cef2814a4f
This module adds an option `security.hideProcessInformation` that, when enabled, restricts access to process information such as command-line arguments to the process owner. The module adds a static group "proc" whose members are exempt from process information hiding. Ideally, this feature would be implemented by simply adding the appropriate mount options to `fileSystems."/proc".fsOptions`, but this was found to not work in vmtests. To ensure that process information hiding is enforced, we use a systemd service unit that remounts `/proc` after `systemd-remount-fs.service` has completed. To verify the correctness of the feature, simple tests were added to nixos/tests/misc: the test ensures that unprivileged users cannot see process information owned by another user, while members of "proc" CAN. Thanks to @abbradar for feedback and suggestions. |
||
---|---|---|
.github | ||
doc | ||
lib | ||
maintainers | ||
nixos | ||
pkgs | ||
.gitignore | ||
.mention-bot | ||
.travis.yml | ||
.version | ||
COPYING | ||
default.nix | ||
README.md |
Nixpkgs is a collection of packages for the Nix package manager. It is periodically built and tested by the hydra build daemon as so-called channels. To get channel information via git, add nixpkgs-channels as a remote:
% git remote add channels git://github.com/NixOS/nixpkgs-channels.git
For stability and maximum binary package support, it is recommended to maintain
custom changes on top of one of the channels, e.g. nixos-16.03
for the latest
release and nixos-unstable
for the latest successful build of master:
% git remote update channels
% git rebase channels/nixos-16.03
For pull-requests, please rebase onto nixpkgs master
.
NixOS linux distribution source code is located inside
nixos/
folder.
- NixOS installation instructions
- Documentation (Nix Expression Language chapter)
- Manual (How to write packages for Nix)
- Manual (NixOS)
- Nix Wiki
- Continuous package builds for unstable/master
- Continuous package builds for 16.03 release
- Tests for unstable/master
- Tests for 16.03 release
Communication: