| Commit message | Author | Age |
This module adds an option `security.hideProcessInformation` that, when
enabled, restricts access to process information such as command-line
arguments to the process owner. The module adds a static group "proc"
whose members are exempt from process information hiding.
Ideally, this feature would be implemented by simply adding the
appropriate mount options to `fileSystems."/proc".fsOptions`, but this
was found to not work in vmtests. To ensure that process information
hiding is enforced, we use a systemd service unit that remounts `/proc`
after `systemd-remount-fs.service` has completed.
To verify the correctness of the feature, simple tests were added to
nixos/tests/misc: the test ensures that unprivileged users cannot see
process information owned by another user, while members of "proc" CAN.
Thanks to @abbradar for feedback and suggestions.
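The remount the commit message describes, done by hand, as an added example (this is not nixpkgs code and not the module's systemd unit): it composes the procfs options, applies them, and checks that the kernel actually took them, which is the step the vmtests could not rely on. Assumed rather than stated in the commit: hidepid=2 is the level wanted (other users' /proc/<pid> directories become invisible rather than merely unreadable) and the exempt group is passed in by name; the function names are this example's own.

```shell
#!/bin/sh
# Added example, not nixpkgs code: remount /proc with process information
# hiding and verify the result, the way the commit's systemd unit does
# after systemd-remount-fs.service.
#
# Assumptions (not in the commit message): hidepid=2 is the desired level
# and the exempt group is given by name and resolved through getent.

# Compose the option string for `mount -o ... /proc`.
#   hidepid=2  other users' /proc/<pid> directories are not even listed
#   gid=N      members of group N are exempt from hiding
proc_remount_opts() {
    printf 'remount,hidepid=2,gid=%s' "$1"
}

# Resolve a group name to its numeric gid via the NSS database (glibc getent).
group_gid() {
    getent group "$1" | cut -d: -f3
}

# Given one /proc/mounts line, print the hidepid value, or 0 when the option
# is absent (the kernel default). Kernels from 5.8 report the symbolic forms
# "invisible"/"ptraceable" here instead of 2/1, so the value is kept verbatim.
hidepid_from_mount_line() {
    opts=$(printf '%s\n' "$1" | awk '{print $4}')
    val=$(printf '%s\n' "$opts" | tr ',' '\n' | sed -n 's/^hidepid=//p')
    printf '%s' "${val:-0}"
}

# Report the hidepid level of the live /proc mount.
current_proc_hidepid() {
    hidepid_from_mount_line "$(awk '$2 == "/proc" && $3 == "proc"' /proc/mounts | head -n 1)"
}

# Remount /proc with hiding enabled and verify that it took effect. Needs root.
# Usage: enforce_proc_hiding proc
enforce_proc_hiding() {
    gid=$(group_gid "$1")
    [ -n "$gid" ] || { echo "unknown group: $1" >&2; return 1; }
    mount -o "$(proc_remount_opts "$gid")" /proc || return 1
    case "$(current_proc_hidepid)" in
        2|invisible) return 0 ;;
        *) echo "/proc remount did not take effect" >&2; return 1 ;;
    esac
}
```

The verification step matters because a remount that is silently superseded (another unit or an initrd mount re-mounting /proc without the options) leaves the system looking configured while `ps aux` from an unprivileged account still lists everyone's command lines; the check that the commit's vmtest performs from the user side is the same idea, and `current_proc_hidepid` is what to run to reproduce it from the administrator's side.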
This is an alternative to NixOS/nixpkgs#6721, with
improvements suggested by @edolstra
Allow usage of a list of strings instead of a comma-separated string
for filesystem options. Deprecate the comma-separated string style
with a warning message; convert this to a hard error after 16.09.
15.09 was just released, so this provides a deprecation period during
the 16.03 release.
closes #10518
Signed-off-by: Robin Gloster <mail@glob.in>
systemd-udev-settle is not started by default anymore.
Because checking for psmouse like that is considered legacy,
we start systemd-udev-settle manually in the test.
cc @edolstra
Can't figure out why "hostname -s" keeps failing randomly :-(
http://hydra.nixos.org/build/10662142
Nscd forks into the background before it's ready to accept
connections. So explicitly wait until it's ready.
http://hydra.nixos.org/build/10661767
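The readiness wait the commit describes, written out as an added example (not nixpkgs test code): a daemon that forks into the background before it listens is a classic race, and the fix is to poll for the thing that proves it is up rather than for the start command returning. The socket path `/run/nscd/socket` and the helper names are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from nixpkgs: wait until a daemon that daemonizes
# early is actually ready, as the commit does for nscd.
#
# Assumption (not in the commit): nscd's listening socket is /run/nscd/socket.
NSCD_SOCKET=${NSCD_SOCKET:-/run/nscd/socket}

# wait_for_ready COND TIMEOUT: evaluate the shell expression COND once per
# second until it succeeds; return 1 once TIMEOUT seconds have elapsed.
wait_for_ready() {
    cond=$1
    timeout=$2
    elapsed=0
    until eval "$cond"; do
        [ "$elapsed" -lt "$timeout" ] || return 1
        sleep 1
        elapsed=$((elapsed + 1))
    done
}

# Block until nscd's socket exists, i.e. the daemon has finished starting,
# not merely forked. Default timeout 30 seconds.
wait_for_nscd() {
    wait_for_ready "[ -S '$NSCD_SOCKET' ]" "${1:-30}"
}
```

Use `wait_for_nscd` after the start command and before the first `getent`; the timeout turns a hang on a daemon that never comes up into a hard failure, which is what a test wants.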
This allows specifying rules for systemd-tmpfiles.
Also, enable systemd-tmpfiles-clean.timer so that stuff is cleaned up
automatically 15 minutes after boot and every day, *if* you have the
appropriate cleanup rules (which we don't have by default).
You can now run a test in the nixos/tests directory directly using
nix-build, e.g.
$ nix-build '<nixos/tests/login.nix>' -A test
This gets rid of having to add the test to nixos/tests/default.nix.
(Of course, you still need to add it to nixos/release.nix if you want
Hydra to run the test.)
Issue #1248.
http://hydra.nixos.org/build/6480163