security: enable full systemd-status for group 'proc'

Previously, systemd-status was broken for all users except root. Use a 'default' deny policy, which is overridden for group 'proc'. Add operator to group 'proc'. Also, remove redundant XML boilerplate.
2020-08-20 13:11:08 +02:00 · 2020-08-20 13:11:08 +02:00 · 588a0b2405
commit 588a0b2405
parent 96ea2e671c
3 changed files with 25 additions and 16 deletions
--- a/modules/presets/secure-node.nix
+++ b/modules/presets/secure-node.nix
@ -227,6 +227,7 @@ in {
      isNormalUser = true;
      extraGroups = [
          "systemd-journal"
+          "proc" # Enable full /proc access and systemd-status
          cfg.bitcoind.group
        ]
        ++ (optionals cfg.clightning.enable [ "clightning" ])