nixos/apparmor: remove an IFD

First because IFD (import-from-derivation) is not allowed on hydra.nixos.org,
and second because without https://github.com/NixOS/hydra/pull/825
hydra-eval-jobs crashes instead of skipping aggregated jobs which fail
(here because they required an IFD).
This commit is contained in:
Tony Olagbaiye 2020-12-03 13:45:43 +00:00 committed by Julien Moutinho
parent 05d334cfe2
commit fca06b142a


@ -111,33 +111,39 @@ in
''; '';
# For aa-logprof # For aa-logprof
environment.etc."apparmor/severity.db".source = pkgs.apparmor-utils + "/etc/apparmor/severity.db"; environment.etc."apparmor/severity.db".source = pkgs.apparmor-utils + "/etc/apparmor/severity.db";
environment.etc."apparmor/logprof.conf".text = '' environment.etc."apparmor/logprof.conf".source = pkgs.runCommand "logprof.conf" {
[settings] header = ''
# /etc/apparmor.d/ is read-only on NixOS [settings]
profiledir = /var/cache/apparmor/logprof # /etc/apparmor.d/ is read-only on NixOS
inactive_profiledir = /etc/apparmor.d/disable profiledir = /var/cache/apparmor/logprof
# Use: journalctl -b --since today --grep audit: | aa-logprof inactive_profiledir = /etc/apparmor.d/disable
logfiles = /dev/stdin # Use: journalctl -b --since today --grep audit: | aa-logprof
logfiles = /dev/stdin
parser = ${pkgs.apparmor-parser}/bin/apparmor_parser parser = ${pkgs.apparmor-parser}/bin/apparmor_parser
ldd = ${pkgs.glibc.bin}/bin/ldd ldd = ${pkgs.glibc.bin}/bin/ldd
logger = ${pkgs.utillinux}/bin/logger logger = ${pkgs.utillinux}/bin/logger
# customize how file ownership permissions are presented # customize how file ownership permissions are presented
# 0 - off # 0 - off
# 1 - default of what ever mode the log reported # 1 - default of what ever mode the log reported
# 2 - force the new permissions to be user # 2 - force the new permissions to be user
# 3 - force all perms on the rule to be user # 3 - force all perms on the rule to be user
default_owner_prompt = 1 default_owner_prompt = 1
custom_includes = /etc/apparmor.d ${lib.concatMapStringsSep " " (p: "${p}/etc/apparmor.d") cfg.packages} custom_includes = /etc/apparmor.d ${lib.concatMapStringsSep " " (p: "${p}/etc/apparmor.d") cfg.packages}
[qualifiers] [qualifiers]
${pkgs.runtimeShell} = icnu ${pkgs.runtimeShell} = icnu
${pkgs.bashInteractive}/bin/sh = icnu ${pkgs.bashInteractive}/bin/sh = icnu
${pkgs.bashInteractive}/bin/bash = icnu ${pkgs.bashInteractive}/bin/bash = icnu
'' + head (match "^.*\\[qualifiers](.*)" # Drop the original [settings] section. '';
(readFile "${pkgs.apparmor-utils}/etc/apparmor/logprof.conf")); footer = "${pkgs.apparmor-utils}/etc/apparmor/logprof.conf";
passAsFile = [ "header" ];
} ''
cp $headerPath $out
sed -n '/\\[qualifiers\\]/,''${n;p}' $footer > $out
'';
boot.kernelParams = [ "apparmor=1" "security=apparmor" ]; boot.kernelParams = [ "apparmor=1" "security=apparmor" ];
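Review bot: The `> $out` on the sed line truncates the file that `cp $headerPath $out` just wrote, so the generated logprof.conf loses the whole NixOS [settings] block (profiledir, parser, ldd, logger, custom_includes) and aa-logprof falls back to upstream defaults such as /sbin/apparmor_parser and a read-only /etc/apparmor.d; it must be `>> $out`. The `{n;p}` block also looks wrong as I read it: within the `/[qualifiers]/,$` range, `n` consumes a line before every `p`, so only every other line of the upstream qualifiers section is appended — `sed '1,/\[qualifiers\]/d' $footer >> $out` drops everything up to and including the section header and keeps the remainder intact. As rendered the address reads `\\[qualifiers\\]`; in a Nix `''` string a backslash is literal, so sed would receive a doubled backslash and match a literal backslash rather than `[qualifiers]` — worth confirming this is a single backslash in the source. Since this file is what drives profile generation from audit logs, a silently truncated or half-copied config deserves a quick check of the built output (e.g. `grep -c '^parser =' $out`) in the builder. The enclosing module attribute set begins outside this hunk.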