2014-04-14 16:26:48 +02:00
|
|
|
{ config, lib, pkgs, ... }:
|
2013-05-11 08:41:36 +03:00
|
|
|
let
|
|
|
|
|
cfg = config.security.apparmor;
|
|
|
|
|
in
|
2014-04-14 16:26:48 +02:00
|
|
|
with lib;
|
2013-05-11 08:41:36 +03:00
|
|
|
{
|
|
|
|
|
|
|
|
|
|
options.security.apparmor.confineSUIDApplications = mkOption {
|
|
|
|
|
default = true;
|
|
|
|
|
description = ''
|
|
|
|
|
Install AppArmor profiles for commonly-used SUID application
|
|
|
|
|
to mitigate potential privilege escalation attacks due to bugs
|
|
|
|
|
in such applications.
|
|
|
|
|
|
|
|
|
|
Currently available profiles: ping
|
|
|
|
|
'';
|
|
|
|
|
};
|
|
|
|
|
|
|
|
|
|
config = mkIf (cfg.confineSUIDApplications) {
|
|
|
|
|
security.apparmor.profiles = [ (pkgs.writeText "ping" ''
|
|
|
|
|
#include <tunables/global>
|
2017-01-29 04:11:01 -06:00
|
|
|
/run/wrappers/bin/ping {
|
2013-05-13 15:13:06 +02:00
|
|
|
#include <abstractions/base>
|
|
|
|
|
#include <abstractions/consoles>
|
|
|
|
|
#include <abstractions/nameservice>
|
2013-05-11 08:41:36 +03:00
|
|
|
|
2013-05-13 15:13:06 +02:00
|
|
|
capability net_raw,
|
|
|
|
|
capability setuid,
|
|
|
|
|
network inet raw,
|
2013-05-11 08:41:36 +03:00
|
|
|
|
2018-03-24 20:51:32 -05:00
|
|
|
${pkgs.stdenv.cc.libc.out}/lib/*.so mr,
|
2016-05-07 21:48:29 +02:00
|
|
|
${pkgs.libcap.lib}/lib/libcap.so* mr,
|
2016-01-24 09:28:56 +02:00
|
|
|
${pkgs.attr.out}/lib/libattr.so* mr,
|
2013-05-28 14:15:10 +00:00
|
|
|
|
|
|
|
|
${pkgs.iputils}/bin/ping mixr,
|
|
|
|
|
|
2013-05-13 15:13:06 +02:00
|
|
|
#/etc/modules.conf r,
|
2013-05-11 08:41:36 +03:00
|
|
|
|
2013-05-13 15:13:06 +02:00
|
|
|
## Site-specific additions and overrides. See local/README for details.
|
|
|
|
|
##include <local/bin.ping>
|
2013-05-11 08:41:36 +03:00
|
|
|
}
|
|
|
|
|
'') ];
|
|
|
|
|
};
|
|
|
|
|
|
|
|
|
|
}
|
