commit 45e5d726b22db783731f0460870e9ab4f06bc5c4 · pyrox.dev/nixpkgs

+33 -29

nixos/modules/security/apparmor.nix

···

       1
        
       { config, lib, pkgs, ... }:

     

       2
        
       

     

       0
        
       
     

       0
        
       
     

       3
        
       let

     

       4
        
         inherit (builtins) attrNames head map match readFile;

     

       5
        
         inherit (lib) types;

     

       6
        
         inherit (config.environment) etc;

     

       7
        
         cfg = config.security.apparmor;

     

       8
       -
         mkDisableOption = name: lib.mkEnableOption name // {

     

       9
        
           default = true;

     

       10
        
           example = false;

     

       11
        
         };

     

       12
       -
         enabledPolicies = lib.filterAttrs (n: p: p.enable) cfg.policies;

     

       13
        
       in

     

       14
        
       

     

       15
        
       {

     

       16
        
         imports = [

     

       17
       -
           (lib.mkRenamedOptionModule [ "security" "virtualization" "flushL1DataCache" ] [ "security" "virtualisation" "flushL1DataCache" ])

     

       18
       -
           (lib.mkRemovedOptionModule [ "security" "apparmor" "confineSUIDApplications" ] "Please use the new options: `security.apparmor.policies.<policy>.enable'.")

     

       19
       -
           (lib.mkRemovedOptionModule [ "security" "apparmor" "profiles" ] "Please use the new option: `security.apparmor.policies'.")

     

       20
        
           apparmor/includes.nix

     

       21
        
           apparmor/profiles.nix

     

       22
        
         ];

     

       23
        
       

     

       24
        
         options = {

     

       25
        
           security.apparmor = {

     

       26
       -
             enable = lib.mkEnableOption ''the AppArmor Mandatory Access Control system.

     

       0
        
       
     

       27
        
       

     

       28
        
               If you're enabling this module on a running system,

     

       29
        
               note that a reboot will be required to activate AppArmor in the kernel.

     
···

       38
        
               but leaves already running processes unconfined.

     

       39
        
               Set <link linkend="opt-security.apparmor.killUnconfinedConfinables">killUnconfinedConfinables</link>

     

       40
        
               to <literal>false</literal> if you prefer to leave those processes running'';

     

       41
       -
             policies = lib.mkOption {

     

       42
        
               description = ''

     

       43
        
                 AppArmor policies.

     

       44
        
               '';

     
···

       46
        
                 options = {

     

       47
        
                   enable = mkDisableOption "loading of the profile into the kernel";

     

       48
        
                   enforce = mkDisableOption "enforcing of the policy or only complain in the logs";

     

       49
       -
                   profile = lib.mkOption {

     

       50
        
                     description = "The policy of the profile.";

     

       51
        
                     type = types.lines;

     

       52
        
                     apply = pkgs.writeText name;

     
···

       55
        
               }));

     

       56
        
               default = {};

     

       57
        
             };

     

       58
       -
             includes = lib.mkOption {

     

       59
        
               type = types.attrsOf types.lines;

     

       60
        
               default = {};

     

       61
        
               description = ''

     

       62
        
                 List of paths to be added to AppArmor's searched paths

     

       63
        
                 when resolving <literal>include</literal> directives.

     

       64
        
               '';

     

       65
       -
               apply = lib.mapAttrs pkgs.writeText;

     

       66
        
             };

     

       67
       -
             packages = lib.mkOption {

     

       68
        
               type = types.listOf types.package;

     

       69
        
               default = [];

     

       70
        
               description = "List of packages to be added to AppArmor's include path";

     

       71
        
             };

     

       72
       -
             enableCache = lib.mkEnableOption ''caching of AppArmor policies

     

       0
        
       
     

       73
        
               in <literal>/var/cache/apparmor/</literal>.

     

       74
        
       

     

       75
        
               Beware that AppArmor policies almost always contain Nix store paths,

     

       76
        
               and thus produce at each change of these paths

     

       77
        
               a new cached version accumulating in the cache'';

     

       78
       -
             killUnconfinedConfinables = mkDisableOption ''killing of processes

     

       79
       -
               which have an AppArmor profile enabled

     

       80
        
               (in <link linkend="opt-security.apparmor.policies">policies</link>)

     

       81
        
               but are not confined (because AppArmor can only confine new processes).

     

       82
        
               Beware that due to a current limitation of AppArmor,

     
···

       84
        
           };

     

       85
        
         };

     

       86
        
       

     

       87
       -
         config = lib.mkIf cfg.enable {

     

       88
        
           assertions = map (policy:

     

       89
        
             { assertion = match ".*/.*" policy == null;

     

       90
        
               message = "`security.apparmor.policies.\"${policy}\"' must not contain a slash.";

     
···

       100
        
           environment.etc."apparmor.d".source = pkgs.linkFarm "apparmor.d" (

     

       101
        
             # It's important to put only enabledPolicies here and not all cfg.policies

     

       102
        
             # because aa-remove-unknown reads profiles from all /etc/apparmor.d/*

     

       103
       -
             lib.mapAttrsToList (name: p: {inherit name; path=p.profile;}) enabledPolicies ++

     

       104
       -
             lib.mapAttrsToList (name: path: {inherit name path;}) cfg.includes

     

       105
        
           );

     

       106
        
           environment.etc."apparmor/parser.conf".text = ''

     

       107
       -
             ${if cfg.enableCache then "write-cache" else "skip-cache"}

     

       108
       -
             cache-loc /var/cache/apparmor

     

       109
       -
             Include /etc/apparmor.d

     

       110
       -
           '' +

     

       111
       -
           lib.concatMapStrings (p: "Include ${p}/etc/apparmor.d\n") cfg.packages;

     

       112
        
           # For aa-logprof

     

       113
        
           environment.etc."apparmor/apparmor.conf".text = ''

     

       114
        
           '';

     
···

       134
        
                 # 3 - force all perms on the rule to be user

     

       135
        
                 default_owner_prompt = 1

     

       136
        
       

     

       137
       -
                 custom_includes = /etc/apparmor.d ${lib.concatMapStringsSep " " (p: "${p}/etc/apparmor.d") cfg.packages}

     

       138
        
       

     

       139
        
               [qualifiers]

     

       140
        
                 ${pkgs.runtimeShell} = icnu

     

       141
        
                 ${pkgs.bashInteractive}/bin/sh = icnu

     

       142
        
                 ${pkgs.bashInteractive}/bin/bash = icnu

     

       0
        
       
     

       143
        
             '';

     

       144
        
             footer = "${pkgs.apparmor-utils}/etc/apparmor/logprof.conf";

     

       145
        
             passAsFile = [ "header" ];

     
···

       177
        
                 xargs --verbose --no-run-if-empty --delimiter='\n' \

     

       178
        
                 kill

     

       179
        
               '';

     

       180
       -
               commonOpts = p: "--verbose --show-cache ${lib.optionalString (!p.enforce) "--complain "}${p.profile}";

     

       181
        
               in {

     

       182
        
               Type = "oneshot";

     

       183
        
               RemainAfterExit = "yes";

     

       184
        
               ExecStartPre = "${pkgs.apparmor-utils}/bin/aa-teardown";

     

       185
       -
               ExecStart = lib.mapAttrsToList (n: p: "${pkgs.apparmor-parser}/bin/apparmor_parser --add ${commonOpts p}") enabledPolicies;

     

       186
       -
               ExecStartPost = lib.optional cfg.killUnconfinedConfinables killUnconfinedConfinables;

     

       187
        
               ExecReload =

     

       188
        
                 # Add or replace into the kernel profiles in enabledPolicies

     

       189
        
                 # (because AppArmor can do that without stopping the processes already confined).

     

       190
       -
                 lib.mapAttrsToList (n: p: "${pkgs.apparmor-parser}/bin/apparmor_parser --replace ${commonOpts p}") enabledPolicies ++

     

       191
        
                 # Remove from the kernel any profile whose name is not

     

       192
        
                 # one of the names within the content of the profiles in enabledPolicies

     

       193
        
                 # (indirectly read from /etc/apparmor.d/*, without recursing into sub-directory).

     
···

       195
        
                 [ "${pkgs.apparmor-utils}/bin/aa-remove-unknown" ] ++

     

       196
        
                 # Optionaly kill the processes which are unconfined but now have a profile loaded

     

       197
        
                 # (because AppArmor can only start to confine new processes).

     

       198
       -
                 lib.optional cfg.killUnconfinedConfinables killUnconfinedConfinables;

     

       199
        
               ExecStop = "${pkgs.apparmor-utils}/bin/aa-teardown";

     

       200
        
               CacheDirectory = [ "apparmor" "apparmor/logprof" ];

     

       201
        
               CacheDirectoryMode = "0700";

     
···

       203
        
           };

     

       204
        
         };

     

       205
        
       

     

       206
       -
         meta.maintainers = with lib.maintainers; [ julm ];

     

       207
        
       }

···

       1
        
       { config, lib, pkgs, ... }:

     

       2
        
       

     

       3
       +
       with lib;

     

       4
       +
       

     

       5
        
       let

     

       6
        
         inherit (builtins) attrNames head map match readFile;

     

       7
        
         inherit (lib) types;

     

       8
        
         inherit (config.environment) etc;

     

       9
        
         cfg = config.security.apparmor;

     

       10
       +
         mkDisableOption = name: mkEnableOption name // {

     

       11
        
           default = true;

     

       12
        
           example = false;

     

       13
        
         };

     

       14
       +
         enabledPolicies = filterAttrs (n: p: p.enable) cfg.policies;

     

       15
        
       in

     

       16
        
       

     

       17
        
       {

     

       18
        
         imports = [

     

       19
       +
           (mkRemovedOptionModule [ "security" "apparmor" "confineSUIDApplications" ] "Please use the new options: `security.apparmor.policies.<policy>.enable'.")

     

       20
       +
           (mkRemovedOptionModule [ "security" "apparmor" "profiles" ] "Please use the new option: `security.apparmor.policies'.")

     

       0
        
       
     

       21
        
           apparmor/includes.nix

     

       22
        
           apparmor/profiles.nix

     

       23
        
         ];

     

       24
        
       

     

       25
        
         options = {

     

       26
        
           security.apparmor = {

     

       27
       +
             enable = mkEnableOption ''

     

       28
       +
               the AppArmor Mandatory Access Control system.

     

       29
        
       

     

       30
        
               If you're enabling this module on a running system,

     

       31
        
               note that a reboot will be required to activate AppArmor in the kernel.

     
···

       40
        
               but leaves already running processes unconfined.

     

       41
        
               Set <link linkend="opt-security.apparmor.killUnconfinedConfinables">killUnconfinedConfinables</link>

     

       42
        
               to <literal>false</literal> if you prefer to leave those processes running'';

     

       43
       +
             policies = mkOption {

     

       44
        
               description = ''

     

       45
        
                 AppArmor policies.

     

       46
        
               '';

     
···

       48
        
                 options = {

     

       49
        
                   enable = mkDisableOption "loading of the profile into the kernel";

     

       50
        
                   enforce = mkDisableOption "enforcing of the policy or only complain in the logs";

     

       51
       +
                   profile = mkOption {

     

       52
        
                     description = "The policy of the profile.";

     

       53
        
                     type = types.lines;

     

       54
        
                     apply = pkgs.writeText name;

     
···

       57
        
               }));

     

       58
        
               default = {};

     

       59
        
             };

     

       60
       +
             includes = mkOption {

     

       61
        
               type = types.attrsOf types.lines;

     

       62
        
               default = {};

     

       63
        
               description = ''

     

       64
        
                 List of paths to be added to AppArmor's searched paths

     

       65
        
                 when resolving <literal>include</literal> directives.

     

       66
        
               '';

     

       67
       +
               apply = mapAttrs pkgs.writeText;

     

       68
        
             };

     

       69
       +
             packages = mkOption {

     

       70
        
               type = types.listOf types.package;

     

       71
        
               default = [];

     

       72
        
               description = "List of packages to be added to AppArmor's include path";

     

       73
        
             };

     

       74
       +
             enableCache = mkEnableOption ''

     

       75
       +
               caching of AppArmor policies

     

       76
        
               in <literal>/var/cache/apparmor/</literal>.

     

       77
        
       

     

       78
        
               Beware that AppArmor policies almost always contain Nix store paths,

     

       79
        
               and thus produce at each change of these paths

     

       80
        
               a new cached version accumulating in the cache'';

     

       81
       +
             killUnconfinedConfinables = mkDisableOption ''

     

       82
       +
               killing of processes which have an AppArmor profile enabled

     

       83
        
               (in <link linkend="opt-security.apparmor.policies">policies</link>)

     

       84
        
               but are not confined (because AppArmor can only confine new processes).

     

       85
        
               Beware that due to a current limitation of AppArmor,

     
···

       87
        
           };

     

       88
        
         };

     

       89
        
       

     

       90
       +
         config = mkIf cfg.enable {

     

       91
        
           assertions = map (policy:

     

       92
        
             { assertion = match ".*/.*" policy == null;

     

       93
        
               message = "`security.apparmor.policies.\"${policy}\"' must not contain a slash.";

     
···

       103
        
           environment.etc."apparmor.d".source = pkgs.linkFarm "apparmor.d" (

     

       104
        
             # It's important to put only enabledPolicies here and not all cfg.policies

     

       105
        
             # because aa-remove-unknown reads profiles from all /etc/apparmor.d/*

     

       106
       +
             mapAttrsToList (name: p: { inherit name; path = p.profile; }) enabledPolicies ++

     

       107
       +
             mapAttrsToList (name: path: { inherit name path; }) cfg.includes

     

       108
        
           );

     

       109
        
           environment.etc."apparmor/parser.conf".text = ''

     

       110
       +
               ${if cfg.enableCache then "write-cache" else "skip-cache"}

     

       111
       +
               cache-loc /var/cache/apparmor

     

       112
       +
               Include /etc/apparmor.d

     

       113
       +
             '' +

     

       114
       +
             concatMapStrings (p: "Include ${p}/etc/apparmor.d\n") cfg.packages;

     

       115
        
           # For aa-logprof

     

       116
        
           environment.etc."apparmor/apparmor.conf".text = ''

     

       117
        
           '';

     
···

       137
        
                 # 3 - force all perms on the rule to be user

     

       138
        
                 default_owner_prompt = 1

     

       139
        
       

     

       140
       +
                 custom_includes = /etc/apparmor.d ${concatMapStringsSep " " (p: "${p}/etc/apparmor.d") cfg.packages}

     

       141
        
       

     

       142
        
               [qualifiers]

     

       143
        
                 ${pkgs.runtimeShell} = icnu

     

       144
        
                 ${pkgs.bashInteractive}/bin/sh = icnu

     

       145
        
                 ${pkgs.bashInteractive}/bin/bash = icnu

     

       146
       +
                 ${config.users.defaultUserShell} = icnu

     

       147
        
             '';

     

       148
        
             footer = "${pkgs.apparmor-utils}/etc/apparmor/logprof.conf";

     

       149
        
             passAsFile = [ "header" ];

     
···

       181
        
                 xargs --verbose --no-run-if-empty --delimiter='\n' \

     

       182
        
                 kill

     

       183
        
               '';

     

       184
       +
               commonOpts = p: "--verbose --show-cache ${optionalString (!p.enforce) "--complain "}${p.profile}";

     

       185
        
               in {

     

       186
        
               Type = "oneshot";

     

       187
        
               RemainAfterExit = "yes";

     

       188
        
               ExecStartPre = "${pkgs.apparmor-utils}/bin/aa-teardown";

     

       189
       +
               ExecStart = mapAttrsToList (n: p: "${pkgs.apparmor-parser}/bin/apparmor_parser --add ${commonOpts p}") enabledPolicies;

     

       190
       +
               ExecStartPost = optional cfg.killUnconfinedConfinables killUnconfinedConfinables;

     

       191
        
               ExecReload =

     

       192
        
                 # Add or replace into the kernel profiles in enabledPolicies

     

       193
        
                 # (because AppArmor can do that without stopping the processes already confined).

     

       194
       +
                 mapAttrsToList (n: p: "${pkgs.apparmor-parser}/bin/apparmor_parser --replace ${commonOpts p}") enabledPolicies ++

     

       195
        
                 # Remove from the kernel any profile whose name is not

     

       196
        
                 # one of the names within the content of the profiles in enabledPolicies

     

       197
        
                 # (indirectly read from /etc/apparmor.d/*, without recursing into sub-directory).

     
···

       199
        
                 [ "${pkgs.apparmor-utils}/bin/aa-remove-unknown" ] ++

     

       200
        
                 # Optionaly kill the processes which are unconfined but now have a profile loaded

     

       201
        
                 # (because AppArmor can only start to confine new processes).

     

       202
       +
                 optional cfg.killUnconfinedConfinables killUnconfinedConfinables;

     

       203
        
               ExecStop = "${pkgs.apparmor-utils}/bin/aa-teardown";

     

       204
        
               CacheDirectory = [ "apparmor" "apparmor/logprof" ];

     

       205
        
               CacheDirectoryMode = "0700";

     
···

       207
        
           };

     

       208
        
         };

     

       209
        
       

     

       210
       +
         meta.maintainers = with maintainers; [ julm ];

     

       211
        
       }

+169 -153

nixos/modules/security/apparmor/includes.nix

···

       3
        
         inherit (builtins) attrNames hasAttr isAttrs;

     

       4
        
         inherit (lib) getLib;

     

       5
        
         inherit (config.environment) etc;

     

       0
        
       
     

       0
        
       
     

       6
        
         etcRule = arg:

     

       7
       -
           let go = {path ? null, mode ? "r", trail ? ""}:

     

       8
        
             lib.optionalString (hasAttr path etc)

     

       9
        
               "${mode} ${config.environment.etc.${path}.source}${trail},";

     

       10
        
           in if isAttrs arg

     

       11
        
           then go arg

     

       12
       -
           else go {path=arg;};

     

       13
        
       in

     

       14
        
       {

     

       15
        
       # FIXME: most of the etcRule calls below have been

     
···

       29
        
         '';

     

       30
        
         "abstractions/audio" = ''

     

       31
        
           include "${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/audio"

     

       32
       -
           ${etcRule "asound.conf"}

     

       33
       -
           ${etcRule "esound/esd.conf"}

     

       34
       -
           ${etcRule "libao.conf"}

     

       35
       -
           ${etcRule {path="pulse"; trail="/";}}

     

       36
       -
           ${etcRule {path="pulse"; trail="/**";}}

     

       37
       -
           ${etcRule {path="sound"; trail="/";}}

     

       38
       -
           ${etcRule {path="sound"; trail="/**";}}

     

       39
       -
           ${etcRule {path="alsa/conf.d"; trail="/";}}

     

       40
       -
           ${etcRule {path="alsa/conf.d"; trail="/*";}}

     

       41
       -
           ${etcRule "openal/alsoft.conf"}

     

       42
       -
           ${etcRule "wildmidi/wildmidi.conf"}

     

       43
       -
         '';

     

       0
        
       
     

       44
        
         "abstractions/authentication" = ''

     

       45
        
           include "${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/authentication"

     

       46
        
           # Defined in security.pam

     

       47
        
           include <abstractions/pam>

     

       48
       -
           ${etcRule "nologin"}

     

       49
       -
           ${etcRule "securetty"}

     

       50
       -
           ${etcRule {path="security"; trail="/*";}}

     

       51
       -
           ${etcRule "shadow"}

     

       52
       -
           ${etcRule "gshadow"}

     

       53
       -
           ${etcRule "pwdb.conf"}

     

       54
       -
           ${etcRule "default/passwd"}

     

       55
       -
           ${etcRule "login.defs"}

     

       56
       -
         '';

     

       0
        
       
     

       57
        
         "abstractions/base" = ''

     

       58
       -
            include "${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/base"

     

       59
       -
            r ${pkgs.stdenv.cc.libc}/share/locale/**,

     

       60
       -
            r ${pkgs.stdenv.cc.libc}/share/locale.alias,

     

       61
       -
            ${lib.optionalString (pkgs.glibcLocales != null) "r ${pkgs.glibcLocales}/lib/locale/locale-archive,"}

     

       62
       -
            ${etcRule "localtime"}

     

       63
       -
            r ${pkgs.tzdata}/share/zoneinfo/**,

     

       64
       -
            r ${pkgs.stdenv.cc.libc}/share/i18n/**,

     

       65
        
         '';

     

       66
        
         "abstractions/bash" = ''

     

       67
        
           include "${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/bash"

     

       68
       -
           # system-wide bash configuration

     

       69
       -
           ${etcRule "profile.dos"}

     

       70
       -
           ${etcRule "profile"}

     

       71
       -
           ${etcRule "profile.d"}

     

       72
       -
           ${etcRule {path="profile.d"; trail="/*";}}

     

       73
       -
           ${etcRule "bashrc"}

     

       74
       -
           ${etcRule "bash.bashrc"}

     

       75
       -
           ${etcRule "bash.bashrc.local"}

     

       76
       -
           ${etcRule "bash_completion"}

     

       77
       -
           ${etcRule "bash_completion.d"}

     

       78
       -
           ${etcRule {path="bash_completion.d"; trail="/*";}}

     

       79
       -
           # bash relies on system-wide readline configuration

     

       80
       -
           ${etcRule "inputrc"}

     

       81
        
           # bash inspects filesystems at startup

     

       82
        
           # and /etc/mtab is linked to /proc/mounts

     

       83
        
           @{PROC}/mounts

     

       84
        
       

     

       85
       -
           # run out of /etc/bash.bashrc

     

       86
       -
           ${etcRule "DIR_COLORS"}

     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       87
        
         '';

     

       88
        
         "abstractions/cups-client" = ''

     

       89
        
           include "${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/cpus-client"

     

       90
        
           ${etcRule "cups/cups-client.conf"}

     

       91
        
         '';

     

       92
       -
         "abstractions/consoles" = ''

     

       93
       -
            include "${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/consoles"

     

       94
       -
         '';

     

       95
        
         "abstractions/dbus-session-strict" = ''

     

       96
        
           include "${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/dbus-session-strict"

     

       97
        
           ${etcRule "machine-id"}

     

       98
        
         '';

     

       99
        
         "abstractions/dconf" = ''

     

       100
        
           include "${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/dconf"

     

       101
       -
           ${etcRule {path="dconf"; trail="/**";}}

     

       102
        
         '';

     

       103
        
         "abstractions/dri-common" = ''

     

       104
        
           include "${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/dri-common"

     
···

       109
        
         # those are therefore added there to this "abstractions/fonts".

     

       110
        
         "abstractions/fonts" = ''

     

       111
        
           include "${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/fonts"

     

       112
       -
           ${etcRule {path="fonts"; trail="/**";}}

     

       113
        
         '';

     

       114
        
         "abstractions/gnome" = ''

     

       115
        
           include "${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/gnome"

     

       116
       -
           ${etcRule {path="gnome"; trail="/gtkrc*";}}

     

       117
       -
           ${etcRule {path="gtk"; trail="/*";}}

     

       118
       -
           ${etcRule {path="gtk-2.0"; trail="/*";}}

     

       119
       -
           ${etcRule {path="gtk-3.0"; trail="/*";}}

     

       120
       -
           ${etcRule "orbitrc"}

     

       121
        
           include <abstractions/fonts>

     

       122
       -
           ${etcRule {path="pango"; trail="/*";}}

     

       123
       -
           ${etcRule {path="/etc/gnome-vfs-2.0"; trail="/modules/";}}

     

       124
       -
           ${etcRule {path="/etc/gnome-vfs-2.0"; trail="/modules/*";}}

     

       125
       -
           ${etcRule "papersize"}

     

       126
       -
           ${etcRule {path="cups"; trail="/lpoptions";}}

     

       127
       -
           ${etcRule {path="gnome"; trail="/defaults.list";}}

     

       128
       -
           ${etcRule {path="xdg"; trail="/{,*-}mimeapps.list";}}

     

       129
       -
           ${etcRule "xdg/mimeapps.list"}

     

       130
       -
         '';

     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       131
        
         "abstractions/kde" = ''

     

       132
        
           include "${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/kde"

     

       133
       -
           ${etcRule {path="qt3"; trail="/kstylerc";}}

     

       134
       -
           ${etcRule {path="qt3"; trail="/qt_plugins_3.3rc";}}

     

       135
       -
           ${etcRule {path="qt3"; trail="/qtrc";}}

     

       136
       -
           ${etcRule "kderc"}

     

       137
       -
           ${etcRule {path="kde3"; trail="/*";}}

     

       138
       -
           ${etcRule "kde4rc"}

     

       139
       -
           ${etcRule {path="xdg"; trail="/kdeglobals";}}

     

       140
       -
           ${etcRule {path="xdg"; trail="/Trolltech.conf";}}

     

       141
       -
         '';

     

       0
        
       
     

       142
        
         "abstractions/kerberosclient" = ''

     

       143
        
           include "${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/kerberosclient"

     

       144
       -
           ${etcRule {path="krb5.keytab"; mode="rk";}}

     

       145
       -
           ${etcRule "krb5.conf"}

     

       146
       -
           ${etcRule "krb5.conf.d"}

     

       147
       -
           ${etcRule {path="krb5.conf.d"; trail="/*";}}

     

       0
        
       
     

       148
        
       

     

       149
        
           # config files found via strings on libs

     

       150
       -
           ${etcRule "krb.conf"}

     

       151
       -
           ${etcRule "krb.realms"}

     

       152
       -
           ${etcRule "srvtab"}

     

       153
       -
         '';

     

       154
        
         "abstractions/ldapclient" = ''

     

       155
        
           include "${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/ldapclient"

     

       156
       -
           ${etcRule "ldap.conf"}

     

       157
       -
           ${etcRule "ldap.secret"}

     

       158
       -
           ${etcRule {path="openldap"; trail="/*";}}

     

       159
       -
           ${etcRule {path="openldap"; trail="/cacerts/*";}}

     

       160
       -
           ${etcRule {path="sasl2"; trail="/*";}}

     

       161
       -
         '';

     

       0
        
       
     

       162
        
         "abstractions/likewise" = ''

     

       163
        
           include "${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/likewise"

     

       164
        
         '';

     

       165
        
         "abstractions/mdns" = ''

     

       166
        
           include "${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/mdns"

     

       167
       -
            ${etcRule "nss_mdns.conf"}

     

       168
        
         '';

     

       169
        
         "abstractions/nameservice" = ''

     

       170
        
           include "${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/nameservice"

     
···

       173
        
           # looking up users by name or id, groups by name or id, hosts by name

     

       174
        
           # or IP, etc. These operations may be performed through files, dns,

     

       175
        
           # NIS, NIS+, LDAP, hesiod, wins, etc. Allow them all here.

     

       176
       -
           ${etcRule "group"}

     

       177
       -
           ${etcRule "host.conf"}

     

       178
       -
           ${etcRule "hosts"}

     

       179
       -
           ${etcRule "nsswitch.conf"}

     

       180
       -
           ${etcRule "gai.conf"}

     

       181
       -
           ${etcRule "passwd"}

     

       182
       -
           ${etcRule "protocols"}

     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       183
        
       

     

       184
       -
           # libtirpc (used for NIS/YP login) needs this

     

       185
       -
           ${etcRule "netconfig"}

     

       186
       -
       

     

       187
       -
           ${etcRule "resolv.conf"}

     

       188
        
       

     

       189
       -
           ${etcRule {path="samba"; trail="/lmhosts";}}

     

       190
       -
           ${etcRule "services"}

     

       191
        
       

     

       192
       -
           ${etcRule "default/nss"}

     

       0
        
       
     

       193
        
       

     

       194
       -
           # libnl-3-200 via libnss-gw-name

     

       195
       -
           ${etcRule {path="libnl"; trail="/classid";}}

     

       196
       -
           ${etcRule {path="libnl-3"; trail="/classid";}}

     

       197
        
       

     

       198
       -
           mr ${getLib pkgs.nss}/lib/libnss_*.so*,

     

       199
       -
           mr ${getLib pkgs.nss}/lib64/libnss_*.so*,

     

       200
       -
         '';

     

       0
        
       
     

       201
        
         "abstractions/nis" = ''

     

       202
        
           include "${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/nis"

     

       203
        
         '';

     
···

       207
        
         '';

     

       208
        
         "abstractions/opencl-common" = ''

     

       209
        
           include "${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/opencl-common"

     

       210
       -
           ${etcRule {path="OpenCL"; trail="/**";}}

     

       211
        
         '';

     

       212
        
         "abstractions/opencl-mesa" = ''

     

       213
        
           include "${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/opencl-mesa"

     
···

       215
        
         '';

     

       216
        
         "abstractions/openssl" = ''

     

       217
        
           include "${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/openssl"

     

       218
       -
           ${etcRule {path="ssl"; trail="/openssl.cnf";}}

     

       219
        
         '';

     

       220
        
         "abstractions/p11-kit" = ''

     

       221
        
           include "${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/p11-kit"

     

       222
       -
           ${etcRule {path="pkcs11"; trail="/";}}

     

       223
       -
           ${etcRule {path="pkcs11"; trail="/pkcs11.conf";}}

     

       224
       -
           ${etcRule {path="pkcs11"; trail="/modules/";}}

     

       225
       -
           ${etcRule {path="pkcs11"; trail="/modules/*";}}

     

       226
       -
         '';

     

       0
        
       
     

       227
        
         "abstractions/perl" = ''

     

       228
        
           include "${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/perl"

     

       229
       -
           ${etcRule {path="perl"; trail="/**";}}

     

       230
        
         '';

     

       231
        
         "abstractions/php" = ''

     

       232
        
           include "${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/php"

     

       233
       -
           ${etcRule {path="php"; trail="/**/";}}

     

       234
       -
           ${etcRule {path="php5"; trail="/**/";}}

     

       235
       -
           ${etcRule {path="php7"; trail="/**/";}}

     

       236
       -
           ${etcRule {path="php"; trail="/**.ini";}}

     

       237
       -
           ${etcRule {path="php5"; trail="/**.ini";}}

     

       238
       -
           ${etcRule {path="php7"; trail="/**.ini";}}

     

       239
       -
         '';

     

       0
        
       
     

       240
        
         "abstractions/postfix-common" = ''

     

       241
        
           include "${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/postfix-common"

     

       242
       -
           ${etcRule "mailname"}

     

       243
       -
           ${etcRule {path="postfix"; trail="/*.cf";}}

     

       244
       -
           ${etcRule "postfix/main.cf"}

     

       245
       -
           ${etcRule "postfix/master.cf"}

     

       246
       -
         '';

     

       0
        
       
     

       247
        
         "abstractions/python" = ''

     

       248
        
           include "${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/python"

     

       249
        
         '';

     

       250
        
         "abstractions/qt5" = ''

     

       251
        
           include "${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/qt5"

     

       252
       -
           ${etcRule {path="xdg"; trail="/QtProject/qtlogging.ini";}}

     

       253
       -
           ${etcRule {path="xdg/QtProject"; trail="/qtlogging.ini";}}

     

       254
       -
           ${etcRule "xdg/QtProject/qtlogging.ini"}

     

       255
       -
         '';

     

       0
        
       
     

       256
        
         "abstractions/samba" = ''

     

       257
        
           include "${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/samba"

     

       258
       -
           ${etcRule {path="samba"; trail="/*";}}

     

       259
        
         '';

     

       260
        
         "abstractions/ssl_certs" = ''

     

       261
        
           include "${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/ssl_certs"

     

       262
       -
           ${etcRule "ssl/certs/ca-certificates.crt"}

     

       263
       -
           ${etcRule "ssl/certs/ca-bundle.crt"}

     

       264
       -
           ${etcRule "pki/tls/certs/ca-bundle.crt"}

     

       265
       -
       

     

       266
       -
           ${etcRule {path="ssl/trust"; trail="/";}}

     

       267
       -
           ${etcRule {path="ssl/trust"; trail="/*";}}

     

       268
       -
           ${etcRule {path="ssl/trust/anchors"; trail="/";}}

     

       269
       -
           ${etcRule {path="ssl/trust/anchors"; trail="/**";}}

     

       270
       -
           ${etcRule {path="pki/trust"; trail="/";}}

     

       271
       -
           ${etcRule {path="pki/trust"; trail="/*";}}

     

       272
       -
           ${etcRule {path="pki/trust/anchors"; trail="/";}}

     

       273
       -
           ${etcRule {path="pki/trust/anchors"; trail="/**";}}

     

       274
        
       

     

       275
       -
           # security.acme NixOS module

     

       276
        
           r /var/lib/acme/*/cert.pem,

     

       277
        
           r /var/lib/acme/*/chain.pem,

     

       278
        
           r /var/lib/acme/*/fullchain.pem,

     

       279
       -
         '';

     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       280
        
         "abstractions/ssl_keys" = ''

     

       281
        
           # security.acme NixOS module

     

       282
        
           r /var/lib/acme/*/full.pem,

     
···

       284
        
         '';

     

       285
        
         "abstractions/vulkan" = ''

     

       286
        
           include "${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/vulkan"

     

       287
       -
           ${etcRule {path="vulkan/icd.d"; trail="/";}}

     

       288
       -
           ${etcRule {path="vulkan/icd.d"; trail="/*.json";}}

     

       289
        
         '';

     

       290
        
         "abstractions/winbind" = ''

     

       291
        
           include "${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/winbind"

     

       292
       -
           ${etcRule {path="samba"; trail="/smb.conf";}}

     

       293
       -
           ${etcRule {path="samba"; trail="/dhcp.conf";}}

     

       294
        
         '';

     

       295
        
         "abstractions/X" = ''

     

       296
        
           include "${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/X"

     

       297
       -
           ${etcRule {path="X11/cursors"; trail="/";}}

     

       298
       -
           ${etcRule {path="X11/cursors"; trail="/**";}}

     

       299
        
         '';

     

       300
        
       };

     

       301
        
       }

···

       3
        
         inherit (builtins) attrNames hasAttr isAttrs;

     

       4
        
         inherit (lib) getLib;

     

       5
        
         inherit (config.environment) etc;

     

       6
       +
         # Utility to generate an AppArmor rule

     

       7
       +
         # only when the given path exists in config.environment.etc

     

       8
        
         etcRule = arg:

     

       9
       +
           let go = { path ? null, mode ? "r", trail ? "" }:

     

       10
        
             lib.optionalString (hasAttr path etc)

     

       11
        
               "${mode} ${config.environment.etc.${path}.source}${trail},";

     

       12
        
           in if isAttrs arg

     

       13
        
           then go arg

     

       14
       +
           else go { path = arg; };

     

       15
        
       in

     

       16
        
       {

     

       17
        
       # FIXME: most of the etcRule calls below have been

     
···

       31
        
         '';

     

       32
        
         "abstractions/audio" = ''

     

       33
        
           include "${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/audio"

     

       34
       +
           '' + lib.concatMapStringsSep "\n" etcRule [

     

       35
       +
             "asound.conf"

     

       36
       +
             "esound/esd.conf"

     

       37
       +
             "libao.conf"

     

       38
       +
             { path = "pulse";  trail = "/"; }

     

       39
       +
             { path = "pulse";  trail = "/**"; }

     

       40
       +
             { path = "sound";  trail = "/"; }

     

       41
       +
             { path = "sound";  trail = "/**"; }

     

       42
       +
             { path = "alsa/conf.d";  trail = "/"; }

     

       43
       +
             { path = "alsa/conf.d";  trail = "/*"; }

     

       44
       +
             "openal/alsoft.conf"

     

       45
       +
             "wildmidi/wildmidi.conf"

     

       46
       +
           ];

     

       47
        
         "abstractions/authentication" = ''

     

       48
        
           include "${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/authentication"

     

       49
        
           # Defined in security.pam

     

       50
        
           include <abstractions/pam>

     

       51
       +
           '' + lib.concatMapStringsSep "\n" etcRule [

     

       52
       +
             "nologin"

     

       53
       +
             "securetty"

     

       54
       +
             { path = "security";  trail = "/*"; }

     

       55
       +
             "shadow"

     

       56
       +
             "gshadow"

     

       57
       +
             "pwdb.conf"

     

       58
       +
             "default/passwd"

     

       59
       +
             "login.defs"

     

       60
       +
           ];

     

       61
        
         "abstractions/base" = ''

     

       62
       +
           include "${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/base"

     

       63
       +
           r ${pkgs.stdenv.cc.libc}/share/locale/**,

     

       64
       +
           r ${pkgs.stdenv.cc.libc}/share/locale.alias,

     

       65
       +
           ${lib.optionalString (pkgs.glibcLocales != null) "r ${pkgs.glibcLocales}/lib/locale/locale-archive,"}

     

       66
       +
           ${etcRule "localtime"}

     

       67
       +
           r ${pkgs.tzdata}/share/zoneinfo/**,

     

       68
       +
           r ${pkgs.stdenv.cc.libc}/share/i18n/**,

     

       69
        
         '';

     

       70
        
         "abstractions/bash" = ''

     

       71
        
           include "${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/bash"

     

       72
       +
       

     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       73
        
           # bash inspects filesystems at startup

     

       74
        
           # and /etc/mtab is linked to /proc/mounts

     

       75
        
           @{PROC}/mounts

     

       76
        
       

     

       77
       +
           # system-wide bash configuration

     

       78
       +
           '' + lib.concatMapStringsSep "\n" etcRule [

     

       79
       +
             "profile.dos"

     

       80
       +
             "profile"

     

       81
       +
             "profile.d"

     

       82
       +
             { path = "profile.d";  trail = "/*"; }

     

       83
       +
             "bashrc"

     

       84
       +
             "bash.bashrc"

     

       85
       +
             "bash.bashrc.local"

     

       86
       +
             "bash_completion"

     

       87
       +
             "bash_completion.d"

     

       88
       +
             { path = "bash_completion.d";  trail = "/*"; }

     

       89
       +
             # bash relies on system-wide readline configuration

     

       90
       +
             "inputrc"

     

       91
       +
             # run out of /etc/bash.bashrc

     

       92
       +
             "DIR_COLORS"

     

       93
       +
           ];

     

       94
       +
         "abstractions/consoles" = ''

     

       95
       +
            include "${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/consoles"

     

       96
        
         '';

     

       97
        
         "abstractions/cups-client" = ''

     

       98
        
           include "${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/cpus-client"

     

       99
        
           ${etcRule "cups/cups-client.conf"}

     

       100
        
         '';

     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       101
        
         "abstractions/dbus-session-strict" = ''

     

       102
        
           include "${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/dbus-session-strict"

     

       103
        
           ${etcRule "machine-id"}

     

       104
        
         '';

     

       105
        
         "abstractions/dconf" = ''

     

       106
        
           include "${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/dconf"

     

       107
       +
           ${etcRule { path = "dconf";  trail = "/**"; }}

     

       108
        
         '';

     

       109
        
         "abstractions/dri-common" = ''

     

       110
        
           include "${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/dri-common"

     
···

       115
        
         # those are therefore added there to this "abstractions/fonts".

     

       116
        
         "abstractions/fonts" = ''

     

       117
        
           include "${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/fonts"

     

       118
       +
           ${etcRule { path = "fonts";  trail = "/**"; }}

     

       119
        
         '';

     

       120
        
         "abstractions/gnome" = ''

     

       121
        
           include "${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/gnome"

     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       122
        
           include <abstractions/fonts>

     

       123
       +
           '' + lib.concatMapStringsSep "\n" etcRule [

     

       124
       +
             { path = "gnome";  trail = "/gtkrc*"; }

     

       125
       +
             { path = "gtk";  trail = "/*"; }

     

       126
       +
             { path = "gtk-2.0";  trail = "/*"; }

     

       127
       +
             { path = "gtk-3.0";  trail = "/*"; }

     

       128
       +
             "orbitrc"

     

       129
       +
             { path = "pango";  trail = "/*"; }

     

       130
       +
             { path = "/etc/gnome-vfs-2.0";  trail = "/modules/"; }

     

       131
       +
             { path = "/etc/gnome-vfs-2.0";  trail = "/modules/*"; }

     

       132
       +
             "papersize"

     

       133
       +
             { path = "cups";  trail = "/lpoptions"; }

     

       134
       +
             { path = "gnome";  trail = "/defaults.list"; }

     

       135
       +
             { path = "xdg";  trail = "/{,*-}mimeapps.list"; }

     

       136
       +
             "xdg/mimeapps.list"

     

       137
       +
           ];

     

       138
        
         "abstractions/kde" = ''

     

       139
        
           include "${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/kde"

     

       140
       +
           '' + lib.concatMapStringsSep "\n" etcRule [

     

       141
       +
             { path = "qt3";  trail = "/kstylerc"; }

     

       142
       +
             { path = "qt3";  trail = "/qt_plugins_3.3rc"; }

     

       143
       +
             { path = "qt3";  trail = "/qtrc"; }

     

       144
       +
             "kderc"

     

       145
       +
             { path = "kde3";  trail = "/*"; }

     

       146
       +
             "kde4rc"

     

       147
       +
             { path = "xdg";  trail = "/kdeglobals"; }

     

       148
       +
             { path = "xdg";  trail = "/Trolltech.conf"; }

     

       149
       +
           ];

     

       150
        
         "abstractions/kerberosclient" = ''

     

       151
        
           include "${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/kerberosclient"

     

       152
       +
           '' + lib.concatMapStringsSep "\n" etcRule [

     

       153
       +
           { path = "krb5.keytab"; mode="rk"; }

     

       154
       +
           "krb5.conf"

     

       155
       +
           "krb5.conf.d"

     

       156
       +
           { path = "krb5.conf.d";  trail = "/*"; }

     

       157
        
       

     

       158
        
           # config files found via strings on libs

     

       159
       +
           "krb.conf"

     

       160
       +
           "krb.realms"

     

       161
       +
           "srvtab"

     

       162
       +
           ];

     

       163
        
         "abstractions/ldapclient" = ''

     

       164
        
           include "${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/ldapclient"

     

       165
       +
           '' + lib.concatMapStringsSep "\n" etcRule [

     

       166
       +
             "ldap.conf"

     

       167
       +
             "ldap.secret"

     

       168
       +
             { path = "openldap";  trail = "/*"; }

     

       169
       +
             { path = "openldap";  trail = "/cacerts/*"; }

     

       170
       +
             { path = "sasl2";  trail = "/*"; }

     

       171
       +
           ];

     

       172
        
         "abstractions/likewise" = ''

     

       173
        
           include "${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/likewise"

     

       174
        
         '';

     

       175
        
         "abstractions/mdns" = ''

     

       176
        
           include "${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/mdns"

     

       177
       +
           ${etcRule "nss_mdns.conf"}

     

       178
        
         '';

     

       179
        
         "abstractions/nameservice" = ''

     

       180
        
           include "${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/nameservice"

     
···

       183
        
           # looking up users by name or id, groups by name or id, hosts by name

     

       184
        
           # or IP, etc. These operations may be performed through files, dns,

     

       185
        
           # NIS, NIS+, LDAP, hesiod, wins, etc. Allow them all here.

     

       186
       +
           mr ${getLib pkgs.nss}/lib/libnss_*.so*,

     

       187
       +
           mr ${getLib pkgs.nss}/lib64/libnss_*.so*,

     

       188
       +
           '' + lib.concatMapStringsSep "\n" etcRule [

     

       189
       +
             "group"

     

       190
       +
             "host.conf"

     

       191
       +
             "hosts"

     

       192
       +
             "nsswitch.conf"

     

       193
       +
             "gai.conf"

     

       194
       +
             "passwd"

     

       195
       +
             "protocols"

     

       196
        
       

     

       197
       +
             # libtirpc (used for NIS/YP login) needs this

     

       198
       +
             "netconfig"

     

       0
        
       
     

       0
        
       
     

       199
        
       

     

       200
       +
             "resolv.conf"

     

       0
        
       
     

       201
        
       

     

       202
       +
             { path = "samba";  trail = "/lmhosts"; }

     

       203
       +
             "services"

     

       204
        
       

     

       205
       +
             "default/nss"

     

       0
        
       
     

       0
        
       
     

       206
        
       

     

       207
       +
             # libnl-3-200 via libnss-gw-name

     

       208
       +
             { path = "libnl";  trail = "/classid"; }

     

       209
       +
             { path = "libnl-3";  trail = "/classid"; }

     

       210
       +
           ];

     

       211
        
         "abstractions/nis" = ''

     

       212
        
           include "${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/nis"

     

       213
        
         '';

     
···

       217
        
         '';

     

       218
        
         "abstractions/opencl-common" = ''

     

       219
        
           include "${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/opencl-common"

     

       220
       +
           ${etcRule { path = "OpenCL";  trail = "/**"; }}

     

       221
        
         '';

     

       222
        
         "abstractions/opencl-mesa" = ''

     

       223
        
           include "${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/opencl-mesa"

     
···

       225
        
         '';

     

       226
        
         "abstractions/openssl" = ''

     

       227
        
           include "${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/openssl"

     

       228
       +
           ${etcRule { path = "ssl";  trail = "/openssl.cnf"; }}

     

       229
        
         '';

     

       230
        
         "abstractions/p11-kit" = ''

     

       231
        
           include "${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/p11-kit"

     

       232
       +
           '' + lib.concatMapStringsSep "\n" etcRule [

     

       233
       +
             { path = "pkcs11";  trail = "/"; }

     

       234
       +
             { path = "pkcs11";  trail = "/pkcs11.conf"; }

     

       235
       +
             { path = "pkcs11";  trail = "/modules/"; }

     

       236
       +
             { path = "pkcs11";  trail = "/modules/*"; }

     

       237
       +
           ];

     

       238
        
         "abstractions/perl" = ''

     

       239
        
           include "${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/perl"

     

       240
       +
           ${etcRule { path = "perl";  trail = "/**"; }}

     

       241
        
         '';

     

       242
        
         "abstractions/php" = ''

     

       243
        
           include "${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/php"

     

       244
       +
           '' + lib.concatMapStringsSep "\n" etcRule [

     

       245
       +
             { path = "php";  trail = "/**/"; }

     

       246
       +
             { path = "php5";  trail = "/**/"; }

     

       247
       +
             { path = "php7";  trail = "/**/"; }

     

       248
       +
             { path = "php";  trail = "/**.ini"; }

     

       249
       +
             { path = "php5";  trail = "/**.ini"; }

     

       250
       +
             { path = "php7";  trail = "/**.ini"; }

     

       251
       +
           ];

     

       252
        
         "abstractions/postfix-common" = ''

     

       253
        
           include "${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/postfix-common"

     

       254
       +
           '' + lib.concatMapStringsSep "\n" etcRule [

     

       255
       +
             "mailname"

     

       256
       +
             { path = "postfix";  trail = "/*.cf"; }

     

       257
       +
             "postfix/main.cf"

     

       258
       +
             "postfix/master.cf"

     

       259
       +
           ];

     

       260
        
         "abstractions/python" = ''

     

       261
        
           include "${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/python"

     

       262
        
         '';

     

       263
        
         "abstractions/qt5" = ''

     

       264
        
           include "${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/qt5"

     

       265
       +
           '' + lib.concatMapStringsSep "\n" etcRule [

     

       266
       +
             { path = "xdg";  trail = "/QtProject/qtlogging.ini"; }

     

       267
       +
             { path = "xdg/QtProject";  trail = "/qtlogging.ini"; }

     

       268
       +
             "xdg/QtProject/qtlogging.ini"

     

       269
       +
           ];

     

       270
        
         "abstractions/samba" = ''

     

       271
        
           include "${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/samba"

     

       272
       +
           ${etcRule { path = "samba";  trail = "/*"; }}

     

       273
        
         '';

     

       274
        
         "abstractions/ssl_certs" = ''

     

       275
        
           include "${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/ssl_certs"

     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       276
        
       

     

       277
       +
           # For the NixOS module: security.acme

     

       278
        
           r /var/lib/acme/*/cert.pem,

     

       279
        
           r /var/lib/acme/*/chain.pem,

     

       280
        
           r /var/lib/acme/*/fullchain.pem,

     

       281
       +
       

     

       282
       +
           '' + lib.concatMapStringsSep "\n" etcRule [

     

       283
       +
             "ssl/certs/ca-certificates.crt"

     

       284
       +
             "ssl/certs/ca-bundle.crt"

     

       285
       +
             "pki/tls/certs/ca-bundle.crt"

     

       286
       +
       

     

       287
       +
             { path = "ssl/trust";  trail = "/"; }

     

       288
       +
             { path = "ssl/trust";  trail = "/*"; }

     

       289
       +
             { path = "ssl/trust/anchors";  trail = "/"; }

     

       290
       +
             { path = "ssl/trust/anchors";  trail = "/**"; }

     

       291
       +
             { path = "pki/trust";  trail = "/"; }

     

       292
       +
             { path = "pki/trust";  trail = "/*"; }

     

       293
       +
             { path = "pki/trust/anchors";  trail = "/"; }

     

       294
       +
             { path = "pki/trust/anchors";  trail = "/**"; }

     

       295
       +
           ];

     

       296
        
         "abstractions/ssl_keys" = ''

     

       297
        
           # security.acme NixOS module

     

       298
        
           r /var/lib/acme/*/full.pem,

     
···

       300
        
         '';

     

       301
        
         "abstractions/vulkan" = ''

     

       302
        
           include "${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/vulkan"

     

       303
       +
           ${etcRule { path = "vulkan/icd.d";  trail = "/"; }}

     

       304
       +
           ${etcRule { path = "vulkan/icd.d";  trail = "/*.json"; }}

     

       305
        
         '';

     

       306
        
         "abstractions/winbind" = ''

     

       307
        
           include "${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/winbind"

     

       308
       +
           ${etcRule { path = "samba";  trail = "/smb.conf"; }}

     

       309
       +
           ${etcRule { path = "samba";  trail = "/dhcp.conf"; }}

     

       310
        
         '';

     

       311
        
         "abstractions/X" = ''

     

       312
        
           include "${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/X"

     

       313
       +
           ${etcRule { path = "X11/cursors";  trail = "/"; }}

     

       314
       +
           ${etcRule { path = "X11/cursors";  trail = "/**"; }}

     

       315
        
         '';

     

       316
        
       };

     

       317
        
       }

nixos/modules/security/misc.nix

···

       7
        
           maintainers = [ maintainers.joachifm ];

     

       8
        
         };

     

       9
        
       

     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       10
        
         options = {

     

       11
        
           security.allowUserNamespaces = mkOption {

     

       12
        
             type = types.bool;

···

       7
        
           maintainers = [ maintainers.joachifm ];

     

       8
        
         };

     

       9
        
       

     

       10
       +
         imports = [

     

       11
       +
           (lib.mkRenamedOptionModule [ "security" "virtualization" "flushL1DataCache" ] [ "security" "virtualisation" "flushL1DataCache" ])

     

       12
       +
         ];

     

       13
       +
       

     

       14
        
         options = {

     

       15
        
           security.allowUserNamespaces = mkOption {

     

       16
        
             type = types.bool;

+66 -46

nixos/modules/security/pam.nix

···

       897
        
       

     

       898
        
           security.apparmor.includes."abstractions/pam" = let

     

       899
        
             isEnabled = test: fold or false (map test (attrValues config.security.pam.services));

     

       900
       -
             in ''

     

       901
       -
             ${lib.concatMapStringsSep "\n"

     

       902
       -
                (name: "r ${config.environment.etc."pam.d/${name}".source},")

     

       903
       -
                (attrNames config.security.pam.services)}

     

       0
        
       
     

       904
        
             mr ${getLib pkgs.pam}/lib/security/pam_filter/*,

     

       905
        
             mr ${getLib pkgs.pam}/lib/security/pam_*.so,

     

       906
        
             r ${getLib pkgs.pam}/lib/security/,

     

       907
       -
             ${optionalString use_ldap

     

       908
       -
               "mr ${pam_ldap}/lib/security/pam_ldap.so,"}

     

       909
       -
             ${optionalString config.services.sssd.enable

     

       910
       -
               "mr ${pkgs.sssd}/lib/security/pam_sss.so,"}

     

       911
       -
             ${optionalString config.krb5.enable ''

     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       912
        
               mr ${pam_krb5}/lib/security/pam_krb5.so,

     

       913
        
               mr ${pam_ccreds}/lib/security/pam_ccreds.so,

     

       914
       -
             ''}

     

       915
       -
             ${optionalString (isEnabled (cfg: cfg.googleOsLoginAccountVerification)) ''

     

       916
        
               mr ${pkgs.google-compute-engine-oslogin}/lib/pam_oslogin_login.so,

     

       917
        
               mr ${pkgs.google-compute-engine-oslogin}/lib/pam_oslogin_admin.so,

     

       918
       -
             ''}

     

       919
       -
             ${optionalString (isEnabled (cfg: cfg.googleOsLoginAuthentication))

     

       920
       -
               "mr ${pkgs.google-compute-engine-oslogin}/lib/pam_oslogin_login.so,"}

     

       921
       -
             ${optionalString (config.security.pam.enableSSHAgentAuth && isEnabled (cfg: cfg.sshAgentAuth))

     

       922
       -
               "mr ${pkgs.pam_ssh_agent_auth}/libexec/pam_ssh_agent_auth.so,"}

     

       923
       -
             ${optionalString (isEnabled (cfg: cfg.fprintAuth))

     

       924
       -
               "mr ${pkgs.fprintd}/lib/security/pam_fprintd.so,"}

     

       925
       -
             ${optionalString (isEnabled (cfg: cfg.u2fAuth))

     

       926
       -
               "mr ${pkgs.pam_u2f}/lib/security/pam_u2f.so,"}

     

       927
       -
             ${optionalString (isEnabled (cfg: cfg.usbAuth))

     

       928
       -
               "mr ${pkgs.pam_usb}/lib/security/pam_usb.so,"}

     

       929
       -
             ${optionalString (isEnabled (cfg: cfg.oathAuth))

     

       930
       -
               "mr ${pkgs.oathToolkit}/lib/security/pam_oath.so,"}

     

       931
       -
             ${optionalString (isEnabled (cfg: cfg.yubicoAuth))

     

       932
       -
               "mr ${pkgs.yubico-pam}/lib/security/pam_yubico.so,"}

     

       933
       -
             ${optionalString (isEnabled (cfg: cfg.duoSecurity.enable))

     

       934
       -
               "mr ${pkgs.duo-unix}/lib/security/pam_duo.so,"}

     

       935
       -
             ${optionalString (isEnabled (cfg: cfg.otpwAuth))

     

       936
       -
               "mr ${pkgs.otpw}/lib/security/pam_otpw.so,"}

     

       937
       -
             ${optionalString config.security.pam.enableEcryptfs

     

       938
       -
               "mr ${pkgs.ecryptfs}/lib/security/pam_ecryptfs.so,"}

     

       939
       -
             ${optionalString (isEnabled (cfg: cfg.pamMount))

     

       940
       -
               "mr ${pkgs.pam_mount}/lib/security/pam_mount.so,"}

     

       941
       -
             ${optionalString (isEnabled (cfg: cfg.enableGnomeKeyring))

     

       942
       -
               "mr ${pkgs.gnome3.gnome-keyring}/lib/security/pam_gnome_keyring.so,"}

     

       943
       -
             ${optionalString (isEnabled (cfg: cfg.startSession))

     

       944
       -
               "mr ${pkgs.systemd}/lib/security/pam_systemd.so,"}

     

       945
       -
             ${optionalString (isEnabled (cfg: cfg.enableAppArmor) && config.security.apparmor.enable)

     

       946
       -
               "mr ${pkgs.apparmor-pam}/lib/security/pam_apparmor.so,"}

     

       947
       -
             ${optionalString (isEnabled (cfg: cfg.enableKwallet))

     

       948
       -
               "mr ${pkgs.plasma5.kwallet-pam}/lib/security/pam_kwallet5.so,"}

     

       949
       -
             ${optionalString config.virtualisation.lxc.lxcfs.enable

     

       950
       -
               "mr ${pkgs.lxc}/lib/security/pam_cgfs.so"}

     

       951
       -
           '';

     

       952
       -
       

     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       953
        
         };

     

       954
        
       

     

       955
        
       }

···

       897
        
       

     

       898
        
           security.apparmor.includes."abstractions/pam" = let

     

       899
        
             isEnabled = test: fold or false (map test (attrValues config.security.pam.services));

     

       900
       +
             in

     

       901
       +
             lib.concatMapStringsSep "\n"

     

       902
       +
               (name: "r ${config.environment.etc."pam.d/${name}".source},")

     

       903
       +
               (attrNames config.security.pam.services) +

     

       904
       +
             ''

     

       905
        
             mr ${getLib pkgs.pam}/lib/security/pam_filter/*,

     

       906
        
             mr ${getLib pkgs.pam}/lib/security/pam_*.so,

     

       907
        
             r ${getLib pkgs.pam}/lib/security/,

     

       908
       +
             '' +

     

       909
       +
             optionalString use_ldap ''

     

       910
       +
                mr ${pam_ldap}/lib/security/pam_ldap.so,

     

       911
       +
             '' +

     

       912
       +
             optionalString config.services.sssd.enable ''

     

       913
       +
               mr ${pkgs.sssd}/lib/security/pam_sss.so,

     

       914
       +
             '' +

     

       915
       +
             optionalString config.krb5.enable ''

     

       916
        
               mr ${pam_krb5}/lib/security/pam_krb5.so,

     

       917
        
               mr ${pam_ccreds}/lib/security/pam_ccreds.so,

     

       918
       +
             '' +

     

       919
       +
             optionalString (isEnabled (cfg: cfg.googleOsLoginAccountVerification)) ''

     

       920
        
               mr ${pkgs.google-compute-engine-oslogin}/lib/pam_oslogin_login.so,

     

       921
        
               mr ${pkgs.google-compute-engine-oslogin}/lib/pam_oslogin_admin.so,

     

       922
       +
             '' +

     

       923
       +
             optionalString (isEnabled (cfg: cfg.googleOsLoginAuthentication)) ''

     

       924
       +
               mr ${pkgs.google-compute-engine-oslogin}/lib/pam_oslogin_login.so,

     

       925
       +
             '' +

     

       926
       +
             optionalString (config.security.pam.enableSSHAgentAuth

     

       927
       +
                            && isEnabled (cfg: cfg.sshAgentAuth)) ''

     

       928
       +
               mr ${pkgs.pam_ssh_agent_auth}/libexec/pam_ssh_agent_auth.so,

     

       929
       +
             '' +

     

       930
       +
             optionalString (isEnabled (cfg: cfg.fprintAuth)) ''

     

       931
       +
               mr ${pkgs.fprintd}/lib/security/pam_fprintd.so,

     

       932
       +
             '' +

     

       933
       +
             optionalString (isEnabled (cfg: cfg.u2fAuth)) ''

     

       934
       +
               mr ${pkgs.pam_u2f}/lib/security/pam_u2f.so,

     

       935
       +
             '' +

     

       936
       +
             optionalString (isEnabled (cfg: cfg.usbAuth)) ''

     

       937
       +
               mr ${pkgs.pam_usb}/lib/security/pam_usb.so,

     

       938
       +
             '' +

     

       939
       +
             optionalString (isEnabled (cfg: cfg.oathAuth)) ''

     

       940
       +
               "mr ${pkgs.oathToolkit}/lib/security/pam_oath.so,

     

       941
       +
             '' +

     

       942
       +
             optionalString (isEnabled (cfg: cfg.yubicoAuth)) ''

     

       943
       +
               mr ${pkgs.yubico-pam}/lib/security/pam_yubico.so,

     

       944
       +
             '' +

     

       945
       +
             optionalString (isEnabled (cfg: cfg.duoSecurity.enable)) ''

     

       946
       +
               mr ${pkgs.duo-unix}/lib/security/pam_duo.so,

     

       947
       +
             '' +

     

       948
       +
             optionalString (isEnabled (cfg: cfg.otpwAuth)) ''

     

       949
       +
               mr ${pkgs.otpw}/lib/security/pam_otpw.so,

     

       950
       +
             '' +

     

       951
       +
             optionalString config.security.pam.enableEcryptfs ''

     

       952
       +
               mr ${pkgs.ecryptfs}/lib/security/pam_ecryptfs.so,

     

       953
       +
             '' +

     

       954
       +
             optionalString (isEnabled (cfg: cfg.pamMount)) ''

     

       955
       +
               mr ${pkgs.pam_mount}/lib/security/pam_mount.so,

     

       956
       +
             '' +

     

       957
       +
             optionalString (isEnabled (cfg: cfg.enableGnomeKeyring)) ''

     

       958
       +
               mr ${pkgs.gnome3.gnome-keyring}/lib/security/pam_gnome_keyring.so,

     

       959
       +
             '' +

     

       960
       +
             optionalString (isEnabled (cfg: cfg.startSession)) ''

     

       961
       +
               mr ${pkgs.systemd}/lib/security/pam_systemd.so,

     

       962
       +
             '' +

     

       963
       +
             optionalString (isEnabled (cfg: cfg.enableAppArmor)

     

       964
       +
                            && config.security.apparmor.enable) ''

     

       965
       +
               mr ${pkgs.apparmor-pam}/lib/security/pam_apparmor.so,

     

       966
       +
             '' +

     

       967
       +
             optionalString (isEnabled (cfg: cfg.enableKwallet)) ''

     

       968
       +
               mr ${pkgs.plasma5.kwallet-pam}/lib/security/pam_kwallet5.so,

     

       969
       +
             '' +

     

       970
       +
             optionalString config.virtualisation.lxc.lxcfs.enable ''

     

       971
       +
               mr ${pkgs.lxc}/lib/security/pam_cgfs.so

     

       972
       +
             '';

     

       973
        
         };

     

       974
        
       

     

       975
        
       }

+1 -1

pkgs/os-specific/linux/apparmor/default.nix

···

       290
        
           , name ? ""

     

       291
        
           }: rootPaths: runCommand

     

       292
        
             ( "apparmor-closure-rules"

     

       293
       -
             + lib.optionalString (name != "") "-${name}") {} ''

     

       294
        
           touch $out

     

       295
        
           while read -r path

     

       296
        
           do printf >>$out "%s,\n" ${lib.concatMapStringsSep " " (x: "\"${x}\"") (baseRules ++ additionalRules)}

···

       290
        
           , name ? ""

     

       291
        
           }: rootPaths: runCommand

     

       292
        
             ( "apparmor-closure-rules"

     

       293
       +
             + lib.optionalString (name != "") "-${name}" ) {} ''

     

       294
        
           touch $out

     

       295
        
           while read -r path

     

       296
        
           do printf >>$out "%s,\n" ${lib.concatMapStringsSep " " (x: "\"${x}\"") (baseRules ++ additionalRules)}