security: update /proc restriction mechanism

NixOS option `security.hideProcessInformation` for globally restricting
access to /proc has been removed.
Use per-service restrictions via 'ProtectProc' instead.

Rename
`nix-bitcoin.security.hideProcessInformation` to
`nix-bitcoin.security.dbusHideProcessInformation`
because this option now only implements the dbus restriction.

modules/presets/secure-node.nix

@@ -18,7 +18,7 @@ in {
 
     networking.firewall.enable = true;
 
-    nix-bitcoin.security.hideProcessInformation = true;
+    nix-bitcoin.security.dbusHideProcessInformation = true;
 
     # Use doas instead of sudo
     security.doas.enable = true;

modules/security.nix

@@ -1,20 +1,29 @@
-{ config, lib, pkgs, options, ... }:
+{ config, lib, pkgs, ... }:
 
+with lib;
 {
   options = {
-    nix-bitcoin.security.hideProcessInformation = options.security.hideProcessInformation;
+    nix-bitcoin.security.dbusHideProcessInformation = mkOption {
+      type = types.bool;
+      default = false;
+      description = ''
+        Only allow users with group 'proc' to retrieve systemd unit information like
+        cgroup paths (i.e. (sub)process command lines) via D-Bus.
+
+        This mitigates a systemd security issue where (sub)process command lines can
+        be retrieved by services even when their access to /proc is restricted
+        (via ProtectProc).
+
+        This option works by restricting the D-Bus method 'GetUnitProcesses', which
+        is also used internally by `systemctl status`.
+      '';
+    };
   };
 
-  config = lib.mkIf config.nix-bitcoin.security.hideProcessInformation {
+  config = mkIf config.nix-bitcoin.security.dbusHideProcessInformation {
-    # Only show the current user's processes in /proc.
+    users.groups.proc = {};
-    # Users with group 'proc' can still access all processes.
+    nix-bitcoin.operator.groups = [ "proc" ]; # Enable operator access to systemd-status
-    security.hideProcessInformation = true;
 
-    # This mitigates a systemd security issue leaking (sub)process
-    # command lines.
-    # Only allow users with group 'proc' to retrieve systemd unit information like
-    # cgroup paths (i.e. (sub)process command lines) via D-Bus.
-    # This D-Bus call is used by `systemctl status`.
     services.dbus.packages = lib.mkAfter [ # Apply at the end to override the default policy
       (pkgs.writeTextDir "etc/dbus-1/system.d/dbus.conf" ''
         <busconfig>

pkgs/lib.nix

@@ -17,9 +17,8 @@ let self = {
       ProtectKernelModules = "true";
       ProtectKernelLogs = "true";
       ProtectClock = "true";
-      # Test and enable these when systemd v247 is available
+      ProtectProc = "invisible";
-      # ProtectProc = "invisible";
+      ProcSubset = "pid";
-      # ProcSubset = "pid";
       ProtectControlGroups = "true";
       RestrictAddressFamilies = "AF_UNIX AF_INET AF_INET6";
       RestrictNamespaces = "true";

test/tests.py

@@ -85,9 +85,6 @@ def _():
     succeed('[[ $(stat -c "%U:%G %a" /secrets/dummy) = "root:root 440" ]]')
 
     if "secure-node" in enabled_tests:
-        # Access to '/proc' should be restricted
-        machine.succeed("grep -Fq hidepid=2 /proc/mounts")
-
         machine.wait_for_unit("bitcoind")
         # `systemctl status` run by unprivileged users shouldn't leak cgroup info
         assert_matches(
@@ -97,7 +94,6 @@ def _():
         # The 'operator' with group 'proc' has full access
         assert_full_match("runuser -u operator -- systemctl status bitcoind 2>&1 >/dev/null", "")
 
-
 @test("bitcoind")
 def _():
     assert_running("bitcoind")