symlinked apparmor rules, lets gooogit add --all
parent
247489518d
commit
e841abdf9d
2 changed files with 12 additions and 11 deletions
19
aa_mod.patch
19
aa_mod.patch
|
@ -1,5 +1,5 @@
|
||||||
diff --git a/nixos/modules/security/apparmor.nix b/nixos/modules/security/apparmor.nix
|
diff --git a/nixos/modules/security/apparmor.nix b/nixos/modules/security/apparmor.nix
|
||||||
index a4b3807e4e0f..c7c879c39d12 100644
|
index a4b3807e4e0f..87a2c2c81feb 100644
|
||||||
--- a/nixos/modules/security/apparmor.nix
|
--- a/nixos/modules/security/apparmor.nix
|
||||||
+++ b/nixos/modules/security/apparmor.nix
|
+++ b/nixos/modules/security/apparmor.nix
|
||||||
@@ -3,15 +3,11 @@
|
@@ -3,15 +3,11 @@
|
||||||
|
@ -20,9 +20,12 @@ index a4b3807e4e0f..c7c879c39d12 100644
|
||||||
in
|
in
|
||||||
|
|
||||||
{
|
{
|
||||||
@@ -47,13 +43,30 @@ in
|
@@ -45,15 +41,30 @@ in
|
||||||
|
description = ''
|
||||||
|
AppArmor policies.
|
||||||
'';
|
'';
|
||||||
type = types.attrsOf (types.submodule ({ name, config, ... }: {
|
- type = types.attrsOf (types.submodule ({ name, config, ... }: {
|
||||||
|
+ type = types.attrsOf (types.submodule ({ name, config, options, ... }: {
|
||||||
options = {
|
options = {
|
||||||
- enable = mkDisableOption "loading of the profile into the kernel";
|
- enable = mkDisableOption "loading of the profile into the kernel";
|
||||||
- enforce = mkDisableOption "enforcing of the policy or only complain in the logs";
|
- enforce = mkDisableOption "enforcing of the policy or only complain in the logs";
|
||||||
|
@ -46,16 +49,14 @@ index a4b3807e4e0f..c7c879c39d12 100644
|
||||||
+ type = types.nullOr types.path;
|
+ type = types.nullOr types.path;
|
||||||
+ default = null;
|
+ default = null;
|
||||||
+ description = "A path of a profile to include. Incompatible with profile.";
|
+ description = "A path of a profile to include. Incompatible with profile.";
|
||||||
+ apply = p: let
|
+ apply = p: assert (assertMsg ((p != null && !options.profile.isDefined) || (p == null && options.profile.isDefined))
|
||||||
+ inherit (config) profile;
|
|
||||||
+ in assert (assertMsg ((p != null && profile == "") || (p == null && profile != ""))
|
|
||||||
+ "`security.apparmor.policies.\"${name}\"` must define exactly one of either path or profile.");
|
+ "`security.apparmor.policies.\"${name}\"` must define exactly one of either path or profile.");
|
||||||
+ (if (p != null) then p else (pkgs.writeText name profile));
|
+ (if (p != null) then p else (pkgs.writeText name config.profile));
|
||||||
+ };
|
+ };
|
||||||
};
|
};
|
||||||
}));
|
}));
|
||||||
default = {};
|
default = {};
|
||||||
@@ -108,7 +121,7 @@ in
|
@@ -108,7 +119,7 @@ in
|
||||||
environment.etc."apparmor.d".source = pkgs.linkFarm "apparmor.d" (
|
environment.etc."apparmor.d".source = pkgs.linkFarm "apparmor.d" (
|
||||||
# It's important to put only enabledPolicies here and not all cfg.policies
|
# It's important to put only enabledPolicies here and not all cfg.policies
|
||||||
# because aa-remove-unknown reads profiles from all /etc/apparmor.d/*
|
# because aa-remove-unknown reads profiles from all /etc/apparmor.d/*
|
||||||
|
@ -64,7 +65,7 @@ index a4b3807e4e0f..c7c879c39d12 100644
|
||||||
mapAttrsToList (name: path: { inherit name path; }) cfg.includes
|
mapAttrsToList (name: path: { inherit name path; }) cfg.includes
|
||||||
);
|
);
|
||||||
environment.etc."apparmor/parser.conf".text = ''
|
environment.etc."apparmor/parser.conf".text = ''
|
||||||
@@ -187,7 +200,7 @@ in
|
@@ -187,7 +198,7 @@ in
|
||||||
xargs --verbose --no-run-if-empty --delimiter='\n' \
|
xargs --verbose --no-run-if-empty --delimiter='\n' \
|
||||||
kill
|
kill
|
||||||
'';
|
'';
|
||||||
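Review bot: The new assertion in the `apply` of `path` checks the two options asymmetrically: `p != null` tests the evaluated value of `path`, while `options.profile.isDefined` tests whether `profile` has any definition at all, so the "must define exactly one" message does not quite describe what is checked (an explicit `path = null;` counts as undefined, but an explicit empty `profile` counts as defined). If the intent is "exactly one of the two was set", the symmetric form `assert assertMsg (options.path.isDefined != options.profile.isDefined) "..."` reads closer to the message; `options` is already in scope from the submodule arguments added on the same line. Note also that because the check lives in `apply`, it presumably only fires when `config.path` is actually consumed — a policy whose `path` is never read would appear to carry a silently accepted misconfiguration; worth confirming against the `linkFarm` call later in the patch, which the comment there says only feeds enabled policies. The patched submodule definition starts and ends outside this hunk.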
|
|
|
@ -25,11 +25,11 @@ let
|
||||||
security.apparmor.packages = [ apparmor-d ];
|
security.apparmor.packages = [ apparmor-d ];
|
||||||
security.apparmor.policies = mapAttrs (name: state: {
|
security.apparmor.policies = mapAttrs (name: state: {
|
||||||
inherit state;
|
inherit state;
|
||||||
profile = let
|
path = let
|
||||||
file = "${apparmor-d}/etc/apparmor.d/${name}";
|
file = "${apparmor-d}/etc/apparmor.d/${name}";
|
||||||
in
|
in
|
||||||
assert assertMsg (pathIsRegularFile file) "profile ${name} not found in apparmor.d path (${file})";
|
assert assertMsg (pathIsRegularFile file) "profile ${name} not found in apparmor.d path (${file})";
|
||||||
''include "${file}"'';
|
file;
|
||||||
}) cfg.profiles;
|
}) cfg.profiles;
|
||||||
|
|
||||||
specialisation.no-apparmor.configuration = {
|
specialisation.no-apparmor.configuration = {
|
||||||
|
|