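{ config, lib, pkgs, ... }:
let
  inherit (builtins) hasAttr isAttrs;
  inherit (lib) getLib;
  inherit (config.environment) etc;

  # Generate one AppArmor path rule for a file that is managed through
  # config.environment.etc.
  #
  # `arg` is either the /etc-relative name of an entry (e.g. "hosts") or an
  # attribute set { path; mode ? "r"; trail ? ""; } where `path` is that
  # name, `mode` the AppArmor permission string (default: read only) and
  # `trail` a suffix, typically a glob such as "/**", appended to the path.
  #
  # The rule targets the entry's store `source`, not the /etc symlink.
  # When the entry is not defined in config.environment.etc the result is
  # the empty string: the rule is dropped and no access is granted, so a
  # missing entry makes the profile stricter rather than more permissive.
  etcRule = arg:
    let
      go = { path, mode ? "r", trail ? "" }:
        lib.optionalString (hasAttr path etc)
          "${mode} ${etc.${path}.source}${trail},";
    in
    if isAttrs arg then go arg else go { path = arg; };
in
{
  # FIXME: most of the etcRule calls below have been
  # written systematically by converting from apparmor-profiles's profiles
  # without testing nor deep understanding of their uses,
  # and thus may need more rules or can have less rules;
  # this remains to be determined case by case,
  # some may even be completely useless.
  config.security.apparmor.includes = {
    # This one is included by <tunables/global>
    # which is usually included before any profile.
    # It maps the FHS locations used by upstream profiles onto the
    # NixOS system profile under /run/current-system.
    "abstractions/tunables/alias" = ''
      alias /bin -> /run/current-system/sw/bin,
      alias /lib/modules -> /run/current-system/kernel/lib/modules,
      alias /sbin -> /run/current-system/sw/sbin,
      alias /usr -> /run/current-system/sw,
    '';

    "abstractions/audio" = ''
      include "${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/audio"
    '' + lib.concatMapStringsSep "\n" etcRule [
      "asound.conf"
      "esound/esd.conf"
      "libao.conf"
      { path = "pulse"; trail = "/"; }
      { path = "pulse"; trail = "/**"; }
      { path = "sound"; trail = "/"; }
      { path = "sound"; trail = "/**"; }
      { path = "alsa/conf.d"; trail = "/"; }
      { path = "alsa/conf.d"; trail = "/*"; }
      "openal/alsoft.conf"
      "wildmidi/wildmidi.conf"
    ];

    # Note: this grants read access to the sources of shadow and gshadow;
    # include it only in profiles that actually perform authentication.
    "abstractions/authentication" = ''
      include "${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/authentication"
      # Defined in security.pam
      include <abstractions/pam>
    '' + lib.concatMapStringsSep "\n" etcRule [
      "nologin"
      "securetty"
      { path = "security"; trail = "/*"; }
      "shadow"
      "gshadow"
      "pwdb.conf"
      "default/passwd"
      "login.defs"
    ];

    "abstractions/base" = ''
      include "${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/base"
      r ${pkgs.stdenv.cc.libc}/share/locale/**,
      r ${pkgs.stdenv.cc.libc}/share/locale.alias,
      r ${config.i18n.glibcLocales}/lib/locale/locale-archive,
      ${etcRule "localtime"}
      r ${pkgs.tzdata}/share/zoneinfo/**,
      r ${pkgs.stdenv.cc.libc}/share/i18n/**,
    '';

    "abstractions/bash" = ''
      include "${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/bash"

      # bash inspects filesystems at startup
      # and /etc/mtab is linked to /proc/mounts
      r @{PROC}/mounts,

      # system-wide bash configuration
    '' + lib.concatMapStringsSep "\n" etcRule [
      "profile.dos"
      "profile"
      "profile.d"
      { path = "profile.d"; trail = "/*"; }
      "bashrc"
      "bash.bashrc"
      "bash.bashrc.local"
      "bash_completion"
      "bash_completion.d"
      { path = "bash_completion.d"; trail = "/*"; }
      # bash relies on system-wide readline configuration
      "inputrc"
      # run out of /etc/bash.bashrc
      "DIR_COLORS"
    ];

    "abstractions/consoles" = ''
      include "${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/consoles"
    '';

    "abstractions/cups-client" = ''
      include "${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/cups-client"
      ${etcRule "cups/cups-client.conf"}
    '';

    "abstractions/dbus-session-strict" = ''
      include "${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/dbus-session-strict"
      ${etcRule "machine-id"}
    '';

    "abstractions/dconf" = ''
      include "${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/dconf"
      ${etcRule { path = "dconf"; trail = "/**"; }}
    '';

    "abstractions/dri-common" = ''
      include "${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/dri-common"
      ${etcRule "drirc"}
    '';

    # The config.fonts.fontconfig NixOS module adds many files to /etc/fonts/
    # by symlinking them but without exporting them outside of its NixOS module,
    # those are therefore added there to this "abstractions/fonts".
    "abstractions/fonts" = ''
      include "${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/fonts"
      ${etcRule { path = "fonts"; trail = "/**"; }}
    '';

    "abstractions/gnome" = ''
      include "${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/gnome"
      include <abstractions/fonts>
    '' + lib.concatMapStringsSep "\n" etcRule [
      { path = "gnome"; trail = "/gtkrc*"; }
      { path = "gtk"; trail = "/*"; }
      { path = "gtk-2.0"; trail = "/*"; }
      { path = "gtk-3.0"; trail = "/*"; }
      "orbitrc"
      { path = "pango"; trail = "/*"; }
      # Keys of config.environment.etc are relative to /etc, like every other
      # entry in these lists; the former "/etc/" prefix here could never match
      # an entry, so these two rules were silently dropped.
      { path = "gnome-vfs-2.0"; trail = "/modules/"; }
      { path = "gnome-vfs-2.0"; trail = "/modules/*"; }
      "papersize"
      { path = "cups"; trail = "/lpoptions"; }
      { path = "gnome"; trail = "/defaults.list"; }
      { path = "xdg"; trail = "/{,*-}mimeapps.list"; }
      "xdg/mimeapps.list"
    ];

    "abstractions/kde" = ''
      include "${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/kde"
    '' + lib.concatMapStringsSep "\n" etcRule [
      { path = "qt3"; trail = "/kstylerc"; }
      { path = "qt3"; trail = "/qt_plugins_3.3rc"; }
      { path = "qt3"; trail = "/qtrc"; }
      "kderc"
      { path = "kde3"; trail = "/*"; }
      "kde4rc"
      { path = "xdg"; trail = "/kdeglobals"; }
      { path = "xdg"; trail = "/Trolltech.conf"; }
    ];

    "abstractions/kerberosclient" = ''
      include "${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/kerberosclient"
    '' + lib.concatMapStringsSep "\n" etcRule [
      # "rk": read plus file locking on the keytab.
      { path = "krb5.keytab"; mode = "rk"; }
      "krb5.conf"
      "krb5.conf.d"
      { path = "krb5.conf.d"; trail = "/*"; }

      # config files found via strings on libs
      "krb.conf"
      "krb.realms"
      "srvtab"
    ];

    "abstractions/ldapclient" = ''
      include "${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/ldapclient"
    '' + lib.concatMapStringsSep "\n" etcRule [
      "ldap.conf"
      "ldap.secret"
      { path = "openldap"; trail = "/*"; }
      { path = "openldap"; trail = "/cacerts/*"; }
      { path = "sasl2"; trail = "/*"; }
    ];

    "abstractions/likewise" = ''
      include "${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/likewise"
    '';

    "abstractions/mdns" = ''
      include "${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/mdns"
      ${etcRule "nss_mdns.conf"}
    '';

    "abstractions/nameservice" = ''
      include "${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/nameservice"

      # Many programs wish to perform nameservice-like operations, such as
      # looking up users by name or id, groups by name or id, hosts by name
      # or IP, etc. These operations may be performed through files, dns,
      # NIS, NIS+, LDAP, hesiod, wins, etc. Allow them all here.
      mr ${getLib pkgs.nss}/lib/libnss_*.so*,
      mr ${getLib pkgs.nss}/lib64/libnss_*.so*,
    '' + lib.concatMapStringsSep "\n" etcRule [
      "group"
      "host.conf"
      "hosts"
      "nsswitch.conf"
      "gai.conf"
      "passwd"
      "protocols"

      # libtirpc (used for NIS/YP login) needs this
      "netconfig"

      "resolv.conf"

      { path = "samba"; trail = "/lmhosts"; }
      "services"

      "default/nss"

      # libnl-3-200 via libnss-gw-name
      { path = "libnl"; trail = "/classid"; }
      { path = "libnl-3"; trail = "/classid"; }
    ];

    "abstractions/nis" = ''
      include "${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/nis"
    '';

    "abstractions/nss-systemd" = ''
      include "${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/nss-systemd"
    '';

    "abstractions/nvidia" = ''
      include "${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/nvidia"
      ${etcRule "vdpau_wrapper.cfg"}
    '';

    "abstractions/opencl-common" = ''
      include "${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/opencl-common"
      ${etcRule { path = "OpenCL"; trail = "/**"; }}
    '';

    "abstractions/opencl-mesa" = ''
      include "${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/opencl-mesa"
      ${etcRule "default/drirc"}
    '';

    "abstractions/openssl" = ''
      include "${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/openssl"
      ${etcRule { path = "ssl"; trail = "/openssl.cnf"; }}
    '';

    "abstractions/p11-kit" = ''
      include "${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/p11-kit"
    '' + lib.concatMapStringsSep "\n" etcRule [
      { path = "pkcs11"; trail = "/"; }
      { path = "pkcs11"; trail = "/pkcs11.conf"; }
      { path = "pkcs11"; trail = "/modules/"; }
      { path = "pkcs11"; trail = "/modules/*"; }
    ];

    "abstractions/perl" = ''
      include "${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/perl"
      ${etcRule { path = "perl"; trail = "/**"; }}
    '';

    "abstractions/php" = ''
      include "${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/php"
    '' + lib.concatMapStringsSep "\n" etcRule [
      { path = "php"; trail = "/**/"; }
      { path = "php5"; trail = "/**/"; }
      { path = "php7"; trail = "/**/"; }
      { path = "php"; trail = "/**.ini"; }
      { path = "php5"; trail = "/**.ini"; }
      { path = "php7"; trail = "/**.ini"; }
    ];

    "abstractions/postfix-common" = ''
      include "${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/postfix-common"
    '' + lib.concatMapStringsSep "\n" etcRule [
      "mailname"
      { path = "postfix"; trail = "/*.cf"; }
      "postfix/main.cf"
      "postfix/master.cf"
    ];

    "abstractions/python" = ''
      include "${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/python"
    '';

    "abstractions/qt5" = ''
      include "${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/qt5"
    '' + lib.concatMapStringsSep "\n" etcRule [
      { path = "xdg"; trail = "/QtProject/qtlogging.ini"; }
      { path = "xdg/QtProject"; trail = "/qtlogging.ini"; }
      "xdg/QtProject/qtlogging.ini"
    ];

    "abstractions/samba" = ''
      include "${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/samba"
      ${etcRule { path = "samba"; trail = "/*"; }}
    '';

    # Public certificate material only; private keys live in
    # "abstractions/ssl_keys" below.
    "abstractions/ssl_certs" = ''
      include "${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/ssl_certs"

      # For the NixOS module: security.acme
      r /var/lib/acme/*/cert.pem,
      r /var/lib/acme/*/chain.pem,
      r /var/lib/acme/*/fullchain.pem,

      r /etc/pki/tls/certs/,

    '' + lib.concatMapStringsSep "\n" etcRule [
      "ssl/certs/ca-certificates.crt"
      "ssl/certs/ca-bundle.crt"
      "pki/tls/certs/ca-bundle.crt"

      { path = "ssl/trust"; trail = "/"; }
      { path = "ssl/trust"; trail = "/*"; }
      { path = "ssl/trust/anchors"; trail = "/"; }
      { path = "ssl/trust/anchors"; trail = "/**"; }
      { path = "pki/trust"; trail = "/"; }
      { path = "pki/trust"; trail = "/*"; }
      { path = "pki/trust/anchors"; trail = "/"; }
      { path = "pki/trust/anchors"; trail = "/**"; }
    ];

    # Grants read access to the key files of every security.acme certificate
    # (the "*" is not restricted to one certificate name). Include this only
    # in profiles of services that terminate TLS themselves.
    "abstractions/ssl_keys" = ''
      # security.acme NixOS module
      r /var/lib/acme/*/full.pem,
      r /var/lib/acme/*/key.pem,
    '';

    "abstractions/vulkan" = ''
      include "${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/vulkan"
      ${etcRule { path = "vulkan/icd.d"; trail = "/"; }}
      ${etcRule { path = "vulkan/icd.d"; trail = "/*.json"; }}
    '';

    "abstractions/winbind" = ''
      include "${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/winbind"
      ${etcRule { path = "samba"; trail = "/smb.conf"; }}
      ${etcRule { path = "samba"; trail = "/dhcp.conf"; }}
    '';

    "abstractions/X" = ''
      include "${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/X"
      ${etcRule { path = "X11/cursors"; trail = "/"; }}
      ${etcRule { path = "X11/cursors"; trail = "/**"; }}
    '';
  };
}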