author | Joachim Fasting <joachifm@fastmail.fm> | 2015-01-09 13:57:04 +0100 |
---|---|---|
committer | Joachim Fasting <joachifm@fastmail.fm> | 2015-01-09 15:08:07 +0100 |
commit | 97bac259d0deae93934357dc7c4bf7628cae88f8 (patch) | |
tree | 31c77d8c0180381b70a7a579efb362a9bccf8a6b | |
parent | b6f8d1f6d5c45cc0dbbe72ea4bc518c46d47a239 (diff) | |
dnscrypt-proxy service: update AppArmor profile
This patch fixes the AppArmor profile path clause and adds (currently ignored) network rules. The AppArmor profile used to be defined for the path sbin/dnscrypt-proxy, but the real path is bin/dnscrypt-proxy (due to sbin now being a symlink to bin), which permitted the service to run unconfined. Adding the network rules has no effect other than improving correctness, as the version of AppArmor in the NixOS kernel fails to enforce network rules.
-rw-r--r-- | nixos/modules/services/networking/dnscrypt-proxy.nix | 9 |
1 files changed, 7 insertions, 2 deletions
diff --git a/nixos/modules/services/networking/dnscrypt-proxy.nix b/nixos/modules/services/networking/dnscrypt-proxy.nix index 26549bfe6f14..e9aa5cd9792b 100644 --- a/nixos/modules/services/networking/dnscrypt-proxy.nix +++ b/nixos/modules/services/networking/dnscrypt-proxy.nix @@ -88,7 +88,12 @@ in security.apparmor.profiles = mkIf apparmorEnabled [ (pkgs.writeText "apparmor-dnscrypt-proxy" '' - ${dnscrypt-proxy}/sbin/dnscrypt-proxy { + ${dnscrypt-proxy}/bin/dnscrypt-proxy { + network inet stream, + network inet6 stream, + network inet dgram, + network inet6 dgram, + capability ipc_lock, capability net_bind_service, capability net_admin, @@ -126,7 +131,7 @@ in wantedBy = [ "multi-user.target" ]; serviceConfig = { Type = "forking"; - ExecStart = "${dnscrypt-proxy}/sbin/dnscrypt-proxy ${toString daemonArgs}"; + ExecStart = "${dnscrypt-proxy}/bin/dnscrypt-proxy ${toString daemonArgs}"; }; }; |
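Review bot: the `network inet stream`, `network inet6 stream`, `network inet dgram` and `network inet6 dgram` rules added in the profile hunk are, by the commit message's own account, not enforced by the AppArmor build in the NixOS kernel, so the profile still places no restriction on the sockets dnscrypt-proxy may open; a comment beside those rules in the Nix expression saying they are declared for correctness only and are currently ignored would stop a later reader from assuming enforcement. The same hunk also adds `capability ipc_lock,`, which the commit message does not mention; please document why the daemon needs that capability so the grant stays auditable alongside `net_bind_service` and `net_admin`.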
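Review bot: the `${dnscrypt-proxy}/bin/dnscrypt-proxy` string in the `ExecStart` hunk is the same path the profile attaches to in the first hunk, and the defect being fixed here was exactly these two copies drifting apart (the profile naming `sbin/` while the binary moved to `bin/`, which left the daemon running unconfined). Bind the path once in the module's `let` block, e.g. `dnscrypt-proxy-bin = "${dnscrypt-proxy}/bin/dnscrypt-proxy";`, and reference that binding from both the profile header and `ExecStart`, so a future change to the package layout cannot silently detach the profile again.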