security: enable full systemd-status for group 'proc'

Previously, systemd-status was broken for all users except root.

Use a 'default' deny policy, which is overridden for group 'proc'.

Add operator to group 'proc'.

Also, remove redundant XML boilerplate.

modules/presets/secure-node.nix

@@ -227,6 +227,7 @@ in {
       isNormalUser = true;
       extraGroups = [
           "systemd-journal"
+          "proc" # Enable full /proc access and systemd-status
           cfg.bitcoind.group
         ]
         ++ (optionals cfg.clightning.enable [ "clightning" ])

modules/security.nix

@@ -7,21 +7,27 @@
 
   # This mitigates a systemd security issue leaking (sub)process
   # command lines.
-  # Only allow root to retrieve systemd unit information like
+  # Only allow users with group 'proc' to retrieve systemd unit information like
   # cgroup paths (i.e. (sub)process command lines) via D-Bus.
   # This D-Bus call is used by `systemctl status`.
-  services.dbus.packages = [ (pkgs.writeTextDir "etc/dbus-1/system.d/dbus.conf" ''
+  services.dbus.packages = lib.mkAfter [ # Apply at the end to override the default policy
-    <?xml version="1.0" encoding="UTF-8"?> <!-- -*- XML -*- -->
+    (pkgs.writeTextDir "etc/dbus-1/system.d/dbus.conf" ''
-
+      <busconfig>
-    <!DOCTYPE busconfig PUBLIC
+        <policy context="default">
-     "-//freedesktop//DTD D-BUS Bus Configuration 1.0//EN"
+          <deny
-     "http://www.freedesktop.org/standards/dbus/1.0/busconfig.dtd">
+            send_destination="org.freedesktop.systemd1"
-
+            send_interface="org.freedesktop.systemd1.Manager"
-      <policy context="mandatory">
+            send_member="GetUnitProcesses"
-        <deny send_destination="org.freedesktop.systemd1"
+          />
-          send_interface="org.freedesktop.systemd1.Manager"
+        </policy>
-          send_member="GetUnitProcesses"/>
+        <policy group="proc">
-      </policy>
+          <allow
-    </busconfig>
+            send_destination="org.freedesktop.systemd1"
-  '') ];
+            send_interface="org.freedesktop.systemd1.Manager"
+            send_member="GetUnitProcesses"
+          />
+        </policy>
+      </busconfig>
+    '')
+  ];
 }

test/scenarios/lib.py

@@ -103,11 +103,13 @@ def run_tests(extra_tests):
     machine.wait_until_succeeds(log_has_string("bitcoind-import-banlist", "Importing node banlist"))
     assert_no_failure("bitcoind-import-banlist")
 
-    # test that `systemctl status` can't leak credentials
+    # `systemctl status` run by unprivileged users shouldn't leak cgroup info
     assert_matches(
         "sudo -u electrs systemctl status clightning 2>&1 >/dev/null",
         "Failed to dump process list for 'clightning.service', ignoring: Access denied",
     )
+    # The 'operator' with group 'proc' has full access
+    assert_full_match("sudo -u operator systemctl status clightning 2>&1 >/dev/null", "")
     machine.succeed("grep -Fq hidepid=2 /proc/mounts")
 
     ### Additional tests