From 984d9ebb56edf3ef2b0690e45c357be35b741dc3 Mon Sep 17 00:00:00 2001
From: Joachim Fasting
Date: Tue, 29 Nov 2016 02:16:15 +0100
Subject: hidepid: polkit and systemd-logind compatibility

`systemd.hideProcessInformation = true`, would break interactions requiring polkit arbitration such as initating poweroff/reboot as a normal user; the polkit daemon cannot be expected to make decisions about processes that don't exist as far as it is concerned.

systemd-logind lacks the `sys_ptrace` capability and so needs to be part of the designated proc gid, even though it runs as root.

Fixes https://github.com/NixOS/nixpkgs/issues/20948
---
 nixos/modules/security/hidepid.nix | 2 ++
 1 file changed, 2 insertions(+)
(limited to 'nixos/modules/security/hidepid.nix')

diff --git a/nixos/modules/security/hidepid.nix b/nixos/modules/security/hidepid.nix
index ee351eb84473..96443fda758c 100644
--- a/nixos/modules/security/hidepid.nix
+++ b/nixos/modules/security/hidepid.nix
@@ -19,7 +19,9 @@ with lib;
 config = mkIf config.security.hideProcessInformation {
 users.groups.proc.gid = config.ids.gids.proc;
+ users.groups.proc.members = [ "polkituser" ];
 boot.specialFileSystems."/proc".options = [ "hidepid=2" "gid=${toString config.ids.gids.proc}" ];
+ systemd.services.systemd-logind.serviceConfig.SupplementaryGroups = [ "proc" ];
 };
 }
--
cgit 1.4.1
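Review bot: The two added lines re-grant full /proc visibility to any process running as `polkituser` and to systemd-logind, but nothing in the hunk records that this is a deliberate exemption from `hidepid=2`, so a later reader may drop it or extend the member list without realising it is a trust boundary. Suggest a comment above `users.groups.proc.members`, e.g. `# polkit and logind must see other users' processes (hidepid=2 hides them); proc-group membership is the intended exemption, see NixOS/nixpkgs#20948`. The membership is also applied whenever hideProcessInformation is set, presumably regardless of whether polkit itself is enabled; if the polkituser account only exists when polkit is on, it may be worth gating that line on the option that enables polkit. The module's options block and the opening of the enclosing attribute set lie outside the hunk.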