diff options
author | Joachim Fasting <joachifm@fastmail.fm> | 2016-04-09 20:22:16 +0200 |
---|---|---|
committer | Joachim Fasting <joachifm@fastmail.fm> | 2016-04-10 12:27:06 +0200 |
commit | cef2814a4f0530f6e020badc56dd808a96422a66 (patch) | |
tree | 6455422d43255cb6ac78ca343940516277425828 /nixos/modules/misc/ids.nix | |
parent | 496a36980540390ac47e59310b3d73d516a531a2 (diff) | |
download | nixlib-cef2814a4f0530f6e020badc56dd808a96422a66.tar nixlib-cef2814a4f0530f6e020badc56dd808a96422a66.tar.gz nixlib-cef2814a4f0530f6e020badc56dd808a96422a66.tar.bz2 nixlib-cef2814a4f0530f6e020badc56dd808a96422a66.tar.lz nixlib-cef2814a4f0530f6e020badc56dd808a96422a66.tar.xz nixlib-cef2814a4f0530f6e020badc56dd808a96422a66.tar.zst nixlib-cef2814a4f0530f6e020badc56dd808a96422a66.zip |
nixos: add optional process information hiding
This module adds an option `security.hideProcessInformation` that, when enabled, restricts access to process information such as command-line arguments to the process owner. The module adds a static group "proc" whose members are exempt from process information hiding. Ideally, this feature would be implemented by simply adding the appropriate mount options to `fileSystems."/proc".fsOptions`, but this was found to not work in vmtests. To ensure that process information hiding is enforced, we use a systemd service unit that remounts `/proc` after `systemd-remount-fs.service` has completed. To verify the correctness of the feature, simple tests were added to nixos/tests/misc: the test ensures that unprivileged users cannot see process information owned by another user, while members of "proc" CAN. Thanks to @abbradar for feedback and suggestions.
Diffstat (limited to 'nixos/modules/misc/ids.nix')
-rw-r--r-- | nixos/modules/misc/ids.nix | 2 |
1 files changed, 2 insertions, 0 deletions
diff --git a/nixos/modules/misc/ids.nix b/nixos/modules/misc/ids.nix index 1e14fe655fc0..3f2c735b2216 100644 --- a/nixos/modules/misc/ids.nix +++ b/nixos/modules/misc/ids.nix @@ -47,6 +47,7 @@ #floppy = 18; # unused #uucp = 19; # unused #lp = 20; # unused + #proc = 21; # unused pulseaudio = 22; # must match `pulseaudio' GID gpsd = 23; #cdrom = 24; # unused @@ -288,6 +289,7 @@ floppy = 18; uucp = 19; lp = 20; + proc = 21; pulseaudio = 22; # must match `pulseaudio' UID gpsd = 23; cdrom = 24; |