Branch: refs/heads/master
  Home:   https://github.com/NixOS/nixpkgs
  Commit: cef2814a4f0530f6e020badc56dd808a96422a66
      
https://github.com/NixOS/nixpkgs/commit/cef2814a4f0530f6e020badc56dd808a96422a66
  Author: Joachim Fasting <[email protected]>
  Date:   2016-04-10 (Sun, 10 Apr 2016)

  Changed paths:
    M nixos/modules/misc/ids.nix
    M nixos/modules/module-list.nix
    A nixos/modules/security/hidepid.nix
    M nixos/tests/misc.nix

  Log Message:
  -----------
  nixos: add optional process information hiding

This module adds an option `security.hideProcessInformation` that, when
enabled, restricts access to process information such as command-line
arguments to the process owner.  The module adds a static group "proc"
whose members are exempt from process information hiding.

Ideally, this feature would be implemented by simply adding the
appropriate mount options to `fileSystems."/proc".fsOptions`, but this
was found to not work in vmtests. To ensure that process information
hiding is enforced, we use a systemd service unit that remounts `/proc`
after `systemd-remount-fs.service` has completed.

To verify the correctness of the feature, simple tests were added to
nixos/tests/misc: the test ensures that unprivileged users cannot see
process information owned by another user, while members of "proc" CAN.

Thanks to @abbradar for feedback and suggestions.
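
The commit message says the plain `fileSystems."/proc".fsOptions` route did not reliably take effect and that a systemd unit remounts `/proc` instead, so the practical question on a deployed host is whether hidepid actually landed on the `/proc` mount. The script below is an added example, not code from the nixpkgs commit or from the hidepid module: it reads mountinfo-formatted lines, reports the hidepid level and the exempt gid the kernel shows on the `/proc` superblock, and classifies whether that level restricts other users. The sample lines and the gid 2222 are constructed; the real id of the "proc" group is whatever `ids.nix` assigns, and the commit does not state which hidepid level the module selects, so the check prints the raw value.

```shell
#!/bin/sh
# Added example, not code from the nixpkgs commit or the hidepid module.
# Verifies whether /proc is really mounted with hidepid by parsing
# /proc/self/mountinfo (pass it on stdin). hidepid is a per-superblock
# setting, so run the check inside the mount namespace you care about.
#
# Output: "hidepid=<value> gid=<gid>". <value> is whatever the kernel reports
# (numeric 0/1/2 on older kernels, off/noaccess/invisible/ptraceable on
# kernels that use the named forms); gid is "-" when no exempt group is set.

proc_hidepid_status() {
    awk '
        # mountinfo layout: (1) mount id (2) parent id (3) major:minor (4) root
        # (5) mount point (6) mount options (7..) optional fields, then "-",
        # fs type, source, super options. procfs reports hidepid= and gid=
        # in the super options, which is the last field.
        $5 == "/proc" {
            mode = "0"; gid = "-"
            n = split($6 "," $NF, opt, ",")
            for (i = 1; i <= n; i++) {
                if (opt[i] ~ /^hidepid=/) { sub(/^hidepid=/, "", opt[i]); mode = opt[i] }
                else if (opt[i] ~ /^gid=/) { sub(/^gid=/, "", opt[i]); gid = opt[i] }
            }
            printf "hidepid=%s gid=%s\n", mode, gid
            found = 1
            exit
        }
        END { if (!found) print "hidepid=- gid=-" }
    '
}

# Succeeds when the reported level denies other users access to /proc/<pid>/*
# (hidepid=1 / noaccess) or additionally hides the /proc/<pid> directories
# themselves (hidepid=2 / invisible, and the later ptraceable form).
# A "-" level means no /proc entry was found at all.
proc_hidepid_restricts() {
    case "$1" in
        "hidepid=1 "*|"hidepid=2 "*|"hidepid=noaccess "*|"hidepid=invisible "*|"hidepid=ptraceable "*)
            return 0 ;;
        *)
            return 1 ;;
    esac
}

# Constructed sample lines (not captured from a real NixOS machine; gid 2222
# is made up and is not the id ids.nix assigns to the "proc" group).
SAMPLE_OFF='23 1 0:21 / /proc rw,nosuid,nodev,noexec,relatime shared:13 - proc proc rw'
SAMPLE_ON='23 1 0:21 / /proc rw,nosuid,nodev,noexec,relatime shared:13 - proc proc rw,gid=2222,hidepid=2'
SAMPLE_NAMED='23 1 0:21 / /proc rw,nosuid,nodev,noexec,relatime shared:13 - proc proc rw,gid=2222,hidepid=invisible'

status_off=$(printf '%s\n' "$SAMPLE_OFF" | proc_hidepid_status)
status_on=$(printf '%s\n' "$SAMPLE_ON" | proc_hidepid_status)
status_named=$(printf '%s\n' "$SAMPLE_NAMED" | proc_hidepid_status)

echo "sample without hidepid: $status_off"
echo "sample with hidepid=2:  $status_on"
echo "sample with named form: $status_named"

# On a live host, outside the constructed samples:
#   proc_hidepid_status < /proc/self/mountinfo
```

The level matters for what the test in `nixos/tests/misc` exercises: with hidepid=1 an unprivileged user still sees other users' `/proc/<pid>` directories but cannot read their contents, whereas hidepid=2 removes the directories from the listing as well. Either way, a member of the group named by `gid=` is exempt, which is what the static "proc" group in the commit is for; if the check reports `gid=-`, the exemption the module advertises is not in effect on that mount.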


  Commit: 13773356891a16e4bb8552841e2638482b5efd69
      
https://github.com/NixOS/nixpkgs/commit/13773356891a16e4bb8552841e2638482b5efd69
  Author: joachifm <[email protected]>
  Date:   2016-04-10 (Sun, 10 Apr 2016)

  Changed paths:
    M nixos/modules/misc/ids.nix
    M nixos/modules/module-list.nix
    A nixos/modules/security/hidepid.nix
    M nixos/tests/misc.nix

  Log Message:
  -----------
  Merge pull request #14372 from joachifm/hidepid

nixos: add option to restrict process information to process owners


Compare: https://github.com/NixOS/nixpkgs/compare/496a36980540...13773356891a
_______________________________________________
nix-commits mailing list
[email protected]
http://lists.science.uu.nl/mailman/listinfo/nix-commits
