{ config, lib, pkgs, ... }:

# NixOS module for the AppArmor Mandatory Access Control system.
#
# When enabled it installs the AppArmor userspace tools and defines a oneshot
# systemd unit that loads every profile file listed in
# `security.apparmor.profiles` at boot and unloads them again on stop.

let
  inherit (lib) mkIf mkOption types concatMapStrings;

  cfg = config.security.apparmor;

  # Path of the parser binary used for both loading and unloading profiles.
  parser = "${pkgs.apparmor-parser}/bin/apparmor_parser";

  # One " -I <dir>" flag per package whose etc/apparmor.d directory should be
  # searched for #include'd abstractions/tunables. The stock apparmor-profiles
  # package is searched first, followed by cfg.packages in list order. Each
  # flag carries its own leading space so the flags can be spliced directly
  # into the command line below.
  includeFlags = concatMapStrings (pkg: " -I ${pkg}/etc/apparmor.d")
    ([ pkgs.apparmor-profiles ] ++ cfg.packages);

  # Command that loads (or replaces, -r) a single profile file.
  # -K skips the on-disk profile cache; -v makes the parser verbose so the
  # journal shows which profiles were loaded.
  loadCommand = profile:
    "${parser} -rKv ${includeFlags} \"${profile}\"";

  # Command that removes (-R) a single profile file from the kernel.
  unloadCommand = profile:
    "${parser} -Rv \"${profile}\"";
in

{
  options.security.apparmor = {
    enable = mkOption {
      type = types.bool;
      default = false;
      description = "Enable the AppArmor Mandatory Access Control system.";
    };
    profiles = mkOption {
      type = types.listOf types.path;
      default = [];
      description = "List of files containing AppArmor profiles.";
    };
    packages = mkOption {
      type = types.listOf types.package;
      default = [];
      description = "List of packages to be added to apparmor's include path";
    };
  };

  config = mkIf cfg.enable {
    # aa-status, aa-complain, aa-enforce, ... for administrators.
    environment.systemPackages = [ pkgs.apparmor-utils ];

    systemd.services.apparmor = {
      wantedBy = [ "local-fs.target" ];
      serviceConfig = {
        # Oneshot with RemainAfterExit so the unit reads as "active" after the
        # profiles are loaded and ExecStop runs on shutdown/stop.
        Type = "oneshot";
        RemainAfterExit = "yes";
        # One ExecStart/ExecStop entry per profile file; systemd runs them in
        # sequence. With an empty profile list the unit does nothing.
        ExecStart = map loadCommand cfg.profiles;
        ExecStop = map unloadCommand cfg.profiles;
      };
    };
  };
}