Restrict users to only see their own processes

https://github.com/madaidan/security-misc/blob/master/lib/systemd/system/proc-hidepid.service https://madaidans-insecurities.github.io/guides/linux-hardening.html#hidepid
aguslr · Jul 22, 2023 · 4e01228 · 4e01228
1 parent ebd80f7
commit 4e01228
Show file tree

Hide file tree

Showing 4 changed files with 19 additions and 0 deletions.
diff --git a/Containerfile b/Containerfile
@@ -6,6 +6,7 @@ FROM quay.io/fedora-ostree-desktops/silverblue:${FEDORA_MAJOR_VERSION}
 COPY rootfs/ /
 
 RUN systemctl enable rpm-ostree-kargs.service && \
+    systemctl enable proc-hidepid.service && \
     rpm-ostree install chromium haveged && \
     rpm-ostree override remove firefox firefox-langpacks && \
     rpm-ostree cleanup -m && \

diff --git a/README.md b/README.md
@@ -18,6 +18,7 @@ Features
 - Set additional kernel runtime parameters.
 - Blacklist rarely used kernel modules.
 - Replace Firefox with Chromium.
+- Restrict users to only see their own processes.
 
 Verification
 ------------

diff --git a/rootfs/etc/systemd/system/systemd-logind.service.d/hidepid.conf b/rootfs/etc/systemd/system/systemd-logind.service.d/hidepid.conf
@@ -0,0 +1,2 @@
+[Service]
+SupplementaryGroups=adm
diff --git a/rootfs/usr/lib/systemd/system/proc-hidepid.service b/rootfs/usr/lib/systemd/system/proc-hidepid.service
@@ -0,0 +1,15 @@
+[Unit]
+Description=Restrict users to only see their own processes
+Documentation=https://github.com/Whonix/security-misc
+DefaultDependencies=no
+Before=sysinit.target
+Requires=local-fs.target
+After=local-fs.target
+
+[Service]
+Type=oneshot
+ExecStart=/bin/mount -o remount,nosuid,nodev,noexec,hidepid=2,gid=adm /proc
+RemainAfterExit=yes
+
+[Install]
+WantedBy=sysinit.target