From 44de5064cd9f8ae625997955820146b38afedf90 Mon Sep 17 00:00:00 2001
From: Erik Arvstedt
Date: Thu, 20 Aug 2020 13:11:10 +0200
Subject: [PATCH] security: don't restrict process info by default for module users

---
 modules/presets/secure-node.nix | 3 +-
 modules/security.nix | 64 ++++++++++++++++++---------------
 2 files changed, 36 insertions(+), 31 deletions(-)

diff --git a/modules/presets/secure-node.nix b/modules/presets/secure-node.nix
index 7933487..133f649 100644
--- a/modules/presets/secure-node.nix
+++ b/modules/presets/secure-node.nix
@@ -42,8 +42,7 @@ in {
 networking.firewall.enable = true;
- # hideProcessInformation even if hardened kernel profile is disabled
- security.hideProcessInformation = true;
+ nix-bitcoin.security.hideProcessInformation = true;
 # Tor
 services.tor = {
diff --git a/modules/security.nix b/modules/security.nix
index f4d2c78..cd5ad4e 100644
--- a/modules/security.nix
+++ b/modules/security.nix
@@ -1,33 +1,39 @@
-{ config, lib, pkgs, ... }:
+{ config, lib, pkgs, options, ... }:
 {
- # Only show the current user's processes in /proc.
- # Users with group 'proc' can still access all processes.
- security.hideProcessInformation = true;
+ options = {
+ nix-bitcoin.security.hideProcessInformation = options.security.hideProcessInformation;
+ };
- # This mitigates a systemd security issue leaking (sub)process
- # command lines.
- # Only allow users with group 'proc' to retrieve systemd unit information like
- # cgroup paths (i.e. (sub)process command lines) via D-Bus.
- # This D-Bus call is used by `systemctl status`.
- services.dbus.packages = lib.mkAfter [ # Apply at the end to override the default policy
- (pkgs.writeTextDir "etc/dbus-1/system.d/dbus.conf" ''
-
-
-
-
-
-
-
- '')
- ];
+ config = lib.mkIf config.nix-bitcoin.security.hideProcessInformation {
+ # Only show the current user's processes in /proc.
+ # Users with group 'proc' can still access all processes.
+ security.hideProcessInformation = true;
+
+ # This mitigates a systemd security issue leaking (sub)process
+ # command lines.
+ # Only allow users with group 'proc' to retrieve systemd unit information like
+ # cgroup paths (i.e. (sub)process command lines) via D-Bus.
+ # This D-Bus call is used by `systemctl status`.
+ services.dbus.packages = lib.mkAfter [ # Apply at the end to override the default policy
+ (pkgs.writeTextDir "etc/dbus-1/system.d/dbus.conf" ''
+
+
+
+
+
+
+
+ '')
+ ];
+ };
 }
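Review bot: The D-Bus policy that closes the systemd cgroup-path/command-line leak is now gated on `config.nix-bitcoin.security.hideProcessInformation` only, so a user who turns on the upstream `security.hideProcessInformation` directly (or through a hardened profile) gets hidepid but keeps the `systemctl status` leak that the comment above the policy describes as the whole reason for it. Keying the two settings separately keeps the mitigation tied to the kernel-level setting: `security.hideProcessInformation = lib.mkIf config.nix-bitcoin.security.hideProcessInformation true;` and `services.dbus.packages = lib.mkIf config.security.hideProcessInformation (lib.mkAfter [ ... ]);` inside a plain `config = { ... }`. The option is declared by copying `options.security.hideProcessInformation` verbatim, so its description presumably only covers the upstream /proc behavior; overriding it with `// { description = "..."; }` to mention the D-Bus restriction and the `proc` group exemption would tell module users what they are actually enabling. The body of the `dbus.conf` policy is not visible on this page, so its deny/allow rules could not be reviewed here.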