···
-
{ config, lib, pkgs, ... }:
-
inherit (builtins) attrNames head map match readFile;
inherit (config.environment) etc;
cfg = config.security.apparmor;
-
mkDisableOption = name: lib.mkEnableOption name // {
enabledPolicies = lib.filterAttrs (n: p: p.enable) cfg.policies;
-
(lib.mkRemovedOptionModule [ "security" "apparmor" "confineSUIDApplications" ] "Please use the new options: `security.apparmor.policies.<policy>.enable'.")
-
(lib.mkRemovedOptionModule [ "security" "apparmor" "profiles" ] "Please use the new option: `security.apparmor.policies'.")
···
-
type = types.attrsOf (types.submodule ({ name, config, ... }: {
-
enable = mkDisableOption "loading of the profile into the kernel";
-
enforce = mkDisableOption "enforcing of the policy or only complain in the logs";
-
profile = lib.mkOption {
-
description = "The policy of the profile.";
-
apply = pkgs.writeText name;
includes = lib.mkOption {
type = types.attrsOf types.lines;
List of paths to be added to AppArmor's searched paths
when resolving `include` directives.
···
packages = lib.mkOption {
type = types.listOf types.package;
description = "List of packages to be added to AppArmor's include path";
enableCache = lib.mkEnableOption ''
···
config = lib.mkIf cfg.enable {
-
assertions = map (policy:
-
{ assertion = match ".*/.*" policy == null;
-
message = "`security.apparmor.policies.\"${policy}\"' must not contain a slash.";
-
# Because, for instance, aa-remove-unknown uses profiles_names_list() in rc.apparmor.functions
-
# which does not recurse into sub-directories.
-
) (attrNames cfg.policies);
environment.systemPackages = [
···
environment.etc."apparmor.d".source = pkgs.linkFarm "apparmor.d" (
# It's important to put only enabledPolicies here and not all cfg.policies
# because aa-remove-unknown reads profiles from all /etc/apparmor.d/*
-
lib.mapAttrsToList (name: p: { inherit name; path = p.profile; }) enabledPolicies ++
-
lib.mapAttrsToList (name: path: { inherit name path; }) cfg.includes
-
environment.etc."apparmor/parser.conf".text = ''
${if cfg.enableCache then "write-cache" else "skip-cache"}
cache-loc /var/cache/apparmor
-
lib.concatMapStrings (p: "Include ${p}/etc/apparmor.d\n") cfg.packages;
-
environment.etc."apparmor/apparmor.conf".text = ''
environment.etc."apparmor/severity.db".source = pkgs.apparmor-utils + "/etc/apparmor/severity.db";
-
environment.etc."apparmor/logprof.conf".source = pkgs.runCommand "logprof.conf" {
-
# /etc/apparmor.d/ is read-only on NixOS
-
profiledir = /var/cache/apparmor/logprof
-
inactive_profiledir = /etc/apparmor.d/disable
-
# Use: journalctl -b --since today --grep audit: | aa-logprof
-
parser = ${pkgs.apparmor-parser}/bin/apparmor_parser
-
ldd = ${pkgs.glibc.bin}/bin/ldd
-
logger = ${pkgs.util-linux}/bin/logger
-
# customize how file ownership permissions are presented
-
# 1 - default of what ever mode the log reported
-
# 2 - force the new permissions to be user
-
# 3 - force all perms on the rule to be user
-
default_owner_prompt = 1
-
custom_includes = /etc/apparmor.d ${lib.concatMapStringsSep " " (p: "${p}/etc/apparmor.d") cfg.packages}
-
${pkgs.runtimeShell} = icnu
-
${pkgs.bashInteractive}/bin/sh = icnu
-
${pkgs.bashInteractive}/bin/bash = icnu
-
${config.users.defaultUserShell} = icnu
-
footer = "${pkgs.apparmor-utils}/etc/apparmor/logprof.conf";
-
passAsFile = [ "header" ];
-
sed '1,/\[qualifiers\]/d' $footer >> $out
-
boot.kernelParams = [ "apparmor=1" "security=apparmor" ];
systemd.services.apparmor = {
"systemd-journald-audit.socket"
-
before = [ "sysinit.target" "shutdown.target" ];
conflicts = [ "shutdown.target" ];
wantedBy = [ "multi-user.target" ];
-
Description="Load AppArmor policies";
DefaultDependencies = "no";
ConditionSecurity = "apparmor";
···
etc."apparmor/parser.conf".source
-
killUnconfinedConfinables = pkgs.writeShellScript "apparmor-kill" ''
-
${pkgs.apparmor-bin-utils}/bin/aa-status --json |
-
${pkgs.jq}/bin/jq --raw-output '.processes | .[] | .[] | select (.status == "unconfined") | .pid' |
-
xargs --verbose --no-run-if-empty --delimiter='\n' \
-
commonOpts = p: "--verbose --show-cache ${lib.optionalString (!p.enforce) "--complain "}${p.profile}";
-
RemainAfterExit = "yes";
-
ExecStartPre = "${pkgs.apparmor-utils}/bin/aa-teardown";
-
ExecStart = lib.mapAttrsToList (n: p: "${pkgs.apparmor-parser}/bin/apparmor_parser --add ${commonOpts p}") enabledPolicies;
-
ExecStartPost = lib.optional cfg.killUnconfinedConfinables killUnconfinedConfinables;
-
# Add or replace into the kernel profiles in enabledPolicies
-
# (because AppArmor can do that without stopping the processes already confined).
-
lib.mapAttrsToList (n: p: "${pkgs.apparmor-parser}/bin/apparmor_parser --replace ${commonOpts p}") enabledPolicies ++
-
# Remove from the kernel any profile whose name is not
-
# one of the names within the content of the profiles in enabledPolicies
-
# (indirectly read from /etc/apparmor.d/*, without recursing into sub-directory).
-
# Note that this does not remove profiles dynamically generated by libvirt.
-
[ "${pkgs.apparmor-utils}/bin/aa-remove-unknown" ] ++
-
# Optionally kill the processes which are unconfined but now have a profile loaded
-
# (because AppArmor can only start to confine new processes).
-
lib.optional cfg.killUnconfinedConfinables killUnconfinedConfinables;
-
ExecStop = "${pkgs.apparmor-utils}/bin/aa-teardown";
-
CacheDirectory = [ "apparmor" "apparmor/logprof" ];
-
CacheDirectoryMode = "0700";
pyrox.dev