# NixOS module: security.hideProcessInformation
#
# When enabled, mounts /proc with hidepid=2 so that each unprivileged user
# can only see their own /proc/<pid> entries, and creates a "proc" group
# whose members are exempt from the restriction.
{ config, pkgs, lib, ... }:

let
  cfg = config.security.hideProcessInformation;

  # GID of the "proc" exemption group. The same value is used both to create
  # the group and in the gid= mount option, so the two cannot drift apart.
  procGid = config.ids.gids.proc;
in
{
  options.security.hideProcessInformation = lib.mkEnableOption "" // {
    description = ''
      Restrict access to process information to the owning user. Enabling
      this option implies, among other things, that command-line arguments
      remain private. This option is recommended for most systems, unless
      there's a legitimate reason for allowing unprivileged users to inspect
      the process information of other users.

      Members of the group "proc" are exempt from process information hiding.
      To allow a service to run without process information hiding, add "proc"
      to its supplementary groups via
      <option>systemd.services.<name?>.serviceConfig.SupplementaryGroups</option>.
    '';
  };

  config = lib.mkIf cfg {
    # The exemption group, with its statically assigned GID.
    users.groups.proc.gid = procGid;

    # hidepid=2 makes other users' /proc/<pid> directories invisible
    # (not merely unreadable); gid= names the group that bypasses this.
    # NOTE(review): these options apply to the /proc mount declared here;
    # whether a separately mounted /proc in another mount namespace inherits
    # them depends on the kernel in use — verify for containerised services.
    boot.specialFileSystems."/proc".options = [
      "hidepid=2"
      "gid=${toString procGid}"
    ];
  };
}