commit b2f0ccb56b1dcec195d6c82f9d4f4d5644d1f96e · pyrox.dev/nixpkgs

nixos/modules/module-list.nix

···

       367
       367
        
         ./security/auditd.nix

     

       368
       368
        
         ./security/ca.nix

     

       369
       369
        
         ./security/chromium-suid-sandbox.nix

     

       370
       370
       +
         ./security/default.nix

     

       370
       371
        
         ./security/dhparams.nix

     

       371
       372
        
         ./security/doas.nix

     

       372
       373
        
         ./security/duosec.nix

+2 -4

nixos/modules/security/apparmor.nix

···

       200
       200
        
                 sed '1,/\[qualifiers\]/d' $footer >> $out

     

       201
       201
        
               '';

     

       202
       202
        
       

     

       203
       203
       -
           boot.kernelParams = [

     

       204
       204
       -
             "apparmor=1"

     

       205
       205
       -
             "security=apparmor"

     

       206
       206
       -
           ];

     

       203
       203
       +
           boot.kernelParams = [ "apparmor=1" ];

     

       204
       204
       +
           security.lsm = [ "apparmor" ];

     

       207
       205
        
       

     

       208
       206
        
           systemd.services.apparmor = {

     

       209
       207
        
             after = [

+28

nixos/modules/security/default.nix

···

       1
       1
       +
       { config, lib, ... }:

     

       2
       2
       +
       let

     

       3
       3
       +
         cfg = config.security;

     

       4
       4
       +
       in

     

       5
       5
       +
       {

     

       6
       6
       +
         options = {

     

       7
       7
       +
           security.lsm = lib.mkOption {

     

       8
       8
       +
             type = lib.types.uniq (lib.types.listOf lib.types.str);

     

       9
       9
       +
             default = [ ];

     

       10
       10
       +
             description = ''

     

       11
       11
       +
               A list of the LSMs to initialize in order.

     

       12
       12
       +
             '';

     

       13
       13
       +
           };

     

       14
       14
       +
         };

     

       15
       15
       +
       

     

       16
       16
       +
         config = lib.mkIf (lib.lists.length cfg.lsm > 0) {

     

       17
       17
       +
           assertions = [

     

       18
       18
       +
             {

     

       19
       19
       +
               assertion = builtins.length (lib.filter (lib.hasPrefix "security=") config.boot.kernelParams) == 0;

     

       20
       20
       +
               message = "security parameter in boot.kernelParams cannot be used when security.lsm is used";

     

       21
       21
       +
             }

     

       22
       22
       +
           ];

     

       23
       23
       +
       

     

       24
       24
       +
           boot.kernelParams = [

     

       25
       25
       +
             "lsm=${lib.concatStringsSep "," cfg.lsm}"

     

       26
       26
       +
           ];

     

       27
       27
       +
         };

     

       28
       28
       +
       }