commit 893d911b553526b150cd6a0c6c0cea47e0ef55ab · pyrox.dev/nixpkgs

-1

nixos/modules/module-list.nix

···

       207
        
         ./security/dhparams.nix

     

       208
        
         ./security/duosec.nix

     

       209
        
         ./security/google_oslogin.nix

     

       210
       -
         ./security/hidepid.nix

     

       211
        
         ./security/lock-kernel-modules.nix

     

       212
        
         ./security/misc.nix

     

       213
        
         ./security/oath.nix

···

       207
        
         ./security/dhparams.nix

     

       208
        
         ./security/duosec.nix

     

       209
        
         ./security/google_oslogin.nix

     

       0
        
       
     

       210
        
         ./security/lock-kernel-modules.nix

     

       211
        
         ./security/misc.nix

     

       212
        
         ./security/oath.nix

-2

nixos/modules/profiles/hardened.nix

···

       22
        
         environment.memoryAllocator.provider = mkDefault "scudo";

     

       23
        
         environment.variables.SCUDO_OPTIONS = mkDefault "ZeroContents=1";

     

       24
        
       

     

       25
       -
         security.hideProcessInformation = mkDefault true;

     

       26
       -
       

     

       27
        
         security.lockKernelModules = mkDefault true;

     

       28
        
       

     

       29
        
         security.protectKernelImage = mkDefault true;

···

       22
        
         environment.memoryAllocator.provider = mkDefault "scudo";

     

       23
        
         environment.variables.SCUDO_OPTIONS = mkDefault "ZeroContents=1";

     

       24
        
       

     

       0
        
       
     

       0
        
       
     

       25
        
         security.lockKernelModules = mkDefault true;

     

       26
        
       

     

       27
        
         security.protectKernelImage = mkDefault true;

+5

nixos/modules/rename.nix

···

       73
        
           (mkRemovedOptionModule [ "services" "venus" ] "The corresponding package was removed from nixpkgs.")

     

       74
        
           (mkRemovedOptionModule [ "services" "flashpolicyd" ] "The flashpolicyd module has been removed. Adobe Flash Player is deprecated.")

     

       75
        
       

     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       76
        
           # Do NOT add any option renames here, see top of the file

     

       77
        
         ];

     

       78
        
       }

···

       73
        
           (mkRemovedOptionModule [ "services" "venus" ] "The corresponding package was removed from nixpkgs.")

     

       74
        
           (mkRemovedOptionModule [ "services" "flashpolicyd" ] "The flashpolicyd module has been removed. Adobe Flash Player is deprecated.")

     

       75
        
       

     

       76
       +
           (mkRemovedOptionModule [ "security" "hideProcessInformation" ] ''

     

       77
       +
               The hidepid module was removed, since the underlying machinery

     

       78
       +
               is broken when using cgroups-v2.

     

       79
       +
           '')

     

       80
       +
       

     

       81
        
           # Do NOT add any option renames here, see top of the file

     

       82
        
         ];

     

       83
        
       }

-31

nixos/modules/security/hidepid.nix

···

       1
       -
       { config, lib, ... }:

     

       2
       -
       with lib;

     

       3
       -
       

     

       4
       -
       {

     

       5
       -
         meta = {

     

       6
       -
           maintainers = [ maintainers.joachifm ];

     

       7
       -
           doc = ./hidepid.xml;

     

       8
       -
         };

     

       9
       -
       

     

       10
       -
         options = {

     

       11
       -
           security.hideProcessInformation = mkOption {

     

       12
       -
             type = types.bool;

     

       13
       -
             default = false;

     

       14
       -
             description = ''

     

       15
       -
               Restrict process information to the owning user.

     

       16
       -
             '';

     

       17
       -
           };

     

       18
       -
         };

     

       19
       -
       

     

       20
       -
         config = mkIf config.security.hideProcessInformation {

     

       21
       -
           users.groups.proc.gid = config.ids.gids.proc;

     

       22
       -
           users.groups.proc.members = [ "polkituser" ];

     

       23
       -
       

     

       24
       -
           boot.specialFileSystems."/proc".options = [ "hidepid=2" "gid=${toString config.ids.gids.proc}" ];

     

       25
       -
           systemd.services.systemd-logind.serviceConfig.SupplementaryGroups = [ "proc" ];

     

       26
       -
       

     

       27
       -
           # Disable cgroupsv2, which doesn't work with hidepid.

     

       28
       -
           # https://github.com/NixOS/nixpkgs/pull/104094#issuecomment-729996203

     

       29
       -
           systemd.enableUnifiedCgroupHierarchy = false;

     

       30
       -
         };

     

       31
       -
       }

-28

nixos/modules/security/hidepid.xml

···

       1
       -
       <chapter xmlns="http://docbook.org/ns/docbook"

     

       2
       -
                xmlns:xlink="http://www.w3.org/1999/xlink"

     

       3
       -
                xmlns:xi="http://www.w3.org/2001/XInclude"

     

       4
       -
                version="5.0"

     

       5
       -
                xml:id="sec-hidepid">

     

       6
       -
        <title>Hiding process information</title>

     

       7
       -
        <para>

     

       8
       -
         Setting

     

       9
       -
       <programlisting>

     

       10
       -
       <xref linkend="opt-security.hideProcessInformation"/> = true;

     

       11
       -
       </programlisting>

     

       12
       -
         ensures that access to process information is restricted to the owning user.

     

       13
       -
         This implies, among other things, that command-line arguments remain private.

     

       14
       -
         Unless your deployment relies on unprivileged users being able to inspect the

     

       15
       -
         process information of other users, this option should be safe to enable.

     

       16
       -
        </para>

     

       17
       -
        <para>

     

       18
       -
         Members of the <literal>proc</literal> group are exempt from process

     

       19
       -
         information hiding.

     

       20
       -
        </para>

     

       21
       -
        <para>

     

       22
       -
         To allow a service <replaceable>foo</replaceable> to run without process

     

       23
       -
         information hiding, set

     

       24
       -
       <programlisting>

     

       25
       -
       <link linkend="opt-systemd.services._name_.serviceConfig">systemd.services.<replaceable>foo</replaceable>.serviceConfig</link>.SupplementaryGroups = [ "proc" ];

     

       26
       -
       </programlisting>

     

       27
       -
        </para>

     

       28
       -
       </chapter>

-11

nixos/tests/hardened.nix

···

       65
        
                 machine.succeed("grep -Fq wireguard /proc/modules")

     

       66
        
       

     

       67
        
       

     

       68
       -
             # Test hidepid

     

       69
       -
             with subtest("hidepid=2 option is applied and works"):

     

       70
       -
                 # Linux >= 5.8 shows "invisible"

     

       71
       -
                 machine.succeed(

     

       72
       -
                     "grep -Fq hidepid=2 /proc/mounts || grep -Fq hidepid=invisible /proc/mounts"

     

       73
       -
                 )

     

       74
       -
                 # cannot use pgrep -u here, it segfaults when access to process info is denied

     

       75
       -
                 machine.succeed("[ `su - sybil -c 'ps --no-headers --user root | wc -l'` = 0 ]")

     

       76
       -
                 machine.succeed("[ `su - alice -c 'ps --no-headers --user root | wc -l'` != 0 ]")

     

       77
       -
       

     

       78
       -
       

     

       79
        
             # Test kernel module hardening

     

       80
        
             with subtest("No more kernel modules can be loaded"):

     

       81
        
                 # note: this better a be module we normally wouldn't load ...

···

       65
        
                 machine.succeed("grep -Fq wireguard /proc/modules")

     

       66
        
       

     

       67
        
       

     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       68
        
             # Test kernel module hardening

     

       69
        
             with subtest("No more kernel modules can be loaded"):

     

       70
        
                 # note: this better a be module we normally wouldn't load ...