about summary refs log tree commit diff
path: root/nixpkgs/nixos/modules/security/pam.nix
diff options
context:
space:
mode:
Diffstat (limited to 'nixpkgs/nixos/modules/security/pam.nix')
-rw-r--r--nixpkgs/nixos/modules/security/pam.nix81
1 files changed, 78 insertions, 3 deletions
diff --git a/nixpkgs/nixos/modules/security/pam.nix b/nixpkgs/nixos/modules/security/pam.nix
index 103cf2050123..3cde7e951551 100644
--- a/nixpkgs/nixos/modules/security/pam.nix
+++ b/nixpkgs/nixos/modules/security/pam.nix
@@ -433,7 +433,7 @@ let
                 ("auth optional ${pkgs.plasma5Packages.kwallet-pam}/lib/security/pam_kwallet5.so" +
                  " kwalletd=${pkgs.plasma5Packages.kwallet.bin}/bin/kwalletd5")}
               ${optionalString cfg.enableGnomeKeyring
-                "auth optional ${pkgs.gnome3.gnome-keyring}/lib/security/pam_gnome_keyring.so"}
+                "auth optional ${pkgs.gnome.gnome-keyring}/lib/security/pam_gnome_keyring.so"}
               ${optionalString cfg.gnupg.enable
                 "auth optional ${pkgs.pam_gnupg}/lib/security/pam_gnupg.so"
                 + optionalString cfg.gnupg.storeOnly " store-only"
@@ -471,7 +471,7 @@ let
           ${optionalString config.krb5.enable
               "password sufficient ${pam_krb5}/lib/security/pam_krb5.so use_first_pass"}
           ${optionalString cfg.enableGnomeKeyring
-              "password optional ${pkgs.gnome3.gnome-keyring}/lib/security/pam_gnome_keyring.so use_authtok"}
+              "password optional ${pkgs.gnome.gnome-keyring}/lib/security/pam_gnome_keyring.so use_authtok"}
 
           # Session management.
           ${optionalString cfg.setEnvironment ''
@@ -512,7 +512,7 @@ let
               ("session optional ${pkgs.plasma5Packages.kwallet-pam}/lib/security/pam_kwallet5.so" +
                " kwalletd=${pkgs.plasma5Packages.kwallet.bin}/bin/kwalletd5")}
           ${optionalString (cfg.enableGnomeKeyring)
-              "session optional ${pkgs.gnome3.gnome-keyring}/lib/security/pam_gnome_keyring.so auto_start"}
+              "session optional ${pkgs.gnome.gnome-keyring}/lib/security/pam_gnome_keyring.so auto_start"}
           ${optionalString cfg.gnupg.enable
               "session optional ${pkgs.pam_gnupg}/lib/security/pam_gnupg.so"
               + optionalString cfg.gnupg.noAutostart " no-autostart"
@@ -895,6 +895,81 @@ in
         runuser-l = { rootOK = true; unixAuth = false; };
       };
 
+    security.apparmor.includes."abstractions/pam" = let
+      isEnabled = test: fold or false (map test (attrValues config.security.pam.services));
+      in
+      lib.concatMapStringsSep "\n"
+        (name: "r ${config.environment.etc."pam.d/${name}".source},")
+        (attrNames config.security.pam.services) +
+      ''
+      mr ${getLib pkgs.pam}/lib/security/pam_filter/*,
+      mr ${getLib pkgs.pam}/lib/security/pam_*.so,
+      r ${getLib pkgs.pam}/lib/security/,
+      '' +
+      optionalString use_ldap ''
+         mr ${pam_ldap}/lib/security/pam_ldap.so,
+      '' +
+      optionalString config.services.sssd.enable ''
+        mr ${pkgs.sssd}/lib/security/pam_sss.so,
+      '' +
+      optionalString config.krb5.enable ''
+        mr ${pam_krb5}/lib/security/pam_krb5.so,
+        mr ${pam_ccreds}/lib/security/pam_ccreds.so,
+      '' +
+      optionalString (isEnabled (cfg: cfg.googleOsLoginAccountVerification)) ''
+        mr ${pkgs.google-compute-engine-oslogin}/lib/pam_oslogin_login.so,
+        mr ${pkgs.google-compute-engine-oslogin}/lib/pam_oslogin_admin.so,
+      '' +
+      optionalString (isEnabled (cfg: cfg.googleOsLoginAuthentication)) ''
+        mr ${pkgs.google-compute-engine-oslogin}/lib/pam_oslogin_login.so,
+      '' +
+      optionalString (config.security.pam.enableSSHAgentAuth
+                     && isEnabled (cfg: cfg.sshAgentAuth)) ''
+        mr ${pkgs.pam_ssh_agent_auth}/libexec/pam_ssh_agent_auth.so,
+      '' +
+      optionalString (isEnabled (cfg: cfg.fprintAuth)) ''
+        mr ${pkgs.fprintd}/lib/security/pam_fprintd.so,
+      '' +
+      optionalString (isEnabled (cfg: cfg.u2fAuth)) ''
+        mr ${pkgs.pam_u2f}/lib/security/pam_u2f.so,
+      '' +
+      optionalString (isEnabled (cfg: cfg.usbAuth)) ''
+        mr ${pkgs.pam_usb}/lib/security/pam_usb.so,
+      '' +
+      optionalString (isEnabled (cfg: cfg.oathAuth)) ''
+        "mr ${pkgs.oathToolkit}/lib/security/pam_oath.so,
+      '' +
+      optionalString (isEnabled (cfg: cfg.yubicoAuth)) ''
+        mr ${pkgs.yubico-pam}/lib/security/pam_yubico.so,
+      '' +
+      optionalString (isEnabled (cfg: cfg.duoSecurity.enable)) ''
+        mr ${pkgs.duo-unix}/lib/security/pam_duo.so,
+      '' +
+      optionalString (isEnabled (cfg: cfg.otpwAuth)) ''
+        mr ${pkgs.otpw}/lib/security/pam_otpw.so,
+      '' +
+      optionalString config.security.pam.enableEcryptfs ''
+        mr ${pkgs.ecryptfs}/lib/security/pam_ecryptfs.so,
+      '' +
+      optionalString (isEnabled (cfg: cfg.pamMount)) ''
+        mr ${pkgs.pam_mount}/lib/security/pam_mount.so,
+      '' +
+      optionalString (isEnabled (cfg: cfg.enableGnomeKeyring)) ''
+        mr ${pkgs.gnome3.gnome-keyring}/lib/security/pam_gnome_keyring.so,
+      '' +
+      optionalString (isEnabled (cfg: cfg.startSession)) ''
+        mr ${pkgs.systemd}/lib/security/pam_systemd.so,
+      '' +
+      optionalString (isEnabled (cfg: cfg.enableAppArmor)
+                     && config.security.apparmor.enable) ''
+        mr ${pkgs.apparmor-pam}/lib/security/pam_apparmor.so,
+      '' +
+      optionalString (isEnabled (cfg: cfg.enableKwallet)) ''
+        mr ${pkgs.plasma5Packages.kwallet-pam}/lib/security/pam_kwallet5.so,
+      '' +
+      optionalString config.virtualisation.lxc.lxcfs.enable ''
+        mr ${pkgs.lxc}/lib/security/pam_cgfs.so
+      '';
   };
 
 }
generated by cgit-pink 1.4.1 (git 2.36.1) at 2024-06-10 11:56:10 +0000