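{ config, lib, ... }:

let
  cfg = config.security.hideProcessInformation;

  # The gid= mount option on /proc must agree with the gid of the `proc`
  # group created below: members of that group are exempt from hidepid
  # (see proc(5)), so the two are derived from the same value.
  procGid = config.ids.gids.proc;
in
{
  meta = {
    maintainers = [ lib.maintainers.joachifm ];
    doc = ./hidepid.xml;
  };

  options.security.hideProcessInformation = lib.mkOption {
    type = lib.types.bool;
    default = false;
    description = ''
      Restrict process information to the owning user by mounting
      <filename>/proc</filename> with <literal>hidepid=2</literal>:
      unprivileged users then only see their own processes in
      <filename>/proc</filename> (and hence in <command>ps</command>,
      <command>top</command> and similar tools).

      Members of the <literal>proc</literal> group are exempt and can see
      all processes. <literal>polkituser</literal> and the
      <literal>systemd-logind</literal> service are granted that group so
      that authorization and session tracking keep working; adding further
      users to it bypasses the restriction entirely.

      Enabling this option also disables the unified (v2) cgroup hierarchy
      (<option>systemd.enableUnifiedCgroupHierarchy</option>), which does
      not work together with <literal>hidepid</literal>.
    '';
  };

  config = lib.mkIf cfg {
    # Group whose members may read every process' information despite
    # hidepid.  Keep membership minimal: anyone in this group sees all
    # processes.  polkituser is added presumably so polkit can inspect the
    # processes it authorizes -- confirm against polkit's requirements.
    users.groups.proc = {
      gid = procGid;
      members = [ "polkituser" ];
    };

    # hidepid=2: per proc(5), /proc/<pid> directories of other users become
    # invisible (not merely inaccessible as with hidepid=1); gid= names the
    # exempt group.
    # NOTE(review): this only affects this /proc mount.  proc instances
    # mounted elsewhere (containers, chroots) carry their own options and
    # are not covered by this setting -- verify for such workloads.
    boot.specialFileSystems."/proc".options = [
      "hidepid=2"
      "gid=${toString procGid}"
    ];

    # logind is given the exempt group, presumably because it needs to
    # observe processes belonging to other users' sessions.
    systemd.services.systemd-logind.serviceConfig.SupplementaryGroups = [ "proc" ];

    # cgroups v2 does not work with hidepid, so force the legacy hierarchy.
    # This is a system-wide side effect of enabling the option, not limited
    # to /proc.
    # https://github.com/NixOS/nixpkgs/pull/104094#issuecomment-729996203
    systemd.enableUnifiedCgroupHierarchy = false;
  };
}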