From 893d911b553526b150cd6a0c6c0cea47e0ef55ab Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Dominik=20Xaver=20H=C3=B6rl?=
Date: Sun, 21 Feb 2021 13:25:56 +0100
Subject: [PATCH] nixos/hidepid: drop the module as the hidepid mount option is broken

This has been in an unusable state since the switch to cgroups-v2. See https://github.com/NixOS/nixpkgs/issues/73800 for details.
---
 nixos/modules/module-list.nix | 1 -
 nixos/modules/profiles/hardened.nix | 2 --
 nixos/modules/rename.nix | 5 +++++
 nixos/modules/security/hidepid.nix | 31 -----------------------------
 nixos/modules/security/hidepid.xml | 28 --------------------------
 nixos/tests/hardened.nix | 11 ----------
 6 files changed, 5 insertions(+), 73 deletions(-)
 delete mode 100644 nixos/modules/security/hidepid.nix
 delete mode 100644 nixos/modules/security/hidepid.xml

diff --git a/nixos/modules/module-list.nix b/nixos/modules/module-list.nix
index 644229627b2f..f831e302b161 100644
--- a/nixos/modules/module-list.nix
+++ b/nixos/modules/module-list.nix
@@ -207,7 +207,6 @@
 ./security/dhparams.nix
 ./security/duosec.nix
 ./security/google_oslogin.nix
- ./security/hidepid.nix
 ./security/lock-kernel-modules.nix
 ./security/misc.nix
 ./security/oath.nix
diff --git a/nixos/modules/profiles/hardened.nix b/nixos/modules/profiles/hardened.nix
index 680fa40b9119..00aafc6831b2 100644
--- a/nixos/modules/profiles/hardened.nix
+++ b/nixos/modules/profiles/hardened.nix
@@ -22,8 +22,6 @@ with lib;
 environment.memoryAllocator.provider = mkDefault "scudo";
 environment.variables.SCUDO_OPTIONS = mkDefault "ZeroContents=1";
- security.hideProcessInformation = mkDefault true;
-
 security.lockKernelModules = mkDefault true;
 security.protectKernelImage = mkDefault true;
diff --git a/nixos/modules/rename.nix b/nixos/modules/rename.nix
index 2d07e421efe4..9f1efc462798 100644
--- a/nixos/modules/rename.nix
+++ b/nixos/modules/rename.nix
@@ -73,6 +73,11 @@ with lib;
 (mkRemovedOptionModule [ "services" "venus" ] "The corresponding package was removed from nixpkgs.")
 (mkRemovedOptionModule [ "services" "flashpolicyd" ] "The flashpolicyd module has been removed. Adobe Flash Player is deprecated.")
+ (mkRemovedOptionModule [ "security" "hideProcessInformation" ] ''
+ The hidepid module was removed, since the underlying machinery
+ is broken when using cgroups-v2.
+ '')
+ # Do NOT add any option renames here, see top of the file
 ];
 }
diff --git a/nixos/modules/security/hidepid.nix b/nixos/modules/security/hidepid.nix
deleted file mode 100644
index 4953f517e93b..000000000000
--- a/nixos/modules/security/hidepid.nix
+++ /dev/null
@@ -1,31 +0,0 @@
-{ config, lib, ... }:
-with lib;
-
-{
- meta = {
- maintainers = [ maintainers.joachifm ];
- doc = ./hidepid.xml;
- };
-
- options = {
- security.hideProcessInformation = mkOption {
- type = types.bool;
- default = false;
- description = ''
- Restrict process information to the owning user.
- '';
- };
- };
-
- config = mkIf config.security.hideProcessInformation {
- users.groups.proc.gid = config.ids.gids.proc;
- users.groups.proc.members = [ "polkituser" ];
-
- boot.specialFileSystems."/proc".options = [ "hidepid=2" "gid=${toString config.ids.gids.proc}" ];
- systemd.services.systemd-logind.serviceConfig.SupplementaryGroups = [ "proc" ];
-
- # Disable cgroupsv2, which doesn't work with hidepid.
- # https://github.com/NixOS/nixpkgs/pull/104094#issuecomment-729996203
- systemd.enableUnifiedCgroupHierarchy = false;
- };
-}
diff --git a/nixos/modules/security/hidepid.xml b/nixos/modules/security/hidepid.xml
deleted file mode 100644
index 5a17cb1da412..000000000000
--- a/nixos/modules/security/hidepid.xml
+++ /dev/null
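Review bot: The removal message in the new mkRemovedOptionModule entry tells users the option is gone but not what they lose or whether any replacement exists, which matters here because the hardened.nix profile hunk silently drops `security.hideProcessInformation = mkDefault true;` — systems that only import the profile never set the option themselves, so they will not trip this removed-option entry and lose `hidepid=2` on /proc without any notice. The deleted module shows the whole effect was `boot.specialFileSystems."/proc".options = [ "hidepid=2" "gid=..." ]` together with `systemd.enableUnifiedCgroupHierarchy = false`, so the message can state that plainly instead of "the underlying machinery". I would extend the string to `The hidepid module was removed, since the underlying machinery` / `is broken when using cgroups-v2; the hardened profile no longer sets` / `hidepid=2 on /proc. See https://github.com/NixOS/nixpkgs/issues/73800.` The diffstat lists no release-notes file, so this hardening regression appears to be otherwise undocumented for profile users. The enclosing list in rename.nix starts outside the hunk.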
@@ -1,28 +0,0 @@
- - Hiding process information - - Setting - - = true; - - ensures that access to process information is restricted to the owning user. - This implies, among other things, that command-line arguments remain private. - Unless your deployment relies on unprivileged users being able to inspect the - process information of other users, this option should be safe to enable. - - - Members of the proc group are exempt from process - information hiding. - - - To allow a service foo to run without process - information hiding, set - -systemd.services.foo.serviceConfig.SupplementaryGroups = [ "proc" ]; - - -
diff --git a/nixos/tests/hardened.nix b/nixos/tests/hardened.nix
index 0c26eaa310d4..485efc0fb78c 100644
--- a/nixos/tests/hardened.nix
+++ b/nixos/tests/hardened.nix
@@ -65,17 +65,6 @@ import ./make-test-python.nix ({ pkgs, latestKernel ? false, ... } : {
 machine.succeed("grep -Fq wireguard /proc/modules")
- # Test hidepid
- with subtest("hidepid=2 option is applied and works"):
- # Linux >= 5.8 shows "invisible"
- machine.succeed(
- "grep -Fq hidepid=2 /proc/mounts || grep -Fq hidepid=invisible /proc/mounts"
- )
- # cannot use pgrep -u here, it segfaults when access to process info is denied
- machine.succeed("[ `su - sybil -c 'ps --no-headers --user root | wc -l'` = 0 ]")
- machine.succeed("[ `su - alice -c 'ps --no-headers --user root | wc -l'` != 0 ]")
-
- # Test kernel module hardening
 with subtest("No more kernel modules can be loaded"):
 # note: this better a be module we normally wouldn't load ...