From 97bac259d0deae93934357dc7c4bf7628cae88f8 Mon Sep 17 00:00:00 2001
From: Joachim Fasting <joachifm@fastmail.fm>
Date: Fri, 9 Jan 2015 13:57:04 +0100
Subject: [PATCH] dnscrypt-proxy service: update AppArmor profile

This patch fixes the AppArmor profile path clause and adds
(currently ignored) network rules.

The AppArmor profile used to be defined for the path sbin/dnscrypt-proxy,
but the real path is bin/dnscrypt-proxy (due to sbin now being a symlink
to bin), which permitted the service to run unconfined.

Adding the network rules has no effect other than improving correctness,
as the version of AppArmor in the NixOS kernel fails to enforce network
rules.
---
 nixos/modules/services/networking/dnscrypt-proxy.nix | 9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)

diff --git a/nixos/modules/services/networking/dnscrypt-proxy.nix b/nixos/modules/services/networking/dnscrypt-proxy.nix
index 26549bfe6f1..e9aa5cd9792 100644
--- a/nixos/modules/services/networking/dnscrypt-proxy.nix
+++ b/nixos/modules/services/networking/dnscrypt-proxy.nix
@@ -88,7 +88,12 @@ in
     security.apparmor.profiles = mkIf apparmorEnabled [
       (pkgs.writeText "apparmor-dnscrypt-proxy" ''
 
-        ${dnscrypt-proxy}/sbin/dnscrypt-proxy {
+        ${dnscrypt-proxy}/bin/dnscrypt-proxy {
+          network inet stream,
+          network inet6 stream,
+          network inet dgram,
+          network inet6 dgram,
+
           capability ipc_lock,
           capability net_bind_service,
           capability net_admin,
@@ -126,7 +131,7 @@ in
       wantedBy = [ "multi-user.target" ];
       serviceConfig = {
         Type = "forking";
-        ExecStart = "${dnscrypt-proxy}/sbin/dnscrypt-proxy ${toString daemonArgs}";
+        ExecStart = "${dnscrypt-proxy}/bin/dnscrypt-proxy ${toString daemonArgs}";
       };
     };