security: don't restrict process info by default for module users

2020-08-20 13:11:10 +02:00 · 2020-08-20 13:11:10 +02:00 · 44de5064cd
commit 44de5064cd
parent a36789b468
2 changed files with 36 additions and 31 deletions
--- a/modules/presets/secure-node.nix
+++ b/modules/presets/secure-node.nix
@ -42,8 +42,7 @@ in {

    networking.firewall.enable = true;

-    # hideProcessInformation even if hardened kernel profile is disabled
-    security.hideProcessInformation = true;
+    nix-bitcoin.security.hideProcessInformation = true;

    # Tor
    services.tor = {
--- a/modules/security.nix
+++ b/modules/security.nix
@ -1,33 +1,39 @@
-{ config, lib, pkgs, ... }:
+{ config, lib, pkgs, options, ... }:

 {
-  # Only show the current user's processes in /proc.
-  # Users with group 'proc' can still access all processes.
-  security.hideProcessInformation = true;
+  options = {
+    nix-bitcoin.security.hideProcessInformation = options.security.hideProcessInformation;
+  };

-  # This mitigates a systemd security issue leaking (sub)process
-  # command lines.
-  # Only allow users with group 'proc' to retrieve systemd unit information like
-  # cgroup paths (i.e. (sub)process command lines) via D-Bus.
-  # This D-Bus call is used by `systemctl status`.
-  services.dbus.packages = lib.mkAfter [ # Apply at the end to override the default policy
-    (pkgs.writeTextDir "etc/dbus-1/system.d/dbus.conf" ''
-      <busconfig>
-        <policy context="default">
-          <deny
-            send_destination="org.freedesktop.systemd1"
-            send_interface="org.freedesktop.systemd1.Manager"
-            send_member="GetUnitProcesses"
-          />
-        </policy>
-        <policy group="proc">
-          <allow
-            send_destination="org.freedesktop.systemd1"
-            send_interface="org.freedesktop.systemd1.Manager"
-            send_member="GetUnitProcesses"
-          />
-        </policy>
-      </busconfig>
-    '')
-  ];
+  config = lib.mkIf config.nix-bitcoin.security.hideProcessInformation {
+    # Only show the current user's processes in /proc.
+    # Users with group 'proc' can still access all processes.
+    security.hideProcessInformation = true;
+
+    # This mitigates a systemd security issue leaking (sub)process
+    # command lines.
+    # Only allow users with group 'proc' to retrieve systemd unit information like
+    # cgroup paths (i.e. (sub)process command lines) via D-Bus.
+    # This D-Bus call is used by `systemctl status`.
+    services.dbus.packages = lib.mkAfter [ # Apply at the end to override the default policy
+      (pkgs.writeTextDir "etc/dbus-1/system.d/dbus.conf" ''
+        <busconfig>
+          <policy context="default">
+            <deny
+              send_destination="org.freedesktop.systemd1"
+              send_interface="org.freedesktop.systemd1.Manager"
+              send_member="GetUnitProcesses"
+            />
+          </policy>
+          <policy group="proc">
+            <allow
+              send_destination="org.freedesktop.systemd1"
+              send_interface="org.freedesktop.systemd1.Manager"
+              send_member="GetUnitProcesses"
+            />
+          </policy>
+        </busconfig>
+      '')
+    ];
+  };
 }