forked from mirrors/nixpkgs
cef2814a4f
This module adds an option `security.hideProcessInformation` that, when enabled, restricts access to process information such as command-line arguments to the process owner. The module adds a static group "proc" whose members are exempt from process information hiding. Ideally, this feature would be implemented by simply adding the appropriate mount options to `fileSystems."/proc".fsOptions`, but this was found to not work in vmtests. To ensure that process information hiding is enforced, we use a systemd service unit that remounts `/proc` after `systemd-remount-fs.service` has completed. To verify the correctness of the feature, simple tests were added to nixos/tests/misc: the test ensures that unprivileged users cannot see process information owned by another user, while members of "proc" CAN. Thanks to @abbradar for feedback and suggestions. |
||
|---|---|---|
| .. | ||
| acme.nix | ||
| acme.xml | ||
| apparmor-suid.nix | ||
| apparmor.nix | ||
| audit.nix | ||
| ca.nix | ||
| duosec.nix | ||
| grsecurity.nix | ||
| hidepid.nix | ||
| oath.nix | ||
| pam.nix | ||
| pam_mount.nix | ||
| pam_usb.nix | ||
| polkit.nix | ||
| prey.nix | ||
| rngd.nix | ||
| rtkit.nix | ||
| setuid-wrapper.c | ||
| setuid-wrappers.nix | ||
| sudo.nix | ||