mirror of
https://github.com/NixOS/nixpkgs.git
synced 2024-11-15 14:26:33 +01:00
984d9ebb56
`systemd.hideProcessInformation = true`, would break interactions requiring polkit arbitration such as initating poweroff/reboot as a normal user; the polkit daemon cannot be expected to make decisions about processes that don't exist as far as it is concerned. systemd-logind lacks the `sys_ptrace` capability and so needs to be part of the designated proc gid, even though it runs as root. Fixes https://github.com/NixOS/nixpkgs/issues/20948
27 lines
692 B
Nix
27 lines
692 B
Nix
{ config, pkgs, lib, ... }:
|
|
with lib;
|
|
|
|
{
|
|
meta = {
|
|
maintainers = [ maintainers.joachifm ];
|
|
doc = ./hidepid.xml;
|
|
};
|
|
|
|
options = {
|
|
security.hideProcessInformation = mkOption {
|
|
type = types.bool;
|
|
default = false;
|
|
description = ''
|
|
Restrict process information to the owning user.
|
|
'';
|
|
};
|
|
};
|
|
|
|
config = mkIf config.security.hideProcessInformation {
|
|
users.groups.proc.gid = config.ids.gids.proc;
|
|
users.groups.proc.members = [ "polkituser" ];
|
|
|
|
boot.specialFileSystems."/proc".options = [ "hidepid=2" "gid=${toString config.ids.gids.proc}" ];
|
|
systemd.services.systemd-logind.serviceConfig.SupplementaryGroups = [ "proc" ];
|
|
};
|
|
}
|