pyrox.dev / nixpkgs
lol
fork atom

nixos: add AppArmor PAM support

Enables attaching AppArmor profiles at the user/group level.

This is not intended to be used directly, but as part of a
role-based access control scheme. For now, profile attachment
is 'session optional', but should be changed to 'required' once
a more comprehensive solution is in place.

Joachim Fasting 2e093378 6ad8fab7

options
unified split
Changed files
+12 -8
nixos
modules
security
apparmor.nix
pam.nix
-8
nixos/modules/security/apparmor.nix 
···

       
37

       
37

       
 

       
         ) cfg.profiles;


     

       
38

       
38

       
 

       
       };


     

       
39

       
39

       
 

       
     };


     

       
40

       

       
-

       



     

       
41

       

       
-

       
     security.pam.services.apparmor.text = ''


     

       
42

       

       
-

       
       ## AppArmor changes hats according to `order`: first try user, then


     

       
43

       

       
-

       
       ## group, and finally fall back to a hat called "DEFAULT"


     

       
44

       

       
-

       
       ##


     

       
45

       

       
-

       
       ## For now, enable debugging as this is an experimental feature.


     

       
46

       

       
-

       
       session optional ${pkgs.apparmor-pam}/lib/security/pam_apparmor.so order=user,group,default debug


     

       
47

       

       
-

       
     '';


     

       
48

       
40

       
 

       
   };


     

       
49

       
41

       
 

       
}
+12
nixos/modules/security/pam.nix 
···

       
192

       
192

       
 

       
        description = "Whether to log authentication failures in <filename>/var/log/faillog</filename>.";


     

       
193

       
193

       
 

       
      };


     

       
194

       
194

       
 

       



     

       

       
195

       
+

       
      enableAppArmor = mkOption {


     

       

       
196

       
+

       
        default = false;


     

       

       
197

       
+

       
        type = types.bool;


     

       

       
198

       
+

       
        description = ''


     

       

       
199

       
+

       
          Enable support for attaching AppArmor profiles at the


     

       

       
200

       
+

       
          user/group level, e.g., as part of a role based access


     

       

       
201

       
+

       
          control scheme.


     

       

       
202

       
+

       
        '';


     

       

       
203

       
+

       
      };


     

       

       
204

       
+

       



     

       
195

       
205

       
 

       
      text = mkOption {


     

       
196

       
206

       
 

       
        type = types.nullOr types.lines;


     

       
197

       
207

       
 

       
        description = "Contents of the PAM service file.";


     
···

       
294

       
304

       
 

       
              "session optional ${pkgs.pam}/lib/security/pam_motd.so motd=${motd}"}


     

       
295

       
305

       
 

       
          ${optionalString cfg.pamMount


     

       
296

       
306

       
 

       
              "session optional ${pkgs.pam_mount}/lib/security/pam_mount.so"}


     

       

       
307

       
+

       
          ${optionalString (cfg.enableAppArmor && config.security.apparmor.enable)


     

       

       
308

       
+

       
              "session optional ${pkgs.apparmor-pam}/lib/security/pam_apparmor.so order=user,group,default debug"}


     

       
297

       
309

       
 

       
        '';


     

       
298

       
310

       
 

       
    };


     

       
299

       
311