nixpkgs/nixos/modules/security/hidepid.nix

{ config, pkgs, lib, ... }:
with lib;

{
  options = {
    security.hideProcessInformation = mkEnableOption "" // { description = ''
      Restrict access to process information to the owning user.  Enabling
      this option implies, among other things, that command-line arguments
      remain private.  This option is recommended for most systems, unless
      there's a legitimate reason for allowing unprivileged users to inspect
      the process information of other users.

      Members of the group "proc" are exempt from process information hiding.
      To allow a service to run without process information hiding, add "proc"
      to its supplementary groups via
      <option>systemd.services.&lt;name?&gt;.serviceConfig.SupplementaryGroups</option>.
    ''; };
  };

  config = mkIf config.security.hideProcessInformation {
    users.groups.proc.gid = config.ids.gids.proc;

    systemd.services.hidepid = {
      wantedBy = [ "local-fs.target" ];
      after = [ "systemd-remount-fs.service" ];
      before = [ "local-fs-pre.target" "local-fs.target" "shutdown.target" ];
      wants = [ "local-fs-pre.target" ];

      serviceConfig = {
        Type = "oneshot";
        RemainAfterExit = true;
        ExecStart = ''${pkgs.utillinux}/bin/mount -o remount,hidepid=2,gid=${toString config.ids.gids.proc} /proc'';
        ExecStop = ''${pkgs.utillinux}/bin/mount -o remount,hidepid=0,gid=0 /proc'';
      };

      unitConfig = {
        DefaultDependencies = false;
        Conflicts = "shutdown.target";
      };
    };
  };
}
nixos: add optional process information hiding This module adds an option `security.hideProcessInformation` that, when enabled, restricts access to process information such as command-line arguments to the process owner. The module adds a static group "proc" whose members are exempt from process information hiding. Ideally, this feature would be implemented by simply adding the appropriate mount options to `fileSystems."/proc".fsOptions`, but this was found to not work in vmtests. To ensure that process information hiding is enforced, we use a systemd service unit that remounts `/proc` after `systemd-remount-fs.service` has completed. To verify the correctness of the feature, simple tests were added to nixos/tests/misc: the test ensures that unprivileged users cannot see process information owned by another user, while members of "proc" CAN. Thanks to @abbradar for feedback and suggestions. 2016-04-09 20:22:16 +02:00			`{ config, pkgs, lib, ... }:`
			`with lib;`

			`{`
			`options = {`
			`security.hideProcessInformation = mkEnableOption "" // { description = ''`
			`Restrict access to process information to the owning user. Enabling`
			`this option implies, among other things, that command-line arguments`
			`remain private. This option is recommended for most systems, unless`
			`there's a legitimate reason for allowing unprivileged users to inspect`
			`the process information of other users.`

			`Members of the group "proc" are exempt from process information hiding.`
			`To allow a service to run without process information hiding, add "proc"`
			`to its supplementary groups via`
			`<option>systemd.services.<name?>.serviceConfig.SupplementaryGroups</option>.`
			`''; };`
			`};`

			`config = mkIf config.security.hideProcessInformation {`
			`users.groups.proc.gid = config.ids.gids.proc;`

			`systemd.services.hidepid = {`
			`wantedBy = [ "local-fs.target" ];`
			`after = [ "systemd-remount-fs.service" ];`
			`before = [ "local-fs-pre.target" "local-fs.target" "shutdown.target" ];`
			`wants = [ "local-fs-pre.target" ];`

			`serviceConfig = {`
			`Type = "oneshot";`
			`RemainAfterExit = true;`
			`ExecStart = ''${pkgs.utillinux}/bin/mount -o remount,hidepid=2,gid=${toString config.ids.gids.proc} /proc'';`
			`ExecStop = ''${pkgs.utillinux}/bin/mount -o remount,hidepid=0,gid=0 /proc'';`
			`};`

			`unitConfig = {`
			`DefaultDependencies = false;`
			`Conflicts = "shutdown.target";`
			`};`
			`};`
			`};`
			`}`