diff options
Diffstat (limited to 'nixos/modules/security/hidepid.nix')
-rw-r--r-- | nixos/modules/security/hidepid.nix | 42 |
1 files changed, 42 insertions, 0 deletions
diff --git a/nixos/modules/security/hidepid.nix b/nixos/modules/security/hidepid.nix new file mode 100644 index 00000000000..8271578c55d --- /dev/null +++ b/nixos/modules/security/hidepid.nix @@ -0,0 +1,42 @@ +{ config, pkgs, lib, ... }: +with lib; + +{ + options = { + security.hideProcessInformation = mkEnableOption "" // { description = '' + Restrict access to process information to the owning user. Enabling + this option implies, among other things, that command-line arguments + remain private. This option is recommended for most systems, unless + there's a legitimate reason for allowing unprivileged users to inspect + the process information of other users. + + Members of the group "proc" are exempt from process information hiding. + To allow a service to run without process information hiding, add "proc" + to its supplementary groups via + <option>systemd.services.<name?>.serviceConfig.SupplementaryGroups</option>. + ''; }; + }; + + config = mkIf config.security.hideProcessInformation { + users.groups.proc.gid = config.ids.gids.proc; + + systemd.services.hidepid = { + wantedBy = [ "local-fs.target" ]; + after = [ "systemd-remount-fs.service" ]; + before = [ "local-fs-pre.target" "local-fs.target" "shutdown.target" ]; + wants = [ "local-fs-pre.target" ]; + + serviceConfig = { + Type = "oneshot"; + RemainAfterExit = true; + ExecStart = ''${pkgs.utillinux}/bin/mount -o remount,hidepid=2,gid=${toString config.ids.gids.proc} /proc''; + ExecStop = ''${pkgs.utillinux}/bin/mount -o remount,hidepid=0,gid=0 /proc''; + }; + + unitConfig = { + DefaultDependencies = false; + Conflicts = "shutdown.target"; + }; + }; + }; +} |