76 lines
3.2 KiB
Diff
76 lines
3.2 KiB
Diff
diff --git a/nixos/modules/security/apparmor.nix b/nixos/modules/security/apparmor.nix
|
|
index a4b3807e4e0f..c7c879c39d12 100644
|
|
--- a/nixos/modules/security/apparmor.nix
|
|
+++ b/nixos/modules/security/apparmor.nix
|
|
@@ -3,15 +3,11 @@
|
|
with lib;
|
|
|
|
let
|
|
- inherit (builtins) attrNames head map match readFile;
|
|
+ inherit (builtins) attrNames map match;
|
|
inherit (lib) types;
|
|
inherit (config.environment) etc;
|
|
cfg = config.security.apparmor;
|
|
- mkDisableOption = name: mkEnableOption name // {
|
|
- default = true;
|
|
- example = false;
|
|
- };
|
|
- enabledPolicies = filterAttrs (n: p: p.enable) cfg.policies;
|
|
+ enabledPolicies = filterAttrs (n: p: p.state != "disable") cfg.policies;
|
|
in
|
|
|
|
{
|
|
@@ -47,13 +43,30 @@ in
|
|
'';
|
|
type = types.attrsOf (types.submodule ({ name, config, ... }: {
|
|
options = {
|
|
- enable = mkDisableOption "loading of the profile into the kernel";
|
|
- enforce = mkDisableOption "enforcing of the policy or only complain in the logs";
|
|
+ state = mkOption {
|
|
+ description =
|
|
+ "The state of the profile as applied to the system by nix";
|
|
+ type = types.enum [ "disable" "complain" "enforce" ];
|
|
+ # should enforce really be the default?
|
|
+ # the docs state that this should only be used once one is REALLY sure nothing's gonna break
|
|
+ default = "enforce";
|
|
+ };
|
|
+
|
|
profile = mkOption {
|
|
- description = "The policy of the profile.";
|
|
+ description = "The policy of the profile. Incompatible with path.";
|
|
type = types.lines;
|
|
- apply = pkgs.writeText name;
|
|
};
|
|
+
|
|
+ path = mkOption {
|
|
+ type = types.nullOr types.path;
|
|
+ default = null;
|
|
+ description = "A path of a profile to include. Incompatible with profile.";
|
|
+ apply = p: let
|
|
+ inherit (config) profile;
|
|
+ in assert (assertMsg ((p != null && profile == "") || (p == null && profile != ""))
|
|
+ "`security.apparmor.policies.\"${name}\"` must define exactly one of either path or profile.");
|
|
+ (if (p != null) then p else (pkgs.writeText name profile));
|
|
+ };
|
|
};
|
|
}));
|
|
default = {};
|
|
@@ -108,7 +121,7 @@ in
|
|
environment.etc."apparmor.d".source = pkgs.linkFarm "apparmor.d" (
|
|
# It's important to put only enabledPolicies here and not all cfg.policies
|
|
# because aa-remove-unknown reads profiles from all /etc/apparmor.d/*
|
|
- mapAttrsToList (name: p: { inherit name; path = p.profile; }) enabledPolicies ++
|
|
+ mapAttrsToList (name: p: { inherit name; path = p.path; }) enabledPolicies ++
|
|
mapAttrsToList (name: path: { inherit name path; }) cfg.includes
|
|
);
|
|
environment.etc."apparmor/parser.conf".text = ''
|
|
@@ -187,7 +200,7 @@ in
|
|
xargs --verbose --no-run-if-empty --delimiter='\n' \
|
|
kill
|
|
'';
|
|
- commonOpts = p: "--verbose --show-cache ${optionalString (!p.enforce) "--complain "}${p.profile}";
|
|
+ commonOpts = p: "--verbose --show-cache ${optionalString (p.state == "complain") "--complain "}${p.path}";
|
|
in {
|
|
Type = "oneshot";
|
|
RemainAfterExit = "yes";
|