nixpkgs/nixos/modules/security/hidepid.nix

{ config, lib, ... }:
with lib;

{
  meta = {
    maintainers = [ maintainers.joachifm ];
    doc = ./hidepid.xml;
  };

  options = {
    security.hideProcessInformation = mkOption {
      type = types.bool;
      default = false;
      description = ''
        Restrict process information to the owning user.
      '';
    };
  };

  config = mkIf config.security.hideProcessInformation {
    users.groups.proc.gid = config.ids.gids.proc;
    users.groups.proc.members = [ "polkituser" ];

    boot.specialFileSystems."/proc".options = [ "hidepid=2" "gid=${toString config.ids.gids.proc}" ];
    systemd.services.systemd-logind.serviceConfig.SupplementaryGroups = [ "proc" ];
  };
}
[bot] nixos/*: remove unused arguments in lambdas 2018-07-20 20:56:59 +00:00			`{ config, lib, ... }:`
nixos: add optional process information hiding This module adds an option `security.hideProcessInformation` that, when enabled, restricts access to process information such as command-line arguments to the process owner. The module adds a static group "proc" whose members are exempt from process information hiding. Ideally, this feature would be implemented by simply adding the appropriate mount options to `fileSystems."/proc".fsOptions`, but this was found to not work in vmtests. To ensure that process information hiding is enforced, we use a systemd service unit that remounts `/proc` after `systemd-remount-fs.service` has completed. To verify the correctness of the feature, simple tests were added to nixos/tests/misc: the test ensures that unprivileged users cannot see process information owned by another user, while members of "proc" CAN. Thanks to @abbradar for feedback and suggestions. 2016-04-09 18:22:16 +00:00			`with lib;`

			`{`
hidepid module: detailed description to external doc 2016-09-15 13:23:52 +00:00			`meta = {`
			`maintainers = [ maintainers.joachifm ];`
			`doc = ./hidepid.xml;`
			`};`
nixos: add optional process information hiding This module adds an option `security.hideProcessInformation` that, when enabled, restricts access to process information such as command-line arguments to the process owner. The module adds a static group "proc" whose members are exempt from process information hiding. Ideally, this feature would be implemented by simply adding the appropriate mount options to `fileSystems."/proc".fsOptions`, but this was found to not work in vmtests. To ensure that process information hiding is enforced, we use a systemd service unit that remounts `/proc` after `systemd-remount-fs.service` has completed. To verify the correctness of the feature, simple tests were added to nixos/tests/misc: the test ensures that unprivileged users cannot see process information owned by another user, while members of "proc" CAN. Thanks to @abbradar for feedback and suggestions. 2016-04-09 18:22:16 +00:00
hidepid module: detailed description to external doc 2016-09-15 13:23:52 +00:00			`options = {`
			`security.hideProcessInformation = mkOption {`
			`type = types.bool;`
			`default = false;`
			`description = ''`
			`Restrict process information to the owning user.`
			`'';`
			`};`
nixos: add optional process information hiding This module adds an option `security.hideProcessInformation` that, when enabled, restricts access to process information such as command-line arguments to the process owner. The module adds a static group "proc" whose members are exempt from process information hiding. Ideally, this feature would be implemented by simply adding the appropriate mount options to `fileSystems."/proc".fsOptions`, but this was found to not work in vmtests. To ensure that process information hiding is enforced, we use a systemd service unit that remounts `/proc` after `systemd-remount-fs.service` has completed. To verify the correctness of the feature, simple tests were added to nixos/tests/misc: the test ensures that unprivileged users cannot see process information owned by another user, while members of "proc" CAN. Thanks to @abbradar for feedback and suggestions. 2016-04-09 18:22:16 +00:00			`};`

			`config = mkIf config.security.hideProcessInformation {`
			`users.groups.proc.gid = config.ids.gids.proc;`
hidepid: polkit and systemd-logind compatibility `systemd.hideProcessInformation = true`, would break interactions requiring polkit arbitration such as initating poweroff/reboot as a normal user; the polkit daemon cannot be expected to make decisions about processes that don't exist as far as it is concerned. systemd-logind lacks the `sys_ptrace` capability and so needs to be part of the designated proc gid, even though it runs as root. Fixes https://github.com/NixOS/nixpkgs/issues/20948 2016-11-29 01:16:15 +00:00			`users.groups.proc.members = [ "polkituser" ];`
nixos: add optional process information hiding This module adds an option `security.hideProcessInformation` that, when enabled, restricts access to process information such as command-line arguments to the process owner. The module adds a static group "proc" whose members are exempt from process information hiding. Ideally, this feature would be implemented by simply adding the appropriate mount options to `fileSystems."/proc".fsOptions`, but this was found to not work in vmtests. To ensure that process information hiding is enforced, we use a systemd service unit that remounts `/proc` after `systemd-remount-fs.service` has completed. To verify the correctness of the feature, simple tests were added to nixos/tests/misc: the test ensures that unprivileged users cannot see process information owned by another user, while members of "proc" CAN. Thanks to @abbradar for feedback and suggestions. 2016-04-09 18:22:16 +00:00
hidepid service: use new boot.specialFileSystems 2016-08-31 14:16:30 +00:00			`boot.specialFileSystems."/proc".options = [ "hidepid=2" "gid=${toString config.ids.gids.proc}" ];`
hidepid: polkit and systemd-logind compatibility `systemd.hideProcessInformation = true`, would break interactions requiring polkit arbitration such as initating poweroff/reboot as a normal user; the polkit daemon cannot be expected to make decisions about processes that don't exist as far as it is concerned. systemd-logind lacks the `sys_ptrace` capability and so needs to be part of the designated proc gid, even though it runs as root. Fixes https://github.com/NixOS/nixpkgs/issues/20948 2016-11-29 01:16:15 +00:00			`systemd.services.systemd-logind.serviceConfig.SupplementaryGroups = [ "proc" ];`
nixos: add optional process information hiding This module adds an option `security.hideProcessInformation` that, when enabled, restricts access to process information such as command-line arguments to the process owner. The module adds a static group "proc" whose members are exempt from process information hiding. Ideally, this feature would be implemented by simply adding the appropriate mount options to `fileSystems."/proc".fsOptions`, but this was found to not work in vmtests. To ensure that process information hiding is enforced, we use a systemd service unit that remounts `/proc` after `systemd-remount-fs.service` has completed. To verify the correctness of the feature, simple tests were added to nixos/tests/misc: the test ensures that unprivileged users cannot see process information owned by another user, while members of "proc" CAN. Thanks to @abbradar for feedback and suggestions. 2016-04-09 18:22:16 +00:00			`};`
			`}`