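# AppArmor confinement for the SUID ping wrapper.
#
# When `security.apparmor.confineSUIDApplications` is set (the default is
# true), this module appends one profile for /run/wrappers/bin/ping to
# `security.apparmor.profiles`.  The profile allows only:
#   - the `net_raw` capability and an IPv4 raw socket (`network inet raw`),
#   - the `setuid` capability (presumably so ping can drop its elevated
#     privileges after opening the socket — verify against iputils),
#   - read/mmap (`mr`) of the glibc, libcap and libattr shared objects,
#   - read/mmap and execution of the real iputils ping binary with this
#     profile inherited (`ix`).
#
# NOTE(review): only `network inet raw` is granted, so IPv6 probes would be
# denied under this profile; if the iputils build in use is dual-stack,
# `network inet6 raw` is needed as well — confirm before adding.
{ config, lib, pkgs, ... }:

let
  cfg = config.security.apparmor;
in
{
  options.security.apparmor.confineSUIDApplications = lib.mkOption {
    # Declared with an explicit type so that a non-boolean definition is
    # rejected at evaluation time instead of being merged unchecked.
    type = lib.types.bool;
    default = true;
    description = ''
      Install AppArmor profiles for commonly-used SUID application
      to mitigate potential privilege escalation attacks due to bugs
      in such applications.

      Currently available profiles: ping
    '';
  };

  config = lib.mkIf cfg.confineSUIDApplications {
    # The store paths are interpolated at evaluation time, so the profile
    # always names the exact glibc/libcap/attr/iputils outputs of this
    # system closure rather than a generic /nix/store glob.
    security.apparmor.profiles = [
      (pkgs.writeText "ping" ''
        #include <tunables/global>
        /run/wrappers/bin/ping {
          #include <abstractions/base>
          #include <abstractions/consoles>
          #include <abstractions/nameservice>

          capability net_raw,
          capability setuid,
          network inet raw,

          ${pkgs.glibc.out}/lib/*.so mr,
          ${pkgs.libcap.lib}/lib/libcap.so* mr,
          ${pkgs.attr.out}/lib/libattr.so* mr,

          ${pkgs.iputils}/bin/ping mixr,

          #/etc/modules.conf r,

          ## Site-specific additions and overrides. See local/README for details.
          ##include <local/bin.ping>
        }
      '')
    ];
  };
}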