75 lines
1.9 KiB
Nix
75 lines
1.9 KiB
Nix
{
|
|
pkgs,
|
|
config,
|
|
lib,
|
|
...
|
|
}:
|
|
let
|
|
inherit (lib) mkIf mergeAttrsList last path;
|
|
|
|
cfg = config.security.apparmor_d;
|
|
apparmor-d = pkgs.callPackage ./apparmor-d-package.nix {};
|
|
in
|
|
{
|
|
options.security.apparmor_d = with lib; let
|
|
profile = types.submodule ({ config, ... }: {
|
|
options = {
|
|
enable = mkOption {
|
|
type = types.bool;
|
|
default = true;
|
|
description = "whether to enable this profile";
|
|
};
|
|
|
|
enforce = mkOption {
|
|
type = types.bool;
|
|
default = true;
|
|
description = "whether to enforce this profile";
|
|
};
|
|
|
|
path = mkOption {
|
|
type = types.nonEmptyStr;
|
|
description = "path of the apparmor profile within apparmor.d, as copied from github";
|
|
example = "apparmor.d/profiles-s-z/vesktop";
|
|
};
|
|
|
|
name = mkOption {
|
|
type = types.nonEmptyStr;
|
|
description = "Name of the profile as placed in /etc/apparmor.d. Default is the profile name as given in apparmor.d.";
|
|
default = last (path.subpath.components config.path);
|
|
example = "vesktop";
|
|
};
|
|
};
|
|
});
|
|
in {
|
|
enable = mkEnableOption "enable apparmor.d support";
|
|
|
|
profiles = mkOption {
|
|
type = types.listOf (types.either types.nonEmptyStr profile);
|
|
default = [];
|
|
description = "set of apparmor profiles to include from apparmor.d";
|
|
};
|
|
};
|
|
|
|
options.test = lib.mkOption { default = null; };
|
|
|
|
config = mkIf (cfg.enable) {
|
|
security.apparmor.packages = [ apparmor-d ];
|
|
security.apparmor.policies = mergeAttrsList (map (p: if (builtins.isString p) then (let name = last (path.subpath.components p); in {
|
|
"${name}" = {
|
|
enable = true;
|
|
enforce = true;
|
|
profile = ''
|
|
include "${apparmor-d}/etc/${p}"
|
|
'';
|
|
};
|
|
}) else {
|
|
${p.name} = {
|
|
inherit (p) enable enforce;
|
|
profile = ''
|
|
include "${apparmor-d}/etc/${p.path}"
|
|
'';
|
|
};
|
|
}) cfg.profiles );
|
|
};
|
|
}
|