Joachim Fasting cef2814a4f nixos: add optional process information hiding
This module adds an option `security.hideProcessInformation` that, when
enabled, restricts access to process information such as command-line
arguments to the process owner.  The module adds a static group "proc"
whose members are exempt from process information hiding.

Ideally, this feature would be implemented by simply adding the
appropriate mount options to `fileSystems."/proc".fsOptions`, but this
was found to not work in vmtests. To ensure that process information
hiding is enforced, we use a systemd service unit that remounts `/proc`
after `systemd-remount-fs.service` has completed.

To verify the correctness of the feature, simple tests were added to
nixos/tests/misc: the test ensures that unprivileged users cannot see
process information owned by another user, while members of "proc" CAN.

Thanks to @abbradar for feedback and suggestions.
2016-04-10 12:27:06 +02:00
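The commit message above says only that `/proc` is remounted by a systemd unit and that members of the "proc" group are exempt; it does not spell out the mount options. The script below is an added example, not code from the commit or from nixpkgs. It assumes the remount uses the procfs options `hidepid=2` and `gid=<proc group id>` (the standard Linux procfs options for exactly this behaviour), and the sample `/proc/self/mounts` lines, including the group id 993, are constructed for illustration. It gives a practitioner a way to check whether process information hiding is actually in force on a running system, which is the same question the vmtest asks.

```shell
#!/bin/sh
# Constructed samples of /proc/self/mounts entries (not taken from the page):
# one with process information hiding in force, one without.
SAMPLE_HIDDEN='proc /proc proc rw,nosuid,nodev,noexec,relatime,hidepid=2,gid=993 0 0'
SAMPLE_PLAIN='proc /proc proc rw,nosuid,nodev,noexec,relatime 0 0'

# Print the value of a "key=value" mount option (e.g. hidepid, gid) on the
# /proc mount found in the given mounts text. Prints "0" when the option is
# absent, which is also the kernel default for hidepid.
proc_mount_option() {
  option=$1
  mounts=$2
  printf '%s\n' "$mounts" | awk -v opt="$option" '
    $2 == "/proc" && $3 == "proc" {
      n = split($4, o, ",")
      for (i = 1; i <= n; i++)
        if (index(o[i], opt "=") == 1) val = substr(o[i], length(opt) + 2)
    }
    END { print (val == "" ? "0" : val) }'
}

# Succeed only if /proc hides other users' process information:
# hidepid=2 (or its newer spelling "invisible") on the given mounts text.
proc_hiding_enforced() {
  case "$(proc_mount_option hidepid "$1")" in
    2|invisible) return 0 ;;
    *) return 1 ;;
  esac
}

# Check the live system. Requires a Linux host; not exercised by the tests.
check_live() {
  proc_hiding_enforced "$(cat /proc/self/mounts)"
}

# What a remount enforcing the feature looks like when run as root
# (assumed options, see lead-in). "$1" is the numeric gid of the exempt
# group, e.g. the "proc" group. Not invoked here.
remount_proc_hidden() {
  mount -o remount,hidepid=2,gid="$1" /proc
}

# Example run (uncomment on a NixOS host):
# if check_live; then echo "/proc hides other users' processes"; else echo "/proc is open"; fi
```

`check_live` is what an unprivileged user would run after enabling the option from the commit message; `proc_mount_option gid "$(cat /proc/self/mounts)"` should then print the gid of the "proc" group, since the `gid=` option is what lets that group keep reading other users' entries.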
| Path | Last commit | Date |
|---|---|---|
| .github | simplify ISSUE_TEMPLATE | 2016-03-31 16:14:54 +02:00 |
| doc | nixpkgs manual introduction: improve | 2016-04-05 10:06:10 +02:00 |
| lib | Merge pull request #14518 from CrystalGamma/master | 2016-04-09 17:47:15 +02:00 |
| maintainers | find-tarballs.nix: Handle stdenv bootstrap fetchurl | 2016-04-08 14:00:47 +02:00 |
| nixos | nixos: add optional process information hiding | 2016-04-10 12:27:06 +02:00 |
| pkgs | Merge pull request #14561 from micxjo/update-botan | 2016-04-10 11:56:11 +02:00 |
| .gitignore | kde5: consolidate packages into desktops/kde-5 | 2016-03-01 10:36:00 -06:00 |
| .mention-bot | Blacklist jhasse | 2016-03-05 23:23:19 +01:00 |
| .travis.yml | | |
| .version | as always, no newline in .version | 2016-02-28 23:39:38 +00:00 |
| COPYING | COPYING: Update year range to 2016 (close #12621) | 2016-01-26 10:10:45 +01:00 |
| default.nix | Extract the top-level logic out of all-packages.nix into pkgs/top-level/default.nix | 2016-03-20 16:28:18 +00:00 |
| README.md | README: 15.09 -> 16.03 | 2016-04-04 14:42:07 -04:00 |


Nixpkgs is a collection of packages for the Nix package manager. It is periodically built and tested by the Hydra build daemon and published as so-called channels. To get channel information via git, add nixpkgs-channels as a remote:

```shell
% git remote add channels git://github.com/NixOS/nixpkgs-channels.git
```

For stability and maximum binary package support, it is recommended to maintain custom changes on top of one of the channels, e.g. nixos-16.03 for the latest release and nixos-unstable for the latest successful build of master:

```shell
% git remote update channels
% git rebase channels/nixos-16.03
```

For pull requests, please rebase onto nixpkgs master.

The source code of the NixOS Linux distribution is located in the nixos/ folder.

Communication: