67 lines
1.6 KiB
Nix
67 lines
1.6 KiB
Nix
{
|
|
pkgs,
|
|
config,
|
|
lib,
|
|
...
|
|
}:
|
|
let
|
|
inherit (lib)
|
|
mkIf
|
|
mapAttrs
|
|
assertMsg
|
|
pathIsRegularFile
|
|
mkForce
|
|
;
|
|
|
|
cfg = config.security.apparmor_d;
|
|
apparmor-d = pkgs.callPackage ./apparmor-d-package.nix { };
|
|
in
|
|
{
|
|
options.security.apparmor_d = with lib; {
|
|
enable = mkEnableOption "enable apparmor.d support";
|
|
|
|
profiles = mkOption {
|
|
type = types.attrsOf (
|
|
types.enum [
|
|
"disable"
|
|
"complain"
|
|
"enforce"
|
|
]
|
|
);
|
|
default = { };
|
|
description = "set of apparmor profiles to include from apparmor.d";
|
|
};
|
|
};
|
|
|
|
config = mkIf (cfg.enable) {
|
|
security.apparmor.packages = [ apparmor-d ];
|
|
security.apparmor.policies = mapAttrs (name: state: {
|
|
inherit state;
|
|
path =
|
|
let
|
|
file = "${apparmor-d}/etc/apparmor.d/${name}";
|
|
in
|
|
assert assertMsg (pathIsRegularFile file) "profile ${name} not found in apparmor.d path (${file})";
|
|
file;
|
|
}) cfg.profiles;
|
|
|
|
security.apparmor.includes."tunables/global.d/store" = ''
|
|
@{package1}={@{w},.,-}
|
|
@{package2}=@{package1}@{package1}
|
|
@{package4}=@{package2}@{package2}
|
|
@{package8}=@{package4}@{package4}
|
|
@{package16}=@{package8}@{package8}
|
|
@{package32}=@{package16}@{package16}
|
|
@{package64}=@{package32}@{package32}
|
|
|
|
@{nix_package_name}={@{package32},}{@{package16},}{@{package8},}{@{package4},}{@{package2},}{@{package1},}
|
|
@{nix_store}=/nix/store/@{rand32}-@{nix_package_name}
|
|
'';
|
|
|
|
specialisation.no-apparmor.configuration = {
|
|
security.apparmor.enable = mkForce false;
|
|
};
|
|
|
|
environment.systemPackages = [ apparmor-d ];
|
|
};
|
|
}
|