1{
2 config,
3 lib,
4 pkgs,
5 ...
6}:
7let
8 inherit (builtins) attrNames hasAttr isAttrs;
9 inherit (lib) getLib;
10 inherit (config.environment) etc;
# Render one AppArmor file rule for an entry of config.environment.etc.
#
# The argument is either a bare string (the attribute name under
# environment.etc) or an attrset { path, mode ? "r", trail ? "" }.
# The lookup is an exact attribute-name match: `path = "pulse"` matches only
# an entry declared under the name "pulse", not one named "pulse/client.conf".
# When the entry exists, the rule is written against its `.source` with
# `trail` appended; when it does not, the result is the empty string, so no
# access is granted for that name.
# NOTE(review): `path` defaults to null and is handed to hasAttr unchecked;
# an attrset argument without `path` presumably fails at evaluation - confirm.
etcRule =
  arg:
  let
    render =
      {
        path ? null,
        mode ? "r",
        trail ? "",
      }:
      lib.optionalString (hasAttr path etc) "${mode} ${etc.${path}.source}${trail},";
    # Normalise the bare-string form to the attrset form.
    spec = if isAttrs arg then arg else { path = arg; };
  in
  render spec;
25in
26{
  # FIXME: most of the etcRule calls below were written systematically
  # by converting apparmor-profiles's profiles,
  # without testing or a deep understanding of their uses,
  # and thus may need more rules or could do with fewer rules;
  # this remains to be determined case by case,
  # and some may even be completely useless.
33 config.security.apparmor.includes = {
# This one is included by <tunables/global>
# which is usually included before any profile.
# It aliases /bin, /lib/modules, /sbin and /usr to their locations under
# /run/current-system.
"abstractions/tunables/alias" = ''
  alias /bin -> /run/current-system/sw/bin,
  alias /lib/modules -> /run/current-system/kernel/lib/modules,
  alias /sbin -> /run/current-system/sw/sbin,
  alias /usr -> /run/current-system/sw,
'';
# Audio abstraction: the upstream rules followed by one read rule for each
# sound-related name below that is declared in config.environment.etc.
# Names that are not declared yield an empty string from etcRule, i.e. an
# empty line and no rule.
"abstractions/audio" =
  let
    # Shorthand for the attrset form of etcRule's argument.
    sub = path: trail: { inherit path trail; };
    upstream = ''
      include "${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/audio"
    '';
    etcRules = map etcRule [
      "asound.conf"
      "esound/esd.conf"
      "libao.conf"
      (sub "pulse" "/")
      (sub "pulse" "/**")
      (sub "sound" "/")
      (sub "sound" "/**")
      (sub "alsa/conf.d" "/")
      (sub "alsa/conf.d" "/*")
      "openal/alsoft.conf"
      "wildmidi/wildmidi.conf"
    ];
  in
  upstream + lib.concatStringsSep "\n" etcRules;
# Authentication abstraction: upstream rules, the PAM abstraction, and read
# rules for the login-related names below that are declared in
# config.environment.etc.
# "shadow" and "gshadow" are in the list: if either is ever declared in
# environment.etc, every profile that includes this abstraction gets read
# access to that entry's source.
# NOTE(review): confirm that is intended, and that such a source is never a
# file holding real password hashes.
"abstractions/authentication" =
  ''
    include "${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/authentication"
    # Defined in security.pam
    include <abstractions/pam>
  ''
  + lib.concatMapStringsSep "\n" etcRule [
    "nologin"
    "securetty"
    {
      path = "security";
      trail = "/*";
    }
    "shadow"
    "gshadow"
    "pwdb.conf"
    "default/passwd"
    "login.defs"
  ];
# Base abstraction: upstream rules plus read access to the locale data of the
# C library, the glibcLocales locale archive, the tzdata zoneinfo tree and,
# when declared in config.environment.etc, "localtime".
# All paths are interpolated from packages or options, so the rules follow the
# versions actually selected by the configuration.
"abstractions/base" = ''
  include "${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/base"
  r ${pkgs.stdenv.cc.libc}/share/locale/**,
  r ${pkgs.stdenv.cc.libc}/share/locale.alias,
  r ${config.i18n.glibcLocales}/lib/locale/locale-archive,
  ${etcRule "localtime"}
  r ${pkgs.tzdata}/share/zoneinfo/**,
  r ${pkgs.stdenv.cc.libc}/share/i18n/**,
'';
# Bash abstraction: upstream rules, read access to @{PROC}/mounts, and read
# rules for the system-wide shell configuration names below that are declared
# in config.environment.etc.
# "profile.d" and "bash_completion.d" appear twice on purpose of the list's
# shape: once bare (the entry itself) and once with trail "/*" (its children).
"abstractions/bash" =
  ''
    include "${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/bash"

    # bash inspects filesystems at startup
    # and /etc/mtab is linked to /proc/mounts
    r @{PROC}/mounts,

    # system-wide bash configuration
  ''
  + lib.concatMapStringsSep "\n" etcRule [
    "profile.dos"
    "profile"
    "profile.d"
    {
      path = "profile.d";
      trail = "/*";
    }
    "bashrc"
    "bash.bashrc"
    "bash.bashrc.local"
    "bash_completion"
    "bash_completion.d"
    {
      path = "bash_completion.d";
      trail = "/*";
    }
    # bash relies on system-wide readline configuration
    "inputrc"
    # run out of /etc/bash.bashrc
    "DIR_COLORS"
  ];
# Upstream "consoles" abstraction, passed through without additions.
"abstractions/consoles" = ''
  include "${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/consoles"
'';
# Upstream rules plus a read rule for "cups/cups-client.conf" when that name
# is declared in config.environment.etc.
"abstractions/cups-client" = ''
  include "${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/cups-client"
  ${etcRule "cups/cups-client.conf"}
'';
# Upstream rules plus a read rule for "machine-id" when declared.
"abstractions/dbus-session-strict" = ''
  include "${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/dbus-session-strict"
  ${etcRule "machine-id"}
'';
# Upstream rules plus a recursive read rule below the "dconf" entry when an
# entry with exactly that name is declared.
"abstractions/dconf" = ''
  include "${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/dconf"
  ${etcRule {
    path = "dconf";
    trail = "/**";
  }}
'';
# Upstream rules plus a read rule for "drirc" when declared.
"abstractions/dri-common" = ''
  include "${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/dri-common"
  ${etcRule "drirc"}
'';
# The config.fonts.fontconfig NixOS module adds many files to /etc/fonts/
# by symlinking them, but does not export them outside of its NixOS module;
# they are therefore added here, in "abstractions/fonts".
# The rule below is only emitted when an entry named exactly "fonts" is
# declared in config.environment.etc, and it then covers everything beneath
# that entry's source.
"abstractions/fonts" = ''
  include "${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/fonts"
  ${etcRule {
    path = "fonts";
    trail = "/**";
  }}
'';
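# GNOME abstraction: upstream rules, the fonts abstraction, and read rules for
# the GTK/GNOME configuration names below that are declared in
# config.environment.etc.
"abstractions/gnome" =
  ''
    include "${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/gnome"
    include <abstractions/fonts>
  ''
  + lib.concatMapStringsSep "\n" etcRule [
    {
      path = "gnome";
      trail = "/gtkrc*";
    }
    {
      path = "gtk";
      trail = "/*";
    }
    {
      path = "gtk-2.0";
      trail = "/*";
    }
    {
      path = "gtk-3.0";
      trail = "/*";
    }
    "orbitrc"
    {
      path = "pango";
      trail = "/*";
    }
    # etcRule looks `path` up as an attribute name of config.environment.etc,
    # and every other name in this file is given relative to /etc. These two
    # entries used to carry a leading "/etc/", which no such attribute name
    # would match, so their rules could never be emitted.
    {
      path = "gnome-vfs-2.0";
      trail = "/modules/";
    }
    {
      path = "gnome-vfs-2.0";
      trail = "/modules/*";
    }
    "papersize"
    {
      path = "cups";
      trail = "/lpoptions";
    }
    {
      path = "gnome";
      trail = "/defaults.list";
    }
    {
      path = "xdg";
      trail = "/{,*-}mimeapps.list";
    }
    "xdg/mimeapps.list"
  ];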
# KDE abstraction: upstream rules followed by read rules for the Qt3/KDE
# configuration names below that are declared in config.environment.etc.
"abstractions/kde" =
  let
    # Shorthand for the attrset form of etcRule's argument.
    sub = path: trail: { inherit path trail; };
    upstream = ''
      include "${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/kde"
    '';
    etcRules = map etcRule [
      (sub "qt3" "/kstylerc")
      (sub "qt3" "/qt_plugins_3.3rc")
      (sub "qt3" "/qtrc")
      "kderc"
      (sub "kde3" "/*")
      "kde4rc"
      (sub "xdg" "/kdeglobals")
      (sub "xdg" "/Trolltech.conf")
    ];
  in
  upstream + lib.concatStringsSep "\n" etcRules;
# Kerberos client abstraction: upstream rules plus rules for the Kerberos
# configuration names below that are declared in config.environment.etc.
# "krb5.keytab" is the only entry with a non-default mode ("rk").
# NOTE(review): a keytab holds long-term keys, and the rule is written against
# the environment.etc entry's source. If that source is a Nix store path the
# file is presumably world-readable regardless of this rule - confirm keytabs
# are never provisioned that way.
"abstractions/kerberosclient" =
  ''
    include "${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/kerberosclient"
  ''
  + lib.concatMapStringsSep "\n" etcRule [
    {
      path = "krb5.keytab";
      mode = "rk";
    }
    "krb5.conf"
    "krb5.conf.d"
    {
      path = "krb5.conf.d";
      trail = "/*";
    }

    # config files found via strings on libs
    "krb.conf"
    "krb.realms"
    "srvtab"
  ];
# LDAP client abstraction: upstream rules plus read rules for the LDAP/SASL
# names below that are declared in config.environment.etc.
# NOTE(review): "ldap.secret" is, by its name, a credential file; if it is
# declared in environment.etc, every profile including this abstraction may
# read its source - confirm that is wanted.
"abstractions/ldapclient" =
  ''
    include "${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/ldapclient"
  ''
  + lib.concatMapStringsSep "\n" etcRule [
    "ldap.conf"
    "ldap.secret"
    {
      path = "openldap";
      trail = "/*";
    }
    {
      path = "openldap";
      trail = "/cacerts/*";
    }
    {
      path = "sasl2";
      trail = "/*";
    }
  ];
# Upstream "likewise" abstraction, passed through without additions.
"abstractions/likewise" = ''
  include "${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/likewise"
'';
# Upstream rules plus a read rule for "nss_mdns.conf" when that name is
# declared in config.environment.etc.
"abstractions/mdns" = ''
  include "${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/mdns"
  ${etcRule "nss_mdns.conf"}
'';
# Name-service abstraction: upstream rules, "mr" rules for libnss_*.so* under
# the lib output of pkgs.nss, and read rules for the resolver and account
# database names below that are declared in config.environment.etc.
# NOTE(review): the libnss_*.so* glob looks aimed at name-service-switch
# modules, while pkgs.nss is presumably the Network Security Services
# package, whose libraries may not match that glob - verify these two rules
# grant what was intended.
"abstractions/nameservice" =
  ''
    include "${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/nameservice"

    # Many programs wish to perform nameservice-like operations, such as
    # looking up users by name or id, groups by name or id, hosts by name
    # or IP, etc. These operations may be performed through files, dns,
    # NIS, NIS+, LDAP, hesiod, wins, etc. Allow them all here.
    mr ${getLib pkgs.nss}/lib/libnss_*.so*,
    mr ${getLib pkgs.nss}/lib64/libnss_*.so*,
  ''
  + lib.concatMapStringsSep "\n" etcRule [
    "group"
    "host.conf"
    "hosts"
    "nsswitch.conf"
    "gai.conf"
    "passwd"
    "protocols"

    # libtirpc (used for NIS/YP login) needs this
    "netconfig"

    "resolv.conf"

    {
      path = "samba";
      trail = "/lmhosts";
    }
    "services"

    "default/nss"

    # libnl-3-200 via libnss-gw-name
    {
      path = "libnl";
      trail = "/classid";
    }
    {
      path = "libnl-3";
      trail = "/classid";
    }
  ];
# Upstream "nis" abstraction, passed through without additions.
"abstractions/nis" = ''
  include "${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/nis"
'';
# Upstream "nss-systemd" abstraction, passed through without additions.
"abstractions/nss-systemd" = ''
  include "${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/nss-systemd"
'';
# Upstream rules plus a read rule for "vdpau_wrapper.cfg" when that name is
# declared in config.environment.etc.
"abstractions/nvidia" = ''
  include "${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/nvidia"
  ${etcRule "vdpau_wrapper.cfg"}
'';
# Upstream rules plus a recursive read rule below the "OpenCL" entry when an
# entry with exactly that name is declared.
"abstractions/opencl-common" = ''
  include "${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/opencl-common"
  ${etcRule {
    path = "OpenCL";
    trail = "/**";
  }}
'';
# Upstream rules plus a read rule for "default/drirc" when declared.
"abstractions/opencl-mesa" = ''
  include "${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/opencl-mesa"
  ${etcRule "default/drirc"}
'';
# Upstream rules plus a read rule for openssl.cnf beneath the "ssl" entry.
# The lookup key is "ssl", so the rule is only emitted when an entry with
# exactly that name is declared, not for one named "ssl/openssl.cnf".
"abstractions/openssl" = ''
  include "${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/openssl"
  ${etcRule {
    path = "ssl";
    trail = "/openssl.cnf";
  }}
'';
# p11-kit abstraction: upstream rules followed by read rules for the "pkcs11"
# entry (directory, pkcs11.conf, and the modules directory with its direct
# children) when an entry named "pkcs11" is declared in
# config.environment.etc.
"abstractions/p11-kit" =
  let
    # Every rule here hangs off the same environment.etc name.
    pkcs11 = trail: {
      path = "pkcs11";
      inherit trail;
    };
    upstream = ''
      include "${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/p11-kit"
    '';
    etcRules = map etcRule [
      (pkcs11 "/")
      (pkcs11 "/pkcs11.conf")
      (pkcs11 "/modules/")
      (pkcs11 "/modules/*")
    ];
  in
  upstream + lib.concatStringsSep "\n" etcRules;
# Upstream rules plus a recursive read rule below the "perl" entry when an
# entry with exactly that name is declared in config.environment.etc.
"abstractions/perl" = ''
  include "${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/perl"
  ${etcRule {
    path = "perl";
    trail = "/**";
  }}
'';
# PHP abstraction: upstream rules followed by read rules for the "php",
# "php5" and "php7" entries of config.environment.etc, when declared:
# first every directory beneath each of them, then every *.ini file.
"abstractions/php" =
  let
    # Shorthand for the attrset form of etcRule's argument.
    sub = path: trail: { inherit path trail; };
    upstream = ''
      include "${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/php"
    '';
    etcRules = map etcRule [
      (sub "php" "/**/")
      (sub "php5" "/**/")
      (sub "php7" "/**/")
      (sub "php" "/**.ini")
      (sub "php5" "/**.ini")
      (sub "php7" "/**.ini")
    ];
  in
  upstream + lib.concatStringsSep "\n" etcRules;
# Postfix abstraction: upstream rules plus read rules for "mailname" and the
# Postfix configuration when declared in config.environment.etc.
# The configuration is listed under two lookup keys: the "postfix" entry with
# a "/*.cf" trail, and the individual "postfix/main.cf" and
# "postfix/master.cf" entries; only the names actually declared yield a rule.
"abstractions/postfix-common" =
  ''
    include "${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/postfix-common"
  ''
  + lib.concatMapStringsSep "\n" etcRule [
    "mailname"
    {
      path = "postfix";
      trail = "/*.cf";
    }
    "postfix/main.cf"
    "postfix/master.cf"
  ];
# Upstream "python" abstraction, passed through without additions.
"abstractions/python" = ''
  include "${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/python"
'';
# Qt5 abstraction: upstream rules followed by a read rule for qtlogging.ini.
# The same file is listed under three lookup keys ("xdg", "xdg/QtProject" and
# the full file name) so that a rule is emitted whichever of those names is
# the one declared in config.environment.etc.
"abstractions/qt5" =
  let
    upstream = ''
      include "${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/qt5"
    '';
    etcRules = map etcRule [
      {
        path = "xdg";
        trail = "/QtProject/qtlogging.ini";
      }
      {
        path = "xdg/QtProject";
        trail = "/qtlogging.ini";
      }
      "xdg/QtProject/qtlogging.ini"
    ];
  in
  upstream + lib.concatStringsSep "\n" etcRules;
# Upstream rules plus a read rule for the direct children of the "samba"
# entry when an entry with exactly that name is declared in
# config.environment.etc.
"abstractions/samba" = ''
  include "${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/samba"
  ${etcRule {
    path = "samba";
    trail = "/*";
  }}
'';
# Certificate abstraction: upstream rules, read access to the public ACME
# artefacts (cert.pem, chain.pem, fullchain.pem) of every directory under
# /var/lib/acme, read access to the /etc/pki/tls/certs/ directory, and read
# rules for the CA bundle and trust-anchor names below that are declared in
# config.environment.etc.
# Private key files are not listed here; they are covered by
# "abstractions/ssl_keys".
# NOTE(review): /etc/pki/tls/certs/ is written literally rather than through
# etcRule, so it is granted whether or not the directory is declared.
"abstractions/ssl_certs" =
  ''
    include "${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/ssl_certs"

    # For the NixOS module: security.acme
    r /var/lib/acme/*/cert.pem,
    r /var/lib/acme/*/chain.pem,
    r /var/lib/acme/*/fullchain.pem,

    r /etc/pki/tls/certs/,

  ''
  + lib.concatMapStringsSep "\n" etcRule [
    "ssl/certs/ca-certificates.crt"
    "ssl/certs/ca-bundle.crt"
    "pki/tls/certs/ca-bundle.crt"

    {
      path = "ssl/trust";
      trail = "/";
    }
    {
      path = "ssl/trust";
      trail = "/*";
    }
    {
      path = "ssl/trust/anchors";
      trail = "/";
    }
    {
      path = "ssl/trust/anchors";
      trail = "/**";
    }
    {
      path = "pki/trust";
      trail = "/";
    }
    {
      path = "pki/trust";
      trail = "/*";
    }
    {
      path = "pki/trust/anchors";
      trail = "/";
    }
    {
      path = "pki/trust/anchors";
      trail = "/**";
    }
  ];
# Key abstraction: read access to full.pem and key.pem in every directory
# under /var/lib/acme. The "*" spans all certificate directories, so a profile
# that includes this abstraction can read the key material of every
# certificate, not only its own.
# NOTE(review): unlike the neighbouring abstractions, this entry does not
# include an upstream file from pkgs.apparmor-profiles - confirm the omission
# is intentional.
"abstractions/ssl_keys" = ''
  # security.acme NixOS module
  r /var/lib/acme/*/full.pem,
  r /var/lib/acme/*/key.pem,
'';
# Upstream rules plus read rules for the "vulkan/icd.d" entry (the directory
# and its *.json children) when an entry with exactly that name is declared
# in config.environment.etc.
"abstractions/vulkan" = ''
  include "${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/vulkan"
  ${etcRule {
    path = "vulkan/icd.d";
    trail = "/";
  }}
  ${etcRule {
    path = "vulkan/icd.d";
    trail = "/*.json";
  }}
'';
# Upstream rules plus read rules for smb.conf and dhcp.conf beneath the
# "samba" entry; both use the lookup key "samba", so neither is emitted for
# an entry named "samba/smb.conf".
"abstractions/winbind" = ''
  include "${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/winbind"
  ${etcRule {
    path = "samba";
    trail = "/smb.conf";
  }}
  ${etcRule {
    path = "samba";
    trail = "/dhcp.conf";
  }}
'';
# Upstream rules plus read rules for the "X11/cursors" entry (the directory
# and everything beneath it) when declared.
"abstractions/X" = ''
  include "${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/X"
  ${etcRule {
    path = "X11/cursors";
    trail = "/";
  }}
  ${etcRule {
    path = "X11/cursors";
    trail = "/**";
  }}
'';
555 };
556}