From 11080f85e90e1909d3dd116489a050d0c40eb342 Mon Sep 17 00:00:00 2001
From: Agus Lopez
Date: Fri, 21 Jul 2023 14:18:08 +0200
Subject: [PATCH] Restrict users to only see their own processes

https://github.com/madaidan/security-misc/blob/master/lib/systemd/system/proc-hidepid.service
https://wiki.archlinux.org/title/Security#hidepid
https://madaidans-insecurities.github.io/guides/linux-hardening.html#hidepid
---
 Containerfile | 1 +
 README.md | 1 +
 .../system/systemd-logind.service.d/hidepid.conf | 2 ++
 .../usr/lib/systemd/system/proc-hidepid.service | 15 +++++++++++++++
 4 files changed, 19 insertions(+)
 create mode 100644 rootfs/etc/systemd/system/systemd-logind.service.d/hidepid.conf
 create mode 100644 rootfs/usr/lib/systemd/system/proc-hidepid.service

diff --git a/Containerfile b/Containerfile
index b66076e..502a4cb 100644
--- a/Containerfile
+++ b/Containerfile
@@ -6,6 +6,7 @@ FROM quay.io/fedora-ostree-desktops/silverblue:${FEDORA_MAJOR_VERSION}
 COPY rootfs/ /
 RUN systemctl enable rpm-ostree-kargs.service && \
+ systemctl enable proc-hidepid.service && \
 rpm-ostree install chromium haveged && \
 rpm-ostree override remove firefox firefox-langpacks && \
 rpm-ostree cleanup -m && \
diff --git a/README.md b/README.md
index 51b4a3a..98d6c00 100644
--- a/README.md
+++ b/README.md
@@ -18,6 +18,7 @@ Features
 - Set additional kernel runtime parameters.
 - Blacklist rarely used kernel modules.
 - Replace Firefox with Chromium.
+- Restrict users to only see their own processes.

 Verification
 ------------
diff --git a/rootfs/etc/systemd/system/systemd-logind.service.d/hidepid.conf b/rootfs/etc/systemd/system/systemd-logind.service.d/hidepid.conf
new file mode 100644
index 0000000..48e13cb
--- /dev/null
+++ b/rootfs/etc/systemd/system/systemd-logind.service.d/hidepid.conf
@@ -0,0 +1,2 @@
+[Service]
+SupplementaryGroups=adm
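Review bot: The logind drop-in is placed under `rootfs/etc/systemd/system/systemd-logind.service.d/hidepid.conf`, while the unit it compensates for ships under `rootfs/usr/lib/systemd/system/`; on an rpm-ostree image /etc is the admin-owned, three-way-merged tree, so a local edit or reset of /etc could drop this override and leave logind unable to see other users' processes once /proc is remounted with hidepid=2. Shipping it in the same image-owned location as proc-hidepid.service (`rootfs/usr/lib/systemd/system/systemd-logind.service.d/hidepid.conf`) keeps the two files coupled at the same layer, and the coupling should be stated in the file itself, e.g. `# proc-hidepid.service remounts /proc with hidepid=2,gid=adm; logind must see every user's processes, hence the adm group.` Note that `gid=adm` makes adm the bypass group, so any user or service placed in adm sees all of /proc; this drop-in is the only such grant in the patch, and other system services that inspect foreign /proc entries (polkit agents and session helpers are the usual candidates, to be confirmed on this image) would need the same treatment.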
diff --git a/rootfs/usr/lib/systemd/system/proc-hidepid.service b/rootfs/usr/lib/systemd/system/proc-hidepid.service
new file mode 100644
index 0000000..cf03765
--- /dev/null
+++ b/rootfs/usr/lib/systemd/system/proc-hidepid.service
@@ -0,0 +1,15 @@
+[Unit]
+Description=Restrict users to only see their own processes
+Documentation=https://github.com/Whonix/security-misc
+DefaultDependencies=no
+Before=sysinit.target
+Requires=local-fs.target
+After=local-fs.target
+
+[Service]
+Type=oneshot
+ExecStart=/bin/mount -o remount,nosuid,nodev,noexec,hidepid=2,gid=adm /proc
+RemainAfterExit=yes
+
+[Install]
+WantedBy=sysinit.target
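Review bot: The `ExecStart=` line hard-codes `gid=adm` as the group that bypasses hidepid, but nothing in the unit records that choice or that systemd-logind is given that group elsewhere in the patch, so the next maintainer cannot tell which services were deliberately exempted. Add above `[Service]`: `# hidepid=2 hides other users' /proc/<pid> entries; members of gid=adm bypass it.` and `# Keep in sync with systemd-logind.service.d/hidepid.conf, which adds logind to adm.` If the `adm` group is ever absent or renamed, the mount command fails and, because sysinit.target only Wants this unit, boot continues with hidepid silently unapplied; it is worth documenting a post-boot check such as `findmnt -o OPTIONS /proc` alongside the unit. The remount also only affects the mount namespace it runs in and the options set here replace whatever /proc was mounted with, which is presumably intended but should be stated.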