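{ config, lib, ... }:
let
  cfg = config.security;

  # Entries of the kernel command line that start with `prefix`.
  # Used to detect command-line settings that would compete with the `lsm=`
  # entry this module generates from `security.lsm`.
  paramsWithPrefix = prefix: lib.filter (lib.hasPrefix prefix) config.boot.kernelParams;
in
{
  options = {
    security.lsm = lib.mkOption {
      type = lib.types.listOf lib.types.str;
      default = [ ];
      description = ''
        A list of the LSMs to initialize in order.
      '';
    };
  };

  config = lib.mkMerge [
    {
      # The baseline LSMs are a regular definition rather than the option's
      # `default`: definitions of a list option are concatenated, so a module
      # such as AppArmor that adds its own LSM keeps these entries, whereas a
      # `default` would be dropped as soon as any module defined the option.
      # Use `lib.mkForce` to replace the list instead of extending it.
      security.lsm = [
        "landlock"
        "yama"
        "bpf"
      ];
    }
    (lib.mkIf (cfg.lsm != [ ]) {
      assertions = [
        {
          # `lsm=` supersedes the legacy `security=` selector; keeping both is
          # at best redundant and at worst misleading about what is enabled.
          assertion = paramsWithPrefix "security=" == [ ];
          message = "security parameter in boot.kernelParams cannot be used when security.lsm is used";
        }
        {
          # This module contributes exactly one `lsm=` entry. A second one,
          # added directly to boot.kernelParams, would compete with it (the
          # kernel keeps the last occurrence it parses), silently changing
          # which LSMs are enabled and in what order.
          assertion = builtins.length (paramsWithPrefix "lsm=") == 1;
          message = "lsm parameter in boot.kernelParams cannot be set directly when security.lsm is used";
        }
      ];

      # The kernel initialises the listed LSMs in this order; LSMs that are
      # built into the kernel but not listed here are left disabled.
      boot.kernelParams = [
        "lsm=${lib.concatStringsSep "," cfg.lsm}"
      ];
    })
  ];
}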