symlinked apparmor rules, lets gooogit add --all
This commit is contained in:
parent
247489518d
commit
e841abdf9d
2 changed files with 12 additions and 11 deletions
19
aa_mod.patch
19
aa_mod.patch
|
@ -1,5 +1,5 @@
|
|||
diff --git a/nixos/modules/security/apparmor.nix b/nixos/modules/security/apparmor.nix
|
||||
index a4b3807e4e0f..c7c879c39d12 100644
|
||||
index a4b3807e4e0f..87a2c2c81feb 100644
|
||||
--- a/nixos/modules/security/apparmor.nix
|
||||
+++ b/nixos/modules/security/apparmor.nix
|
||||
@@ -3,15 +3,11 @@
|
||||
|
@ -20,9 +20,12 @@ index a4b3807e4e0f..c7c879c39d12 100644
|
|||
in
|
||||
|
||||
{
|
||||
@@ -47,13 +43,30 @@ in
|
||||
@@ -45,15 +41,30 @@ in
|
||||
description = ''
|
||||
AppArmor policies.
|
||||
'';
|
||||
type = types.attrsOf (types.submodule ({ name, config, ... }: {
|
||||
- type = types.attrsOf (types.submodule ({ name, config, ... }: {
|
||||
+ type = types.attrsOf (types.submodule ({ name, config, options, ... }: {
|
||||
options = {
|
||||
- enable = mkDisableOption "loading of the profile into the kernel";
|
||||
- enforce = mkDisableOption "enforcing of the policy or only complain in the logs";
|
||||
|
@ -46,16 +49,14 @@ index a4b3807e4e0f..c7c879c39d12 100644
|
|||
+ type = types.nullOr types.path;
|
||||
+ default = null;
|
||||
+ description = "A path of a profile to include. Incompatible with profile.";
|
||||
+ apply = p: let
|
||||
+ inherit (config) profile;
|
||||
+ in assert (assertMsg ((p != null && profile == "") || (p == null && profile != ""))
|
||||
+ apply = p: assert (assertMsg ((p != null && !options.profile.isDefined) || (p == null && options.profile.isDefined))
|
||||
+ "`security.apparmor.policies.\"${name}\"` must define exactly one of either path or profile.");
|
||||
+ (if (p != null) then p else (pkgs.writeText name profile));
|
||||
+ (if (p != null) then p else (pkgs.writeText name config.profile));
|
||||
+ };
|
||||
};
|
||||
}));
|
||||
default = {};
|
||||
@@ -108,7 +121,7 @@ in
|
||||
@@ -108,7 +119,7 @@ in
|
||||
environment.etc."apparmor.d".source = pkgs.linkFarm "apparmor.d" (
|
||||
# It's important to put only enabledPolicies here and not all cfg.policies
|
||||
# because aa-remove-unknown reads profiles from all /etc/apparmor.d/*
|
||||
|
@ -64,7 +65,7 @@ index a4b3807e4e0f..c7c879c39d12 100644
|
|||
mapAttrsToList (name: path: { inherit name path; }) cfg.includes
|
||||
);
|
||||
environment.etc."apparmor/parser.conf".text = ''
|
||||
@@ -187,7 +200,7 @@ in
|
||||
@@ -187,7 +198,7 @@ in
|
||||
xargs --verbose --no-run-if-empty --delimiter='\n' \
|
||||
kill
|
||||
'';
|
||||
|
|
|
@ -25,11 +25,11 @@ let
|
|||
security.apparmor.packages = [ apparmor-d ];
|
||||
security.apparmor.policies = mapAttrs (name: state: {
|
||||
inherit state;
|
||||
profile = let
|
||||
path = let
|
||||
file = "${apparmor-d}/etc/apparmor.d/${name}";
|
||||
in
|
||||
assert assertMsg (pathIsRegularFile file) "profile ${name} not found in apparmor.d path (${file})";
|
||||
''include "${file}"'';
|
||||
file;
|
||||
}) cfg.profiles;
|
||||
|
||||
specialisation.no-apparmor.configuration = {
|
||||
|
|
Loading…
Reference in a new issue