commit 984d9ebb56edf3ef2b0690e45c357be35b741dc3 · tjh.dev/nixpkgs

tjh.dev / nixpkgs

Clone of https://github.com/NixOS/nixpkgs.git (to stress-test knotserver)

hidepid: polkit and systemd-logind compatibility

`systemd.hideProcessInformation = true`, would break interactions
requiring polkit arbitration such as initating poweroff/reboot as a
normal user; the polkit daemon cannot be expected to make decisions
about processes that don't exist as far as it is concerned.

systemd-logind lacks the `sys_ptrace` capability and so needs to be part
of the designated proc gid, even though it runs as root.

Fixes https://github.com/NixOS/nixpkgs/issues/20948

Joachim Fasting 9 years ago 984d9ebb c1827336

1 changed file

expand all

unified split

nixos

modules

security

hidepid.nix

nixos/modules/security/hidepid.nix

··· 19 20 config = mkIf config.security.hideProcessInformation { 21 users.groups.proc.gid = config.ids.gids.proc; 22 23 boot.specialFileSystems."/proc".options = [ "hidepid=2" "gid=${toString config.ids.gids.proc}" ]; 24 }; 25 }

··· 19 20 config = mkIf config.security.hideProcessInformation { 21 users.groups.proc.gid = config.ids.gids.proc; 22 + users.groups.proc.members = [ "polkituser" ]; 23 24 boot.specialFileSystems."/proc".options = [ "hidepid=2" "gid=${toString config.ids.gids.proc}" ]; 25 + systemd.services.systemd-logind.serviceConfig.SupplementaryGroups = [ "proc" ]; 26 }; 27 }