Remove tabs
parent
2c4db1a6cf
commit
f5233bbf82
@ -20,21 +20,21 @@ with pkgs.lib;
|
|||||||
security.apparmor.profiles = [ (pkgs.writeText "ping" ''
|
security.apparmor.profiles = [ (pkgs.writeText "ping" ''
|
||||||
#include <tunables/global>
|
#include <tunables/global>
|
||||||
/var/setuid-wrappers/ping {
|
/var/setuid-wrappers/ping {
|
||||||
#include <abstractions/base>
|
#include <abstractions/base>
|
||||||
#include <abstractions/consoles>
|
#include <abstractions/consoles>
|
||||||
#include <abstractions/nameservice>
|
#include <abstractions/nameservice>
|
||||||
|
|
||||||
capability net_raw,
|
capability net_raw,
|
||||||
capability setuid,
|
capability setuid,
|
||||||
network inet raw,
|
network inet raw,
|
||||||
|
|
||||||
${pkgs.glibc}/lib/*.so mr,
|
${pkgs.glibc}/lib/*.so mr,
|
||||||
/var/setuid-wrappers/ping.real mixr,
|
/var/setuid-wrappers/ping.real mixr,
|
||||||
${pkgs.iputils}/sbin/ping mixr,
|
${pkgs.iputils}/sbin/ping mixr,
|
||||||
#/etc/modules.conf r,
|
#/etc/modules.conf r,
|
||||||
|
|
||||||
## Site-specific additions and overrides. See local/README for details.
|
## Site-specific additions and overrides. See local/README for details.
|
||||||
##include <local/bin.ping>
|
##include <local/bin.ping>
|
||||||
}
|
}
|
||||||
'') ];
|
'') ];
|
||||||
};
|
};
|
||||||
|
@ -1,8 +1,11 @@
|
|||||||
{pkgs, config, ...}:
|
{pkgs, config, ...}:
|
||||||
|
|
||||||
let
|
let
|
||||||
cfg = config.security.apparmor;
|
cfg = config.security.apparmor;
|
||||||
in
|
in
|
||||||
|
|
||||||
with pkgs.lib;
|
with pkgs.lib;
|
||||||
|
|
||||||
{
|
{
|
||||||
|
|
||||||
###### interface
|
###### interface
|
||||||
@ -14,17 +17,17 @@ with pkgs.lib;
|
|||||||
enable = mkOption {
|
enable = mkOption {
|
||||||
default = false;
|
default = false;
|
||||||
description = ''
|
description = ''
|
||||||
Enable AppArmor application security system. Enable only if you want to further improve
|
Enable AppArmor application security system. Enable only if
|
||||||
AppArmor.
|
you want to further improve AppArmor.
|
||||||
'';
|
'';
|
||||||
};
|
};
|
||||||
|
|
||||||
profiles = mkOption {
|
profiles = mkOption {
|
||||||
default = [];
|
default = [];
|
||||||
merge = mergeListOption;
|
merge = mergeListOption;
|
||||||
description = ''
|
description = ''
|
||||||
List of file names of AppArmor profiles.
|
List of file names of AppArmor profiles.
|
||||||
'';
|
'';
|
||||||
};
|
};
|
||||||
|
|
||||||
};
|
};
|
||||||
@ -48,8 +51,8 @@ AppArmor.
|
|||||||
path = [ pkgs.apparmor ];
|
path = [ pkgs.apparmor ];
|
||||||
|
|
||||||
serviceConfig = {
|
serviceConfig = {
|
||||||
Type = "oneshot";
|
Type = "oneshot";
|
||||||
RemainAfterExit = "yes";
|
RemainAfterExit = "yes";
|
||||||
ExecStart = concatMapStrings (profile: ''
|
ExecStart = concatMapStrings (profile: ''
|
||||||
${pkgs.apparmor}/sbin/apparmor_parser -rKv -I ${pkgs.apparmor}/etc/apparmor.d/ "${profile}"
|
${pkgs.apparmor}/sbin/apparmor_parser -rKv -I ${pkgs.apparmor}/etc/apparmor.d/ "${profile}"
|
||||||
'') cfg.profiles;
|
'') cfg.profiles;
|
||||||
|