From 84c0af80d77348ca9b1d6d3f3ae18e23eb8c5ed5 Mon Sep 17 00:00:00 2001
From: "Ricardo M. Correia"
Date: Tue, 28 May 2013 16:15:16 +0000
Subject: [PATCH 1/2] apparmor: Fix loading multiple profiles

apparmor's systemd service wasn't working when multiple profiles were defined, due to the ExecStart commands in the service file being broken into multiple lines, instead of being separated by ';'.
---
 modules/security/apparmor.nix | 12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)

diff --git a/modules/security/apparmor.nix b/modules/security/apparmor.nix
index 8aa933e2996..63098fdc661 100644
--- a/modules/security/apparmor.nix
+++ b/modules/security/apparmor.nix
@@ -53,12 +53,12 @@ with pkgs.lib;
 serviceConfig = {
 Type = "oneshot";
 RemainAfterExit = "yes";
- ExecStart = concatMapStrings (profile: ''
- ${pkgs.apparmor}/sbin/apparmor_parser -rKv -I ${pkgs.apparmor}/etc/apparmor.d/ "${profile}"
- '') cfg.profiles;
- ExecStop = concatMapStrings (profile: ''
- ${pkgs.apparmor}/sbin/apparmor_parser -Rv "${profile}"
- '') cfg.profiles;
+ ExecStart = concatMapStrings (profile:
+ ''${pkgs.apparmor}/sbin/apparmor_parser -rKv -I ${pkgs.apparmor}/etc/apparmor.d/ "${profile}" ; ''
+ ) cfg.profiles;
+ ExecStop = concatMapStrings (profile:
+ ''${pkgs.apparmor}/sbin/apparmor_parser -Rv "${profile}" ; ''
+ ) cfg.profiles;
 };
 };

From 531b5816363534fc53f219241ea08a82b310341e Mon Sep 17 00:00:00 2001
From: "Ricardo M. Correia"
Date: Tue, 28 May 2013 17:49:52 +0000
Subject: [PATCH 2/2] apparmor: Fix service stop

When stopping the apparmor service, the profile removal failed with parsing errors due to not including the ${pkgs.apparmor}/etc/apparmor.d directory.
---
 modules/security/apparmor.nix | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/modules/security/apparmor.nix b/modules/security/apparmor.nix
index 63098fdc661..d4aa0598dd3 100644
--- a/modules/security/apparmor.nix
+++ b/modules/security/apparmor.nix
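Review bot: The reason the parser commands now sit on a single line joined by ` ; ` exists only in the commit message; the new `ExecStart`/`ExecStop` expressions in the first hunk deserve a comment so the next reformat does not reintroduce the newline-separated form that broke multi-profile loading. I would add above `ExecStart`: `# systemd runs several commands in a oneshot unit only when they are separated by " ; " on the ExecStart line; newlines are not command separators.` If I recall systemd's Exec semantics correctly, such a chain stops at the first command that exits non-zero and the unit fails, so one unparsable profile leaves the later ones unloaded and the unit inactive, which is the safe fail-closed outcome here and worth stating in the same comment so nobody "fixes" it with a `-` prefix. The enclosing `systemd.services` attribute set starts outside the hunk.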
@@ -57,7 +57,7 @@ with pkgs.lib;
 ''${pkgs.apparmor}/sbin/apparmor_parser -rKv -I ${pkgs.apparmor}/etc/apparmor.d/ "${profile}" ; ''
 ) cfg.profiles;
 ExecStop = concatMapStrings (profile:
- ''${pkgs.apparmor}/sbin/apparmor_parser -Rv "${profile}" ; ''
+ ''${pkgs.apparmor}/sbin/apparmor_parser -Rv -I ${pkgs.apparmor}/etc/apparmor.d/ "${profile}" ; ''
 ) cfg.profiles;
 };
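Review bot: After this fix `ExecStart` and `ExecStop` each spell out the parser path and the `-I ${pkgs.apparmor}/etc/apparmor.d/` include directory, which is exactly the pair that drifted apart and produced the stop-time parse errors this commit repairs; hoisting them into one binding keeps the load and unload invocations from diverging again. For example `let parser = "${pkgs.apparmor}/sbin/apparmor_parser -I ${pkgs.apparmor}/etc/apparmor.d/"; in` with the two command strings becoming `''${parser} -rKv "${profile}" ; ''` and `''${parser} -Rv "${profile}" ; ''`. The attribute set holding `serviceConfig` begins before the hunk, so where the `let` belongs depends on context not visible here.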