diff options
| author | Joachim Fasting <joachifm@fastmail.fm> | 2016-04-09 20:22:16 +0200 |
|---|---|---|
| committer | Joachim Fasting <joachifm@fastmail.fm> | 2016-04-10 12:27:06 +0200 |
| commit | cef2814a4f0530f6e020badc56dd808a96422a66 (patch) | |
| tree | 6455422d43255cb6ac78ca343940516277425828 /nixos/modules/security/hidepid.nix | |
| parent | 496a36980540390ac47e59310b3d73d516a531a2 (diff) | |
| download | nixlib-cef2814a4f0530f6e020badc56dd808a96422a66.tar nixlib-cef2814a4f0530f6e020badc56dd808a96422a66.tar.gz nixlib-cef2814a4f0530f6e020badc56dd808a96422a66.tar.bz2 nixlib-cef2814a4f0530f6e020badc56dd808a96422a66.tar.lz nixlib-cef2814a4f0530f6e020badc56dd808a96422a66.tar.xz nixlib-cef2814a4f0530f6e020badc56dd808a96422a66.tar.zst nixlib-cef2814a4f0530f6e020badc56dd808a96422a66.zip | |
nixos: add optional process information hiding
This module adds an option `security.hideProcessInformation` that, when enabled, restricts access to process information such as command-line arguments to the process owner. The module adds a static group "proc" whose members are exempt from process information hiding. Ideally, this feature would be implemented by simply adding the appropriate mount options to `fileSystems."/proc".fsOptions`, but this was found to not work in vmtests. To ensure that process information hiding is enforced, we use a systemd service unit that remounts `/proc` after `systemd-remount-fs.service` has completed. To verify the correctness of the feature, simple tests were added to nixos/tests/misc: the test ensures that unprivileged users cannot see process information owned by another user, while members of "proc" CAN. Thanks to @abbradar for feedback and suggestions.
Diffstat (limited to 'nixos/modules/security/hidepid.nix')
| -rw-r--r-- | nixos/modules/security/hidepid.nix | 42 |
1 files changed, 42 insertions, 0 deletions
diff --git a/nixos/modules/security/hidepid.nix b/nixos/modules/security/hidepid.nix new file mode 100644 index 000000000000..8271578c55d6 --- /dev/null +++ b/nixos/modules/security/hidepid.nix @@ -0,0 +1,42 @@ +{ config, pkgs, lib, ... }: +with lib; + +{ + options = { + security.hideProcessInformation = mkEnableOption "" // { description = '' + Restrict access to process information to the owning user. Enabling + this option implies, among other things, that command-line arguments + remain private. This option is recommended for most systems, unless + there's a legitimate reason for allowing unprivileged users to inspect + the process information of other users. + + Members of the group "proc" are exempt from process information hiding. + To allow a service to run without process information hiding, add "proc" + to its supplementary groups via + <option>systemd.services.<name?>.serviceConfig.SupplementaryGroups</option>. + ''; }; + }; + + config = mkIf config.security.hideProcessInformation { + users.groups.proc.gid = config.ids.gids.proc; + + systemd.services.hidepid = { + wantedBy = [ "local-fs.target" ]; + after = [ "systemd-remount-fs.service" ]; + before = [ "local-fs-pre.target" "local-fs.target" "shutdown.target" ]; + wants = [ "local-fs-pre.target" ]; + + serviceConfig = { + Type = "oneshot"; + RemainAfterExit = true; + ExecStart = ''${pkgs.utillinux}/bin/mount -o remount,hidepid=2,gid=${toString config.ids.gids.proc} /proc''; + ExecStop = ''${pkgs.utillinux}/bin/mount -o remount,hidepid=0,gid=0 /proc''; + }; + + unitConfig = { + DefaultDependencies = false; + Conflicts = "shutdown.target"; + }; + }; + }; +} |