diff options
Diffstat (limited to 'nixos/modules/security')
| -rw-r--r-- | nixos/modules/security/apparmor.nix | 72 | ||||
| -rw-r--r-- | nixos/modules/security/grsecurity.nix | 4 | ||||
| -rw-r--r-- | nixos/modules/security/sudo.nix | 2 |
3 files changed, 42 insertions, 36 deletions
diff --git a/nixos/modules/security/apparmor.nix b/nixos/modules/security/apparmor.nix index f29e7a5ad818..4fef62cbffd7 100644 --- a/nixos/modules/security/apparmor.nix +++ b/nixos/modules/security/apparmor.nix @@ -1,43 +1,49 @@ { config, lib, pkgs, ... }: -with lib; - let + inherit (lib) mkIf mkOption types concatMapStrings; cfg = config.security.apparmor; in + { - options = { - security.apparmor = { - enable = mkOption { - type = types.bool; - default = false; - description = "Enable the AppArmor Mandatory Access Control system."; - }; + options = { + security.apparmor = { + enable = mkOption { + type = types.bool; + default = false; + description = "Enable the AppArmor Mandatory Access Control system."; + }; + profiles = mkOption { + type = types.listOf types.path; + default = []; + description = "List of files containing AppArmor profiles."; + }; + }; + }; - profiles = mkOption { - type = types.listOf types.path; - default = []; - description = "List of files containing AppArmor profiles."; - }; - }; - }; + config = mkIf cfg.enable { + environment.systemPackages = [ pkgs.apparmor-utils ]; - config = mkIf cfg.enable { - environment.systemPackages = [ pkgs.apparmor ]; - systemd.services.apparmor = { - wantedBy = [ "local-fs.target" ]; - path = [ pkgs.apparmor ]; + systemd.services.apparmor = { + wantedBy = [ "local-fs.target" ]; + serviceConfig = { + Type = "oneshot"; + RemainAfterExit = "yes"; + ExecStart = concatMapStrings (p: + ''${pkgs.apparmor-parser}/bin/apparmor_parser -rKv -I ${pkgs.apparmor-profiles}/etc/apparmor.d "${p}" ; '' + ) cfg.profiles; + ExecStop = concatMapStrings (p: + ''${pkgs.apparmor-parser}/bin/apparmor_parser -Rv "${p}" ; '' + ) cfg.profiles; + }; + }; - serviceConfig = { - Type = "oneshot"; - RemainAfterExit = "yes"; - ExecStart = concatMapStrings (profile: - ''${pkgs.apparmor}/sbin/apparmor_parser -rKv -I ${pkgs.apparmor}/etc/apparmor.d/ "${profile}" ; '' - ) cfg.profiles; - ExecStop = concatMapStrings (profile: - ''${pkgs.apparmor}/sbin/apparmor_parser -Rv -I ${pkgs.apparmor}/etc/apparmor.d/ "${profile}" ; '' - ) cfg.profiles; - }; - }; - }; + security.pam.services.apparmor.text = '' + ## AppArmor changes hats according to `order`: first try user, then + ## group, and finally fall back to a hat called "DEFAULT" + ## + ## For now, enable debugging as this is an experimental feature. + session optional ${pkgs.apparmor-pam}/lib/security/pam_apparmor.so order=user,group,default debug + ''; + }; } diff --git a/nixos/modules/security/grsecurity.nix b/nixos/modules/security/grsecurity.nix index 66eeab7503db..8cd400933487 100644 --- a/nixos/modules/security/grsecurity.nix +++ b/nixos/modules/security/grsecurity.nix @@ -38,7 +38,7 @@ in type = types.bool; default = false; description = '' - Enable the testing grsecurity patch, based on Linux 3.18. + Enable the testing grsecurity patch, based on Linux 3.19. ''; }; @@ -245,7 +245,7 @@ in message = '' If grsecurity is enabled, you must select either the stable patch (with kernel 3.14), or the testing patch (with - kernel 3.18) to continue. + kernel 3.19) to continue. ''; } { assertion = (cfg.stable -> !cfg.testing) || (cfg.testing -> !cfg.stable); diff --git a/nixos/modules/security/sudo.nix b/nixos/modules/security/sudo.nix index d42a8c7f7d29..bced2a6ed757 100644 --- a/nixos/modules/security/sudo.nix +++ b/nixos/modules/security/sudo.nix @@ -77,7 +77,7 @@ in root ALL=(ALL) SETENV: ALL # Users in the "wheel" group can do anything. - %wheel ALL=(ALL) ${if cfg.wheelNeedsPassword then "" else "NOPASSWD: ALL, "}SETENV: ALL + %wheel ALL=(ALL:ALL) ${if cfg.wheelNeedsPassword then "" else "NOPASSWD: ALL, "}SETENV: ALL ${cfg.extraConfig} ''; |