nixos/hidepid: drop the module as the hidepid mount option is broken

This has been in an unusable state since the switch to cgroups-v2. See https://github.com/NixOS/nixpkgs/issues/73800 for details.
2021-02-21 13:25:56 +01:00 · 2021-02-21 13:25:56 +01:00 · 893d911b55
parent b8ec6cfdd4
commit 893d911b55
6 changed files with 5 additions and 73 deletions
--- a/nixos/modules/module-list.nix
+++ b/nixos/modules/module-list.nix
@ -207,7 +207,6 @@
  ./security/dhparams.nix
  ./security/duosec.nix
  ./security/google_oslogin.nix
-  ./security/hidepid.nix
  ./security/lock-kernel-modules.nix
  ./security/misc.nix
  ./security/oath.nix
--- a/nixos/modules/profiles/hardened.nix
+++ b/nixos/modules/profiles/hardened.nix
@ -22,8 +22,6 @@ with lib;
  environment.memoryAllocator.provider = mkDefault "scudo";
  environment.variables.SCUDO_OPTIONS = mkDefault "ZeroContents=1";

-  security.hideProcessInformation = mkDefault true;
-
  security.lockKernelModules = mkDefault true;

  security.protectKernelImage = mkDefault true;
--- a/nixos/modules/rename.nix
+++ b/nixos/modules/rename.nix
@ -73,6 +73,11 @@ with lib;
    (mkRemovedOptionModule [ "services" "venus" ] "The corresponding package was removed from nixpkgs.")
    (mkRemovedOptionModule [ "services" "flashpolicyd" ] "The flashpolicyd module has been removed. Adobe Flash Player is deprecated.")

+    (mkRemovedOptionModule [ "security" "hideProcessInformation" ] ''
+        The hidepid module was removed, since the underlying machinery
+        is broken when using cgroups-v2.
+    '')
+
    # Do NOT add any option renames here, see top of the file
  ];
 }
--- a/nixos/modules/security/hidepid.nix
+++ b/nixos/modules/security/hidepid.nix
@ -1,31 +0,0 @@
-{ config, lib, ... }:
-with lib;
-
-{
-  meta = {
-    maintainers = [ maintainers.joachifm ];
-    doc = ./hidepid.xml;
-  };
-
-  options = {
-    security.hideProcessInformation = mkOption {
-      type = types.bool;
-      default = false;
-      description = ''
-        Restrict process information to the owning user.
-      '';
-    };
-  };
-
-  config = mkIf config.security.hideProcessInformation {
-    users.groups.proc.gid = config.ids.gids.proc;
-    users.groups.proc.members = [ "polkituser" ];
-
-    boot.specialFileSystems."/proc".options = [ "hidepid=2" "gid=${toString config.ids.gids.proc}" ];
-    systemd.services.systemd-logind.serviceConfig.SupplementaryGroups = [ "proc" ];
-
-    # Disable cgroupsv2, which doesn't work with hidepid.
-    # https://github.com/NixOS/nixpkgs/pull/104094#issuecomment-729996203
-    systemd.enableUnifiedCgroupHierarchy = false;
-  };
-}
--- a/nixos/modules/security/hidepid.xml
+++ b/nixos/modules/security/hidepid.xml
@ -1,28 +0,0 @@
-<chapter xmlns="http://docbook.org/ns/docbook"
-         xmlns:xlink="http://www.w3.org/1999/xlink"
-         xmlns:xi="http://www.w3.org/2001/XInclude"
-         version="5.0"
-         xml:id="sec-hidepid">
- <title>Hiding process information</title>
- <para>
-  Setting
-<programlisting>
-<xref linkend="opt-security.hideProcessInformation"/> = true;
-</programlisting>
-  ensures that access to process information is restricted to the owning user.
-  This implies, among other things, that command-line arguments remain private.
-  Unless your deployment relies on unprivileged users being able to inspect the
-  process information of other users, this option should be safe to enable.
- </para>
- <para>
-  Members of the <literal>proc</literal> group are exempt from process
-  information hiding.
- </para>
- <para>
-  To allow a service <replaceable>foo</replaceable> to run without process
-  information hiding, set
-<programlisting>
-<link linkend="opt-systemd.services._name_.serviceConfig">systemd.services.<replaceable>foo</replaceable>.serviceConfig</link>.SupplementaryGroups = [ "proc" ];
-</programlisting>
- </para>
-</chapter>
--- a/nixos/tests/hardened.nix
+++ b/nixos/tests/hardened.nix
@ -65,17 +65,6 @@ import ./make-test-python.nix ({ pkgs, latestKernel ? false, ... } : {
          machine.succeed("grep -Fq wireguard /proc/modules")


-      # Test hidepid
-      with subtest("hidepid=2 option is applied and works"):
-          # Linux >= 5.8 shows "invisible"
-          machine.succeed(
-              "grep -Fq hidepid=2 /proc/mounts || grep -Fq hidepid=invisible /proc/mounts"
-          )
-          # cannot use pgrep -u here, it segfaults when access to process info is denied
-          machine.succeed("[ `su - sybil -c 'ps --no-headers --user root | wc -l'` = 0 ]")
-          machine.succeed("[ `su - alice -c 'ps --no-headers --user root | wc -l'` != 0 ]")
-
-
      # Test kernel module hardening
      with subtest("No more kernel modules can be loaded"):
          # note: this better a be module we normally wouldn't load ...