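{
  config,
  lib,
  pkgs,
  ...
}:
let
  inherit (builtins) hasAttr isAttrs;
  inherit (lib) getLib removePrefix;
  inherit (config.environment) etc;

  # Build one AppArmor file rule for an entry of config.environment.etc, or the
  # empty string when no such entry exists (so callers can list paths that are
  # only present on some systems without producing rules for missing files).
  #
  # `arg` is either a bare string (the /etc-relative path, e.g. "hosts") or an
  # attribute set { path, mode ? "r", trail ? "" }.  The rule targets the entry's
  # `source` (the store path behind the /etc symlink) with `trail` appended,
  # e.g. `r /nix/store/...-hosts/**,` for { path = "hosts"; trail = "/**"; }.
  # NOTE(review): only the store path is covered by this rule, not /etc/<path>
  # itself; confirm whether the profiles using these includes also need the
  # symlink path.
  #
  # Keys of environment.etc are relative to /etc, so a leading "/etc/" is
  # stripped from `path`; an absolute path copied from an upstream profile would
  # otherwise never match and silently produce no rule.
  etcRule =
    arg:
    let
      go =
        {
          path ? null,
          mode ? "r",
          trail ? "",
        }:
        let
          key = removePrefix "/etc/" path;
        in
        lib.optionalString (hasAttr key etc) "${mode} ${etc.${key}.source}${trail},";
    in
    if isAttrs arg then go arg else go { path = arg; };
in
{
  # FIXME: most of the etcRule calls below have been
  # written systematically by converting from apparmor-profiles's profiles
  # without testing nor deep understanding of their uses,
  # and thus may need more rules or can have less rules;
  # this remains to be determined case by case,
  # some may even be completely useless.
  #
  # Each attribute below is an AppArmor include file that profiles reference
  # as `include <name>` (e.g. `include <abstractions/pam>`).  Most of them
  # wrap the upstream abstraction of the same name from pkgs.apparmor-profiles
  # and add rules for the NixOS store paths the upstream /etc paths resolve to.
  config.security.apparmor.includes = {
    # This one is included by <tunables/global>
    # which is usually included before any profile.
    "abstractions/tunables/alias" = ''
      alias /bin -> /run/current-system/sw/bin,
      alias /lib/modules -> /run/current-system/kernel/lib/modules,
      alias /sbin -> /run/current-system/sw/sbin,
      alias /usr -> /run/current-system/sw,
    '';
    "abstractions/audio" = ''
      include "${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/audio"
    ''
    + lib.concatMapStringsSep "\n" etcRule [
      "asound.conf"
      "esound/esd.conf"
      "libao.conf"
      {
        path = "pulse";
        trail = "/";
      }
      {
        path = "pulse";
        trail = "/**";
      }
      {
        path = "sound";
        trail = "/";
      }
      {
        path = "sound";
        trail = "/**";
      }
      {
        path = "alsa/conf.d";
        trail = "/";
      }
      {
        path = "alsa/conf.d";
        trail = "/*";
      }
      "openal/alsoft.conf"
      "wildmidi/wildmidi.conf"
    ];
    # NOTE(review): "shadow" and "gshadow" grant read access to password hashes
    # wherever such environment.etc entries exist; confirm the profiles that
    # include this abstraction really need them.
    "abstractions/authentication" = ''
      include "${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/authentication"
      # Defined in security.pam
      include <abstractions/pam>
    ''
    + lib.concatMapStringsSep "\n" etcRule [
      "nologin"
      "securetty"
      {
        path = "security";
        trail = "/*";
      }
      "shadow"
      "gshadow"
      "pwdb.conf"
      "default/passwd"
      "login.defs"
    ];
    "abstractions/base" = ''
      include "${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/base"
      r ${pkgs.stdenv.cc.libc}/share/locale/**,
      r ${pkgs.stdenv.cc.libc}/share/locale.alias,
      r ${config.i18n.glibcLocales}/lib/locale/locale-archive,
      ${etcRule "localtime"}
      r ${pkgs.tzdata}/share/zoneinfo/**,
      r ${pkgs.stdenv.cc.libc}/share/i18n/**,
    '';
    "abstractions/bash" = ''
      include "${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/bash"

      # bash inspects filesystems at startup
      # and /etc/mtab is linked to /proc/mounts
      r @{PROC}/mounts,

      # system-wide bash configuration
    ''
    + lib.concatMapStringsSep "\n" etcRule [
      "profile.dos"
      "profile"
      "profile.d"
      {
        path = "profile.d";
        trail = "/*";
      }
      "bashrc"
      "bash.bashrc"
      "bash.bashrc.local"
      "bash_completion"
      "bash_completion.d"
      {
        path = "bash_completion.d";
        trail = "/*";
      }
      # bash relies on system-wide readline configuration
      "inputrc"
      # run out of /etc/bash.bashrc
      "DIR_COLORS"
    ];
    "abstractions/consoles" = ''
      include "${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/consoles"
    '';
    "abstractions/cups-client" = ''
      include "${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/cups-client"
      ${etcRule "cups/cups-client.conf"}
    '';
    "abstractions/dbus-session-strict" = ''
      include "${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/dbus-session-strict"
      ${etcRule "machine-id"}
    '';
    "abstractions/dconf" = ''
      include "${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/dconf"
      ${etcRule {
        path = "dconf";
        trail = "/**";
      }}
    '';
    "abstractions/dri-common" = ''
      include "${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/dri-common"
      ${etcRule "drirc"}
    '';
    # The config.fonts.fontconfig NixOS module adds many files to /etc/fonts/
    # by symlinking them but without exporting them outside of its NixOS module,
    # those are therefore added there to this "abstractions/fonts".
    "abstractions/fonts" = ''
      include "${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/fonts"
      ${etcRule {
        path = "fonts";
        trail = "/**";
      }}
    '';
    "abstractions/gnome" = ''
      include "${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/gnome"
      include <abstractions/fonts>
    ''
    + lib.concatMapStringsSep "\n" etcRule [
      {
        path = "gnome";
        trail = "/gtkrc*";
      }
      {
        path = "gtk";
        trail = "/*";
      }
      {
        path = "gtk-2.0";
        trail = "/*";
      }
      {
        path = "gtk-3.0";
        trail = "/*";
      }
      "orbitrc"
      {
        path = "pango";
        trail = "/*";
      }
      # Relative to /etc like every other entry; the upstream profile spells
      # this one as /etc/gnome-vfs-2.0, which as an environment.etc key would
      # never match.
      {
        path = "gnome-vfs-2.0";
        trail = "/modules/";
      }
      {
        path = "gnome-vfs-2.0";
        trail = "/modules/*";
      }
      "papersize"
      {
        path = "cups";
        trail = "/lpoptions";
      }
      {
        path = "gnome";
        trail = "/defaults.list";
      }
      {
        path = "xdg";
        trail = "/{,*-}mimeapps.list";
      }
      "xdg/mimeapps.list"
    ];
    "abstractions/kde" = ''
      include "${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/kde"
    ''
    + lib.concatMapStringsSep "\n" etcRule [
      {
        path = "qt3";
        trail = "/kstylerc";
      }
      {
        path = "qt3";
        trail = "/qt_plugins_3.3rc";
      }
      {
        path = "qt3";
        trail = "/qtrc";
      }
      "kderc"
      {
        path = "kde3";
        trail = "/*";
      }
      "kde4rc"
      {
        path = "xdg";
        trail = "/kdeglobals";
      }
      {
        path = "xdg";
        trail = "/Trolltech.conf";
      }
    ];
    "abstractions/kerberosclient" = ''
      include "${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/kerberosclient"
    ''
    + lib.concatMapStringsSep "\n" etcRule [
      # "k" adds file-locking permission on top of read for the keytab.
      {
        path = "krb5.keytab";
        mode = "rk";
      }
      "krb5.conf"
      "krb5.conf.d"
      {
        path = "krb5.conf.d";
        trail = "/*";
      }

      # config files found via strings on libs
      "krb.conf"
      "krb.realms"
      "srvtab"
    ];
    "abstractions/ldapclient" = ''
      include "${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/ldapclient"
    ''
    + lib.concatMapStringsSep "\n" etcRule [
      "ldap.conf"
      "ldap.secret"
      {
        path = "openldap";
        trail = "/*";
      }
      {
        path = "openldap";
        trail = "/cacerts/*";
      }
      {
        path = "sasl2";
        trail = "/*";
      }
    ];
    "abstractions/likewise" = ''
      include "${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/likewise"
    '';
    "abstractions/mdns" = ''
      include "${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/mdns"
      ${etcRule "nss_mdns.conf"}
    '';
    "abstractions/nameservice" = ''
      include "${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/nameservice"

      # Many programs wish to perform nameservice-like operations, such as
      # looking up users by name or id, groups by name or id, hosts by name
      # or IP, etc. These operations may be performed through files, dns,
      # NIS, NIS+, LDAP, hesiod, wins, etc. Allow them all here.
      mr ${getLib pkgs.nss}/lib/libnss_*.so*,
      mr ${getLib pkgs.nss}/lib64/libnss_*.so*,
    ''
    + lib.concatMapStringsSep "\n" etcRule [
      "group"
      "host.conf"
      "hosts"
      "nsswitch.conf"
      "gai.conf"
      "passwd"
      "protocols"

      # libtirpc (used for NIS/YP login) needs this
      "netconfig"

      "resolv.conf"

      {
        path = "samba";
        trail = "/lmhosts";
      }
      "services"

      "default/nss"

      # libnl-3-200 via libnss-gw-name
      {
        path = "libnl";
        trail = "/classid";
      }
      {
        path = "libnl-3";
        trail = "/classid";
      }
    ];
    "abstractions/nis" = ''
      include "${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/nis"
    '';
    "abstractions/nss-systemd" = ''
      include "${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/nss-systemd"
    '';
    "abstractions/nvidia" = ''
      include "${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/nvidia"
      ${etcRule "vdpau_wrapper.cfg"}
    '';
    "abstractions/opencl-common" = ''
      include "${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/opencl-common"
      ${etcRule {
        path = "OpenCL";
        trail = "/**";
      }}
    '';
    "abstractions/opencl-mesa" = ''
      include "${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/opencl-mesa"
      ${etcRule "default/drirc"}
    '';
    "abstractions/openssl" = ''
      include "${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/openssl"
      ${etcRule {
        path = "ssl";
        trail = "/openssl.cnf";
      }}
    '';
    "abstractions/p11-kit" = ''
      include "${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/p11-kit"
    ''
    + lib.concatMapStringsSep "\n" etcRule [
      {
        path = "pkcs11";
        trail = "/";
      }
      {
        path = "pkcs11";
        trail = "/pkcs11.conf";
      }
      {
        path = "pkcs11";
        trail = "/modules/";
      }
      {
        path = "pkcs11";
        trail = "/modules/*";
      }
    ];
    "abstractions/perl" = ''
      include "${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/perl"
      ${etcRule {
        path = "perl";
        trail = "/**";
      }}
    '';
    "abstractions/php" = ''
      include "${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/php"
    ''
    + lib.concatMapStringsSep "\n" etcRule [
      {
        path = "php";
        trail = "/**/";
      }
      {
        path = "php5";
        trail = "/**/";
      }
      {
        path = "php7";
        trail = "/**/";
      }
      {
        path = "php";
        trail = "/**.ini";
      }
      {
        path = "php5";
        trail = "/**.ini";
      }
      {
        path = "php7";
        trail = "/**.ini";
      }
    ];
    "abstractions/postfix-common" = ''
      include "${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/postfix-common"
    ''
    + lib.concatMapStringsSep "\n" etcRule [
      "mailname"
      {
        path = "postfix";
        trail = "/*.cf";
      }
      "postfix/main.cf"
      "postfix/master.cf"
    ];
    "abstractions/python" = ''
      include "${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/python"
    '';
    "abstractions/qt5" = ''
      include "${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/qt5"
    ''
    + lib.concatMapStringsSep "\n" etcRule [
      {
        path = "xdg";
        trail = "/QtProject/qtlogging.ini";
      }
      {
        path = "xdg/QtProject";
        trail = "/qtlogging.ini";
      }
      "xdg/QtProject/qtlogging.ini"
    ];
    "abstractions/samba" = ''
      include "${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/samba"
      ${etcRule {
        path = "samba";
        trail = "/*";
      }}
    '';
    "abstractions/ssl_certs" = ''
      include "${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/ssl_certs"

      # For the NixOS module: security.acme
      r /var/lib/acme/*/cert.pem,
      r /var/lib/acme/*/chain.pem,
      r /var/lib/acme/*/fullchain.pem,

      r /etc/pki/tls/certs/,

    ''
    + lib.concatMapStringsSep "\n" etcRule [
      "ssl/certs/ca-certificates.crt"
      "ssl/certs/ca-bundle.crt"
      "pki/tls/certs/ca-bundle.crt"

      {
        path = "ssl/trust";
        trail = "/";
      }
      {
        path = "ssl/trust";
        trail = "/*";
      }
      {
        path = "ssl/trust/anchors";
        trail = "/";
      }
      {
        path = "ssl/trust/anchors";
        trail = "/**";
      }
      {
        path = "pki/trust";
        trail = "/";
      }
      {
        path = "pki/trust";
        trail = "/*";
      }
      {
        path = "pki/trust/anchors";
        trail = "/";
      }
      {
        path = "pki/trust/anchors";
        trail = "/**";
      }
    ];
    # Grants read access to the ACME private keys (key.pem and the combined
    # full.pem); include this only in profiles of services that present the
    # certificate themselves, not alongside ssl_certs as a matter of course.
    "abstractions/ssl_keys" = ''
      # security.acme NixOS module
      r /var/lib/acme/*/full.pem,
      r /var/lib/acme/*/key.pem,
    '';
    "abstractions/vulkan" = ''
      include "${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/vulkan"
      ${etcRule {
        path = "vulkan/icd.d";
        trail = "/";
      }}
      ${etcRule {
        path = "vulkan/icd.d";
        trail = "/*.json";
      }}
    '';
    "abstractions/winbind" = ''
      include "${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/winbind"
      ${etcRule {
        path = "samba";
        trail = "/smb.conf";
      }}
      ${etcRule {
        path = "samba";
        trail = "/dhcp.conf";
      }}
    '';
    "abstractions/X" = ''
      include "${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/X"
      ${etcRule {
        path = "X11/cursors";
        trail = "/";
      }}
      ${etcRule {
        path = "X11/cursors";
        trail = "/**";
      }}
    '';
  };
}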