JakeHillion/nixpkgs
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

hidepid: polkit and systemd-logind compatibility

Browse Source 
`systemd.hideProcessInformation = true`, would break interactions
requiring polkit arbitration such as initating poweroff/reboot as a
normal user; the polkit daemon cannot be expected to make decisions
about processes that don't exist as far as it is concerned.

systemd-logind lacks the `sys_ptrace` capability and so needs to be part
of the designated proc gid, even though it runs as root.

Fixes https://github.com/NixOS/nixpkgs/issues/20948
This commit is contained in:
Joachim Fasting 2016-11-29 02:16:15 +01:00
parent c182733691
commit 984d9ebb56
No known key found for this signature in database
GPG Key ID: 7544761007FE4E08
1 changed files with 2 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
nixos/modules/security/hidepid.nix
View File

@ -19,7 +19,9 @@ with lib;
config = mkIf config.security.hideProcessInformation {
users.groups.proc.gid = config.ids.gids.proc;
users.groups.proc.members = [ "polkituser" ];
boot.specialFileSystems."/proc".options = [ "hidepid=2" "gid=${toString config.ids.gids.proc}" ];
systemd.services.systemd-logind.serviceConfig.SupplementaryGroups = [ "proc" ];
};
}