diff options
-rw-r--r-- | nixos/modules/security/apparmor.nix | 2 | ||||
-rw-r--r-- | nixos/tests/hardened.nix | 10 |
2 files changed, 12 insertions, 0 deletions
diff --git a/nixos/modules/security/apparmor.nix b/nixos/modules/security/apparmor.nix index 4512a7a80f6d..cfc65b347bc6 100644 --- a/nixos/modules/security/apparmor.nix +++ b/nixos/modules/security/apparmor.nix @@ -29,6 +29,8 @@ in config = mkIf cfg.enable { environment.systemPackages = [ pkgs.apparmor-utils ]; + boot.kernelParams = [ "apparmor=1" "security=apparmor" ]; + systemd.services.apparmor = let paths = concatMapStrings (s: " -I ${s}/etc/apparmor.d") ([ pkgs.apparmor-profiles ] ++ cfg.packages); diff --git a/nixos/tests/hardened.nix b/nixos/tests/hardened.nix index 07bd10963bab..614889c4d73c 100644 --- a/nixos/tests/hardened.nix +++ b/nixos/tests/hardened.nix @@ -30,6 +30,16 @@ import ./make-test.nix ({ pkgs, ...} : { '' $machine->waitForUnit("multi-user.target"); + subtest "apparmor-loaded", sub { + $machine->succeed("systemctl status apparmor.service"); + }; + + # AppArmor securityfs + subtest "apparmor-securityfs", sub { + $machine->succeed("mountpoint -q /sys/kernel/security"); + $machine->succeed("cat /sys/kernel/security/apparmor/profiles"); + }; + # Test loading out-of-tree modules subtest "extra-module-packages", sub { $machine->succeed("grep -Fq wireguard /proc/modules"); |