public
/
nixpkgs
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

nixos/hidepid: drop the module as the hidepid mount option is broken 

This has been in an unusable state since the switch to cgroups-v2.
See https://github.com/NixOS/nixpkgs/issues/73800 for details.
This commit is contained in:
Dominik Xaver Hörl 2021-02-21 13:25:56 +01:00
parent b8ec6cfdd4
commit 893d911b55
6 changed files with 5 additions and 73 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
nixos/modules/module-list.nix
View File

@ -207,7 +207,6 @@
./security/dhparams.nix ./security/dhparams.nix
./security/duosec.nix ./security/duosec.nix
./security/google_oslogin.nix ./security/google_oslogin.nix
./security/hidepid.nix
./security/lock-kernel-modules.nix ./security/lock-kernel-modules.nix
./security/misc.nix ./security/misc.nix
./security/oath.nix ./security/oath.nix

2
nixos/modules/profiles/hardened.nix
View File

@ -22,8 +22,6 @@ with lib;
environment.memoryAllocator.provider = mkDefault "scudo"; environment.memoryAllocator.provider = mkDefault "scudo";
environment.variables.SCUDO_OPTIONS = mkDefault "ZeroContents=1"; environment.variables.SCUDO_OPTIONS = mkDefault "ZeroContents=1";
security.hideProcessInformation = mkDefault true;
security.lockKernelModules = mkDefault true; security.lockKernelModules = mkDefault true;
security.protectKernelImage = mkDefault true; security.protectKernelImage = mkDefault true;

5
nixos/modules/rename.nix
View File

@ -73,6 +73,11 @@ with lib;
(mkRemovedOptionModule [ "services" "venus" ] "The corresponding package was removed from nixpkgs.") (mkRemovedOptionModule [ "services" "venus" ] "The corresponding package was removed from nixpkgs.")
(mkRemovedOptionModule [ "services" "flashpolicyd" ] "The flashpolicyd module has been removed. Adobe Flash Player is deprecated.") (mkRemovedOptionModule [ "services" "flashpolicyd" ] "The flashpolicyd module has been removed. Adobe Flash Player is deprecated.")
(mkRemovedOptionModule [ "security" "hideProcessInformation" ] ''
The hidepid module was removed, since the underlying machinery
is broken when using cgroups-v2.
'')
# Do NOT add any option renames here, see top of the file # Do NOT add any option renames here, see top of the file
]; ];
} }

31
nixos/modules/security/hidepid.nix
View File

@ -1,31 +0,0 @@
{ config, lib, ... }:
with lib;
{
meta = {
maintainers = [ maintainers.joachifm ];
doc = ./hidepid.xml;
};
options = {
security.hideProcessInformation = mkOption {
type = types.bool;
default = false;
description = ''
Restrict process information to the owning user.
'';
};
};
config = mkIf config.security.hideProcessInformation {
users.groups.proc.gid = config.ids.gids.proc;
users.groups.proc.members = [ "polkituser" ];
boot.specialFileSystems."/proc".options = [ "hidepid=2" "gid=${toString config.ids.gids.proc}" ];
systemd.services.systemd-logind.serviceConfig.SupplementaryGroups = [ "proc" ];
# Disable cgroupsv2, which doesn't work with hidepid.
# https://github.com/NixOS/nixpkgs/pull/104094#issuecomment-729996203
systemd.enableUnifiedCgroupHierarchy = false;
};
}

28
nixos/modules/security/hidepid.xml
View File

@ -1,28 +0,0 @@
<chapter xmlns="http://docbook.org/ns/docbook"
xmlns:xlink="http://www.w3.org/1999/xlink"
xmlns:xi="http://www.w3.org/2001/XInclude"
version="5.0"
xml:id="sec-hidepid">
<title>Hiding process information</title>
<para>
Setting
<programlisting>
<xref linkend="opt-security.hideProcessInformation"/> = true;
</programlisting>
ensures that access to process information is restricted to the owning user.
This implies, among other things, that command-line arguments remain private.
Unless your deployment relies on unprivileged users being able to inspect the
process information of other users, this option should be safe to enable.
</para>
<para>
Members of the <literal>proc</literal> group are exempt from process
information hiding.
</para>
<para>
To allow a service <replaceable>foo</replaceable> to run without process
information hiding, set
<programlisting>
<link linkend="opt-systemd.services._name_.serviceConfig">systemd.services.<replaceable>foo</replaceable>.serviceConfig</link>.SupplementaryGroups = [ "proc" ];
</programlisting>
</para>
</chapter>

11
nixos/tests/hardened.nix
View File

@ -65,17 +65,6 @@ import ./make-test-python.nix ({ pkgs, latestKernel ? false, ... } : {
machine.succeed("grep -Fq wireguard /proc/modules") machine.succeed("grep -Fq wireguard /proc/modules")
# Test hidepid
with subtest("hidepid=2 option is applied and works"):
# Linux >= 5.8 shows "invisible"
machine.succeed(
"grep -Fq hidepid=2 /proc/mounts || grep -Fq hidepid=invisible /proc/mounts"
)
# cannot use pgrep -u here, it segfaults when access to process info is denied
machine.succeed("[ `su - sybil -c 'ps --no-headers --user root | wc -l'` = 0 ]")
machine.succeed("[ `su - alice -c 'ps --no-headers --user root | wc -l'` != 0 ]")
# Test kernel module hardening # Test kernel module hardening
with subtest("No more kernel modules can be loaded"): with subtest("No more kernel modules can be loaded"):
# note: this better a be module we normally wouldn't load ... # note: this better a be module we normally wouldn't load ...