pyrox.dev / nixpkgs
lol
fork atom

nixos/apparmor: move release note to 21.05

Julien Moutinho 03b2156d 7996dfb1

options
unified split
Changed files
+18 -18
nixos
doc
manual
release-notes
rl-2009.xml
rl-2105.xml
-18
nixos/doc/manual/release-notes/rl-2009.xml 
···

       
1515

       
1515

       
 

       
   </listitem>


     

       
1516

       
1516

       
 

       
   <listitem>


     

       
1517

       
1517

       
 

       
    <para>


     

       
1518

       

       
-

       
     The <literal>security.apparmor</literal> module,


     

       
1519

       

       
-

       
     for the <link xlink:href="https://gitlab.com/apparmor/apparmor/-/wikis/Documentation">AppArmor</link>


     

       
1520

       

       
-

       
     Mandatory Access Control system,


     

       
1521

       

       
-

       
     has been substantialy improved along with related tools,


     

       
1522

       

       
-

       
     so that module maintainers can now more easily write AppArmor profiles for NixOS.


     

       
1523

       

       
-

       
     The most notable change on the user-side is the new option <xref linkend="opt-security.apparmor.policies"/>,


     

       
1524

       

       
-

       
     replacing the previous <literal>profiles</literal> option


     

       
1525

       

       
-

       
     to provide a way to disable a profile


     

       
1526

       

       
-

       
     and to select whether to confine in enforce mode (default)


     

       
1527

       

       
-

       
     or in complain mode (see <literal>journalctl -b --grep apparmor</literal>).


     

       
1528

       

       
-

       
     Before enabling this module, either directly


     

       
1529

       

       
-

       
     or by importing <literal>&lt;nixpkgs/nixos/modules/profiles/hardened.nix&gt;</literal>,


     

       
1530

       

       
-

       
     please be sure to read the documentation of <link linkend="opt-security.apparmor.enable">security.apparmor.enable</link>,


     

       
1531

       

       
-

       
     and especially the part about <xref linkend="opt-security.apparmor.killUnconfinedConfinables"/>.


     

       
1532

       

       
-

       
    </para>


     

       
1533

       

       
-

       
   </listitem>


     

       
1534

       

       
-

       
   <listitem>


     

       
1535

       

       
-

       
    <para>


     

       
1536

       
1518

       
 

       
     With this release <literal>systemd-networkd</literal> (when enabled through <xref linkend="opt-networking.useNetworkd"/>)


     

       
1537

       
1519

       
 

       
     has it's netlink socket created through a <literal>systemd.socket</literal> unit. This gives us control over


     

       
1538

       
1520

       
 

       
     socket buffer sizes and other parameters. For larger setups where networkd has to create a lot of (virtual)
+18
nixos/doc/manual/release-notes/rl-2105.xml 
···

       
858

       
858

       
 

       
    </para>


     

       
859

       
859

       
 

       
   </listitem>


     

       
860

       
860

       
 

       
   <listitem>


     

       

       
861

       
+

       
    <para>


     

       

       
862

       
+

       
     The <literal>security.apparmor</literal> module,


     

       

       
863

       
+

       
     for the <link xlink:href="https://gitlab.com/apparmor/apparmor/-/wikis/Documentation">AppArmor</link>


     

       

       
864

       
+

       
     Mandatory Access Control system,


     

       

       
865

       
+

       
     has been substantialy improved along with related tools,


     

       

       
866

       
+

       
     so that module maintainers can now more easily write AppArmor profiles for NixOS.


     

       

       
867

       
+

       
     The most notable change on the user-side is the new option <xref linkend="opt-security.apparmor.policies"/>,


     

       

       
868

       
+

       
     replacing the previous <literal>profiles</literal> option


     

       

       
869

       
+

       
     to provide a way to disable a profile


     

       

       
870

       
+

       
     and to select whether to confine in enforce mode (default)


     

       

       
871

       
+

       
     or in complain mode (see <literal>journalctl -b --grep apparmor</literal>).


     

       

       
872

       
+

       
     Before enabling this module, either directly


     

       

       
873

       
+

       
     or by importing <literal>&lt;nixpkgs/nixos/modules/profiles/hardened.nix&gt;</literal>,


     

       

       
874

       
+

       
     please be sure to read the documentation of <link linkend="opt-security.apparmor.enable">security.apparmor.enable</link>,


     

       

       
875

       
+

       
     and especially the part about <xref linkend="opt-security.apparmor.killUnconfinedConfinables"/>.


     

       

       
876

       
+

       
    </para>


     

       

       
877

       
+

       
   </listitem>


     

       

       
878

       
+

       
   <listitem>


     

       
861

       
879

       
 

       
     <para>


     

       
862

       
880

       
 

       
       The GNOME desktop manager once again installs <package>gnome3.epiphany</package> by default.


     

       
863

       
881

       
 

       
     </para>