symlinked apparmor rules, lets gooogit add --all

This commit is contained in:
Grimmauld 2024-10-22 22:24:15 +02:00
parent 247489518d
commit e841abdf9d
Signed by: Grimmauld
GPG key ID: C2946668769F91FB
2 changed files with 12 additions and 11 deletions

View file

@ -1,5 +1,5 @@
diff --git a/nixos/modules/security/apparmor.nix b/nixos/modules/security/apparmor.nix
index a4b3807e4e0f..c7c879c39d12 100644
index a4b3807e4e0f..87a2c2c81feb 100644
--- a/nixos/modules/security/apparmor.nix
+++ b/nixos/modules/security/apparmor.nix
@@ -3,15 +3,11 @@
@ -20,9 +20,12 @@ index a4b3807e4e0f..c7c879c39d12 100644
in
{
@@ -47,13 +43,30 @@ in
@@ -45,15 +41,30 @@ in
description = ''
AppArmor policies.
'';
type = types.attrsOf (types.submodule ({ name, config, ... }: {
- type = types.attrsOf (types.submodule ({ name, config, ... }: {
+ type = types.attrsOf (types.submodule ({ name, config, options, ... }: {
options = {
- enable = mkDisableOption "loading of the profile into the kernel";
- enforce = mkDisableOption "enforcing of the policy or only complain in the logs";
@ -46,16 +49,14 @@ index a4b3807e4e0f..c7c879c39d12 100644
+ type = types.nullOr types.path;
+ default = null;
+ description = "A path of a profile to include. Incompatible with profile.";
+ apply = p: let
+ inherit (config) profile;
+ in assert (assertMsg ((p != null && profile == "") || (p == null && profile != ""))
+ apply = p: assert (assertMsg ((p != null && !options.profile.isDefined) || (p == null && options.profile.isDefined))
+ "`security.apparmor.policies.\"${name}\"` must define exactly one of either path or profile.");
+ (if (p != null) then p else (pkgs.writeText name profile));
+ (if (p != null) then p else (pkgs.writeText name config.profile));
+ };
};
}));
default = {};
@@ -108,7 +121,7 @@ in
@@ -108,7 +119,7 @@ in
environment.etc."apparmor.d".source = pkgs.linkFarm "apparmor.d" (
# It's important to put only enabledPolicies here and not all cfg.policies
# because aa-remove-unknown reads profiles from all /etc/apparmor.d/*
@ -64,7 +65,7 @@ index a4b3807e4e0f..c7c879c39d12 100644
mapAttrsToList (name: path: { inherit name path; }) cfg.includes
);
environment.etc."apparmor/parser.conf".text = ''
@@ -187,7 +200,7 @@ in
@@ -187,7 +198,7 @@ in
xargs --verbose --no-run-if-empty --delimiter='\n' \
kill
'';

View file

@ -25,11 +25,11 @@ let
security.apparmor.packages = [ apparmor-d ];
security.apparmor.policies = mapAttrs (name: state: {
inherit state;
profile = let
path = let
file = "${apparmor-d}/etc/apparmor.d/${name}";
in
assert assertMsg (pathIsRegularFile file) "profile ${name} not found in apparmor.d path (${file})";
''include "${file}"'';
file;
}) cfg.profiles;
specialisation.no-apparmor.configuration = {