symlinked apparmor rules, lets gooogit add --all

2024-10-22 22:24:15 +02:00 · 2024-10-22 22:24:15 +02:00 · e841abdf9d
commit e841abdf9d
parent 247489518d
2 changed files with 12 additions and 11 deletions
--- a/aa_mod.patch
+++ b/aa_mod.patch
@ -1,5 +1,5 @@
 diff --git a/nixos/modules/security/apparmor.nix b/nixos/modules/security/apparmor.nix
-index a4b3807e4e0f..c7c879c39d12 100644
+index a4b3807e4e0f..87a2c2c81feb 100644
 --- a/nixos/modules/security/apparmor.nix
 +++ b/nixos/modules/security/apparmor.nix
@@ -3,15 +3,11 @@
@ -20,9 +20,12 @@ index a4b3807e4e0f..c7c879c39d12 100644
 in
 {
-@@ -47,13 +43,30 @@ in
+@@ -45,15 +41,30 @@ in
         description = ''
           AppArmor policies.
         '';
-         type = types.attrsOf (types.submodule ({ name, config, ... }: {
+-        type = types.attrsOf (types.submodule ({ name, config, ... }: {
 +        type = types.attrsOf (types.submodule ({ name, config, options, ... }: {
           options = {
 -            enable = mkDisableOption "loading of the profile into the kernel";
 -            enforce = mkDisableOption "enforcing of the policy or only complain in the logs";
@ -46,16 +49,14 @@ index a4b3807e4e0f..c7c879c39d12 100644
 +              type = types.nullOr types.path;
 +              default = null;
 +              description = "A path of a profile to include. Incompatible with profile.";
-+              apply = p: let
+              apply = p: assert (assertMsg ((p != null && !options.profile.isDefined) || (p == null && options.profile.isDefined))
 +                inherit (config) profile;
 +              in assert (assertMsg ((p != null && profile == "") || (p == null && profile != ""))
 +                "`security.apparmor.policies.\"${name}\"` must define exactly one of either path or profile.");
-+                (if (p != null) then p else (pkgs.writeText name profile));
+                  (if (p != null) then p else (pkgs.writeText name config.profile));
 +             };
           };
         }));
         default = {};
-@@ -108,7 +121,7 @@ in
+@@ -108,7 +119,7 @@ in
     environment.etc."apparmor.d".source = pkgs.linkFarm "apparmor.d" (
       # It's important to put only enabledPolicies here and not all cfg.policies
       # because aa-remove-unknown reads profiles from all /etc/apparmor.d/*
@ -64,7 +65,7 @@ index a4b3807e4e0f..c7c879c39d12 100644
       mapAttrsToList (name: path: { inherit name path; }) cfg.includes
     );
     environment.etc."apparmor/parser.conf".text = ''
-@@ -187,7 +200,7 @@ in
+@@ -187,7 +198,7 @@ in
           xargs --verbose --no-run-if-empty --delimiter='\n' \
           kill
         '';
--- a/common/tooling/apparmor/apparmor-d-module.nix
+++ b/common/tooling/apparmor/apparmor-d-module.nix
@ -25,11 +25,11 @@ let
    security.apparmor.packages = [ apparmor-d ];
    security.apparmor.policies = mapAttrs (name: state: {
      inherit state;
-      profile = let
+      path = let
        file = "${apparmor-d}/etc/apparmor.d/${name}";
      in
        assert assertMsg (pathIsRegularFile file) "profile ${name} not found in apparmor.d path (${file})";
-       ''include "${file}"'';
+        file;
    }) cfg.profiles;
    specialisation.no-apparmor.configuration = {