Diffstat (limited to 'nixpkgs/nixos/modules/security/hidepid.nix')
-rw-r--r-- | nixpkgs/nixos/modules/security/hidepid.nix | 27 |
1 files changed, 27 insertions, 0 deletions
diff --git a/nixpkgs/nixos/modules/security/hidepid.nix b/nixpkgs/nixos/modules/security/hidepid.nix
new file mode 100644
index 000000000000..55a48ea3c9c6
--- /dev/null
+++ b/nixpkgs/nixos/modules/security/hidepid.nix
@@ -0,0 +1,27 @@
+{ config, lib, ... }:
+with lib;
+
+{
+ meta = {
+ maintainers = [ maintainers.joachifm ];
+ doc = ./hidepid.xml;
+ };
+
+ options = {
+ security.hideProcessInformation = mkOption {
+ type = types.bool;
+ default = false;
+ description = ''
+ Restrict process information to the owning user.
+ '';
+ };
+ };
+
+ config = mkIf config.security.hideProcessInformation {
+ users.groups.proc.gid = config.ids.gids.proc;
+ users.groups.proc.members = [ "polkituser" ];
+
+ boot.specialFileSystems."/proc".options = [ "hidepid=2" "gid=${toString config.ids.gids.proc}" ];
+ systemd.services.systemd-logind.serviceConfig.SupplementaryGroups = [ "proc" ];
+ };
+}
|
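Review bot: The description on `security.hideProcessInformation` does not say what the `config` block actually grants, so an operator enabling it cannot tell why only polkit and logind keep process visibility or how to extend that to another service. Suggest expanding it to `Restrict process information to the owning user. /proc is mounted with hidepid=2, so an unprivileged user sees only their own processes; members of the "proc" group (here: polkituser and systemd-logind) retain full visibility. Add any user or service that must inspect other users' processes to users.groups.proc.members or to its SupplementaryGroups.` The `gid=` mount option and the `proc` group are coupled only through `config.ids.gids.proc`, which deserves a one-line comment next to `boot.specialFileSystems."/proc".options` so that nobody changes one side without the other and silently loses the exemption. Whether other system services that read `/proc` (monitoring or session tooling) also need the `proc` supplementary group is not visible from this file and should be confirmed before the option is recommended.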