Diffstat (limited to 'nixpkgs/nixos/modules/security/pam.nix')
-rw-r--r-- | nixpkgs/nixos/modules/security/pam.nix | 81 |
1 files changed, 78 insertions, 3 deletions
diff --git a/nixpkgs/nixos/modules/security/pam.nix b/nixpkgs/nixos/modules/security/pam.nix
index 103cf2050123..3cde7e951551 100644
--- a/nixpkgs/nixos/modules/security/pam.nix
+++ b/nixpkgs/nixos/modules/security/pam.nix
@@ -433,7 +433,7 @@ let
 ("auth optional ${pkgs.plasma5Packages.kwallet-pam}/lib/security/pam_kwallet5.so" +
 " kwalletd=${pkgs.plasma5Packages.kwallet.bin}/bin/kwalletd5")}
 ${optionalString cfg.enableGnomeKeyring
- "auth optional ${pkgs.gnome3.gnome-keyring}/lib/security/pam_gnome_keyring.so"}
+ "auth optional ${pkgs.gnome.gnome-keyring}/lib/security/pam_gnome_keyring.so"}
 ${optionalString cfg.gnupg.enable
 "auth optional ${pkgs.pam_gnupg}/lib/security/pam_gnupg.so"
 + optionalString cfg.gnupg.storeOnly " store-only"
@@ -471,7 +471,7 @@ let
 ${optionalString config.krb5.enable
 "password sufficient ${pam_krb5}/lib/security/pam_krb5.so use_first_pass"}
 ${optionalString cfg.enableGnomeKeyring
- "password optional ${pkgs.gnome3.gnome-keyring}/lib/security/pam_gnome_keyring.so use_authtok"}
+ "password optional ${pkgs.gnome.gnome-keyring}/lib/security/pam_gnome_keyring.so use_authtok"}
 # Session management.
 ${optionalString cfg.setEnvironment ''
@@ -512,7 +512,7 @@ let
 ("session optional ${pkgs.plasma5Packages.kwallet-pam}/lib/security/pam_kwallet5.so" +
 " kwalletd=${pkgs.plasma5Packages.kwallet.bin}/bin/kwalletd5")}
 ${optionalString (cfg.enableGnomeKeyring)
- "session optional ${pkgs.gnome3.gnome-keyring}/lib/security/pam_gnome_keyring.so auto_start"}
+ "session optional ${pkgs.gnome.gnome-keyring}/lib/security/pam_gnome_keyring.so auto_start"}
 ${optionalString cfg.gnupg.enable
 "session optional ${pkgs.pam_gnupg}/lib/security/pam_gnupg.so"
 + optionalString cfg.gnupg.noAutostart " no-autostart"
@@ -895,6 +895,81 @@ in
 runuser-l = { rootOK = true; unixAuth = false; };
 };
+ security.apparmor.includes."abstractions/pam" = let
+ isEnabled = test: fold or false (map test (attrValues config.security.pam.services));
+ in
+ lib.concatMapStringsSep "\n"
+ (name: "r ${config.environment.etc."pam.d/${name}".source},")
+ (attrNames config.security.pam.services) +
+ ''
+ mr ${getLib pkgs.pam}/lib/security/pam_filter/*,
+ mr ${getLib pkgs.pam}/lib/security/pam_*.so,
+ r ${getLib pkgs.pam}/lib/security/,
+ '' +
+ optionalString use_ldap ''
+ mr ${pam_ldap}/lib/security/pam_ldap.so,
+ '' +
+ optionalString config.services.sssd.enable ''
+ mr ${pkgs.sssd}/lib/security/pam_sss.so,
+ '' +
+ optionalString config.krb5.enable ''
+ mr ${pam_krb5}/lib/security/pam_krb5.so,
+ mr ${pam_ccreds}/lib/security/pam_ccreds.so,
+ '' +
+ optionalString (isEnabled (cfg: cfg.googleOsLoginAccountVerification)) ''
+ mr ${pkgs.google-compute-engine-oslogin}/lib/pam_oslogin_login.so,
+ mr ${pkgs.google-compute-engine-oslogin}/lib/pam_oslogin_admin.so,
+ '' +
+ optionalString (isEnabled (cfg: cfg.googleOsLoginAuthentication)) ''
+ mr ${pkgs.google-compute-engine-oslogin}/lib/pam_oslogin_login.so,
+ '' +
+ optionalString (config.security.pam.enableSSHAgentAuth
+ && isEnabled (cfg: cfg.sshAgentAuth)) ''
+ mr ${pkgs.pam_ssh_agent_auth}/libexec/pam_ssh_agent_auth.so,
+ '' +
+ optionalString (isEnabled (cfg: cfg.fprintAuth)) ''
+ mr ${pkgs.fprintd}/lib/security/pam_fprintd.so,
+ '' +
+ optionalString (isEnabled (cfg: cfg.u2fAuth)) ''
+ mr ${pkgs.pam_u2f}/lib/security/pam_u2f.so,
+ '' +
+ optionalString (isEnabled (cfg: cfg.usbAuth)) ''
+ mr ${pkgs.pam_usb}/lib/security/pam_usb.so,
+ '' +
+ optionalString (isEnabled (cfg: cfg.oathAuth)) ''
+ "mr ${pkgs.oathToolkit}/lib/security/pam_oath.so,
+ '' +
+ optionalString (isEnabled (cfg: cfg.yubicoAuth)) ''
+ mr ${pkgs.yubico-pam}/lib/security/pam_yubico.so,
+ '' +
+ optionalString (isEnabled (cfg: cfg.duoSecurity.enable)) ''
+ mr ${pkgs.duo-unix}/lib/security/pam_duo.so,
+ '' +
+ optionalString (isEnabled (cfg: cfg.otpwAuth)) ''
+ mr ${pkgs.otpw}/lib/security/pam_otpw.so,
+ '' +
+ optionalString config.security.pam.enableEcryptfs ''
+ mr ${pkgs.ecryptfs}/lib/security/pam_ecryptfs.so,
+ '' +
+ optionalString (isEnabled (cfg: cfg.pamMount)) ''
+ mr ${pkgs.pam_mount}/lib/security/pam_mount.so,
+ '' +
+ optionalString (isEnabled (cfg: cfg.enableGnomeKeyring)) ''
+ mr ${pkgs.gnome3.gnome-keyring}/lib/security/pam_gnome_keyring.so,
+ '' +
+ optionalString (isEnabled (cfg: cfg.startSession)) ''
+ mr ${pkgs.systemd}/lib/security/pam_systemd.so,
+ '' +
+ optionalString (isEnabled (cfg: cfg.enableAppArmor)
+ && config.security.apparmor.enable) ''
+ mr ${pkgs.apparmor-pam}/lib/security/pam_apparmor.so,
+ '' +
+ optionalString (isEnabled (cfg: cfg.enableKwallet)) ''
+ mr ${pkgs.plasma5Packages.kwallet-pam}/lib/security/pam_kwallet5.so,
+ '' +
+ optionalString config.virtualisation.lxc.lxcfs.enable ''
+ mr ${pkgs.lxc}/lib/security/pam_cgfs.so
+ '';
 };
 }
|
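Review bot: The pam_oath rule in the new abstraction is written as `"mr ${pkgs.oathToolkit}/lib/security/pam_oath.so,` — inside a `''` string that leading `"` is literal, so the generated file carries an unbalanced quote and apparmor_parser will most likely reject the whole abstraction as soon as any service sets oathAuth; it should read `mr ${pkgs.oathToolkit}/lib/security/pam_oath.so,`. The last rule, `mr ${pkgs.lxc}/lib/security/pam_cgfs.so`, is the only one without the terminating `,` that AppArmor rule syntax expects, which presumably fails the same way when lxcfs is enabled. The keyring rule still references `pkgs.gnome3.gnome-keyring` while the three hunks above move the same module to `pkgs.gnome.gnome-keyring`; the new line should follow the rename so the abstraction does not depend on the old alias. Since neither issue shows up at evaluation time but only when the profile is loaded on a host that happens to enable the option, a short comment above the `let` stating that every line must be a complete, comma-terminated AppArmor rule would help the next editor.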