nixpkgs/nixos/modules/security/apparmor.nix

{ config, lib, pkgs, ... }:

let
  inherit (lib) mkIf mkOption types concatMapStrings;
  cfg = config.security.apparmor;
in

{
   options = {
     security.apparmor = {
       enable = mkOption {
         type = types.bool;
         default = false;
         description = "Enable the AppArmor Mandatory Access Control system.";
       };
       profiles = mkOption {
         type = types.listOf types.path;
         default = [];
         description = "List of files containing AppArmor profiles.";
       };
       packages = mkOption {
         type = types.listOf types.package;
         default = [];
         description = "List of packages to be added to apparmor's include path";
       };
     };
   };

   config = mkIf cfg.enable {
     environment.systemPackages = [ pkgs.apparmor-utils ];

     systemd.services.apparmor = let
       paths = concatMapStrings (s: " -I ${s}/etc/apparmor.d")
         ([ pkgs.apparmor-profiles ] ++ cfg.packages);
     in {
       wantedBy = [ "local-fs.target" ];
       serviceConfig = {
         Type = "oneshot";
         RemainAfterExit = "yes";
         ExecStart = map (p:
           ''${pkgs.apparmor-parser}/bin/apparmor_parser -rKv ${paths} "${p}"''
         ) cfg.profiles;
         ExecStop = map (p:
           ''${pkgs.apparmor-parser}/bin/apparmor_parser -Rv "${p}"''
         ) cfg.profiles;
       };
     };
   };
}
Rewrite ‘with pkgs.lib’ -> ‘with lib’ Using pkgs.lib on the spine of module evaluation is problematic because the pkgs argument depends on the result of module evaluation. To prevent an infinite recursion, pkgs and some of the modules are evaluated twice, which is inefficient. Using ‘with lib’ prevents this problem. 2014-04-14 16:26:48 +02:00			`{ config, lib, pkgs, ... }:`
Remove tabs 2013-05-13 15:13:06 +02:00
AppArmor: packaged 2012-07-17 02:47:41 +03:00			`let`
Update AppArmor service module - Use AppArmor 2.9 - Enable PAM support 2015-03-12 10:11:25 +01:00			`inherit (lib) mkIf mkOption types concatMapStrings;`
AppArmor: packaged 2012-07-17 02:47:41 +03:00			`cfg = config.security.apparmor;`
			`in`
Update AppArmor service module - Use AppArmor 2.9 - Enable PAM support 2015-03-12 10:11:25 +01:00
AppArmor: packaged 2012-07-17 02:47:41 +03:00			`{`
Update AppArmor service module - Use AppArmor 2.9 - Enable PAM support 2015-03-12 10:11:25 +01:00			`options = {`
			`security.apparmor = {`
			`enable = mkOption {`
			`type = types.bool;`
			`default = false;`
			`description = "Enable the AppArmor Mandatory Access Control system.";`
			`};`
			`profiles = mkOption {`
			`type = types.listOf types.path;`
			`default = [];`
			`description = "List of files containing AppArmor profiles.";`
			`};`
apparmor: support for lxc profiles 2017-01-10 22:47:23 +01:00			`packages = mkOption {`
			`type = types.listOf types.package;`
			`default = [];`
			`description = "List of packages to be added to apparmor's include path";`
			`};`
Update AppArmor service module - Use AppArmor 2.9 - Enable PAM support 2015-03-12 10:11:25 +01:00			`};`
			`};`

			`config = mkIf cfg.enable {`
Cleanup AppArmor module Remove excessive whitespace & comment sections 2015-03-17 11:04:31 +01:00			`environment.systemPackages = [ pkgs.apparmor-utils ];`
Update AppArmor service module - Use AppArmor 2.9 - Enable PAM support 2015-03-12 10:11:25 +01:00
apparmor: support for lxc profiles 2017-01-10 22:47:23 +01:00			`systemd.services.apparmor = let`
			`paths = concatMapStrings (s: " -I ${s}/etc/apparmor.d")`
			`([ pkgs.apparmor-profiles ] ++ cfg.packages);`
			`in {`
Update AppArmor service module - Use AppArmor 2.9 - Enable PAM support 2015-03-12 10:11:25 +01:00			`wantedBy = [ "local-fs.target" ];`
			`serviceConfig = {`
			`Type = "oneshot";`
			`RemainAfterExit = "yes";`
apparmor: support for lxc profiles 2017-01-10 22:47:23 +01:00			`ExecStart = map (p:`
			`''${pkgs.apparmor-parser}/bin/apparmor_parser -rKv ${paths} "${p}"''`
Update AppArmor service module - Use AppArmor 2.9 - Enable PAM support 2015-03-12 10:11:25 +01:00			`) cfg.profiles;`
apparmor: support for lxc profiles 2017-01-10 22:47:23 +01:00			`ExecStop = map (p:`
			`''${pkgs.apparmor-parser}/bin/apparmor_parser -Rv "${p}"''`
Update AppArmor service module - Use AppArmor 2.9 - Enable PAM support 2015-03-12 10:11:25 +01:00			`) cfg.profiles;`
			`};`
			`};`
			`};`
AppArmor: packaged 2012-07-17 02:47:41 +03:00			`}`