
nixos/hidepid: remove module, it's broken #111635

Status: Merged (2 commits, Feb 22, 2021)

Conversation

xaverdh (Contributor) commented Feb 2, 2021

Motivation for this change

hidepid is currently broken.
cf. #73800 and #111629

Things done

Built the manual.

  • Tested using sandboxing (nix.useSandbox on NixOS, or option sandbox in nix.conf on non-NixOS linux)
  • Built on platform(s)
    • NixOS
    • macOS
    • other Linux distributions
  • Tested via one or more NixOS test(s) if existing and applicable for the change (look inside nixos/tests)
  • Tested compilation of all pkgs that depend on this change using nix-shell -p nixpkgs-review --run "nixpkgs-review wip"
  • Tested execution of all binary files (usually in ./result/bin/)
  • Determined the impact on package closure size (by running nix path-info -S before and after)
  • Ensured that relevant documentation is up to date
  • Fits CONTRIBUTING.md.

xaverdh (Contributor, Author) commented Feb 2, 2021

How would I go about adding a trace to the module / is there some official infrastructure for doing this?
Or should I just add builtins.trace in config after mkIf config.security.hideProcessInformation (hopefully this is lazy enough then)?

joachifm (Contributor) commented Feb 5, 2021

If it cannot be fixed/is broken for all kernels, I propose removing the module & adding an entry to https://github.com/NixOS/nixpkgs/blob/master/nixos/modules/rename.nix

joachifm (Contributor) commented Feb 5, 2021

If the problem is only with wayland/graphical configs, I suggest adding a warning via the module assert mechanism.
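The two approaches discussed in this thread, written out as an added illustration (this is not code from the PR or from nixpkgs): a module that keeps the option but emits a warning through the module system, which is what xaverdh's trace question and joachifm's "assert mechanism" suggestion amount to, and the rename.nix-style removal entry that the merged PR chose. The option path `security.hideProcessInformation` and the issue numbers are from the page; the attribute names `warnOnly`/`removed` and the message texts are my own.

```nix
# Two alternative NixOS modules for the same option; a system would use one
# or the other, never both (the removal entry makes the option unusable).
{
  # Option A: keep the hidepid module, but warn whenever it is enabled.
  # `lib.mkIf` is lazy, so the warning is only produced when the option
  # evaluates to true; this is the module-system way of doing what a
  # `builtins.trace` after `mkIf` would do.
  warnOnly = { config, lib, ... }: {
    config = lib.mkIf config.security.hideProcessInformation {
      warnings = [
        "security.hideProcessInformation (hidepid) is known to be broken; see NixOS/nixpkgs#73800 and #111629."
      ];
      # To turn the warning into a hard evaluation failure instead, use the
      # assertions mechanism (this is what the thread calls the "assert mechanism"):
      # assertions = [{
      #   assertion = false;
      #   message = "security.hideProcessInformation is broken; please remove it.";
      # }];
    };
  };

  # Option B (what this PR does): drop the module and register the option
  # path as removed, so existing configurations fail with a clear message
  # rather than silently doing nothing. In nixpkgs this call lives in
  # nixos/modules/rename.nix.
  removed = { lib, ... }: {
    imports = [
      (lib.mkRemovedOptionModule [ "security" "hideProcessInformation" ]
        "hidepid is broken (cgroup v2, breaks userspace such as gdm) and the module has been removed.")
    ];
  };
}
```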

flokli (Contributor) commented Feb 21, 2021

hidepid is sufficiently broken, doesn't work with cgroupsv2 (so is a dead end on that front already).

It breaks userspace, like gdm. Having it in the hardened profile is yet another footgun.

Removing it from the module system entirely seems to be the right course of action - if people want to bring it back once these bugs are fixed, there's always the possibility to re-introduce, but we should probably ship fewer footguns.

@xaverdh, can you update the PR, and add a small release note entry?

flokli (Contributor) left a review comment on nixos/modules/rename.nix (outdated, resolved):

Please also add a line to nixos/doc/manual/release-notes/rl-2105.xml.

xaverdh (Contributor, Author) commented Feb 21, 2021

I think this should be good now.

@flokli flokli changed the title nixos/hidpid: add warning (it is broken currently) nixos/hidepid: remove module, it's broken Feb 21, 2021
flokli (Contributor) commented Feb 21, 2021

@GrahamcOfBorg eval

@flokli flokli merged commit f3af2df into NixOS:master Feb 22, 2021
@xaverdh xaverdh deleted the hide-pid-broken branch February 23, 2021 09:11
nixos-discourse commented

This pull request has been mentioned on NixOS Discourse. There might be relevant details there:

https://discourse.nixos.org/t/whats-the-state-of-hidepid/51886/1
