public/nixpkgs
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

transmission: move apparmor profile to Nixpkgs

Browse Source
This commit is contained in:
Julien Moutinho 2020-12-03 18:03:32 +01:00
parent 03b2156d26
commit b280e64078
2 changed files with 58 additions and 48 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

23
nixos/modules/services/torrent/transmission.nix
View File

@ -359,24 +359,9 @@ in
]; ];
security.apparmor.policies."bin.transmission-daemon".profile = '' security.apparmor.policies."bin.transmission-daemon".profile = ''
include <tunables/global> include "${pkgs.transmission.apparmor}/bin.transmission-daemon"
${pkgs.transmission}/bin/transmission-daemon { '';
include <abstractions/base> security.apparmor.includes."local/bin.transmission-daemon" = ''
include <abstractions/nameservice>
include <abstractions/ssl_certs>
include "${pkgs.apparmorRulesFromClosure
{ name = "transmission-daemon"; }
[ pkgs.transmission ]}"
include <local/bin.transmission-daemon>
r @{PROC}/sys/kernel/random/uuid,
r @{PROC}/sys/vm/overcommit_memory,
r @{PROC}/@{pid}/environ,
r @{PROC}/@{pid}/mounts,
rwk /tmp/tr_session_id_*,
r /run/systemd/resolve/stub-resolv.conf,
r ${pkgs.openssl.out}/etc/**,
r ${config.systemd.services.transmission.environment.CURL_CA_BUNDLE}, r ${config.systemd.services.transmission.environment.CURL_CA_BUNDLE},
owner rw ${cfg.home}/${settingsDir}/**, owner rw ${cfg.home}/${settingsDir}/**,
@ -405,9 +390,7 @@ in
# https://gitlab.com/apparmor/apparmor/-/wikis/AppArmorStacking#seccomp-and-no_new_privs # https://gitlab.com/apparmor/apparmor/-/wikis/AppArmorStacking#seccomp-and-no_new_privs
px ${cfg.settings.script-torrent-done-filename} -> &@{dirs}, px ${cfg.settings.script-torrent-done-filename} -> &@{dirs},
''} ''}
}
''; '';
security.apparmor.includes."local/bin.transmission-daemon" = "";
}; };
meta.maintainers = with lib.maintainers; [ julm ]; meta.maintainers = with lib.maintainers; [ julm ];

27
pkgs/applications/networking/p2p/transmission/default.nix
View File

@ -21,6 +21,7 @@
, enableDaemon ? true , enableDaemon ? true
, enableCli ? true , enableCli ? true
, installLib ? false , installLib ? false
, apparmorRulesFromClosure
}: }:
let let
@ -38,6 +39,8 @@ in stdenv.mkDerivation {
fetchSubmodules = true; fetchSubmodules = true;
}; };
outputs = [ "out" "apparmor" ];
cmakeFlags = cmakeFlags =
let let
mkFlag = opt: if opt then "ON" else "OFF"; mkFlag = opt: if opt then "ON" else "OFF";
@ -74,6 +77,30 @@ in stdenv.mkDerivation {
NIX_LDFLAGS = lib.optionalString stdenv.isDarwin "-framework CoreFoundation"; NIX_LDFLAGS = lib.optionalString stdenv.isDarwin "-framework CoreFoundation";
postInstall = ''
install -D -m 644 /dev/stdin $apparmor/bin.transmission-daemon <<EOF
include <tunables/global>
$out/bin/transmission-daemon {
include <abstractions/base>
include <abstractions/nameservice>
include <abstractions/ssl_certs>
include "${apparmorRulesFromClosure { name = "transmission-daemon"; } ([
curl libevent openssl pcre zlib
] ++ lib.optionals enableSystemd [ systemd ]
++ lib.optionals stdenv.isLinux [ inotify-tools ]
)}"
r @{PROC}/sys/kernel/random/uuid,
r @{PROC}/sys/vm/overcommit_memory,
r @{PROC}/@{pid}/environ,
r @{PROC}/@{pid}/mounts,
rwk /tmp/tr_session_id_*,
r /run/systemd/resolve/stub-resolv.conf,
include <local/bin.transmission-daemon>
}
EOF
'';
meta = { meta = {
description = "A fast, easy and free BitTorrent client"; description = "A fast, easy and free BitTorrent client";
longDescription = '' longDescription = ''