nixpkgs/nixos/modules/security/apparmor-suid.nix

{ config, lib, pkgs, ... }:
let
  cfg = config.security.apparmor;
in
with lib;
{
  imports = [
    (mkRenamedOptionModule [ "security" "virtualization" "flushL1DataCache" ] [ "security" "virtualisation" "flushL1DataCache" ])
  ];

  options.security.apparmor.confineSUIDApplications = mkOption {
    type = types.bool;
    default = true;
    description = ''
      Install AppArmor profiles for commonly-used SUID application
      to mitigate potential privilege escalation attacks due to bugs
      in such applications.

      Currently available profiles: ping
    '';
  };

  config = mkIf (cfg.confineSUIDApplications) {
    security.apparmor.profiles = [ (pkgs.writeText "ping" ''
      #include <tunables/global>
      /run/wrappers/bin/ping {
        #include <abstractions/base>
        #include <abstractions/consoles>
        #include <abstractions/nameservice>

        capability net_raw,
        capability setuid,
        network inet raw,

        ${pkgs.stdenv.cc.libc.out}/lib/*.so mr,
        ${pkgs.libcap.lib}/lib/libcap.so* mr,
        ${pkgs.attr.out}/lib/libattr.so* mr,

        ${pkgs.iputils}/bin/ping mixr,

        #/etc/modules.conf r,

        ## Site-specific additions and overrides. See local/README for details.
        ##include <local/bin.ping>
      }
    '') ];
  };

}
Rewrite ‘with pkgs.lib’ -> ‘with lib’ Using pkgs.lib on the spine of module evaluation is problematic because the pkgs argument depends on the result of module evaluation. To prevent an infinite recursion, pkgs and some of the modules are evaluated twice, which is inefficient. Using ‘with lib’ prevents this problem. 2014-04-14 16:26:48 +02:00			`{ config, lib, pkgs, ... }:`
AppArmor profiles for SUID binaries. At this moment only for ping. 2013-05-11 08:41:36 +03:00			`let`
			`cfg = config.security.apparmor;`
			`in`
Rewrite ‘with pkgs.lib’ -> ‘with lib’ Using pkgs.lib on the spine of module evaluation is problematic because the pkgs argument depends on the result of module evaluation. To prevent an infinite recursion, pkgs and some of the modules are evaluated twice, which is inefficient. Using ‘with lib’ prevents this problem. 2014-04-14 16:26:48 +02:00			`with lib;`
AppArmor profiles for SUID binaries. At this moment only for ping. 2013-05-11 08:41:36 +03:00			`{`
nixos/treewide: Move rename.nix imports to their respective modules A centralized list for these renames is not good because: - It breaks disabledModules for modules that have a rename defined - Adding/removing renames for a module means having to find them in the central file - Merge conflicts due to multiple people editing the central file 2019-12-10 02:51:19 +01:00			`imports = [`
			`(mkRenamedOptionModule [ "security" "virtualization" "flushL1DataCache" ] [ "security" "virtualisation" "flushL1DataCache" ])`
			`];`
AppArmor profiles for SUID binaries. At this moment only for ping. 2013-05-11 08:41:36 +03:00
			`options.security.apparmor.confineSUIDApplications = mkOption {`
treewide: add types to boolean / enable options or make use of mkEnableOption 2020-04-27 09:04:07 +02:00			`type = types.bool;`
AppArmor profiles for SUID binaries. At this moment only for ping. 2013-05-11 08:41:36 +03:00			`default = true;`
			`description = ''`
			`Install AppArmor profiles for commonly-used SUID application`
			`to mitigate potential privilege escalation attacks due to bugs`
			`in such applications.`

			`Currently available profiles: ping`
			`'';`
			`};`

			`config = mkIf (cfg.confineSUIDApplications) {`
			`security.apparmor.profiles = [ (pkgs.writeText "ping" ''`
			`#include <tunables/global>`
Getting rid of the var indirection and using a bin path instead 2017-01-29 04:11:01 -06:00			`/run/wrappers/bin/ping {`
Remove tabs 2013-05-13 15:13:06 +02:00			`#include <abstractions/base>`
			`#include <abstractions/consoles>`
			`#include <abstractions/nameservice>`
AppArmor profiles for SUID binaries. At this moment only for ping. 2013-05-11 08:41:36 +03:00
Remove tabs 2013-05-13 15:13:06 +02:00			`capability net_raw,`
			`capability setuid,`
			`network inet raw,`
AppArmor profiles for SUID binaries. At this moment only for ping. 2013-05-11 08:41:36 +03:00
apparmor-suid: don't force glibc (cherry picked from commit 131131e58fc66365854f37f4fe2bf6ca01c8aed6) 2018-03-24 20:51:32 -05:00			`${pkgs.stdenv.cc.libc.out}/lib/*.so mr,`
apparmor-suid module: fix libcap lib output reference After 7382afac40c23841e5d6a491bd4a9412d766ecab 2016-05-07 21:48:29 +02:00			`${pkgs.libcap.lib}/lib/libcap.so* mr,`
treewide: Mass replace 'attr}/lib' to refer the 'out' output 2016-01-24 09:28:56 +02:00			`${pkgs.attr.out}/lib/libattr.so* mr,`
apparmor: Fix broken iputils/ping profile 2013-05-28 14:15:10 +00:00
			`${pkgs.iputils}/bin/ping mixr,`

Remove tabs 2013-05-13 15:13:06 +02:00			`#/etc/modules.conf r,`
AppArmor profiles for SUID binaries. At this moment only for ping. 2013-05-11 08:41:36 +03:00
Remove tabs 2013-05-13 15:13:06 +02:00			`## Site-specific additions and overrides. See local/README for details.`
			`##include <local/bin.ping>`
AppArmor profiles for SUID binaries. At this moment only for ping. 2013-05-11 08:41:36 +03:00			`}`
			`'') ];`
			`};`

			`}`