|
|
|
@ -359,55 +359,38 @@ in |
|
|
|
|
]; |
|
|
|
|
|
|
|
|
|
security.apparmor.policies."bin.transmission-daemon".profile = '' |
|
|
|
|
include <tunables/global> |
|
|
|
|
${pkgs.transmission}/bin/transmission-daemon { |
|
|
|
|
include <abstractions/base> |
|
|
|
|
include <abstractions/nameservice> |
|
|
|
|
include <abstractions/ssl_certs> |
|
|
|
|
include "${pkgs.apparmorRulesFromClosure |
|
|
|
|
{ name = "transmission-daemon"; } |
|
|
|
|
[ pkgs.transmission ]}" |
|
|
|
|
include <local/bin.transmission-daemon> |
|
|
|
|
|
|
|
|
|
r @{PROC}/sys/kernel/random/uuid, |
|
|
|
|
r @{PROC}/sys/vm/overcommit_memory, |
|
|
|
|
r @{PROC}/@{pid}/environ, |
|
|
|
|
r @{PROC}/@{pid}/mounts, |
|
|
|
|
rwk /tmp/tr_session_id_*, |
|
|
|
|
r /run/systemd/resolve/stub-resolv.conf, |
|
|
|
|
|
|
|
|
|
r ${pkgs.openssl.out}/etc/**, |
|
|
|
|
r ${config.systemd.services.transmission.environment.CURL_CA_BUNDLE}, |
|
|
|
|
|
|
|
|
|
owner rw ${cfg.home}/${settingsDir}/**, |
|
|
|
|
rw ${cfg.settings.download-dir}/**, |
|
|
|
|
${optionalString cfg.settings.incomplete-dir-enabled '' |
|
|
|
|
rw ${cfg.settings.incomplete-dir}/**, |
|
|
|
|
''} |
|
|
|
|
${optionalString cfg.settings.watch-dir-enabled '' |
|
|
|
|
rw ${cfg.settings.watch-dir}/**, |
|
|
|
|
''} |
|
|
|
|
profile dirs { |
|
|
|
|
rw ${cfg.settings.download-dir}/**, |
|
|
|
|
${optionalString cfg.settings.incomplete-dir-enabled '' |
|
|
|
|
rw ${cfg.settings.incomplete-dir}/**, |
|
|
|
|
''} |
|
|
|
|
${optionalString cfg.settings.watch-dir-enabled '' |
|
|
|
|
rw ${cfg.settings.watch-dir}/**, |
|
|
|
|
''} |
|
|
|
|
} |
|
|
|
|
include "${pkgs.transmission.apparmor}/bin.transmission-daemon" |
|
|
|
|
''; |
|
|
|
|
security.apparmor.includes."local/bin.transmission-daemon" = '' |
|
|
|
|
r ${config.systemd.services.transmission.environment.CURL_CA_BUNDLE}, |
|
|
|
|
|
|
|
|
|
owner rw ${cfg.home}/${settingsDir}/**, |
|
|
|
|
rw ${cfg.settings.download-dir}/**, |
|
|
|
|
${optionalString cfg.settings.incomplete-dir-enabled '' |
|
|
|
|
rw ${cfg.settings.incomplete-dir}/**, |
|
|
|
|
''} |
|
|
|
|
${optionalString cfg.settings.watch-dir-enabled '' |
|
|
|
|
rw ${cfg.settings.watch-dir}/**, |
|
|
|
|
''} |
|
|
|
|
profile dirs { |
|
|
|
|
rw ${cfg.settings.download-dir}/**, |
|
|
|
|
${optionalString cfg.settings.incomplete-dir-enabled '' |
|
|
|
|
rw ${cfg.settings.incomplete-dir}/**, |
|
|
|
|
''} |
|
|
|
|
${optionalString cfg.settings.watch-dir-enabled '' |
|
|
|
|
rw ${cfg.settings.watch-dir}/**, |
|
|
|
|
''} |
|
|
|
|
} |
|
|
|
|
|
|
|
|
|
${optionalString (cfg.settings.script-torrent-done-enabled && |
|
|
|
|
cfg.settings.script-torrent-done-filename != "") '' |
|
|
|
|
# Stack transmission_directories profile on top of |
|
|
|
|
# any existing profile for script-torrent-done-filename |
|
|
|
|
# FIXME: to be tested as I'm not sure it works well with NoNewPrivileges= |
|
|
|
|
# https://gitlab.com/apparmor/apparmor/-/wikis/AppArmorStacking#seccomp-and-no_new_privs |
|
|
|
|
px ${cfg.settings.script-torrent-done-filename} -> &@{dirs}, |
|
|
|
|
''} |
|
|
|
|
} |
|
|
|
|
${optionalString (cfg.settings.script-torrent-done-enabled && |
|
|
|
|
cfg.settings.script-torrent-done-filename != "") '' |
|
|
|
|
# Stack transmission_directories profile on top of |
|
|
|
|
# any existing profile for script-torrent-done-filename |
|
|
|
|
# FIXME: to be tested as I'm not sure it works well with NoNewPrivileges= |
|
|
|
|
# https://gitlab.com/apparmor/apparmor/-/wikis/AppArmorStacking#seccomp-and-no_new_privs |
|
|
|
|
px ${cfg.settings.script-torrent-done-filename} -> &@{dirs}, |
|
|
|
|
''} |
|
|
|
|
''; |
|
|
|
|
security.apparmor.includes."local/bin.transmission-daemon" = ""; |
|
|
|
|
}; |
|
|
|
|
|
|
|
|
|
meta.maintainers = with lib.maintainers; [ julm ]; |
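Review bot: The comment above the `px` rule (L334-L354, repeated at L379-L399) says it stacks the `transmission_directories` profile, but the child profile defined in this hunk is named `dirs`, and `&@{dirs}` is AppArmor variable syntax rather than a profile name, so unless a `@{dirs}` variable is defined outside this hunk the transition presumably does not resolve to that child profile — worth checking with `apparmor_parser -Q` on the generated policy and a run with script-torrent-done enabled. The FIXME about NoNewPrivileges= is also carried over unchanged; the linked wiki page appears to describe `&`-stacking as exactly the transition form permitted under no_new_privs, so either verify it and drop the FIXME or say in the comment that the script path stays effectively unconfined until that is done. I would reword the stanza's first comment to `# Stack the child profile "dirs" on top of any existing profile for script-torrent-done-filename`. The enclosing attribute set starts before the hunk, and the two copies of this stanza should be kept identical when one is fixed.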
|
|
|
|