summary refs log tree commit diff
diff options
context:
space:
mode:
authorJoachim Fasting <joachifm@fastmail.fm>2016-11-29 02:16:15 +0100
committerJoachim Fasting <joachifm@fastmail.fm>2016-12-07 01:12:05 +0100
commit984d9ebb56edf3ef2b0690e45c357be35b741dc3 (patch)
treed4896b19e22e36db31a8b31baf153ca541be27bc
parentc182733691b2e72f8bcf6d9d9f81a1c801df3449 (diff)
downloadnixpkgs-984d9ebb56edf3ef2b0690e45c357be35b741dc3.tar
nixpkgs-984d9ebb56edf3ef2b0690e45c357be35b741dc3.tar.gz
nixpkgs-984d9ebb56edf3ef2b0690e45c357be35b741dc3.tar.bz2
nixpkgs-984d9ebb56edf3ef2b0690e45c357be35b741dc3.tar.lz
nixpkgs-984d9ebb56edf3ef2b0690e45c357be35b741dc3.tar.xz
nixpkgs-984d9ebb56edf3ef2b0690e45c357be35b741dc3.tar.zst
nixpkgs-984d9ebb56edf3ef2b0690e45c357be35b741dc3.zip
hidepid: polkit and systemd-logind compatibility
`systemd.hideProcessInformation = true`, would break interactions
requiring polkit arbitration such as initating poweroff/reboot as a
normal user; the polkit daemon cannot be expected to make decisions
about processes that don't exist as far as it is concerned.

systemd-logind lacks the `sys_ptrace` capability and so needs to be part
of the designated proc gid, even though it runs as root.

Fixes https://github.com/NixOS/nixpkgs/issues/20948
Diffstat
-rw-r--r--nixos/modules/security/hidepid.nix2
1 files changed, 2 insertions, 0 deletions
diff --git a/nixos/modules/security/hidepid.nix b/nixos/modules/security/hidepid.nix
index ee351eb8447..96443fda758 100644
--- a/nixos/modules/security/hidepid.nix
+++ b/nixos/modules/security/hidepid.nix
@@ -19,7 +19,9 @@ with lib;
 
   config = mkIf config.security.hideProcessInformation {
     users.groups.proc.gid = config.ids.gids.proc;
+    users.groups.proc.members = [ "polkituser" ];
 
     boot.specialFileSystems."/proc".options = [ "hidepid=2" "gid=${toString config.ids.gids.proc}" ];
+    systemd.services.systemd-logind.serviceConfig.SupplementaryGroups = [ "proc" ];
   };
 }
generated by cgit-pink 1.4.1 (git 2.36.1) at 2024-05-18 21:48:41 +0000