nixos/modules/security/apparmor.nix at release-16.03-start · pyrox.dev/nixpkgs

pyrox.dev / nixpkgs

lol

nixpkgs / nixos / modules / security / apparmor.nix

at release-16.03-start 1.1 kB view raw

 1{ config, lib, pkgs, ... }:
 2
 3let
 4  inherit (lib) mkIf mkOption types concatMapStrings;
 5  cfg = config.security.apparmor;
 6in
 7
 8{
 9   options = {
10     security.apparmor = {
11       enable = mkOption {
12         type = types.bool;
13         default = false;
14         description = "Enable the AppArmor Mandatory Access Control system.";
15       };
16       profiles = mkOption {
17         type = types.listOf types.path;
18         default = [];
19         description = "List of files containing AppArmor profiles.";
20       };
21     };
22   };
23
24   config = mkIf cfg.enable {
25     environment.systemPackages = [ pkgs.apparmor-utils ];
26
27     systemd.services.apparmor = {
28       wantedBy = [ "local-fs.target" ];
29       serviceConfig = {
30         Type = "oneshot";
31         RemainAfterExit = "yes";
32         ExecStart = concatMapStrings (p:
33           ''${pkgs.apparmor-parser}/bin/apparmor_parser -rKv -I ${pkgs.apparmor-profiles}/etc/apparmor.d "${p}" ; ''
34         ) cfg.profiles;
35         ExecStop = concatMapStrings (p:
36           ''${pkgs.apparmor-parser}/bin/apparmor_parser -Rv "${p}" ; ''
37         ) cfg.profiles;
38       };
39     };
40   };
41}