authorJoachim Fasting <joachifm@fastmail.fm>2015-03-12 10:11:25 +0100
committerJoachim Fasting <joachifm@fastmail.fm>2015-03-12 11:49:05 +0100
commit7a9a24a95e70f10ebd90eda94f08508f03942963 (patch)
tree30a96df63babdda99c2b8d649e849768139e9e2c /nixos/modules/security/apparmor.nix
parent65e41b4f08f11ba153763daf263afd968ea3cc1d (diff)
Update AppArmor service module
- Use AppArmor 2.9
- Enable PAM support
Diffstat (limited to 'nixos/modules/security/apparmor.nix')
-rw-r--r--nixos/modules/security/apparmor.nix90
1 files changed, 54 insertions, 36 deletions
diff --git a/nixos/modules/security/apparmor.nix b/nixos/modules/security/apparmor.nix
index f29e7a5ad818..92f020edce56 100644
--- a/nixos/modules/security/apparmor.nix
+++ b/nixos/modules/security/apparmor.nix
@@ -1,43 +1,61 @@
 { config, lib, pkgs, ... }:
 
-with lib;
-
 let
+  inherit (lib) mkIf mkOption types concatMapStrings;
   cfg = config.security.apparmor;
 in
+
 {
-  options = {
-    security.apparmor = {
-      enable = mkOption {
-        type = types.bool;
-        default = false;
-        description = "Enable the AppArmor Mandatory Access Control system.";
-      };
-
-      profiles = mkOption {
-        type = types.listOf types.path;
-        default = [];
-        description = "List of files containing AppArmor profiles.";
-      };
-    };
-  };
-
-  config = mkIf cfg.enable {
-    environment.systemPackages = [ pkgs.apparmor ];
-    systemd.services.apparmor = {
-      wantedBy = [ "local-fs.target" ];
-      path     = [ pkgs.apparmor ];
-
-      serviceConfig = {
-        Type = "oneshot";
-        RemainAfterExit = "yes";
-        ExecStart = concatMapStrings (profile:
-          ''${pkgs.apparmor}/sbin/apparmor_parser -rKv -I ${pkgs.apparmor}/etc/apparmor.d/ "${profile}" ; ''
-        ) cfg.profiles;
-        ExecStop = concatMapStrings (profile:
-          ''${pkgs.apparmor}/sbin/apparmor_parser -Rv -I ${pkgs.apparmor}/etc/apparmor.d/ "${profile}" ; ''
-        ) cfg.profiles;
-      };
-    };
-  };
+   #### interface
+   options = {
+
+     security.apparmor = {
+
+       enable = mkOption {
+         type = types.bool;
+         default = false;
+         description = "Enable the AppArmor Mandatory Access Control system.";
+       };
+
+       profiles = mkOption {
+         type = types.listOf types.path;
+         default = [];
+         description = "List of files containing AppArmor profiles.";
+       };
+
+     };
+
+   };
+
+   #### implementation
+   config = mkIf cfg.enable {
+
+     environment.systemPackages = [
+       pkgs.apparmor-utils
+     ];
+
+     systemd.services.apparmor = {
+       wantedBy = [ "local-fs.target" ];
+
+       serviceConfig = {
+         Type = "oneshot";
+         RemainAfterExit = "yes";
+         ExecStart = concatMapStrings (p:
+           ''${pkgs.apparmor-parser}/bin/apparmor_parser -rKv -I ${pkgs.apparmor-profiles}/etc/apparmor.d "${p}" ; ''
+         ) cfg.profiles;
+         ExecStop = concatMapStrings (p:
+           ''${pkgs.apparmor-parser}/bin/apparmor_parser -Rv "${p}" ; ''
+         ) cfg.profiles;
+       };
+     };
+
+     security.pam.services.apparmor.text = ''
+       ## The AppArmor service changes hats according to order: first try
+       ## user, then group, and finally fall back to a hat called "DEFAULT"
+       ##
+       ## For now, enable debugging as this is an experimental feature.
+       session optional ${pkgs.apparmor-pam}/lib/security/pam_apparmor.so order=user,group,default debug
+     '';
+
+   };
 }
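Review bot: The new ExecStop (`apparmor_parser -Rv "${p}"`) drops the `-I ${pkgs.apparmor-profiles}/etc/apparmor.d` include path that the new ExecStart and the old ExecStop both pass, so a profile that includes abstractions will likely fail to parse on unload and stay loaded in the kernel after the unit is stopped or restarted on a rebuild. Pass the same include path in both commands: `''${pkgs.apparmor-parser}/bin/apparmor_parser -Rv -I ${pkgs.apparmor-profiles}/etc/apparmor.d "${p}" ; ''`. Separately, `wantedBy = [ "local-fs.target" ]` pulls the unit in but declares no `before`/`after` ordering, so profile loading is not guaranteed to finish before the services those profiles confine are started; a `before` on an early target, or an explicit ordering on the confined units, would make the enforcement window deterministic. Note also that an empty `cfg.profiles` yields an empty `ExecStart`, which the module silently accepts.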