author | Joachim F <joachifm@users.noreply.github.com> | 2019-05-12 15:17:38 +0000 |
---|---|---|
committer | GitHub <noreply@github.com> | 2019-05-12 15:17:38 +0000 |
commit | 428ddf0619184d1e1d8e5e05a5b4639edc50507e (patch) | |
tree | ecdc0e0c60ed71b7378d1d5dfea94c8b6ce27b98 | |
parent | c99a01aa7a82f10535678bf22ff348939a1bbb7a (diff) | |
parent | 92d41f83fdf8153bd76440e88302d649ea6f7b9e (diff) | |
Merge pull request #61306 from joachifm/feat/fix-apparmor-boot-linux_5_1
Fix apparmor boot on linux 5.1
-rw-r--r-- | nixos/modules/security/apparmor.nix | 2 | ||||
-rw-r--r-- | nixos/tests/hardened.nix | 10 |
2 files changed, 12 insertions, 0 deletions
diff --git a/nixos/modules/security/apparmor.nix b/nixos/modules/security/apparmor.nix index 4512a7a80f6d..cfc65b347bc6 100644 --- a/nixos/modules/security/apparmor.nix +++ b/nixos/modules/security/apparmor.nix @@ -29,6 +29,8 @@ in config = mkIf cfg.enable { environment.systemPackages = [ pkgs.apparmor-utils ]; + boot.kernelParams = [ "apparmor=1" "security=apparmor" ]; + systemd.services.apparmor = let paths = concatMapStrings (s: " -I ${s}/etc/apparmor.d") ([ pkgs.apparmor-profiles ] ++ cfg.packages); diff --git a/nixos/tests/hardened.nix b/nixos/tests/hardened.nix index 07bd10963bab..614889c4d73c 100644 --- a/nixos/tests/hardened.nix +++ b/nixos/tests/hardened.nix @@ -30,6 +30,16 @@ import ./make-test.nix ({ pkgs, ...} : { '' $machine->waitForUnit("multi-user.target"); + subtest "apparmor-loaded", sub { + $machine->succeed("systemctl status apparmor.service"); + }; + + # AppArmor securityfs + subtest "apparmor-securityfs", sub { + $machine->succeed("mountpoint -q /sys/kernel/security"); + $machine->succeed("cat /sys/kernel/security/apparmor/profiles"); + }; + # Test loading out-of-tree modules subtest "extra-module-packages", sub { $machine->succeed("grep -Fq wireguard /proc/modules"); |
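Review bot: The added `boot.kernelParams` line in apparmor.nix has no comment explaining why AppArmor must now be requested on the command line, and `security=apparmor` is the legacy selector, which the kernel ignores once an `lsm=` parameter is also present. If a user or another module adds `lsm=...` without `apparmor` in the list, the machine would presumably boot without AppArmor confinement and nothing in this module would report it. I would put `# Linux >= 5.1 picks LSMs via CONFIG_LSM / lsm=; request AppArmor explicitly so profiles are actually enforced` above the line. Consider also an assertion or unit precondition that fails loudly when AppArmor is not active in the running kernel. The `config = mkIf cfg.enable` block continues outside the hunk.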
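Review bot: The `apparmor-securityfs` subtest in hardened.nix still passes when no profile is loaded, because `cat /sys/kernel/security/apparmor/profiles` exits 0 on an empty list. The `systemctl status apparmor.service` check in `apparmor-loaded` reports the unit's state, not whether the kernel has the LSM active. To catch the regression this commit fixes directly, I would add `$machine->succeed("grep -q apparmor /sys/kernel/security/lsm");`. If the hardened profile is expected to ship at least one profile (not visible here), replace the `cat` with `grep -q . /sys/kernel/security/apparmor/profiles`. The test script string starts and ends outside the hunk.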