From 2e61811284e1116e1700bd505d95161ebf07bb9d Mon Sep 17 00:00:00 2001
From: "Ricardo M. Correia"
Date: Tue, 28 May 2013 17:19:15 +0000
Subject: [PATCH 1/2] transmission: Add apparmor profile
---
 modules/services/torrent/transmission.nix | 40 +++++++++++++++++++++--
 1 file changed, 38 insertions(+), 2 deletions(-)
diff --git a/modules/services/torrent/transmission.nix b/modules/services/torrent/transmission.nix
index 02ec25d1294..742e5bee70c 100644
--- a/modules/services/torrent/transmission.nix
+++ b/modules/services/torrent/transmission.nix
@@ -89,6 +89,11 @@ in
 description = "TCP port number to run the RPC/web interface.";
 };
+ apparmor = mkOption {
+ type = types.uniq types.bool;
+ default = true;
+ description = "Generate apparmor profile for transmission-daemon.";
+ };
 };
 };
@@ -104,8 +109,8 @@ in
 # 1) Only the "transmission" user and group have access to torrents.
 # 2) Optionally update/force specific fields into the configuration file.
 serviceConfig.ExecStartPre =
- if config.services.transmission.settings != {} then ''
- ${pkgs.stdenv.shell} -c "chmod 770 ${homeDir} && mkdir -p ${settingsDir} && ${pkgs.transmission}/bin/transmission-daemon -d |& sed ${attrsToSedArgs config.services.transmission.settings} > ${settingsFile}.tmp && mv ${settingsFile}.tmp ${settingsFile}"
+ if cfg.settings != {} then ''
+ ${pkgs.stdenv.shell} -c "chmod 770 ${homeDir} && mkdir -p ${settingsDir} && ${pkgs.transmission}/bin/transmission-daemon -d |& sed ${attrsToSedArgs cfg.settings} > ${settingsFile}.tmp && mv ${settingsFile}.tmp ${settingsFile}"
 '' else ''
 ${pkgs.stdenv.shell} -c "chmod 770 ${homeDir}"
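Review bot: The description of the new `apparmor` option in the first hunk does not say that the profile is only generated when `security.apparmor.enable` is also set, so a reader of the option alone would expect `default = true` to confine the daemon on its own; the `mkIf` that gates on both flags is in a later hunk of this patch. Suggest `description = "Generate an AppArmor profile for transmission-daemon (only effective when security.apparmor.enable is set).";`.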
@@ -129,6 +134,37 @@ in
 users.extraGroups.transmission = {};
+ # AppArmor profile
+ security.apparmor.profiles = mkIf (config.security.apparmor.enable && cfg.apparmor) [
+ (pkgs.writeText "apparmor-transmission-daemon" ''
+ #include
+
+ ${pkgs.transmission}/bin/transmission-daemon {
+ #include
+ #include
+
+ ${pkgs.glibc}/lib/*.so mr,
+ ${pkgs.libevent}/lib/libevent*.so* mr,
+ ${pkgs.curl}/lib/libcurl*.so* mr,
+ ${pkgs.openssl}/lib/libssl*.so* mr,
+ ${pkgs.openssl}/lib/libcrypto*.so* mr,
+ ${pkgs.zlib}/lib/libz*.so* mr,
+ ${pkgs.libssh2}/lib/libssh2*.so* mr,
+
+ @{PROC}/sys/kernel/random/uuid r,
+ @{PROC}/sys/vm/overcommit_memory r,
+
+ ${pkgs.transmission}/share/transmission/** r,
+
+ owner ${settingsDir}/** rw,
+
+ ${cfg.settings.download-dir}/** rw,
+ ${optionalString cfg.settings.incomplete-dir-enabled ''
+ ${cfg.settings.incomplete-dir}/** rw,
+ ''}
+ }
+ '')
+ ];
 };
}
From 0a0beadecd5bce5fca73baae2dc075d15f8dd85e Mon Sep 17 00:00:00 2001
From: "Ricardo M. Correia"
Date: Tue, 28 May 2013 17:48:08 +0000
Subject: [PATCH 2/2] transmission: Add apparmor service dependency
---
 modules/services/torrent/transmission.nix | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/modules/services/torrent/transmission.nix b/modules/services/torrent/transmission.nix
index 742e5bee70c..4c989f09fea 100644
--- a/modules/services/torrent/transmission.nix
+++ b/modules/services/torrent/transmission.nix
@@ -104,8 +104,10 @@ in
 systemd.services.transmission = {
 description = "Transmission BitTorrent Daemon";
- after = [ "network.target" ];
+ after = [ "network.target" ] ++ optional (config.security.apparmor.enable && cfg.apparmor) "apparmor.service";
+ requires = mkIf (config.security.apparmor.enable && cfg.apparmor) [ "apparmor.service" ];
 wantedBy = [ "multi-user.target" ];
+
 # 1) Only the "transmission" user and group have access to torrents.
 # 2) Optionally update/force specific fields into the configuration file.
 serviceConfig.ExecStartPre =
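Review bot: The profile body in this hunk dereferences `cfg.settings.download-dir` and `cfg.settings.incomplete-dir-enabled` unconditionally, but the earlier hunk's `if cfg.settings != {}` check shows that `settings` may be empty, so with AppArmor enabled evaluation would fail on a missing attribute (and `optionalString` would also reject a non-boolean `incomplete-dir-enabled`). Either guard the lookups, e.g. `${optionalString (cfg.settings ? download-dir) "${cfg.settings.download-dir}/** rw,"}` and `${optionalString (cfg.settings.incomplete-dir-enabled or false) ''…''}`, or assert up front that the settings the profile depends on are present, so the failure mode is explicit rather than an evaluation error; note that when `download-dir` is absent the daemon's own default directory would not be covered by the profile at all. Separately, `${pkgs.glibc}/lib/*.so mr,` differs from the sibling rules' `*.so*` pattern and would not match versioned sonames such as `libc.so.6` if glibc's libraries are installed under those names; `${pkgs.glibc}/lib/*.so* mr,` is the consistent form. The `#include` directives appear here without their arguments, which is presumably an artifact of how this page was rendered rather than of the patch itself.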
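Review bot: The two new lines in the last hunk express the same condition in two different forms, `optional (...)` for `after` and `mkIf (...) [ ... ]` for `requires`, and `config.security.apparmor.enable && cfg.apparmor` is now spelled out three times across the two patches. Using one form for both, `requires = optional (config.security.apparmor.enable && cfg.apparmor) "apparmor.service";`, reads more evenly, and binding the condition once (in the module's `let`, which is outside this hunk) would keep the three sites from drifting apart. The `requires` on `apparmor.service` is the right choice: without it a failed profile load would otherwise let the daemon start without confinement. A short comment above `after`, such as `# Start only after the AppArmor profile has been loaded, so the daemon never runs unconfined.`, would record that intent for the next reader.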