mapRealUid = mkEnableOption "mapping to priv-user uid";
dev = mkEnableOption "access to all devices within the sandbox"; dev = mkEnableOption "access to all devices";
tty = mkEnableOption "allow access to the controlling terminal"; tty = mkEnableOption "access to the controlling terminal";
net = mkEnableOption "network access within the sandbox" // { net = mkEnableOption "network access" // {
default = true; default = true;
}; };
devel = mkEnableOption "development kernel APIs";
multiarch = mkEnableOption "multiarch kernel support";
bluetooth = mkEnableOption "AF_BLUETOOTH socket operations";
gpu = mkOption { gpu = mkOption {
type = nullOr bool; type = nullOr bool;
default = null; default = null;