nixpkgs/nixos/modules/security/apparmor.nix

{ config, lib, pkgs, ... }:

let
  inherit (lib) mkIf mkOption types concatMapStrings;
  cfg = config.security.apparmor;
in

{
   options = {
     security.apparmor = {
       enable = mkOption {
         type = types.bool;
         default = false;
         description = "Enable the AppArmor Mandatory Access Control system.";
       };
       profiles = mkOption {
         type = types.listOf types.path;
         default = [];
         description = "List of files containing AppArmor profiles.";
       };
     };
   };

   config = mkIf cfg.enable {
     environment.systemPackages = [ pkgs.apparmor-utils ];

     systemd.services.apparmor = {
       wantedBy = [ "local-fs.target" ];
       serviceConfig = {
         Type = "oneshot";
         RemainAfterExit = "yes";
         ExecStart = concatMapStrings (p:
           ''${pkgs.apparmor-parser}/bin/apparmor_parser -rKv -I ${pkgs.apparmor-profiles}/etc/apparmor.d "${p}" ; ''
         ) cfg.profiles;
         ExecStop = concatMapStrings (p:
           ''${pkgs.apparmor-parser}/bin/apparmor_parser -Rv "${p}" ; ''
         ) cfg.profiles;
       };
     };
   };
}
Rewrite ‘with pkgs.lib’ -> ‘with lib’ Using pkgs.lib on the spine of module evaluation is problematic because the pkgs argument depends on the result of module evaluation. To prevent an infinite recursion, pkgs and some of the modules are evaluated twice, which is inefficient. Using ‘with lib’ prevents this problem. 2014-04-14 16:26:48 +02:00			`{ config, lib, pkgs, ... }:`
Remove tabs 2013-05-13 15:13:06 +02:00
AppArmor: packaged 2012-07-17 02:47:41 +03:00			`let`
Update AppArmor service module - Use AppArmor 2.9 - Enable PAM support 2015-03-12 10:11:25 +01:00			`inherit (lib) mkIf mkOption types concatMapStrings;`
AppArmor: packaged 2012-07-17 02:47:41 +03:00			`cfg = config.security.apparmor;`
			`in`
Update AppArmor service module - Use AppArmor 2.9 - Enable PAM support 2015-03-12 10:11:25 +01:00
AppArmor: packaged 2012-07-17 02:47:41 +03:00			`{`
Update AppArmor service module - Use AppArmor 2.9 - Enable PAM support 2015-03-12 10:11:25 +01:00			`options = {`
			`security.apparmor = {`
			`enable = mkOption {`
			`type = types.bool;`
			`default = false;`
			`description = "Enable the AppArmor Mandatory Access Control system.";`
			`};`
			`profiles = mkOption {`
			`type = types.listOf types.path;`
			`default = [];`
			`description = "List of files containing AppArmor profiles.";`
			`};`
			`};`
			`};`

			`config = mkIf cfg.enable {`
Cleanup AppArmor module Remove excessive whitespace & comment sections 2015-03-17 11:04:31 +01:00			`environment.systemPackages = [ pkgs.apparmor-utils ];`
Update AppArmor service module - Use AppArmor 2.9 - Enable PAM support 2015-03-12 10:11:25 +01:00
			`systemd.services.apparmor = {`
			`wantedBy = [ "local-fs.target" ];`
			`serviceConfig = {`
			`Type = "oneshot";`
			`RemainAfterExit = "yes";`
			`ExecStart = concatMapStrings (p:`
			`''${pkgs.apparmor-parser}/bin/apparmor_parser -rKv -I ${pkgs.apparmor-profiles}/etc/apparmor.d "${p}" ; ''`
			`) cfg.profiles;`
			`ExecStop = concatMapStrings (p:`
			`''${pkgs.apparmor-parser}/bin/apparmor_parser -Rv "${p}" ; ''`
			`) cfg.profiles;`
			`};`
			`};`
			`};`
AppArmor: packaged 2012-07-17 02:47:41 +03:00			`}`