security: update /proc restriction mechanism
NixOS option `security.hideProcessInformation` for globally restricting access to /proc has been removed. Use per-service restrictions via 'ProtectProc' instead. Rename `nix-bitcoin.security.hideProcessInformation` to `nix-bitcoin.security.dbusHideProcessInformation` because this option now only implements the dbus restriction.
This commit is contained in:
Erik Arvstedt
parent
178a0dcf8f
commit
35fe939cf8
4 changed files with 23 additions and 19 deletions
|
|
@ -85,9 +85,6 @@ def _():
|
|||
succeed('[[ $(stat -c "%U:%G %a" /secrets/dummy) = "root:root 440" ]]')
|
||||
|
||||
if "secure-node" in enabled_tests:
|
||||
# Access to '/proc' should be restricted
|
||||
machine.succeed("grep -Fq hidepid=2 /proc/mounts")
|
||||
|
||||
machine.wait_for_unit("bitcoind")
|
||||
# `systemctl status` run by unprivileged users shouldn't leak cgroup info
|
||||
assert_matches(
|
||||
|
|
@ -97,7 +94,6 @@ def _():
|
|||
# The 'operator' with group 'proc' has full access
|
||||
assert_full_match("runuser -u operator -- systemctl status bitcoind 2>&1 >/dev/null", "")
|
||||
|
||||
|
||||
@test("bitcoind")
|
||||
def _():
|
||||
assert_running("bitcoind")
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue