fix aa patch

2024-12-02 10:58:45 +01:00 · 2024-12-02 10:58:45 +01:00 · a8b165e957
commit a8b165e957
parent f18654a7a5
2 changed files with 4 additions and 77 deletions
--- a/aa_mod.patch
+++ b/aa_mod.patch
@ -1,76 +0,0 @@
 diff --git a/nixos/modules/security/apparmor.nix b/nixos/modules/security/apparmor.nix
 index a4b3807e4e0f..87a2c2c81feb 100644
 --- a/nixos/modules/security/apparmor.nix
 +++ b/nixos/modules/security/apparmor.nix
@@ -3,15 +3,11 @@
 with lib;
 let
 -  inherit (builtins) attrNames head map match readFile;
 +  inherit (builtins) attrNames map match;
   inherit (lib) types;
   inherit (config.environment) etc;
   cfg = config.security.apparmor;
 -  mkDisableOption = name: mkEnableOption name // {
 -    default = true;
 -    example = false;
 -  };
 -  enabledPolicies = filterAttrs (n: p: p.enable) cfg.policies;
 +  enabledPolicies = filterAttrs (n: p: p.state != "disable") cfg.policies;
 in
 {
@@ -45,15 +41,30 @@ in
         description = ''
           AppArmor policies.
         '';
 -        type = types.attrsOf (types.submodule ({ name, config, ... }: {
 +        type = types.attrsOf (types.submodule ({ name, config, options, ... }: {
           options = {
 -            enable = mkDisableOption "loading of the profile into the kernel";
 -            enforce = mkDisableOption "enforcing of the policy or only complain in the logs";
 +            state = mkOption {
 +              description =
 +                "The state of the profile as applied to the system by nix";
 +              type = types.enum [ "disable" "complain" "enforce" ];
 +              # should enforce really be the default?
 +              # the docs state that this should only be used once one is REALLY sure nothing's gonna break
 +              default = "enforce";
 +            };
 +
             profile = mkOption {
 -              description = "The policy of the profile.";
 +              description = "The policy of the profile. Incompatible with path.";
               type = types.lines;
 -              apply = pkgs.writeText name;
             };
 +
 +            path = mkOption {
 +              type = types.nullOr types.path;
 +              default = null;
 +              description = "A path of a profile to include. Incompatible with profile.";
 +              apply = p: assert (assertMsg ((p != null && !options.profile.isDefined) || (p == null && options.profile.isDefined))
 +                "`security.apparmor.policies.\"${name}\"` must define exactly one of either path or profile.");
 +                  (if (p != null) then p else (pkgs.writeText name config.profile));
 +             };
           };
         }));
         default = {};
@@ -108,7 +119,7 @@ in
     environment.etc."apparmor.d".source = pkgs.linkFarm "apparmor.d" (
       # It's important to put only enabledPolicies here and not all cfg.policies
       # because aa-remove-unknown reads profiles from all /etc/apparmor.d/*
 -      mapAttrsToList (name: p: { inherit name; path = p.profile; }) enabledPolicies ++
 +      mapAttrsToList (name: p: { inherit name; path = p.path; }) enabledPolicies ++
       mapAttrsToList (name: path: { inherit name path; }) cfg.includes
     );
     environment.etc."apparmor/parser.conf".text = ''
@@ -187,7 +198,7 @@ in
           xargs --verbose --no-run-if-empty --delimiter='\n' \
           kill
         '';
 -        commonOpts = p: "--verbose --show-cache ${optionalString (!p.enforce) "--complain "}${p.profile}";
 +        commonOpts = p: "--verbose --show-cache ${optionalString (p.state == "complain") "--complain "}${p.path}";
         in {
         Type = "oneshot";
         RemainAfterExit = "yes";
--- a/flake.nix
+++ b/flake.nix
@ -53,7 +53,10 @@
    }:
    let
      patches = [
-        ./aa_mod.patch
+        {
          url = "https://patch-diff.githubusercontent.com/raw/NixOS/nixpkgs/pull/356796.patch";
          hash = "sha256-nlyqFxvD6O7MDNJxs/9pCRWzo4XvG++Znc3HvDFkiiY=";
        }
      ];
      customNixosSystem =