···
1
-
{ config, lib, pkgs, ... }:
3
-
inherit (builtins) attrNames head map match readFile;
inherit (config.environment) etc;
cfg = config.security.apparmor;
7
-
mkDisableOption = name: lib.mkEnableOption name // {
20
+
lib.mkEnableOption name
enabledPolicies = lib.filterAttrs (n: p: p.enable) cfg.policies;
16
-
(lib.mkRemovedOptionModule [ "security" "apparmor" "confineSUIDApplications" ] "Please use the new options: `security.apparmor.policies.<policy>.enable'.")
17
-
(lib.mkRemovedOptionModule [ "security" "apparmor" "profiles" ] "Please use the new option: `security.apparmor.policies'.")
30
+
(lib.mkRemovedOptionModule [
33
+
"confineSUIDApplications"
34
+
] "Please use the new options: `security.apparmor.policies.<policy>.enable'.")
35
+
(lib.mkRemovedOptionModule [
39
+
] "Please use the new option: `security.apparmor.policies'.")
···
45
-
type = types.attrsOf (types.submodule ({ name, config, ... }: {
47
-
enable = mkDisableOption "loading of the profile into the kernel";
48
-
enforce = mkDisableOption "enforcing of the policy or only complain in the logs";
49
-
profile = lib.mkOption {
50
-
description = "The policy of the profile.";
52
-
apply = pkgs.writeText name;
67
+
type = types.attrsOf (
69
+
{ name, config, ... }:
72
+
enable = mkDisableOption "loading of the profile into the kernel";
73
+
enforce = mkDisableOption "enforcing of the policy or only complain in the logs";
74
+
profile = lib.mkOption {
75
+
description = "The policy of the profile.";
77
+
apply = pkgs.writeText name;
includes = lib.mkOption {
type = types.attrsOf types.lines;
List of paths to be added to AppArmor's searched paths
when resolving `include` directives.
···
packages = lib.mkOption {
type = types.listOf types.package;
description = "List of packages to be added to AppArmor's include path";
enableCache = lib.mkEnableOption ''
···
config = lib.mkIf cfg.enable {
93
-
assertions = map (policy:
94
-
{ assertion = match ".*/.*" policy == null;
95
-
message = "`security.apparmor.policies.\"${policy}\"' must not contain a slash.";
96
-
# Because, for instance, aa-remove-unknown uses profiles_names_list() in rc.apparmor.functions
97
-
# which does not recurse into sub-directories.
99
-
) (attrNames cfg.policies);
120
+
assertions = map (policy: {
121
+
assertion = match ".*/.*" policy == null;
122
+
message = "`security.apparmor.policies.\"${policy}\"' must not contain a slash.";
123
+
# Because, for instance, aa-remove-unknown uses profiles_names_list() in rc.apparmor.functions
124
+
# which does not recurse into sub-directories.
125
+
}) (attrNames cfg.policies);
environment.systemPackages = [
···
environment.etc."apparmor.d".source = pkgs.linkFarm "apparmor.d" (
# It's important to put only enabledPolicies here and not all cfg.policies
# because aa-remove-unknown reads profiles from all /etc/apparmor.d/*
108
-
lib.mapAttrsToList (name: p: { inherit name; path = p.profile; }) enabledPolicies ++
109
-
lib.mapAttrsToList (name: path: { inherit name path; }) cfg.includes
134
+
lib.mapAttrsToList (name: p: {
138
+
++ lib.mapAttrsToList (name: path: { inherit name path; }) cfg.includes
111
-
environment.etc."apparmor/parser.conf".text = ''
140
+
environment.etc."apparmor/parser.conf".text =
${if cfg.enableCache then "write-cache" else "skip-cache"}
cache-loc /var/cache/apparmor
116
-
lib.concatMapStrings (p: "Include ${p}/etc/apparmor.d\n") cfg.packages;
146
+
+ lib.concatMapStrings (p: "Include ${p}/etc/apparmor.d\n") cfg.packages;
118
-
environment.etc."apparmor/apparmor.conf".text = ''
148
+
environment.etc."apparmor/apparmor.conf".text = '''';
environment.etc."apparmor/severity.db".source = pkgs.apparmor-utils + "/etc/apparmor/severity.db";
122
-
environment.etc."apparmor/logprof.conf".source = pkgs.runCommand "logprof.conf" {
125
-
# /etc/apparmor.d/ is read-only on NixOS
126
-
profiledir = /var/cache/apparmor/logprof
127
-
inactive_profiledir = /etc/apparmor.d/disable
128
-
# Use: journalctl -b --since today --grep audit: | aa-logprof
129
-
logfiles = /dev/stdin
151
+
environment.etc."apparmor/logprof.conf".source =
152
+
pkgs.runCommand "logprof.conf"
156
+
# /etc/apparmor.d/ is read-only on NixOS
157
+
profiledir = /var/cache/apparmor/logprof
158
+
inactive_profiledir = /etc/apparmor.d/disable
159
+
# Use: journalctl -b --since today --grep audit: | aa-logprof
160
+
logfiles = /dev/stdin
131
-
parser = ${pkgs.apparmor-parser}/bin/apparmor_parser
132
-
ldd = ${pkgs.glibc.bin}/bin/ldd
133
-
logger = ${pkgs.util-linux}/bin/logger
162
+
parser = ${pkgs.apparmor-parser}/bin/apparmor_parser
163
+
ldd = ${pkgs.glibc.bin}/bin/ldd
164
+
logger = ${pkgs.util-linux}/bin/logger
135
-
# customize how file ownership permissions are presented
137
-
# 1 - default of what ever mode the log reported
138
-
# 2 - force the new permissions to be user
139
-
# 3 - force all perms on the rule to be user
140
-
default_owner_prompt = 1
166
+
# customize how file ownership permissions are presented
168
+
# 1 - default of what ever mode the log reported
169
+
# 2 - force the new permissions to be user
170
+
# 3 - force all perms on the rule to be user
171
+
default_owner_prompt = 1
142
-
custom_includes = /etc/apparmor.d ${lib.concatMapStringsSep " " (p: "${p}/etc/apparmor.d") cfg.packages}
173
+
custom_includes = /etc/apparmor.d ${
174
+
lib.concatMapStringsSep " " (p: "${p}/etc/apparmor.d") cfg.packages
145
-
${pkgs.runtimeShell} = icnu
146
-
${pkgs.bashInteractive}/bin/sh = icnu
147
-
${pkgs.bashInteractive}/bin/bash = icnu
148
-
${config.users.defaultUserShell} = icnu
150
-
footer = "${pkgs.apparmor-utils}/etc/apparmor/logprof.conf";
151
-
passAsFile = [ "header" ];
153
-
cp $headerPath $out
154
-
sed '1,/\[qualifiers\]/d' $footer >> $out
178
+
${pkgs.runtimeShell} = icnu
179
+
${pkgs.bashInteractive}/bin/sh = icnu
180
+
${pkgs.bashInteractive}/bin/bash = icnu
181
+
${config.users.defaultUserShell} = icnu
183
+
footer = "${pkgs.apparmor-utils}/etc/apparmor/logprof.conf";
184
+
passAsFile = [ "header" ];
187
+
cp $headerPath $out
188
+
sed '1,/\[qualifiers\]/d' $footer >> $out
157
-
boot.kernelParams = [ "apparmor=1" "security=apparmor" ];
191
+
boot.kernelParams = [
193
+
"security=apparmor"
systemd.services.apparmor = {
"systemd-journald-audit.socket"
164
-
before = [ "sysinit.target" "shutdown.target" ];
conflicts = [ "shutdown.target" ];
wantedBy = [ "multi-user.target" ];
168
-
Description="Load AppArmor policies";
208
+
Description = "Load AppArmor policies";
DefaultDependencies = "no";
ConditionSecurity = "apparmor";
···
etc."apparmor/parser.conf".source
179
-
serviceConfig = let
180
-
killUnconfinedConfinables = pkgs.writeShellScript "apparmor-kill" ''
182
-
${pkgs.apparmor-bin-utils}/bin/aa-status --json |
183
-
${pkgs.jq}/bin/jq --raw-output '.processes | .[] | .[] | select (.status == "unconfined") | .pid' |
184
-
xargs --verbose --no-run-if-empty --delimiter='\n' \
187
-
commonOpts = p: "--verbose --show-cache ${lib.optionalString (!p.enforce) "--complain "}${p.profile}";
190
-
RemainAfterExit = "yes";
191
-
ExecStartPre = "${pkgs.apparmor-utils}/bin/aa-teardown";
192
-
ExecStart = lib.mapAttrsToList (n: p: "${pkgs.apparmor-parser}/bin/apparmor_parser --add ${commonOpts p}") enabledPolicies;
193
-
ExecStartPost = lib.optional cfg.killUnconfinedConfinables killUnconfinedConfinables;
195
-
# Add or replace into the kernel profiles in enabledPolicies
196
-
# (because AppArmor can do that without stopping the processes already confined).
197
-
lib.mapAttrsToList (n: p: "${pkgs.apparmor-parser}/bin/apparmor_parser --replace ${commonOpts p}") enabledPolicies ++
198
-
# Remove from the kernel any profile whose name is not
199
-
# one of the names within the content of the profiles in enabledPolicies
200
-
# (indirectly read from /etc/apparmor.d/*, without recursing into sub-directory).
201
-
# Note that this does not remove profiles dynamically generated by libvirt.
202
-
[ "${pkgs.apparmor-utils}/bin/aa-remove-unknown" ] ++
203
-
# Optionally kill the processes which are unconfined but now have a profile loaded
204
-
# (because AppArmor can only start to confine new processes).
205
-
lib.optional cfg.killUnconfinedConfinables killUnconfinedConfinables;
206
-
ExecStop = "${pkgs.apparmor-utils}/bin/aa-teardown";
207
-
CacheDirectory = [ "apparmor" "apparmor/logprof" ];
208
-
CacheDirectoryMode = "0700";
221
+
killUnconfinedConfinables = pkgs.writeShellScript "apparmor-kill" ''
223
+
${pkgs.apparmor-bin-utils}/bin/aa-status --json |
224
+
${pkgs.jq}/bin/jq --raw-output '.processes | .[] | .[] | select (.status == "unconfined") | .pid' |
225
+
xargs --verbose --no-run-if-empty --delimiter='\n' \
229
+
p: "--verbose --show-cache ${lib.optionalString (!p.enforce) "--complain "}${p.profile}";
233
+
RemainAfterExit = "yes";
234
+
ExecStartPre = "${pkgs.apparmor-utils}/bin/aa-teardown";
235
+
ExecStart = lib.mapAttrsToList (
236
+
n: p: "${pkgs.apparmor-parser}/bin/apparmor_parser --add ${commonOpts p}"
238
+
ExecStartPost = lib.optional cfg.killUnconfinedConfinables killUnconfinedConfinables;
240
+
# Add or replace into the kernel profiles in enabledPolicies
241
+
# (because AppArmor can do that without stopping the processes already confined).
242
+
lib.mapAttrsToList (
243
+
n: p: "${pkgs.apparmor-parser}/bin/apparmor_parser --replace ${commonOpts p}"
246
+
# Remove from the kernel any profile whose name is not
247
+
# one of the names within the content of the profiles in enabledPolicies
248
+
# (indirectly read from /etc/apparmor.d/*, without recursing into sub-directory).
249
+
# Note that this does not remove profiles dynamically generated by libvirt.
250
+
[ "${pkgs.apparmor-utils}/bin/aa-remove-unknown" ]
252
+
# Optionally kill the processes which are unconfined but now have a profile loaded
253
+
# (because AppArmor can only start to confine new processes).
254
+
lib.optional cfg.killUnconfinedConfinables killUnconfinedConfinables;
255
+
ExecStop = "${pkgs.apparmor-utils}/bin/aa-teardown";
260
+
CacheDirectoryMode = "0700";
pyrox.dev