author | Joachim Fasting <joachifm@fastmail.fm> | 2015-04-18 23:15:35 +0200 |
---|---|---|
committer | Joachim Fasting <joachifm@fastmail.fm> | 2015-07-15 12:40:06 +0200 |
commit | 2e0933787bff6772a698a3e8e8f3c93cb2bb7370 (patch) | |
tree | 468ff850b31a52e184450e5baf2a1736d36a6c27 /nixos/modules/security/pam.nix | |
parent | 6ad8fab785695d04a6925e8b3464ca7c71a85c3f (diff) | |
nixos: add AppArmor PAM support
Enables attaching AppArmor profiles at the user/group level. This is not intended to be used directly, but as part of a role-based access control scheme. For now, profile attachment is 'session optional', but should be changed to 'required' once a more comprehensive solution is in place.
Diffstat (limited to 'nixos/modules/security/pam.nix')
-rw-r--r-- | nixos/modules/security/pam.nix | 12 |
1 files changed, 12 insertions, 0 deletions
diff --git a/nixos/modules/security/pam.nix b/nixos/modules/security/pam.nix
index 02520fb88cdd..15533fbdc3d5 100644
--- a/nixos/modules/security/pam.nix
+++ b/nixos/modules/security/pam.nix
@@ -192,6 +192,16 @@ let
 description = "Whether to log authentication failures in <filename>/var/log/faillog</filename>.";
 };
 
+ enableAppArmor = mkOption {
+ default = false;
+ type = types.bool;
+ description = ''
+ Enable support for attaching AppArmor profiles at the
+ user/group level, e.g., as part of a role based access
+ control scheme.
+ '';
+ };
+
 text = mkOption {
 type = types.nullOr types.lines;
 description = "Contents of the PAM service file.";
@@ -294,6 +304,8 @@ let
 "session optional ${pkgs.pam}/lib/security/pam_motd.so motd=${motd}"}
 ${optionalString cfg.pamMount
 "session optional ${pkgs.pam_mount}/lib/security/pam_mount.so"}
+ ${optionalString (cfg.enableAppArmor && config.security.apparmor.enable)
+ "session optional ${pkgs.apparmor-pam}/lib/security/pam_apparmor.so order=user,group,default debug"}
 '';
 };
 
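Review bot: The description of the new `enableAppArmor` option does not say that it is a no-op unless `security.apparmor.enable` is also true, which is exactly the guard the second hunk uses, so a user who sets only this option gets no confinement and no warning. It also does not say that the resulting PAM entry is `session optional`, i.e. a failed profile attachment does not deny the session. Suggest extending the description with `Has no effect unless security.apparmor.enable is also set. The entry is added as 'session optional', so a failed profile/hat change does not deny the login.` The enclosing option set and the surrounding `let` binding continue outside the hunk.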
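Review bot: The added `pam_apparmor.so` line hard-codes the `debug` module option, which turns on per-session debug logging to syslog for every PAM service that enables this, on production systems; drop it or put it behind its own knob, e.g. `"session optional ${pkgs.apparmor-pam}/lib/security/pam_apparmor.so order=user,group,default"`. Because the entry is `session optional`, a failed hat change (no matching `user`, `group` or `DEFAULT` hat) leaves the session unconfined silently, and the `config.security.apparmor.enable` guard does not check that the PAM client (sshd, login, etc.) is itself confined — as far as I recall, pam_apparmor only switches hats within the calling process's existing profile, so without one it does nothing. A one-line comment above the entry such as `# best-effort: only effective when the calling service runs under an AppArmor profile with user/group/DEFAULT hats` would save the next maintainer from assuming the option confines anything on its own. The `text = mkDefault ''…''` string this entry is appended to starts above the hunk.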