Update AppArmor service module
- Use AppArmor 2.9 - Enable PAM support
This commit is contained in:
parent
65e41b4f08
commit
7a9a24a95e
@ -1,43 +1,61 @@
|
|||||||
{ config, lib, pkgs, ... }:
|
{ config, lib, pkgs, ... }:
|
||||||
|
|
||||||
with lib;
|
|
||||||
|
|
||||||
let
|
let
|
||||||
|
inherit (lib) mkIf mkOption types concatMapStrings;
|
||||||
cfg = config.security.apparmor;
|
cfg = config.security.apparmor;
|
||||||
in
|
in
|
||||||
|
|
||||||
{
|
{
|
||||||
options = {
|
#### interface
|
||||||
security.apparmor = {
|
options = {
|
||||||
enable = mkOption {
|
|
||||||
type = types.bool;
|
|
||||||
default = false;
|
|
||||||
description = "Enable the AppArmor Mandatory Access Control system.";
|
|
||||||
};
|
|
||||||
|
|
||||||
profiles = mkOption {
|
security.apparmor = {
|
||||||
type = types.listOf types.path;
|
|
||||||
default = [];
|
|
||||||
description = "List of files containing AppArmor profiles.";
|
|
||||||
};
|
|
||||||
};
|
|
||||||
};
|
|
||||||
|
|
||||||
config = mkIf cfg.enable {
|
enable = mkOption {
|
||||||
environment.systemPackages = [ pkgs.apparmor ];
|
type = types.bool;
|
||||||
systemd.services.apparmor = {
|
default = false;
|
||||||
wantedBy = [ "local-fs.target" ];
|
description = "Enable the AppArmor Mandatory Access Control system.";
|
||||||
path = [ pkgs.apparmor ];
|
};
|
||||||
|
|
||||||
serviceConfig = {
|
profiles = mkOption {
|
||||||
Type = "oneshot";
|
type = types.listOf types.path;
|
||||||
RemainAfterExit = "yes";
|
default = [];
|
||||||
ExecStart = concatMapStrings (profile:
|
description = "List of files containing AppArmor profiles.";
|
||||||
''${pkgs.apparmor}/sbin/apparmor_parser -rKv -I ${pkgs.apparmor}/etc/apparmor.d/ "${profile}" ; ''
|
};
|
||||||
) cfg.profiles;
|
|
||||||
ExecStop = concatMapStrings (profile:
|
};
|
||||||
''${pkgs.apparmor}/sbin/apparmor_parser -Rv -I ${pkgs.apparmor}/etc/apparmor.d/ "${profile}" ; ''
|
|
||||||
) cfg.profiles;
|
};
|
||||||
};
|
|
||||||
};
|
#### implementation
|
||||||
};
|
config = mkIf cfg.enable {
|
||||||
|
|
||||||
|
environment.systemPackages = [
|
||||||
|
pkgs.apparmor-utils
|
||||||
|
];
|
||||||
|
|
||||||
|
systemd.services.apparmor = {
|
||||||
|
wantedBy = [ "local-fs.target" ];
|
||||||
|
|
||||||
|
serviceConfig = {
|
||||||
|
Type = "oneshot";
|
||||||
|
RemainAfterExit = "yes";
|
||||||
|
ExecStart = concatMapStrings (p:
|
||||||
|
''${pkgs.apparmor-parser}/bin/apparmor_parser -rKv -I ${pkgs.apparmor-profiles}/etc/apparmor.d "${p}" ; ''
|
||||||
|
) cfg.profiles;
|
||||||
|
ExecStop = concatMapStrings (p:
|
||||||
|
''${pkgs.apparmor-parser}/bin/apparmor_parser -Rv "${p}" ; ''
|
||||||
|
) cfg.profiles;
|
||||||
|
};
|
||||||
|
};
|
||||||
|
|
||||||
|
security.pam.services.apparmor.text = ''
|
||||||
|
## The AppArmor service changes hats according to order: first try
|
||||||
|
## user, then group, and finally fall back to a hat called "DEFAULT"
|
||||||
|
##
|
||||||
|
## For now, enable debugging as this is an experimental feature.
|
||||||
|
session optional ${pkgs.apparmor-pam}/lib/security/pam_apparmor.so order=user,group,default debug
|
||||||
|
'';
|
||||||
|
|
||||||
|
};
|
||||||
}
|
}
|
||||||
|
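Review bot: The new `ExecStop` drops the `-I ${pkgs.apparmor-profiles}/etc/apparmor.d` include directory that the new `ExecStart` still passes, yet `apparmor_parser -R` has to parse the profile file (and whatever abstractions it includes) to learn which names to unload, so a profile that includes an abstraction would presumably fail to parse on stop and remain loaded; both lines should use the same include path, e.g. `''${pkgs.apparmor-parser}/bin/apparmor_parser -Rv -I ${pkgs.apparmor-profiles}/etc/apparmor.d "${p}" ; ''`. Separately, the PAM line hard-codes `debug` on `pam_apparmor.so` for every session with only the `## For now` comment as a reminder; gating it behind a module option, or at least a TODO that names the condition for removing it, would keep the extra session logging from becoming permanent. It would also help to document above `ExecStart` that systemd splits the concatenated string on the standalone ` ; ` token and, as far as I recall, stops executing the remaining commands once one `apparmor_parser` call fails, so a single bad entry in `cfg.profiles` leaves the later profiles unloaded while the unit reports failure.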