pyrox.dev / nixpkgs
lol
fork atom

nixos/miniflux: add apparmor policy

This change also extends the test to ensure that normal operations
aren't denied.

Philipp Bartsch ced170c0 12561782

options
unified split
Changed files
+18
nixos
modules
services
web-apps
miniflux.nix
tests
miniflux.nix
+12
nixos/modules/services/web-apps/miniflux.nix 
···

       
130

       
130

       
 

       
      environment = cfg.config;


     

       
131

       
131

       
 

       
    };


     

       
132

       
132

       
 

       
    environment.systemPackages = [ cfg.package ];


     

       

       
133

       
+

       



     

       

       
134

       
+

       
    security.apparmor.policies."bin.miniflux".profile = ''


     

       

       
135

       
+

       
      include <tunables/global>


     

       

       
136

       
+

       
      ${cfg.package}/bin/miniflux {


     

       

       
137

       
+

       
        include <abstractions/base>


     

       

       
138

       
+

       
        include <abstractions/nameservice>


     

       

       
139

       
+

       
        include <abstractions/ssl_certs>


     

       

       
140

       
+

       
        include "${pkgs.apparmorRulesFromClosure { name = "miniflux"; } cfg.package}"


     

       

       
141

       
+

       
        r ${cfg.package}/bin/miniflux,


     

       

       
142

       
+

       
        r @{sys}/kernel/mm/transparent_hugepage/hpage_pmd_size,


     

       

       
143

       
+

       
      }


     

       

       
144

       
+

       
    '';


     

       
133

       
145

       
 

       
  };


     

       
134

       
146

       
 

       
}
+6
nixos/tests/miniflux.nix 
···

       
25

       
25

       
 

       
    default =


     

       
26

       
26

       
 

       
      { ... }:


     

       
27

       
27

       
 

       
      {


     

       

       
28

       
+

       
        security.apparmor.enable = true;


     

       
28

       
29

       
 

       
        services.miniflux = {


     

       
29

       
30

       
 

       
          enable = true;


     

       
30

       
31

       
 

       
          inherit adminCredentialsFile;


     
···

       
34

       
35

       
 

       
    withoutSudo =


     

       
35

       
36

       
 

       
      { ... }:


     

       
36

       
37

       
 

       
      {


     

       

       
38

       
+

       
        security.apparmor.enable = true;


     

       
37

       
39

       
 

       
        services.miniflux = {


     

       
38

       
40

       
 

       
          enable = true;


     

       
39

       
41

       
 

       
          inherit adminCredentialsFile;


     
···

       
44

       
46

       
 

       
    customized =


     

       
45

       
47

       
 

       
      { ... }:


     

       
46

       
48

       
 

       
      {


     

       

       
49

       
+

       
        security.apparmor.enable = true;


     

       
47

       
50

       
 

       
        services.miniflux = {


     

       
48

       
51

       
 

       
          enable = true;


     

       
49

       
52

       
 

       
          config = {


     
···

       
63

       
66

       
 

       
    default.succeed(


     

       
64

       
67

       
 

       
        "curl 'http://localhost:${toString defaultPort}/v1/me' -u '${defaultUsername}:${defaultPassword}' -H Content-Type:application/json | grep '\"is_admin\":true'"


     

       
65

       
68

       
 

       
    )


     

       

       
69

       
+

       
    default.fail('journalctl -b --no-pager --grep "^audit: .*apparmor=\\"DENIED\\""')


     

       
66

       
70

       
 

       



     

       
67

       
71

       
 

       
    withoutSudo.wait_for_unit("miniflux.service")


     

       
68

       
72

       
 

       
    withoutSudo.wait_for_open_port(${toString defaultPort})


     
···

       
70

       
74

       
 

       
    withoutSudo.succeed(


     

       
71

       
75

       
 

       
        "curl 'http://localhost:${toString defaultPort}/v1/me' -u '${defaultUsername}:${defaultPassword}' -H Content-Type:application/json | grep '\"is_admin\":true'"


     

       
72

       
76

       
 

       
    )


     

       

       
77

       
+

       
    withoutSudo.fail('journalctl -b --no-pager --grep "^audit: .*apparmor=\\"DENIED\\""')


     

       
73

       
78

       
 

       



     

       
74

       
79

       
 

       
    customized.wait_for_unit("miniflux.service")


     

       
75

       
80

       
 

       
    customized.wait_for_open_port(${toString port})


     
···

       
77

       
82

       
 

       
    customized.succeed(


     

       
78

       
83

       
 

       
        "curl 'http://localhost:${toString port}/v1/me' -u '${username}:${password}' -H Content-Type:application/json | grep '\"is_admin\":true'"


     

       
79

       
84

       
 

       
    )


     

       

       
85

       
+

       
    customized.fail('journalctl -b --no-pager --grep "^audit: .*apparmor=\\"DENIED\\""')


     

       
80

       
86

       
 

       
  '';


     

       
81

       
87

       
 

       
})