Diffstat (limited to 'nixos/modules/security')
-rw-r--r-- | nixos/modules/security/acme.nix | 4 | ||||
-rw-r--r-- | nixos/modules/security/apparmor-suid.nix | 6 | ||||
-rw-r--r-- | nixos/modules/security/hidepid.nix | 42 | ||||
-rw-r--r-- | nixos/modules/security/polkit.nix | 8 | ||||
-rw-r--r-- | nixos/modules/security/setuid-wrappers.nix | 4 |
5 files changed, 53 insertions, 11 deletions
diff --git a/nixos/modules/security/acme.nix b/nixos/modules/security/acme.nix
index c5cd0fb60ee9a..cb5410a5f15d8 100644
--- a/nixos/modules/security/acme.nix
+++ b/nixos/modules/security/acme.nix
@@ -152,7 +152,7 @@ in
 in
 nameValuePair ("acme-${cert}") ({
- description = "ACME cert renewal for ${cert} using simp_le";
+ description = "Renew ACME Certificate for ${cert}";
 after = [ "network.target" ];
 serviceConfig = {
 Type = "oneshot";
@@ -192,7 +192,7 @@ in
 systemd.timers = flip mapAttrs' cfg.certs (cert: data:
 nameValuePair ("acme-${cert}") ({
- description = "timer for ACME cert renewal of ${cert}";
+ description = "Renew ACME Certificate for ${cert}";
 wantedBy = [ "timers.target" ];
 timerConfig = {
 OnCalendar = cfg.renewInterval;
diff --git a/nixos/modules/security/apparmor-suid.nix b/nixos/modules/security/apparmor-suid.nix
index b89b379ae6668..d766f6badfc7e 100644
--- a/nixos/modules/security/apparmor-suid.nix
+++ b/nixos/modules/security/apparmor-suid.nix
@@ -28,9 +28,9 @@ with lib;
 capability setuid,
 network inet raw,
- ${pkgs.glibc}/lib/*.so mr,
- ${pkgs.libcap}/lib/libcap.so* mr,
- ${pkgs.attr}/lib/libattr.so* mr,
+ ${pkgs.glibc.out}/lib/*.so mr,
+ ${pkgs.libcap.out}/lib/libcap.so* mr,
+ ${pkgs.attr.out}/lib/libattr.so* mr,
 ${pkgs.iputils}/bin/ping mixr,
 /var/setuid-wrappers/ping.real r,
diff --git a/nixos/modules/security/hidepid.nix b/nixos/modules/security/hidepid.nix
new file mode 100644
index 0000000000000..8271578c55d68
--- /dev/null
+++ b/nixos/modules/security/hidepid.nix
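Review bot: The three library rules now pin `.out` explicitly while `${pkgs.iputils}/bin/ping mixr` two lines below still relies on the package's default output, so the same profile mixes two conventions; if iputils were ever split into outputs the ping rule would silently stop matching while the library rules kept working. Pinning the output on that line too (`${pkgs.iputils.out}/bin/ping mixr,` if `out` is the output holding `bin/`) keeps the profile consistent, and a one-line comment above the `mr` rules such as `# explicit outputs: the library files live in .out after the multiple-outputs split` records why. Separately, and pre-existing rather than introduced here, `${pkgs.glibc.out}/lib/*.so mr` matches only names ending in `.so`, whereas the objects actually mapped at runtime are versioned (`libc.so.6` and friends), so it is worth confirming that rule covers what ping loads; the `libcap.so*` and `libattr.so*` rules already have the right shape. The profile's opening and closing lines are outside the hunk.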
@@ -0,0 +1,42 @@
+{ config, pkgs, lib, ... }:
+with lib;
+
+{
+ options = {
+ security.hideProcessInformation = mkEnableOption "" // { description = ''
+ Restrict access to process information to the owning user. Enabling
+ this option implies, among other things, that command-line arguments
+ remain private. This option is recommended for most systems, unless
+ there's a legitimate reason for allowing unprivileged users to inspect
+ the process information of other users.
+
+ Members of the group "proc" are exempt from process information hiding.
+ To allow a service to run without process information hiding, add "proc"
+ to its supplementary groups via
+ <option>systemd.services.<name?>.serviceConfig.SupplementaryGroups</option>.
+ ''; };
+ };
+
+ config = mkIf config.security.hideProcessInformation {
+ users.groups.proc.gid = config.ids.gids.proc;
+
+ systemd.services.hidepid = {
+ wantedBy = [ "local-fs.target" ];
+ after = [ "systemd-remount-fs.service" ];
+ before = [ "local-fs-pre.target" "local-fs.target" "shutdown.target" ];
+ wants = [ "local-fs-pre.target" ];
+
+ serviceConfig = {
+ Type = "oneshot";
+ RemainAfterExit = true;
+ ExecStart = ''${pkgs.utillinux}/bin/mount -o remount,hidepid=2,gid=${toString config.ids.gids.proc} /proc'';
+ ExecStop = ''${pkgs.utillinux}/bin/mount -o remount,hidepid=0,gid=0 /proc'';
+ };
+
+ unitConfig = {
+ DefaultDependencies = false;
+ Conflicts = "shutdown.target";
+ };
+ };
+ };
+}
diff --git a/nixos/modules/security/polkit.nix b/nixos/modules/security/polkit.nix
index 95b659d96f0f2..507f81bbf0737 100644
--- a/nixos/modules/security/polkit.nix
+++ b/nixos/modules/security/polkit.nix
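Review bot: With `hidepid=2` every process owned by another user disappears from `/proc` for anyone outside the `proc` group, and that includes unprivileged system daemons that inspect their callers' processes (authorization or session services, for example); the module adds no exemption of its own, so enabling the option can break such services until each unit is given `SupplementaryGroups = [ "proc" ]`. If any core NixOS services are known to need that exemption it would be safer to add them in this `config` block than to rely on the description being read, and at minimum the description could name them. On style, `mkEnableOption "" // { description = ''...''; }` passes an empty name only to overwrite the generated description; `mkOption { type = types.bool; default = false; description = ''...''; }` expresses the same option directly. A short comment on `ExecStop` such as `# restore default visibility so the unit is fully reversible at shutdown` would make the `hidepid=0,gid=0` pair obviously intentional.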
@@ -59,9 +59,9 @@ in
 config = mkIf cfg.enable {
- environment.systemPackages = [ pkgs.polkit ];
+ environment.systemPackages = [ pkgs.polkit.bin pkgs.polkit.out ];
- systemd.packages = [ pkgs.polkit ];
+ systemd.packages = [ pkgs.polkit.out ];
 systemd.services.polkit.restartTriggers = [ config.system.path ];
 systemd.services.polkit.unitConfig.X-StopIfChanged = false;
@@ -79,7 +79,7 @@ in
 ${cfg.extraConfig}
 ''; #TODO: validation on compilation (at least against typos)
- services.dbus.packages = [ pkgs.polkit ];
+ services.dbus.packages = [ pkgs.polkit.out ];
 security.pam.services.polkit-1 = {};
@@ -90,7 +90,7 @@ in
 owner = "root";
 group = "root";
 setuid = true;
- source = "${pkgs.polkit}/lib/polkit-1/polkit-agent-helper-1";
+ source = "${pkgs.polkit.out}/lib/polkit-1/polkit-agent-helper-1";
 }
 ];
diff --git a/nixos/modules/security/setuid-wrappers.nix b/nixos/modules/security/setuid-wrappers.nix
index 2a289dc402ce8..7d69f9b1183da 100644
--- a/nixos/modules/security/setuid-wrappers.nix
+++ b/nixos/modules/security/setuid-wrappers.nix
@@ -8,12 +8,12 @@ let
 setuidWrapper = pkgs.stdenv.mkDerivation {
 name = "setuid-wrapper";
- buildCommand = ''
+ unpackPhase = "true";
+ installPhase = ''
 mkdir -p $out/bin
 cp ${./setuid-wrapper.c} setuid-wrapper.c
 gcc -Wall -O2 -DWRAPPER_DIR=\"${wrapperDir}\" \
 setuid-wrapper.c -o $out/bin/setuid-wrapper
- strip -S $out/bin/setuid-wrapper
 '';
 };
|
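Review bot: Dropping the explicit `strip -S` means the setuid wrapper binary is now stripped only if stdenv's default fixupPhase does it, which is presumably the intent of moving from `buildCommand` to the standard phases, but nothing in the derivation says so; a comment above `installPhase` such as `# standard phases: fixupPhase strips $out/bin, so no explicit strip is needed` would stop the next reader from re-adding it or wondering whether a privileged binary now ships unstripped. `unpackPhase = "true"` is the usual idiom for a source-less derivation and reads fine as is. The `let` binding this derivation belongs to starts before the hunk and the module continues after it.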