This reverts commit fb6d63f3fd.
I really hope this finally fixes #99236: evaluation on Hydra.
This time I really did check basically the same commit on Hydra:
https://hydra.nixos.org/eval/1618011
Right now I don't have energy to find what exactly is wrong in the
commit, and it doesn't seem important in comparison to nixos-unstable
channel being stuck on a commit over one week old.
wip/yesman
parent
3b0886c9af
commit
420f89ceb2
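--- /dev/null
+++ b/PATH-NOT-SHOWN-1
@@ -0,0 +1,49 @@
+{ config, lib, pkgs, ... }:
+let
+cfg = config.security.apparmor;
+in
+with lib;
+{
+imports = [
+(mkRenamedOptionModule [ "security" "virtualization" "flushL1DataCache" ] [ "security" "virtualisation" "flushL1DataCache" ])
+];
+
+options.security.apparmor.confineSUIDApplications = mkOption {
+type = types.bool;
+default = true;
+description = ''
+Install AppArmor profiles for commonly-used SUID application
+to mitigate potential privilege escalation attacks due to bugs
+in such applications.
+
+Currently available profiles: ping
+'';
+};
+
+config = mkIf (cfg.confineSUIDApplications) {
+security.apparmor.profiles = [ (pkgs.writeText "ping" ''
+#include <tunables/global>
+/run/wrappers/bin/ping {
+#include <abstractions/base>
+#include <abstractions/consoles>
+#include <abstractions/nameservice>
+
+capability net_raw,
+capability setuid,
+network inet raw,
+
+${pkgs.stdenv.cc.libc.out}/lib/*.so mr,
+${pkgs.libcap.lib}/lib/libcap.so* mr,
+${pkgs.attr.out}/lib/libattr.so* mr,
+
+${pkgs.iputils}/bin/ping mixr,
+
+#/etc/modules.conf r,
+
+## Site-specific additions and overrides. See local/README for details.
+##include <local/bin.ping>
+}
+'') ];
+};
+
+}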
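Review bot: The restored `confineSUIDApplications` option defaults to true, but its only effect is to append to `security.apparmor.profiles`, which the restored apparmor.nix in the next section consumes under `config = mkIf cfg.enable`, so the ping profile is loaded only when `security.apparmor.enable` is also set and the description does not say so. Suggest extending the description with `This option only has an effect when security.apparmor.enable is true.` and changing `SUID application` to `SUID applications`. The profile grants both `capability net_raw` and `capability setuid`; a one-line comment in the profile stating why the setuid capability is needed for the wrapper would help the next reviewer judge whether it can be dropped.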
@ -1,198 +1,59 @@ |
||||
{ config, lib, pkgs, ... }: |
||||
|
||||
let |
||||
inherit (builtins) attrNames head map match readFile; |
||||
inherit (lib) types; |
||||
inherit (config.environment) etc; |
||||
inherit (lib) mkIf mkOption types concatMapStrings; |
||||
cfg = config.security.apparmor; |
||||
mkDisableOption = name: lib.mkEnableOption name // { |
||||
default = true; |
||||
example = false; |
||||
}; |
||||
enabledPolicies = lib.filterAttrs (n: p: p.enable) cfg.policies; |
||||
in |
||||
|
||||
{ |
||||
imports = [ |
||||
(lib.mkRenamedOptionModule [ "security" "virtualization" "flushL1DataCache" ] [ "security" "virtualisation" "flushL1DataCache" ]) |
||||
(lib.mkRemovedOptionModule [ "security" "apparmor" "confineSUIDApplications" ] "Please use the new options: `security.apparmor.policies.<policy>.enable'.") |
||||
(lib.mkRemovedOptionModule [ "security" "apparmor" "profiles" ] "Please use the new option: `security.apparmor.policies'.") |
||||
apparmor/includes.nix |
||||
apparmor/profiles.nix |
||||
]; |
||||
|
||||
options = { |
||||
security.apparmor = { |
||||
enable = lib.mkEnableOption ''the AppArmor Mandatory Access Control system. |
||||
|
||||
If you're enabling this module on a running system, |
||||
note that a reboot will be required to activate AppArmor in the kernel. |
||||
|
||||
Also, beware that enabling this module will by default |
||||
try to kill unconfined but confinable running processes, |
||||
in order to obtain a confinement matching what is declared in the NixOS configuration. |
||||
This will happen when upgrading to a NixOS revision |
||||
introducing an AppArmor profile for the executable of a running process. |
||||
This is because enabling an AppArmor profile for an executable |
||||
can only confine new or already confined processes of that executable, |
||||
but leaves already running processes unconfined. |
||||
Set <link linkend="opt-security.apparmor.killUnconfinedConfinables">killUnconfinedConfinables</link> |
||||
to <literal>false</literal> if you prefer to leave those processes running''; |
||||
policies = lib.mkOption { |
||||
description = '' |
||||
AppArmor policies. |
||||
''; |
||||
type = types.attrsOf (types.submodule ({ name, config, ... }: { |
||||
options = { |
||||
enable = mkDisableOption "loading of the profile into the kernel"; |
||||
enforce = mkDisableOption "enforcing of the policy or only complain in the logs"; |
||||
profile = lib.mkOption { |
||||
description = "The policy of the profile."; |
||||
type = types.lines; |
||||
apply = pkgs.writeText name; |
||||
}; |
||||
}; |
||||
})); |
||||
default = {}; |
||||
}; |
||||
includes = lib.mkOption { |
||||
type = types.attrsOf types.lines; |
||||
default = {}; |
||||
description = '' |
||||
List of paths to be added to AppArmor's searched paths |
||||
when resolving <literal>include</literal> directives. |
||||
''; |
||||
apply = lib.mapAttrs pkgs.writeText; |
||||
}; |
||||
packages = lib.mkOption { |
||||
type = types.listOf types.package; |
||||
default = []; |
||||
description = "List of packages to be added to AppArmor's include path"; |
||||
}; |
||||
enableCache = lib.mkEnableOption ''caching of AppArmor policies |
||||
in <literal>/var/cache/apparmor/</literal>. |
||||
|
||||
Beware that AppArmor policies almost always contain Nix store paths, |
||||
and thus produce at each change of these paths |
||||
a new cached version accumulating in the cache''; |
||||
killUnconfinedConfinables = mkDisableOption ''killing of processes |
||||
which have an AppArmor profile enabled |
||||
(in <link linkend="opt-security.apparmor.policies">policies</link>) |
||||
but are not confined (because AppArmor can only confine new processes). |
||||
Beware that due to a current limitation of AppArmor, |
||||
only profiles with exact paths (and no name) can enable such kills''; |
||||
}; |
||||
}; |
||||
|
||||
config = lib.mkIf cfg.enable { |
||||
assertions = map (policy: |
||||
{ assertion = match ".*/.*" policy == null; |
||||
message = "`security.apparmor.policies.\"${policy}\"' must not contain a slash."; |
||||
# Because, for instance, aa-remove-unknown uses profiles_names_list() in rc.apparmor.functions |
||||
# which does not recurse into sub-directories. |
||||
} |
||||
) (attrNames cfg.policies); |
||||
|
||||
environment.systemPackages = [ pkgs.apparmor-utils ]; |
||||
environment.etc."apparmor.d".source = pkgs.linkFarm "apparmor.d" ( |
||||
# It's important to put only enabledPolicies here and not all cfg.policies |
||||
# because aa-remove-unknown reads profiles from all /etc/apparmor.d/* |
||||
lib.mapAttrsToList (name: p: {inherit name; path=p.profile;}) enabledPolicies ++ |
||||
lib.mapAttrsToList (name: path: {inherit name path;}) cfg.includes |
||||
); |
||||
environment.etc."apparmor/parser.conf".text = '' |
||||
${if cfg.enableCache then "write-cache" else "skip-cache"} |
||||
cache-loc /var/cache/apparmor |
||||
Include /etc/apparmor.d |
||||
'' + |
||||
lib.concatMapStrings (p: "Include ${p}/etc/apparmor.d\n") cfg.packages; |
||||
# For aa-logprof |
||||
environment.etc."apparmor/apparmor.conf".text = '' |
||||
''; |
||||
# For aa-logprof |
||||
environment.etc."apparmor/severity.db".source = pkgs.apparmor-utils + "/etc/apparmor/severity.db"; |
||||
environment.etc."apparmor/logprof.conf".text = '' |
||||
[settings] |
||||
# /etc/apparmor.d/ is read-only on NixOS |
||||
profiledir = /var/cache/apparmor/logprof |
||||
inactive_profiledir = /etc/apparmor.d/disable |
||||
# Use: journalctl -b --since today --grep audit: | aa-logprof |
||||
logfiles = /dev/stdin |
||||
|
||||
parser = ${pkgs.apparmor-parser}/bin/apparmor_parser |
||||
ldd = ${pkgs.glibc.bin}/bin/ldd |
||||
logger = ${pkgs.utillinux}/bin/logger |
||||
|
||||
# customize how file ownership permissions are presented |
||||
# 0 - off |
||||
# 1 - default of what ever mode the log reported |
||||
# 2 - force the new permissions to be user |
||||
# 3 - force all perms on the rule to be user |
||||
default_owner_prompt = 1 |
||||
|
||||
custom_includes = /etc/apparmor.d ${lib.concatMapStringsSep " " (p: "${p}/etc/apparmor.d") cfg.packages} |
||||
|
||||
[qualifiers] |
||||
${pkgs.runtimeShell} = icnu |
||||
${pkgs.bashInteractive}/bin/sh = icnu |
||||
${pkgs.bashInteractive}/bin/bash = icnu |
||||
'' + head (match "^.*\\[qualifiers](.*)" # Drop the original [settings] section. |
||||
(readFile "${pkgs.apparmor-utils}/etc/apparmor/logprof.conf")); |
||||
|
||||
boot.kernelParams = [ "apparmor=1" "security=apparmor" ]; |
||||
|
||||
systemd.services.apparmor = { |
||||
after = [ |
||||
"local-fs.target" |
||||
"systemd-journald-audit.socket" |
||||
]; |
||||
before = [ "sysinit.target" ]; |
||||
wantedBy = [ "multi-user.target" ]; |
||||
unitConfig = { |
||||
Description="Load AppArmor policies"; |
||||
DefaultDependencies = "no"; |
||||
ConditionSecurity = "apparmor"; |
||||
}; |
||||
# Reloading instead of restarting enables to load new AppArmor profiles |
||||
# without necessarily restarting all services which have Requires=apparmor.service |
||||
reloadIfChanged = true; |
||||
restartTriggers = [ |
||||
etc."apparmor/parser.conf".source |
||||
etc."apparmor.d".source |
||||
]; |
||||
serviceConfig = let |
||||
killUnconfinedConfinables = pkgs.writeShellScript "apparmor-kill" '' |
||||
set -eu |
||||
${pkgs.apparmor-utils}/bin/aa-status --json | |
||||
${pkgs.jq}/bin/jq --raw-output '.processes | .[] | .[] | select (.status == "unconfined") | .pid' | |
||||
xargs --verbose --no-run-if-empty --delimiter='\n' \ |
||||
kill |
||||
''; |
||||
commonOpts = p: "--verbose --show-cache ${lib.optionalString (!p.enforce) "--complain "}${p.profile}"; |
||||
in { |
||||
Type = "oneshot"; |
||||
RemainAfterExit = "yes"; |
||||
ExecStartPre = "${pkgs.apparmor-utils}/bin/aa-teardown"; |
||||
ExecStart = lib.mapAttrsToList (n: p: "${pkgs.apparmor-parser}/bin/apparmor_parser --add ${commonOpts p}") enabledPolicies; |
||||
ExecStartPost = lib.optional cfg.killUnconfinedConfinables killUnconfinedConfinables; |
||||
ExecReload = |
||||
# Add or replace into the kernel profiles in enabledPolicies |
||||
# (because AppArmor can do that without stopping the processes already confined). |
||||
lib.mapAttrsToList (n: p: "${pkgs.apparmor-parser}/bin/apparmor_parser --replace ${commonOpts p}") enabledPolicies ++ |
||||
# Remove from the kernel any profile whose name is not |
||||
# one of the names within the content of the profiles in enabledPolicies |
||||
# (indirectly read from /etc/apparmor.d/*, without recursing into sub-directory). |
||||
# Note that this does not remove profiles dynamically generated by libvirt. |
||||
[ "${pkgs.apparmor-utils}/bin/aa-remove-unknown" ] ++ |
||||
# Optionaly kill the processes which are unconfined but now have a profile loaded |
||||
# (because AppArmor can only start to confine new processes). |
||||
lib.optional cfg.killUnconfinedConfinables killUnconfinedConfinables; |
||||
ExecStop = "${pkgs.apparmor-utils}/bin/aa-teardown"; |
||||
CacheDirectory = [ "apparmor" "apparmor/logprof" ]; |
||||
CacheDirectoryMode = "0700"; |
||||
}; |
||||
}; |
||||
}; |
||||
|
||||
meta.maintainers = with lib.maintainers; [ julm ]; |
||||
options = { |
||||
security.apparmor = { |
||||
enable = mkOption { |
||||
type = types.bool; |
||||
default = false; |
||||
description = "Enable the AppArmor Mandatory Access Control system."; |
||||
}; |
||||
profiles = mkOption { |
||||
type = types.listOf types.path; |
||||
default = []; |
||||
description = "List of files containing AppArmor profiles."; |
||||
}; |
||||
packages = mkOption { |
||||
type = types.listOf types.package; |
||||
default = []; |
||||
description = "List of packages to be added to apparmor's include path"; |
||||
}; |
||||
}; |
||||
}; |
||||
|
||||
config = mkIf cfg.enable { |
||||
environment.systemPackages = [ pkgs.apparmor-utils ]; |
||||
|
||||
boot.kernelParams = [ "apparmor=1" "security=apparmor" ]; |
||||
|
||||
systemd.services.apparmor = let |
||||
paths = concatMapStrings (s: " -I ${s}/etc/apparmor.d") |
||||
([ pkgs.apparmor-profiles ] ++ cfg.packages); |
||||
in { |
||||
after = [ "local-fs.target" ]; |
||||
before = [ "sysinit.target" ]; |
||||
wantedBy = [ "multi-user.target" ]; |
||||
unitConfig = { |
||||
DefaultDependencies = "no"; |
||||
}; |
||||
serviceConfig = { |
||||
Type = "oneshot"; |
||||
RemainAfterExit = "yes"; |
||||
ExecStart = map (p: |
||||
''${pkgs.apparmor-parser}/bin/apparmor_parser -rKv ${paths} "${p}"'' |
||||
) cfg.profiles; |
||||
ExecStop = map (p: |
||||
''${pkgs.apparmor-parser}/bin/apparmor_parser -Rv "${p}"'' |
||||
) cfg.profiles; |
||||
ExecReload = map (p: |
||||
''${pkgs.apparmor-parser}/bin/apparmor_parser --reload ${paths} "${p}"'' |
||||
) cfg.profiles; |
||||
}; |
||||
}; |
||||
}; |
||||
} |
||||
|
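Review bot: On what appears to be the restored (new) side, the apparmor unit's `unitConfig` carries only `DefaultDependencies = "no"` and no `ConditionSecurity = "apparmor"`, so when `security.apparmor.enable` is switched on without the reboot that `boot.kernelParams = [ "apparmor=1" "security=apparmor" ]` requires, the oneshot still runs `apparmor_parser -rKv` against a kernel without the LSM active and the unit fails during activation. For an emergency revert that may be acceptable, but adding `ConditionSecurity = "apparmor";` next to `DefaultDependencies` lets the unit skip cleanly instead of failing. The `enable` option's description, `"Enable the AppArmor Mandatory Access Control system."`, could likewise note that a reboot is required for the kernel parameters to take effect. The side assignment is inferred from print order and the hunk's line counts, since the `+`/`-` markers are lost on this page.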
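--- a/PATH-NOT-SHOWN-3
+++ /dev/null
@@ -1,301 +0,0 @@
-{ config, lib, pkgs, ... }:
-let
-inherit (builtins) attrNames hasAttr isAttrs;
-inherit (lib) getLib;
-inherit (config.environment) etc;
-etcRule = arg:
-let go = {path ? null, mode ? "r", trail ? ""}:
-lib.optionalString (hasAttr path etc)
-"${mode} ${config.environment.etc.${path}.source}${trail},";
-in if isAttrs arg
-then go arg
-else go {path=arg;};
-in
-{
-# FIXME: most of the etcRule calls below have been
-# written systematically by converting from apparmor-profiles's profiles
-# without testing nor deep understanding of their uses,
-# and thus may need more rules or can have less rules;
-# this remains to be determined case by case,
-# some may even be completely useless.
-config.security.apparmor.includes = {
-# This one is included by <tunables/global>
-# which is usualy included before any profile.
-"abstractions/tunables/alias" = ''
-alias /bin -> /run/current-system/sw/bin,
-alias /lib/modules -> /run/current-system/kernel/lib/modules,
-alias /sbin -> /run/current-system/sw/sbin,
-alias /usr -> /run/current-system/sw,
-'';
-"abstractions/audio" = ''
-include "${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/audio"
-${etcRule "asound.conf"}
-${etcRule "esound/esd.conf"}
-${etcRule "libao.conf"}
-${etcRule {path="pulse"; trail="/";}}
-${etcRule {path="pulse"; trail="/**";}}
-${etcRule {path="sound"; trail="/";}}
-${etcRule {path="sound"; trail="/**";}}
-${etcRule {path="alsa/conf.d"; trail="/";}}
-${etcRule {path="alsa/conf.d"; trail="/*";}}
-${etcRule "openal/alsoft.conf"}
-${etcRule "wildmidi/wildmidi.conf"}
-'';
-"abstractions/authentication" = ''
-include "${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/authentication"
-# Defined in security.pam
-include <abstractions/pam>
-${etcRule "nologin"}
-${etcRule "securetty"}
-${etcRule {path="security"; trail="/*";}}
-${etcRule "shadow"}
-${etcRule "gshadow"}
-${etcRule "pwdb.conf"}
-${etcRule "default/passwd"}
-${etcRule "login.defs"}
-'';
-"abstractions/base" = ''
-include "${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/base"
-r ${pkgs.stdenv.cc.libc}/share/locale/**,
-r ${pkgs.stdenv.cc.libc}/share/locale.alias,
-${lib.optionalString (pkgs.glibcLocales != null) "r ${pkgs.glibcLocales}/lib/locale/locale-archive,"}
-${etcRule "localtime"}
-r ${pkgs.tzdata}/share/zoneinfo/**,
-r ${pkgs.stdenv.cc.libc}/share/i18n/**,
-'';
-"abstractions/bash" = ''
-include "${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/bash"
-# system-wide bash configuration
-${etcRule "profile.dos"}
-${etcRule "profile"}
-${etcRule "profile.d"}
-${etcRule {path="profile.d"; trail="/*";}}
-${etcRule "bashrc"}
-${etcRule "bash.bashrc"}
-${etcRule "bash.bashrc.local"}
-${etcRule "bash_completion"}
-${etcRule "bash_completion.d"}
-${etcRule {path="bash_completion.d"; trail="/*";}}
-# bash relies on system-wide readline configuration
-${etcRule "inputrc"}
-# bash inspects filesystems at startup
-# and /etc/mtab is linked to /proc/mounts
-@{PROC}/mounts
-
-# run out of /etc/bash.bashrc
-${etcRule "DIR_COLORS"}
-'';
-"abstractions/cups-client" = ''
-include "${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/cpus-client"
-${etcRule "cups/cups-client.conf"}
-'';
-"abstractions/consoles" = ''
-include "${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/consoles"
-'';
-"abstractions/dbus-session-strict" = ''
-include "${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/dbus-session-strict"
-${etcRule "machine-id"}
-'';
-"abstractions/dconf" = ''
-include "${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/dconf"
-${etcRule {path="dconf"; trail="/**";}}
-'';
-"abstractions/dri-common" = ''
-include "${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/dri-common"
-${etcRule "drirc"}
-'';
-# The config.fonts.fontconfig NixOS module adds many files to /etc/fonts/
-# by symlinking them but without exporting them outside of its NixOS module,
-# those are therefore added there to this "abstractions/fonts".
-"abstractions/fonts" = ''
-include "${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/fonts"
-${etcRule {path="fonts"; trail="/**";}}
-'';
-"abstractions/gnome" = ''
-include "${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/gnome"
-${etcRule {path="gnome"; trail="/gtkrc*";}}
-${etcRule {path="gtk"; trail="/*";}}
-${etcRule {path="gtk-2.0"; trail="/*";}}
-${etcRule {path="gtk-3.0"; trail="/*";}}
-${etcRule "orbitrc"}
-include <abstractions/fonts>
-${etcRule {path="pango"; trail="/*";}}
-${etcRule {path="/etc/gnome-vfs-2.0"; trail="/modules/";}}
-${etcRule {path="/etc/gnome-vfs-2.0"; trail="/modules/*";}}
-${etcRule "papersize"}
-${etcRule {path="cups"; trail="/lpoptions";}}
-${etcRule {path="gnome"; trail="/defaults.list";}}
-${etcRule {path="xdg"; trail="/{,*-}mimeapps.list";}}
-${etcRule "xdg/mimeapps.list"}
-'';
-"abstractions/kde" = ''
-include "${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/kde"
-${etcRule {path="qt3"; trail="/kstylerc";}}
-${etcRule {path="qt3"; trail="/qt_plugins_3.3rc";}}
-${etcRule {path="qt3"; trail="/qtrc";}}
-${etcRule "kderc"}
-${etcRule {path="kde3"; trail="/*";}}
-${etcRule "kde4rc"}
-${etcRule {path="xdg"; trail="/kdeglobals";}}
-${etcRule {path="xdg"; trail="/Trolltech.conf";}}
-'';
-"abstractions/kerberosclient" = ''
-include "${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/kerberosclient"
-${etcRule {path="krb5.keytab"; mode="rk";}}
-${etcRule "krb5.conf"}
-${etcRule "krb5.conf.d"}
-${etcRule {path="krb5.conf.d"; trail="/*";}}
-
-# config files found via strings on libs
-${etcRule "krb.conf"}
-${etcRule "krb.realms"}
-${etcRule "srvtab"}
-'';
-"abstractions/ldapclient" = ''
-include "${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/ldapclient"
-${etcRule "ldap.conf"}
-${etcRule "ldap.secret"}
-${etcRule {path="openldap"; trail="/*";}}
-${etcRule {path="openldap"; trail="/cacerts/*";}}
-${etcRule {path="sasl2"; trail="/*";}}
-'';
-"abstractions/likewise" = ''
-include "${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/likewise"
-'';
-"abstractions/mdns" = ''
-include "${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/mdns"
-${etcRule "nss_mdns.conf"}
-'';
-"abstractions/nameservice" = ''
-include "${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/nameservice"
-
-# Many programs wish to perform nameservice-like operations, such as
-# looking up users by name or id, groups by name or id, hosts by name
-# or IP, etc. These operations may be performed through files, dns,
-# NIS, NIS+, LDAP, hesiod, wins, etc. Allow them all here.
-${etcRule "group"}
-${etcRule "host.conf"}
-${etcRule "hosts"}
-${etcRule "nsswitch.conf"}
-${etcRule "gai.conf"}
-${etcRule "passwd"}
-${etcRule "protocols"}
-
-# libtirpc (used for NIS/YP login) needs this
-${etcRule "netconfig"}
-
-${etcRule "resolv.conf"}
-
-${etcRule {path="samba"; trail="/lmhosts";}}
-${etcRule "services"}
-
-${etcRule "default/nss"}
-
-# libnl-3-200 via libnss-gw-name
-${etcRule {path="libnl"; trail="/classid";}}
-${etcRule {path="libnl-3"; trail="/classid";}}
-
-mr ${getLib pkgs.nss}/lib/libnss_*.so*,
-mr ${getLib pkgs.nss}/lib64/libnss_*.so*,
-'';
-"abstractions/nis" = ''
-include "${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/nis"
-'';
-"abstractions/nvidia" = ''
-include "${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/nvidia"
-${etcRule "vdpau_wrapper.cfg"}
-'';
-"abstractions/opencl-common" = ''
-include "${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/opencl-common"
-${etcRule {path="OpenCL"; trail="/**";}}
-'';
-"abstractions/opencl-mesa" = ''
-include "${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/opencl-mesa"
-${etcRule "default/drirc"}
-'';
-"abstractions/openssl" = ''
-include "${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/openssl"
-${etcRule {path="ssl"; trail="/openssl.cnf";}}
-'';
-"abstractions/p11-kit" = ''
-include "${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/p11-kit"
-${etcRule {path="pkcs11"; trail="/";}}
-${etcRule {path="pkcs11"; trail="/pkcs11.conf";}}
-${etcRule {path="pkcs11"; trail="/modules/";}}
-${etcRule {path="pkcs11"; trail="/modules/*";}}
-'';
-"abstractions/perl" = ''
-include "${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/perl"
-${etcRule {path="perl"; trail="/**";}}
-'';
-"abstractions/php" = ''
-include "${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/php"
-${etcRule {path="php"; trail="/**/";}}
-${etcRule {path="php5"; trail="/**/";}}
-${etcRule {path="php7"; trail="/**/";}}
-${etcRule {path="php"; trail="/**.ini";}}
-${etcRule {path="php5"; trail="/**.ini";}}
-${etcRule {path="php7"; trail="/**.ini";}}
-'';
-"abstractions/postfix-common" = ''
-include "${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/postfix-common"
-${etcRule "mailname"}
-${etcRule {path="postfix"; trail="/*.cf";}}
-${etcRule "postfix/main.cf"}
-${etcRule "postfix/master.cf"}
-'';
-"abstractions/python" = ''
-include "${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/python"
-'';
-"abstractions/qt5" = ''
-include "${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/qt5"
-${etcRule {path="xdg"; trail="/QtProject/qtlogging.ini";}}
-${etcRule {path="xdg/QtProject"; trail="/qtlogging.ini";}}
-${etcRule "xdg/QtProject/qtlogging.ini"}
-'';
-"abstractions/samba" = ''
-include "${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/samba"
-${etcRule {path="samba"; trail="/*";}}
-'';
-"abstractions/ssl_certs" = ''
-include "${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/ssl_certs"
-${etcRule "ssl/certs/ca-certificates.crt"}
-${etcRule "ssl/certs/ca-bundle.crt"}
-${etcRule "pki/tls/certs/ca-bundle.crt"}
-
-${etcRule {path="ssl/trust"; trail="/";}}
-${etcRule {path="ssl/trust"; trail="/*";}}
-${etcRule {path="ssl/trust/anchors"; trail="/";}}
-${etcRule {path="ssl/trust/anchors"; trail="/**";}}
-${etcRule {path="pki/trust"; trail="/";}}
-${etcRule {path="pki/trust"; trail="/*";}}
-${etcRule {path="pki/trust/anchors"; trail="/";}}
-${etcRule {path="pki/trust/anchors"; trail="/**";}}
-
-# security.acme NixOS module
-r /var/lib/acme/*/cert.pem,
-r /var/lib/acme/*/chain.pem,
-r /var/lib/acme/*/fullchain.pem,
-'';
-"abstractions/ssl_keys" = ''
-# security.acme NixOS module
-r /var/lib/acme/*/full.pem,
-r /var/lib/acme/*/key.pem,
-'';
-"abstractions/vulkan" = ''
-include "${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/vulkan"
-${etcRule {path="vulkan/icd.d"; trail="/";}}
-${etcRule {path="vulkan/icd.d"; trail="/*.json";}}
-'';
-"abstractions/winbind" = ''
-include "${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/winbind"
-${etcRule {path="samba"; trail="/smb.conf";}}
-${etcRule {path="samba"; trail="/dhcp.conf";}}
-'';
-"abstractions/X" = ''
-include "${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/X"
-${etcRule {path="X11/cursors"; trail="/";}}
-${etcRule {path="X11/cursors"; trail="/**";}}
-'';
-};
-}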
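--- a/PATH-NOT-SHOWN-4
+++ /dev/null
@@ -1,11 +0,0 @@
-{ config, lib, pkgs, ... }:
-let apparmor = config.security.apparmor; in
-{
-config.security.apparmor.packages = [ pkgs.apparmor-profiles ];
-config.security.apparmor.policies."bin.ping".profile = lib.mkIf apparmor.policies."bin.ping".enable ''
-include "${pkgs.iputils.apparmor}/bin.ping"
-include "${pkgs.inetutils.apparmor}/bin.ping"
-# Note that including those two profiles in the same profile
-# would not work if the second one were to re-include <tunables/global>.
-'';
-}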
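--- a/PATH-NOT-SHOWN-5
+++ /dev/null
@@ -1,32 +0,0 @@
-aa_action() {
-STRING=$1
-shift
-$*
-rc=$?
-if [ $rc -eq 0 ] ; then
-aa_log_success_msg $"$STRING "
-else
-aa_log_failure_msg $"$STRING "
-fi
-return $rc
-}
-
-aa_log_success_msg() {
-[ -n "$1" ] && echo -n $1
-echo ": done."
-}
-
-aa_log_warning_msg() {
-[ -n "$1" ] && echo -n $1
-echo ": Warning."
-}
-
-aa_log_failure_msg() {
-[ -n "$1" ] && echo -n $1
-echo ": Failed."
-}
-
-aa_log_skipped_msg() {
-[ -n "$1" ] && echo -n $1
-echo ": Skipped."
-}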