diff options
| author | Joachim Fasting <joachifm@fastmail.fm> | 2019-04-28 15:12:37 +0200 |
|---|---|---|
| committer | Joachim Fasting <joachifm@fastmail.fm> | 2019-04-28 17:38:12 +0200 |
| commit | aa24c4e95b54acb8bcd526ee04afb5492808457c (patch) | |
| tree | 46e634b3edc748f15835042430367fc063a8ce37 /nixos | |
| parent | f824dad19aa3605d0178a3121bfcba9bda8a4ddb (diff) | |
| download | nixlib-aa24c4e95b54acb8bcd526ee04afb5492808457c.tar nixlib-aa24c4e95b54acb8bcd526ee04afb5492808457c.tar.gz nixlib-aa24c4e95b54acb8bcd526ee04afb5492808457c.tar.bz2 nixlib-aa24c4e95b54acb8bcd526ee04afb5492808457c.tar.lz nixlib-aa24c4e95b54acb8bcd526ee04afb5492808457c.tar.xz nixlib-aa24c4e95b54acb8bcd526ee04afb5492808457c.tar.zst nixlib-aa24c4e95b54acb8bcd526ee04afb5492808457c.zip | |
nixos/apparmor: allow reloading profiles without losing confinement
Define ExecReload, otherwise reload implies stop followed by start, which leaves existing processes in unconfined state [1]. [1]: https://gitlab.com/apparmor/apparmor/wikis/AppArmorInSystemd
Diffstat (limited to 'nixos')
| -rw-r--r-- | nixos/modules/security/apparmor.nix | 3 |
1 files changed, 3 insertions, 0 deletions
diff --git a/nixos/modules/security/apparmor.nix b/nixos/modules/security/apparmor.nix index fdff85774a2f..4512a7a80f6d 100644 --- a/nixos/modules/security/apparmor.nix +++ b/nixos/modules/security/apparmor.nix @@ -48,6 +48,9 @@ in ExecStop = map (p: ''${pkgs.apparmor-parser}/bin/apparmor_parser -Rv "${p}"'' ) cfg.profiles; + ExecReload = map (p: + ''${pkgs.apparmor-parser}/bin/apparmor_parser --reload ${paths} "${p}"'' + ) cfg.profiles; }; }; }; |