author | Dominik Xaver Hörl <hoe.dom@gmx.de> | 2021-02-21 13:25:56 +0100 |
---|---|---|
committer | Dominik Xaver Hörl <hoe.dom@gmx.de> | 2021-02-21 13:51:37 +0100 |
commit | 893d911b553526b150cd6a0c6c0cea47e0ef55ab (patch) | |
tree | 409aaf4b54039fdbd12016f827dd7587f6fad7e8 /nixos | |
parent | b8ec6cfdd45b442ffae14447d1dbd7d87db47027 (diff) | |
nixos/hidepid: drop the module as the hidepid mount option is broken
This has been in an unusable state since the switch to cgroups-v2. See https://github.com/NixOS/nixpkgs/issues/73800 for details.
Diffstat (limited to 'nixos')
-rw-r--r-- | nixos/modules/module-list.nix | 1 | ||||
-rw-r--r-- | nixos/modules/profiles/hardened.nix | 2 | ||||
-rw-r--r-- | nixos/modules/rename.nix | 5 | ||||
-rw-r--r-- | nixos/modules/security/hidepid.nix | 31 | ||||
-rw-r--r-- | nixos/modules/security/hidepid.xml | 28 | ||||
-rw-r--r-- | nixos/tests/hardened.nix | 11 |
6 files changed, 5 insertions, 73 deletions
diff --git a/nixos/modules/module-list.nix b/nixos/modules/module-list.nix index 644229627b2f..f831e302b161 100644 --- a/nixos/modules/module-list.nix +++ b/nixos/modules/module-list.nix @@ -207,7 +207,6 @@ ./security/dhparams.nix ./security/duosec.nix ./security/google_oslogin.nix - ./security/hidepid.nix ./security/lock-kernel-modules.nix ./security/misc.nix ./security/oath.nix diff --git a/nixos/modules/profiles/hardened.nix b/nixos/modules/profiles/hardened.nix index 680fa40b9119..00aafc6831b2 100644 --- a/nixos/modules/profiles/hardened.nix +++ b/nixos/modules/profiles/hardened.nix @@ -22,8 +22,6 @@ with lib; environment.memoryAllocator.provider = mkDefault "scudo"; environment.variables.SCUDO_OPTIONS = mkDefault "ZeroContents=1"; - security.hideProcessInformation = mkDefault true; - security.lockKernelModules = mkDefault true; security.protectKernelImage = mkDefault true; diff --git a/nixos/modules/rename.nix b/nixos/modules/rename.nix index 2d07e421efe4..9f1efc462798 100644 --- a/nixos/modules/rename.nix +++ b/nixos/modules/rename.nix @@ -73,6 +73,11 @@ with lib; (mkRemovedOptionModule [ "services" "venus" ] "The corresponding package was removed from nixpkgs.") (mkRemovedOptionModule [ "services" "flashpolicyd" ] "The flashpolicyd module has been removed. Adobe Flash Player is deprecated.") + (mkRemovedOptionModule [ "security" "hideProcessInformation" ] '' + The hidepid module was removed, since the underlying machinery + is broken when using cgroups-v2. + '') + # Do NOT add any option renames here, see top of the file ]; } diff --git a/nixos/modules/security/hidepid.nix b/nixos/modules/security/hidepid.nix deleted file mode 100644 index 4953f517e93b..000000000000 --- a/nixos/modules/security/hidepid.nix +++ /dev/null 
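Review bot: The mkRemovedOptionModule message added in the rename.nix hunk explains why the option is gone but not what a deployment loses, and the hardened.nix hunk in the same commit drops `security.hideProcessInformation = mkDefault true;` without any trace, so users of the hardened profile get no signal that other users' process information (including command lines) is visible again. I would extend the message to name the effect and point at the tracking issue from the commit description: `The hidepid module was removed, since the underlying machinery is broken when using cgroups-v2 (https://github.com/NixOS/nixpkgs/issues/73800). Process information of other users is no longer hidden.` A one-line comment in hardened.nix where the setting was removed, such as `# hideProcessInformation was dropped: hidepid is broken with cgroups-v2, see NixOS/nixpkgs#73800`, would make the reduced scope of the profile visible to readers of that file. The list this entry is added to begins outside the hunk.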
@@ -1,31 +0,0 @@
-{ config, lib, ... }:
-with lib;
-
-{
- meta = {
- maintainers = [ maintainers.joachifm ];
- doc = ./hidepid.xml;
- };
-
- options = {
- security.hideProcessInformation = mkOption {
- type = types.bool;
- default = false;
- description = ''
- Restrict process information to the owning user.
- '';
- };
- };
-
- config = mkIf config.security.hideProcessInformation {
- users.groups.proc.gid = config.ids.gids.proc;
- users.groups.proc.members = [ "polkituser" ];
-
- boot.specialFileSystems."/proc".options = [ "hidepid=2" "gid=${toString config.ids.gids.proc}" ];
- systemd.services.systemd-logind.serviceConfig.SupplementaryGroups = [ "proc" ];
-
- # Disable cgroupsv2, which doesn't work with hidepid.
- # https://github.com/NixOS/nixpkgs/pull/104094#issuecomment-729996203
- systemd.enableUnifiedCgroupHierarchy = false;
- };
-}
diff --git a/nixos/modules/security/hidepid.xml b/nixos/modules/security/hidepid.xml
deleted file mode 100644
index 5a17cb1da412..000000000000
--- a/nixos/modules/security/hidepid.xml
+++ /dev/null
@@ -1,28 +0,0 @@
-<chapter xmlns="http://docbook.org/ns/docbook"
- xmlns:xlink="http://www.w3.org/1999/xlink"
- xmlns:xi="http://www.w3.org/2001/XInclude"
- version="5.0"
- xml:id="sec-hidepid">
- <title>Hiding process information</title>
- <para>
- Setting
-<programlisting>
-<xref linkend="opt-security.hideProcessInformation"/> = true;
-</programlisting>
- ensures that access to process information is restricted to the owning user.
- This implies, among other things, that command-line arguments remain private.
- Unless your deployment relies on unprivileged users being able to inspect the
- process information of other users, this option should be safe to enable.
- </para>
- <para>
- Members of the <literal>proc</literal> group are exempt from process
- information hiding.
- </para>
- <para>
- To allow a service <replaceable>foo</replaceable> to run without process
- information hiding, set
-<programlisting>
-<link linkend="opt-systemd.services._name_.serviceConfig">systemd.services.<replaceable>foo</replaceable>.serviceConfig</link>.SupplementaryGroups = [ "proc" ];
-</programlisting>
- </para>
-</chapter>
diff --git a/nixos/tests/hardened.nix b/nixos/tests/hardened.nix
index 0c26eaa310d4..485efc0fb78c 100644
--- a/nixos/tests/hardened.nix
+++ b/nixos/tests/hardened.nix
@@ -65,17 +65,6 @@ import ./make-test-python.nix ({ pkgs, latestKernel ? false, ... } : { machine.succeed("grep -Fq wireguard /proc/modules") - # Test hidepid - with subtest("hidepid=2 option is applied and works"): - # Linux >= 5.8 shows "invisible" - machine.succeed( - "grep -Fq hidepid=2 /proc/mounts || grep -Fq hidepid=invisible /proc/mounts" - ) - # cannot use pgrep -u here, it segfaults when access to process info is denied - machine.succeed("[ `su - sybil -c 'ps --no-headers --user root | wc -l'` = 0 ]") - machine.succeed("[ `su - alice -c 'ps --no-headers --user root | wc -l'` != 0 ]") - - # Test kernel module hardening with subtest("No more kernel modules can be loaded"): # note: this better a be module we normally wouldn't load ... |