pyrox.dev / nixpkgs
lol
fork atom

transmission: move apparmor profile to Nixpkgs

Julien Moutinho b280e640 03b2156d

options
unified split
Changed files
+56 -46
nixos
modules
services
torrent
transmission.nix
pkgs
applications
networking
p2p
transmission
default.nix
+29 -46
nixos/modules/services/torrent/transmission.nix 
···

       
359

       
359

       
 

       
    ];


     

       
360

       
360

       
 

       



     

       
361

       
361

       
 

       
    security.apparmor.policies."bin.transmission-daemon".profile = ''


     

       
362

       

       
-

       
        include <tunables/global>


     

       
363

       

       
-

       
        ${pkgs.transmission}/bin/transmission-daemon {


     

       
364

       

       
-

       
          include <abstractions/base>


     

       
365

       

       
-

       
          include <abstractions/nameservice>


     

       
366

       

       
-

       
          include <abstractions/ssl_certs>


     

       
367

       

       
-

       
          include "${pkgs.apparmorRulesFromClosure


     

       
368

       

       
-

       
            { name = "transmission-daemon"; }


     

       
369

       

       
-

       
            [ pkgs.transmission ]}"


     

       
370

       

       
-

       
          include <local/bin.transmission-daemon>


     

       

       
362

       
+

       
      include "${pkgs.transmission.apparmor}/bin.transmission-daemon"


     

       

       
363

       
+

       
    '';


     

       

       
364

       
+

       
    security.apparmor.includes."local/bin.transmission-daemon" = ''


     

       

       
365

       
+

       
      r ${config.systemd.services.transmission.environment.CURL_CA_BUNDLE},


     

       
371

       
366

       
 

       



     

       
372

       

       
-

       
          r @{PROC}/sys/kernel/random/uuid,


     

       
373

       

       
-

       
          r @{PROC}/sys/vm/overcommit_memory,


     

       
374

       

       
-

       
          r @{PROC}/@{pid}/environ,


     

       
375

       

       
-

       
          r @{PROC}/@{pid}/mounts,


     

       
376

       

       
-

       
          rwk /tmp/tr_session_id_*,


     

       
377

       

       
-

       
          r /run/systemd/resolve/stub-resolv.conf,


     

       

       
367

       
+

       
      owner rw ${cfg.home}/${settingsDir}/**,


     

       

       
368

       
+

       
      rw ${cfg.settings.download-dir}/**,


     

       

       
369

       
+

       
      ${optionalString cfg.settings.incomplete-dir-enabled ''


     

       

       
370

       
+

       
        rw ${cfg.settings.incomplete-dir}/**,


     

       

       
371

       
+

       
      ''}


     

       

       
372

       
+

       
      ${optionalString cfg.settings.watch-dir-enabled ''


     

       

       
373

       
+

       
        rw ${cfg.settings.watch-dir}/**,


     

       

       
374

       
+

       
      ''}


     

       

       
375

       
+

       
      profile dirs {


     

       

       
376

       
+

       
        rw ${cfg.settings.download-dir}/**,


     

       

       
377

       
+

       
        ${optionalString cfg.settings.incomplete-dir-enabled ''


     

       

       
378

       
+

       
          rw ${cfg.settings.incomplete-dir}/**,


     

       

       
379

       
+

       
        ''}


     

       

       
380

       
+

       
        ${optionalString cfg.settings.watch-dir-enabled ''


     

       

       
381

       
+

       
          rw ${cfg.settings.watch-dir}/**,


     

       

       
382

       
+

       
        ''}


     

       

       
383

       
+

       
      }


     

       
378

       
384

       
 

       



     

       
379

       

       
-

       
          r ${pkgs.openssl.out}/etc/**,


     

       
380

       

       
-

       
          r ${config.systemd.services.transmission.environment.CURL_CA_BUNDLE},


     

       
381

       

       
-

       



     

       
382

       

       
-

       
          owner rw ${cfg.home}/${settingsDir}/**,


     

       
383

       

       
-

       
          rw ${cfg.settings.download-dir}/**,


     

       
384

       

       
-

       
          ${optionalString cfg.settings.incomplete-dir-enabled ''


     

       
385

       

       
-

       
            rw ${cfg.settings.incomplete-dir}/**,


     

       
386

       

       
-

       
          ''}


     

       
387

       

       
-

       
          ${optionalString cfg.settings.watch-dir-enabled ''


     

       
388

       

       
-

       
            rw ${cfg.settings.watch-dir}/**,


     

       
389

       

       
-

       
          ''}


     

       
390

       

       
-

       
          profile dirs {


     

       
391

       

       
-

       
            rw ${cfg.settings.download-dir}/**,


     

       
392

       

       
-

       
            ${optionalString cfg.settings.incomplete-dir-enabled ''


     

       
393

       

       
-

       
              rw ${cfg.settings.incomplete-dir}/**,


     

       
394

       

       
-

       
            ''}


     

       
395

       

       
-

       
            ${optionalString cfg.settings.watch-dir-enabled ''


     

       
396

       

       
-

       
              rw ${cfg.settings.watch-dir}/**,


     

       
397

       

       
-

       
            ''}


     

       
398

       

       
-

       
          }


     

       
399

       

       
-

       



     

       
400

       

       
-

       
          ${optionalString (cfg.settings.script-torrent-done-enabled &&


     

       
401

       

       
-

       
                            cfg.settings.script-torrent-done-filename != "") ''


     

       
402

       

       
-

       
            # Stack transmission_directories profile on top of


     

       
403

       

       
-

       
            # any existing profile for script-torrent-done-filename


     

       
404

       

       
-

       
            # FIXME: to be tested as I'm not sure it works well with NoNewPrivileges=


     

       
405

       

       
-

       
            # https://gitlab.com/apparmor/apparmor/-/wikis/AppArmorStacking#seccomp-and-no_new_privs


     

       
406

       

       
-

       
            px ${cfg.settings.script-torrent-done-filename} -> &@{dirs},


     

       
407

       

       
-

       
          ''}


     

       
408

       

       
-

       
        }


     

       

       
385

       
+

       
      ${optionalString (cfg.settings.script-torrent-done-enabled &&


     

       

       
386

       
+

       
                        cfg.settings.script-torrent-done-filename != "") ''


     

       

       
387

       
+

       
        # Stack transmission_directories profile on top of


     

       

       
388

       
+

       
        # any existing profile for script-torrent-done-filename


     

       

       
389

       
+

       
        # FIXME: to be tested as I'm not sure it works well with NoNewPrivileges=


     

       

       
390

       
+

       
        # https://gitlab.com/apparmor/apparmor/-/wikis/AppArmorStacking#seccomp-and-no_new_privs


     

       

       
391

       
+

       
        px ${cfg.settings.script-torrent-done-filename} -> &@{dirs},


     

       

       
392

       
+

       
      ''}


     

       
409

       
393

       
 

       
    '';


     

       
410

       

       
-

       
    security.apparmor.includes."local/bin.transmission-daemon" = "";


     

       
411

       
394

       
 

       
  };


     

       
412

       
395

       
 

       



     

       
413

       
396

       
 

       
  meta.maintainers = with lib.maintainers; [ julm ];
+27
pkgs/applications/networking/p2p/transmission/default.nix 
···

       
21

       
21

       
 

       
, enableDaemon ? true


     

       
22

       
22

       
 

       
, enableCli ? true


     

       
23

       
23

       
 

       
, installLib ? false


     

       

       
24

       
+

       
, apparmorRulesFromClosure


     

       
24

       
25

       
 

       
}:


     

       
25

       
26

       
 

       



     

       
26

       
27

       
 

       
let


     
···

       
37

       
38

       
 

       
    sha256 = "0ccg0km54f700x9p0jsnncnwvfnxfnxf7kcm7pcx1cj0vw78924z";


     

       
38

       
39

       
 

       
    fetchSubmodules = true;


     

       
39

       
40

       
 

       
  };


     

       

       
41

       
+

       



     

       

       
42

       
+

       
  outputs = [ "out" "apparmor" ];


     

       
40

       
43

       
 

       



     

       
41

       
44

       
 

       
  cmakeFlags =


     

       
42

       
45

       
 

       
    let


     
···

       
73

       
76

       
 

       
  ;


     

       
74

       
77

       
 

       



     

       
75

       
78

       
 

       
  NIX_LDFLAGS = lib.optionalString stdenv.isDarwin "-framework CoreFoundation";


     

       

       
79

       
+

       



     

       

       
80

       
+

       
  postInstall = ''


     

       

       
81

       
+

       
    install -D -m 644 /dev/stdin $apparmor/bin.transmission-daemon <<EOF


     

       

       
82

       
+

       
    include <tunables/global>


     

       

       
83

       
+

       
    $out/bin/transmission-daemon {


     

       

       
84

       
+

       
      include <abstractions/base>


     

       

       
85

       
+

       
      include <abstractions/nameservice>


     

       

       
86

       
+

       
      include <abstractions/ssl_certs>


     

       

       
87

       
+

       
      include "${apparmorRulesFromClosure { name = "transmission-daemon"; } ([


     

       

       
88

       
+

       
        curl libevent openssl pcre zlib


     

       

       
89

       
+

       
      ] ++ lib.optionals enableSystemd [ systemd ]


     

       

       
90

       
+

       
        ++ lib.optionals stdenv.isLinux [ inotify-tools ]


     

       

       
91

       
+

       
      )}"


     

       

       
92

       
+

       
      r @{PROC}/sys/kernel/random/uuid,


     

       

       
93

       
+

       
      r @{PROC}/sys/vm/overcommit_memory,


     

       

       
94

       
+

       
      r @{PROC}/@{pid}/environ,


     

       

       
95

       
+

       
      r @{PROC}/@{pid}/mounts,


     

       

       
96

       
+

       
      rwk /tmp/tr_session_id_*,


     

       

       
97

       
+

       
      r /run/systemd/resolve/stub-resolv.conf,


     

       

       
98

       
+

       



     

       

       
99

       
+

       
      include <local/bin.transmission-daemon>


     

       

       
100

       
+

       
    }


     

       

       
101

       
+

       
    EOF


     

       

       
102

       
+

       
  '';


     

       
76

       
103

       
 

       



     

       
77

       
104

       
 

       
  meta = {


     

       
78

       
105

       
 

       
    description = "A fast, easy and free BitTorrent client";