Merge pull request #111635 from xaverdh/hide-pid-broken

nixos/hidepid: remove module, it's broken
This commit is contained in:
Florian Klink 2021-02-23 00:20:29 +01:00 committed by GitHub
commit f3af2df658
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
7 changed files with 11 additions and 73 deletions

View file

@ -100,6 +100,12 @@
<link linkend="sec-custom-ifnames">Assigning custom names</link> section
of the NixOS manual for an example using networkd links.
</para>
</listitem>
<listitem>
<para>
The <option>security.hideProcessInformation</option> module has been removed.
It was broken since the switch to cgroups-v2.
</para>
</listitem>
<listitem>
<para>

View file

@ -207,7 +207,6 @@
./security/dhparams.nix
./security/duosec.nix
./security/google_oslogin.nix
./security/hidepid.nix
./security/lock-kernel-modules.nix
./security/misc.nix
./security/oath.nix

View file

@ -22,8 +22,6 @@ with lib;
environment.memoryAllocator.provider = mkDefault "scudo";
environment.variables.SCUDO_OPTIONS = mkDefault "ZeroContents=1";
security.hideProcessInformation = mkDefault true;
security.lockKernelModules = mkDefault true;
security.protectKernelImage = mkDefault true;

View file

@ -73,6 +73,11 @@ with lib;
(mkRemovedOptionModule [ "services" "venus" ] "The corresponding package was removed from nixpkgs.")
(mkRemovedOptionModule [ "services" "flashpolicyd" ] "The flashpolicyd module has been removed. Adobe Flash Player is deprecated.")
(mkRemovedOptionModule [ "security" "hideProcessInformation" ] ''
The hidepid module was removed, since the underlying machinery
is broken when using cgroups-v2.
'')
# Do NOT add any option renames here, see top of the file
];
}

View file

@ -1,31 +0,0 @@
{ config, lib, ... }:
with lib;
{
meta = {
maintainers = [ maintainers.joachifm ];
doc = ./hidepid.xml;
};
options = {
security.hideProcessInformation = mkOption {
type = types.bool;
default = false;
description = ''
Restrict process information to the owning user.
'';
};
};
config = mkIf config.security.hideProcessInformation {
users.groups.proc.gid = config.ids.gids.proc;
users.groups.proc.members = [ "polkituser" ];
boot.specialFileSystems."/proc".options = [ "hidepid=2" "gid=${toString config.ids.gids.proc}" ];
systemd.services.systemd-logind.serviceConfig.SupplementaryGroups = [ "proc" ];
# Disable cgroupsv2, which doesn't work with hidepid.
# https://github.com/NixOS/nixpkgs/pull/104094#issuecomment-729996203
systemd.enableUnifiedCgroupHierarchy = false;
};
}

View file

@ -1,28 +0,0 @@
<chapter xmlns="http://docbook.org/ns/docbook"
xmlns:xlink="http://www.w3.org/1999/xlink"
xmlns:xi="http://www.w3.org/2001/XInclude"
version="5.0"
xml:id="sec-hidepid">
<title>Hiding process information</title>
<para>
Setting
<programlisting>
<xref linkend="opt-security.hideProcessInformation"/> = true;
</programlisting>
ensures that access to process information is restricted to the owning user.
This implies, among other things, that command-line arguments remain private.
Unless your deployment relies on unprivileged users being able to inspect the
process information of other users, this option should be safe to enable.
</para>
<para>
Members of the <literal>proc</literal> group are exempt from process
information hiding.
</para>
<para>
To allow a service <replaceable>foo</replaceable> to run without process
information hiding, set
<programlisting>
<link linkend="opt-systemd.services._name_.serviceConfig">systemd.services.<replaceable>foo</replaceable>.serviceConfig</link>.SupplementaryGroups = [ "proc" ];
</programlisting>
</para>
</chapter>

View file

@ -65,17 +65,6 @@ import ./make-test-python.nix ({ pkgs, latestKernel ? false, ... } : {
machine.succeed("grep -Fq wireguard /proc/modules")
# Test hidepid
with subtest("hidepid=2 option is applied and works"):
# Linux >= 5.8 shows "invisible"
machine.succeed(
"grep -Fq hidepid=2 /proc/mounts || grep -Fq hidepid=invisible /proc/mounts"
)
# cannot use pgrep -u here, it segfaults when access to process info is denied
machine.succeed("[ `su - sybil -c 'ps --no-headers --user root | wc -l'` = 0 ]")
machine.succeed("[ `su - alice -c 'ps --no-headers --user root | wc -l'` != 0 ]")
# Test kernel module hardening
with subtest("No more kernel modules can be loaded"):
# note: this better a be module we normally wouldn't load ...