diff options
author | Joachim Fasting <joachifm@fastmail.fm> | 2016-11-29 02:16:15 +0100 |
---|---|---|
committer | Joachim Fasting <joachifm@fastmail.fm> | 2016-12-07 01:12:05 +0100 |
commit | 984d9ebb56edf3ef2b0690e45c357be35b741dc3 (patch) | |
tree | d4896b19e22e36db31a8b31baf153ca541be27bc | |
parent | c182733691b2e72f8bcf6d9d9f81a1c801df3449 (diff) | |
download | nixpkgs-984d9ebb56edf3ef2b0690e45c357be35b741dc3.tar nixpkgs-984d9ebb56edf3ef2b0690e45c357be35b741dc3.tar.gz nixpkgs-984d9ebb56edf3ef2b0690e45c357be35b741dc3.tar.bz2 nixpkgs-984d9ebb56edf3ef2b0690e45c357be35b741dc3.tar.lz nixpkgs-984d9ebb56edf3ef2b0690e45c357be35b741dc3.tar.xz nixpkgs-984d9ebb56edf3ef2b0690e45c357be35b741dc3.tar.zst nixpkgs-984d9ebb56edf3ef2b0690e45c357be35b741dc3.zip |
hidepid: polkit and systemd-logind compatibility
`systemd.hideProcessInformation = true`, would break interactions requiring polkit arbitration such as initating poweroff/reboot as a normal user; the polkit daemon cannot be expected to make decisions about processes that don't exist as far as it is concerned. systemd-logind lacks the `sys_ptrace` capability and so needs to be part of the designated proc gid, even though it runs as root. Fixes https://github.com/NixOS/nixpkgs/issues/20948
-rw-r--r-- | nixos/modules/security/hidepid.nix | 2 |
1 files changed, 2 insertions, 0 deletions
diff --git a/nixos/modules/security/hidepid.nix b/nixos/modules/security/hidepid.nix index ee351eb8447..96443fda758 100644 --- a/nixos/modules/security/hidepid.nix +++ b/nixos/modules/security/hidepid.nix @@ -19,7 +19,9 @@ with lib; config = mkIf config.security.hideProcessInformation { users.groups.proc.gid = config.ids.gids.proc; + users.groups.proc.members = [ "polkituser" ]; boot.specialFileSystems."/proc".options = [ "hidepid=2" "gid=${toString config.ids.gids.proc}" ]; + systemd.services.systemd-logind.serviceConfig.SupplementaryGroups = [ "proc" ]; }; } |