Diffstat (limited to 'nixos/modules/security')
-rw-r--r--nixos/modules/security/acme.nix4
-rw-r--r--nixos/modules/security/apparmor-suid.nix6
-rw-r--r--nixos/modules/security/hidepid.nix42
-rw-r--r--nixos/modules/security/polkit.nix8
-rw-r--r--nixos/modules/security/setuid-wrappers.nix4
5 files changed, 53 insertions, 11 deletions
diff --git a/nixos/modules/security/acme.nix b/nixos/modules/security/acme.nix
index c5cd0fb60ee9a..cb5410a5f15d8 100644
--- a/nixos/modules/security/acme.nix
+++ b/nixos/modules/security/acme.nix
@@ -152,7 +152,7 @@ in
         in nameValuePair
         ("acme-${cert}")
         ({
-          description = "ACME cert renewal for ${cert} using simp_le";
+          description = "Renew ACME Certificate for ${cert}";
           after = [ "network.target" ];
           serviceConfig = {
             Type = "oneshot";
@@ -192,7 +192,7 @@ in
       systemd.timers = flip mapAttrs' cfg.certs (cert: data: nameValuePair
         ("acme-${cert}")
         ({
-          description = "timer for ACME cert renewal of ${cert}";
+          description = "Renew ACME Certificate for ${cert}";
           wantedBy = [ "timers.target" ];
           timerConfig = {
             OnCalendar = cfg.renewInterval;
diff --git a/nixos/modules/security/apparmor-suid.nix b/nixos/modules/security/apparmor-suid.nix
index b89b379ae6668..d766f6badfc7e 100644
--- a/nixos/modules/security/apparmor-suid.nix
+++ b/nixos/modules/security/apparmor-suid.nix
@@ -28,9 +28,9 @@ with lib;
         capability setuid,
         network inet raw,
 
-        ${pkgs.glibc}/lib/*.so mr,
-        ${pkgs.libcap}/lib/libcap.so* mr,
-        ${pkgs.attr}/lib/libattr.so* mr,
+        ${pkgs.glibc.out}/lib/*.so mr,
+        ${pkgs.libcap.out}/lib/libcap.so* mr,
+        ${pkgs.attr.out}/lib/libattr.so* mr,
 
         ${pkgs.iputils}/bin/ping mixr,
         /var/setuid-wrappers/ping.real r,
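Review bot: The library paths are now pinned to the `.out` output, but the `${pkgs.iputils}/bin/ping mixr` rule on the following context line still references the package's default output, so the profile mixes two conventions within the same rule list. If that is deliberate (iputils presumably has a single output, so `pkgs.iputils` and any `.out` are the same path), a one-line comment such as `# iputils is single-output; no explicit output needed` above the ping rule would stop the next reader from "fixing" it. Because this profile gates a setuid binary, a reviewer should also confirm that the `.out` outputs of glibc, libcap and attr really are where the shared objects live, otherwise the `mr` grants silently miss and ping fails under enforcement. The enclosing profile string starts and ends outside the hunk.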
diff --git a/nixos/modules/security/hidepid.nix b/nixos/modules/security/hidepid.nix
new file mode 100644
index 0000000000000..8271578c55d68
--- /dev/null
+++ b/nixos/modules/security/hidepid.nix
@@ -0,0 +1,42 @@
+{ config, pkgs, lib, ... }:
+with lib;
+
+{
+  options = {
+    security.hideProcessInformation = mkEnableOption "" // { description = ''
+      Restrict access to process information to the owning user.  Enabling
+      this option implies, among other things, that command-line arguments
+      remain private.  This option is recommended for most systems, unless
+      there's a legitimate reason for allowing unprivileged users to inspect
+      the process information of other users.
+
+      Members of the group "proc" are exempt from process information hiding.
+      To allow a service to run without process information hiding, add "proc"
+      to its supplementary groups via
+      <option>systemd.services.&lt;name?&gt;.serviceConfig.SupplementaryGroups</option>.
+    ''; };
+  };
+
+  config = mkIf config.security.hideProcessInformation {
+    users.groups.proc.gid = config.ids.gids.proc;
+
+    systemd.services.hidepid = {
+      wantedBy = [ "local-fs.target" ];
+      after = [ "systemd-remount-fs.service" ];
+      before = [ "local-fs-pre.target" "local-fs.target" "shutdown.target" ];
+      wants = [ "local-fs-pre.target" ];
+
+      serviceConfig = {
+        Type = "oneshot";
+        RemainAfterExit = true;
+        ExecStart = ''${pkgs.utillinux}/bin/mount -o remount,hidepid=2,gid=${toString config.ids.gids.proc} /proc'';
+        ExecStop = ''${pkgs.utillinux}/bin/mount -o remount,hidepid=0,gid=0 /proc'';
+      };
+
+      unitConfig = {
+        DefaultDependencies = false;
+        Conflicts = "shutdown.target";
+      };
+    };
+  };
+}
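Review bot: The `ExecStart` remount at the `mount -o remount,hidepid=2,gid=…` line only changes the mount options of the `/proc` instance that this unit sees, and the module's description (lines 65–74) gives no hint of that limit; a service or container that mounts its own `proc` filesystem may not inherit `hidepid` (the kernel's handling of procfs options is per-superblock or per-mount depending on kernel version), so the option's "command-line arguments remain private" claim should be qualified. I would add a comment above `ExecStart` such as `# hidepid applies to this /proc mount; a freshly mounted proc (e.g. in a container) may need the same options` and extend the description with a sentence noting that containers and chroots with their own /proc are not covered. Separately, `mkEnableOption ""` immediately overridden by `// { description = … }` is an odd idiom; `mkOption { type = types.bool; default = false; description = …; }` states the same thing without the empty string. The `ExecStop` fallback to `hidepid=0,gid=0` is correct for restoring the default, but it is worth a comment that stopping the unit (not just disabling the option) re-exposes process information.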
diff --git a/nixos/modules/security/polkit.nix b/nixos/modules/security/polkit.nix
index 95b659d96f0f2..507f81bbf0737 100644
--- a/nixos/modules/security/polkit.nix
+++ b/nixos/modules/security/polkit.nix
@@ -59,9 +59,9 @@ in
 
   config = mkIf cfg.enable {
 
-    environment.systemPackages = [ pkgs.polkit ];
+    environment.systemPackages = [ pkgs.polkit.bin pkgs.polkit.out ];
 
-    systemd.packages = [ pkgs.polkit ];
+    systemd.packages = [ pkgs.polkit.out ];
 
     systemd.services.polkit.restartTriggers = [ config.system.path ];
     systemd.services.polkit.unitConfig.X-StopIfChanged = false;
@@ -79,7 +79,7 @@ in
         ${cfg.extraConfig}
       ''; #TODO: validation on compilation (at least against typos)
 
-    services.dbus.packages = [ pkgs.polkit ];
+    services.dbus.packages = [ pkgs.polkit.out ];
 
     security.pam.services.polkit-1 = {};
 
@@ -90,7 +90,7 @@ in
         owner = "root";
         group = "root";
         setuid = true;
-        source = "${pkgs.polkit}/lib/polkit-1/polkit-agent-helper-1";
+        source = "${pkgs.polkit.out}/lib/polkit-1/polkit-agent-helper-1";
       }
     ];
 
diff --git a/nixos/modules/security/setuid-wrappers.nix b/nixos/modules/security/setuid-wrappers.nix
index 2a289dc402ce8..7d69f9b1183da 100644
--- a/nixos/modules/security/setuid-wrappers.nix
+++ b/nixos/modules/security/setuid-wrappers.nix
@@ -8,12 +8,12 @@ let
 
   setuidWrapper = pkgs.stdenv.mkDerivation {
     name = "setuid-wrapper";
-    buildCommand = ''
+    unpackPhase = "true";
+    installPhase = ''
       mkdir -p $out/bin
       cp ${./setuid-wrapper.c} setuid-wrapper.c
       gcc -Wall -O2 -DWRAPPER_DIR=\"${wrapperDir}\" \
           setuid-wrapper.c -o $out/bin/setuid-wrapper
-      strip -S $out/bin/setuid-wrapper
     '';
   };
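Review bot: The explicit `strip -S $out/bin/setuid-wrapper` is removed without a comment, and the new `installPhase` relies on stdenv's default phases to do what `buildCommand` previously did by hand; since this binary is installed setuid, a reader checking its build should not have to guess that the fixup phase now strips `$out/bin`. A comment on `installPhase` such as `# stdenv's fixupPhase strips $out/bin; no explicit strip needed` would make the intent visible, and it is worth confirming that the same fixup (and the cc wrapper's hardening flags, which `buildCommand` also went through via `gcc`) applies as expected. `unpackPhase = "true"` is a workaround for having no `src`; in current nixpkgs the idiom is `dontUnpack = true;`, though that attribute may postdate this commit. The enclosing `let` block begins before this hunk and continues after it.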