From dcf57bebf0d28089045a29477f26ad35d1041392 Mon Sep 17 00:00:00 2001
From: madaidan <50278627+madaidan@users.noreply.github.com>
Date: Sat, 29 Jun 2019 22:27:24 +0000
Subject: [PATCH 1/3] Create proc-hidepid.service
---
 lib/systemd/system/proc-hidepid.service | 26 +++++++++++++++++++++++++
 1 file changed, 26 insertions(+)
 create mode 100644 lib/systemd/system/proc-hidepid.service
diff --git a/lib/systemd/system/proc-hidepid.service b/lib/systemd/system/proc-hidepid.service
new file mode 100644
index 0000000..0b826bb
--- /dev/null
+++ b/lib/systemd/system/proc-hidepid.service
@@ -0,0 +1,26 @@
+[Unit]
+Description=Mounts /proc with hidepid=2
+Requires=local-fs.target
+After=local-fs.target
+
+[Service]
+Type=oneshot
+ExecStart=/bin/mount -o remount,nosuid,nodev,noexec,hidepid=2 /proc
+ProtectSystem=strict
+ProtectHome=true
+ProtectKernelTunables=true
+ProtectKernelModules=true
+ProtectControlGroups=true
+PrivateTmp=true
+PrivateMounts=true
+PrivateDevices=true
+PrivateNetwork=true
+MemoryDenyWriteExecute=true
+NoNewPrivileges=true
+RestrictRealtime=true
+SystemCallArchitectures=native
+RestrictNamespaces=true
+SystemCallFilter=mount munmap access read open close stat fstat lstat mmap mprotect brk rt_sigaction rt_sigprocmask execve readlink getrlimit getuid getgid geteuid getegid statfs prctl arch_prctl set_tid_address newfstatat set_robust_list
+
+[Install]
+WantedBy=multi-user.target
From a2c676ed48782f86e8b58d39f8bec4cd37a47cf5 Mon Sep 17 00:00:00 2001
From: madaidan <50278627+madaidan@users.noreply.github.com>
Date: Sat, 29 Jun 2019 22:28:41 +0000
Subject: [PATCH 2/3] Update proc-hidepid.service
---
 lib/systemd/system/proc-hidepid.service | 1 +
 1 file changed, 1 insertion(+)
diff --git a/lib/systemd/system/proc-hidepid.service b/lib/systemd/system/proc-hidepid.service
index 0b826bb..c7feada 100644
--- a/lib/systemd/system/proc-hidepid.service
+++ b/lib/systemd/system/proc-hidepid.service
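Review bot: `PrivateMounts=true` in the [Service] section (together with `ProtectSystem=`, `ProtectHome=` and `ProtectKernelTunables=`, which also set up a private mount namespace for the service) runs `mount` in a namespace whose mount changes do not propagate back to the host, so the `remount ... hidepid=2 /proc` in `ExecStart=` is not guaranteed to reach the rest of the system; on kernels where hidepid is a per-mount rather than per-pid-namespace option (5.8 and later, as far as I know) the unit becomes a no-op while still reporting success. Dropping `PrivateMounts=true` and the mount-namespace-implying Protect* options, or putting `hidepid=2` on the `/proc` mount entry itself (fstab or a mount unit's `Options=`) instead of a late remount, would make the hardening apply where it is intended and also close the window before `local-fs.target`. The hand-written `SystemCallFilter=` allowlist is brittle: a denied syscall terminates `mount` with SIGSYS, and common libc variants such as `openat` (used by current glibc for `open()`) and the 32-bit `stat64`/`mmap2` forms are absent, so the unit can fail on a different libc or architecture; systemd's `@system-service` set is the documented starting point for such a filter. Finally, `hidepid=2` is known to interfere with systemd-logind/polkit-based tooling unless their group is exempted via the `gid=` mount option, so session management should be verified on the target release.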
@@ -1,5 +1,6 @@
 [Unit]
 Description=Mounts /proc with hidepid=2
+Documentation=https://github.com/Whonix/security-misc
 Requires=local-fs.target
 After=local-fs.target
From 22267c895b15e10c98bae365ef2bef12f95454aa Mon Sep 17 00:00:00 2001
From: madaidan <50278627+madaidan@users.noreply.github.com>
Date: Sat, 29 Jun 2019 22:30:41 +0000
Subject: [PATCH 3/3] Update control
---
 debian/control | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/debian/control b/debian/control
index 4a3352f..5ab1eb0 100644
--- a/debian/control
+++ b/debian/control
@@ -109,3 +109,6 @@ Description: enhances misc security settings
  DMA (Direct Memory Access) attacks.
  .
  IOMMU is enabled with a boot parameter to prevent DMA attacks.
+ .
+ A systemd service mounts /proc with hidepid=2 at boot to prevent users from seeing each other's processes.
+ .