nixos/hardened profile: disable user namespaces at runtime

nixos/modules/profiles/hardened.nix

@@ -47,4 +47,16 @@ with lib;
 
   # ... or at least apply some hardening to it
   boot.kernel.sysctl."net.core.bpf_jit_harden" = mkDefault true;
+
+  # A recurring problem with user namespaces is that there are
+  # still code paths where the kernel's permission checking logic
+  # fails to account for namespacing, instead permitting a
+  # namespaced process to act outside the namespace with the
+  # same privileges as it would have inside it.  This is particularly
+  # bad in the common case of running as root within the namespace.
+  #
+  # Setting the number of allowed userns to 0 effectively disables
+  # the feature at runtime.  Attempting to create a user namespace
+  # with unshare will then fail with "no space left on device".
+  boot.kernel.sysctl."user.max_user_namespaces" = mkDefault 0;
 }

nixos/tests/hardened.nix

@@ -27,5 +27,10 @@ import ./make-test.nix ({ pkgs, ...} : {
           # note: this better a be module we normally wouldn't load ...
           $machine->fail("modprobe dccp");
       };
+
+      # Test userns
+      subtest "userns", sub {
+          $machine->fail("unshare --user");
+      };
     '';
 })