···

       
4943
       
4943
       
 
       
    name = "Julien Dehos";

     

       
4944
       
4944
       
 
       
  };

     

       
4945
       
4945
       
 
       
  julm = {

     

       
4946
       
4946
       
-
       
    email = "julm+nix@sourcephile.fr";

     

       
4946
       
4946
       
+
       
    email = "julm+nixpkgs@sourcephile.fr";

     

       
4947
       
4947
       
 
       
    github = "ju1m";

     

       
4948
       
4948
       
 
       
    githubId = 21160136;

     

       
4949
       
4949
       
 
       
    name = "Julien Moutinho";

     

···

       
869
       
869
       
 
       
    </para>

     

       
870
       
870
       
 
       
   </listitem>

     

       
871
       
871
       
 
       
   <listitem>

     

       
872
       
872
       
+
       
    <para>

     

       
873
       
873
       
+
       
     The <literal>security.apparmor</literal> module,

     

       
874
       
874
       
+
       
     for the <link xlink:href="https://gitlab.com/apparmor/apparmor/-/wikis/Documentation">AppArmor</link>

     

       
875
       
875
       
+
       
     Mandatory Access Control system,

     

       
876
       
876
       
+
       
     has been substantialy improved along with related tools,

     

       
877
       
877
       
+
       
     so that module maintainers can now more easily write AppArmor profiles for NixOS.

     

       
878
       
878
       
+
       
     The most notable change on the user-side is the new option <xref linkend="opt-security.apparmor.policies"/>,

     

       
879
       
879
       
+
       
     replacing the previous <literal>profiles</literal> option

     

       
880
       
880
       
+
       
     to provide a way to disable a profile

     

       
881
       
881
       
+
       
     and to select whether to confine in enforce mode (default)

     

       
882
       
882
       
+
       
     or in complain mode (see <literal>journalctl -b --grep apparmor</literal>).

     

       
883
       
883
       
+
       
     Security-minded users may also want to enable <xref linkend="opt-security.apparmor.killUnconfinedConfinables"/>,

     

       
884
       
884
       
+
       
     at the cost of having some of their processes killed

     

       
885
       
885
       
+
       
     when updating to a NixOS version introducing new AppArmor profiles.

     

       
886
       
886
       
+
       
    </para>

     

       
887
       
887
       
+
       
   </listitem>

     

       
888
       
888
       
+
       
   <listitem>

     

       
872
       
889
       
 
       
     <para>

     

       
873
       
890
       
 
       
       The GNOME desktop manager once again installs <package>gnome3.epiphany</package> by default.

     

       
874
       
891
       
 
       
     </para>

     

···

       
448
       
448
       
 
       
    (mkIf cfg.enable {

     

       
449
       
449
       
 
       
      environment.systemPackages    = [ pkgs.fontconfig ];

     

       
450
       
450
       
 
       
      environment.etc.fonts.source  = "${fontconfigEtc}/etc/fonts/";

     

       
451
       
451
       
+
       
      security.apparmor.includes."abstractions/fonts" = ''

     

       
452
       
452
       
+
       
        # fonts.conf

     

       
453
       
453
       
+
       
        r ${pkg.out}/etc/fonts/fonts.conf,

     

       
454
       
454
       
+
       


     

       
455
       
455
       
+
       
        # fontconfig default config files

     

       
456
       
456
       
+
       
        r ${pkg.out}/etc/fonts/conf.d/*.conf,

     

       
457
       
457
       
+
       


     

       
458
       
458
       
+
       
        # 00-nixos-cache.conf

     

       
459
       
459
       
+
       
        r ${cacheConf},

     

       
460
       
460
       
+
       


     

       
461
       
461
       
+
       
        # 10-nixos-rendering.conf

     

       
462
       
462
       
+
       
        r ${renderConf},

     

       
463
       
463
       
+
       


     

       
464
       
464
       
+
       
        # 50-user.conf

     

       
465
       
465
       
+
       
        ${optionalString cfg.includeUserConf ''

     

       
466
       
466
       
+
       
        r ${pkg.out}/etc/fonts/conf.d.bak/50-user.conf,

     

       
467
       
467
       
+
       
        ''}

     

       
468
       
468
       
+
       


     

       
469
       
469
       
+
       
        # local.conf (indirect priority 51)

     

       
470
       
470
       
+
       
        ${optionalString (cfg.localConf != "") ''

     

       
471
       
471
       
+
       
        r ${localConf},

     

       
472
       
472
       
+
       
        ''}

     

       
473
       
473
       
+
       


     

       
474
       
474
       
+
       
        # 52-nixos-default-fonts.conf

     

       
475
       
475
       
+
       
        r ${defaultFontsConf},

     

       
476
       
476
       
+
       


     

       
477
       
477
       
+
       
        # 53-no-bitmaps.conf

     

       
478
       
478
       
+
       
        r ${rejectBitmaps},

     

       
479
       
479
       
+
       


     

       
480
       
480
       
+
       
        ${optionalString (!cfg.allowType1) ''

     

       
481
       
481
       
+
       
        # 53-nixos-reject-type1.conf

     

       
482
       
482
       
+
       
        r ${rejectType1},

     

       
483
       
483
       
+
       
        ''}

     

       
484
       
484
       
+
       
      '';

     

       
451
       
485
       
 
       
    })

     

       
452
       
486
       
 
       
    (mkIf cfg.enable {

     

       
453
       
487
       
 
       
      fonts.fontconfig.confPackages = [ confPkg ];

     

···

       
87
       
87
       
 
       
    environment.etc."ld-nix.so.preload".text = ''

     

       
88
       
88
       
 
       
      ${providerLibPath}

     

       
89
       
89
       
 
       
    '';

     

       
90
       
90
       
+
       
    security.apparmor.includes = {

     

       
91
       
91
       
+
       
      "abstractions/base" = ''

     

       
92
       
92
       
+
       
        r /etc/ld-nix.so.preload,

     

       
93
       
93
       
+
       
        r ${config.environment.etc."ld-nix.so.preload".source},

     

       
94
       
94
       
+
       
        mr ${providerLibPath},

     

       
95
       
95
       
+
       
      '';

     

       
96
       
96
       
+
       
    };

     

       
90
       
97
       
 
       
  };

     

       
91
       
98
       
 
       
}

     

···

       
205
       
205
       
 
       
  ./rename.nix

     

       
206
       
206
       
 
       
  ./security/acme.nix

     

       
207
       
207
       
 
       
  ./security/apparmor.nix

     

       
208
       
208
       
-
       
  ./security/apparmor-suid.nix

     

       
209
       
208
       
 
       
  ./security/audit.nix

     

       
210
       
209
       
 
       
  ./security/auditd.nix

     

       
211
       
210
       
 
       
  ./security/ca.nix

     

···

       
36
       
36
       
 
       
  security.virtualisation.flushL1DataCache = mkDefault "always";

     

       
37
       
37
       
 
       


     

       
38
       
38
       
 
       
  security.apparmor.enable = mkDefault true;

     

       
39
       
39
       
+
       
  security.apparmor.killUnconfinedConfinables = mkDefault true;

     

       
39
       
40
       
 
       


     

       
40
       
41
       
 
       
  boot.kernelParams = [

     

       
41
       
42
       
 
       
    # Slab/slub sanity checks, redzoning, and poisoning

     

···

       
1
       
1
       
-
       
{ config, lib, pkgs, ... }:

     

       
2
       
2
       
-
       
let

     

       
3
       
3
       
-
       
  cfg = config.security.apparmor;

     

       
4
       
4
       
-
       
in

     

       
5
       
5
       
-
       
with lib;

     

       
6
       
6
       
-
       
{

     

       
7
       
7
       
-
       
  imports = [

     

       
8
       
8
       
-
       
    (mkRenamedOptionModule [ "security" "virtualization" "flushL1DataCache" ] [ "security" "virtualisation" "flushL1DataCache" ])

     

       
9
       
9
       
-
       
  ];

     

       
10
       
10
       
-
       


     

       
11
       
11
       
-
       
  options.security.apparmor.confineSUIDApplications = mkOption {

     

       
12
       
12
       
-
       
    type = types.bool;

     

       
13
       
13
       
-
       
    default = true;

     

       
14
       
14
       
-
       
    description = ''

     

       
15
       
15
       
-
       
      Install AppArmor profiles for commonly-used SUID application

     

       
16
       
16
       
-
       
      to mitigate potential privilege escalation attacks due to bugs

     

       
17
       
17
       
-
       
      in such applications.

     

       
18
       
18
       
-
       


     

       
19
       
19
       
-
       
      Currently available profiles: ping

     

       
20
       
20
       
-
       
    '';

     

       
21
       
21
       
-
       
  };

     

       
22
       
22
       
-
       


     

       
23
       
23
       
-
       
  config = mkIf (cfg.confineSUIDApplications) {

     

       
24
       
24
       
-
       
    security.apparmor.profiles = [ (pkgs.writeText "ping" ''

     

       
25
       
25
       
-
       
      #include <tunables/global>

     

       
26
       
26
       
-
       
      /run/wrappers/bin/ping {

     

       
27
       
27
       
-
       
        #include <abstractions/base>

     

       
28
       
28
       
-
       
        #include <abstractions/consoles>

     

       
29
       
29
       
-
       
        #include <abstractions/nameservice>

     

       
30
       
30
       
-
       


     

       
31
       
31
       
-
       
        capability net_raw,

     

       
32
       
32
       
-
       
        capability setuid,

     

       
33
       
33
       
-
       
        network inet raw,

     

       
34
       
34
       
-
       


     

       
35
       
35
       
-
       
        ${pkgs.stdenv.cc.libc.out}/lib/*.so mr,

     

       
36
       
36
       
-
       
        ${pkgs.libcap.lib}/lib/libcap.so* mr,

     

       
37
       
37
       
-
       
        ${pkgs.attr.out}/lib/libattr.so* mr,

     

       
38
       
38
       
-
       


     

       
39
       
39
       
-
       
        ${pkgs.iputils}/bin/ping mixr,

     

       
40
       
40
       
-
       


     

       
41
       
41
       
-
       
        #/etc/modules.conf r,

     

       
42
       
42
       
-
       


     

       
43
       
43
       
-
       
        ## Site-specific additions and overrides. See local/README for details.

     

       
44
       
44
       
-
       
        ##include <local/bin.ping>

     

       
45
       
45
       
-
       
      }

     

       
46
       
46
       
-
       
    '') ];

     

       
47
       
47
       
-
       
  };

     

       
48
       
48
       
-
       


     

       
49
       
49
       
-
       
}

     

···

       
1
       
1
       
 
       
{ config, lib, pkgs, ... }:

     

       
2
       
2
       
 
       


     

       
3
       
3
       
+
       
with lib;

     

       
4
       
4
       
+
       


     

       
3
       
5
       
 
       
let

     

       
4
       
4
       
-
       
  inherit (lib) mkIf mkOption types concatMapStrings;

     

       
6
       
6
       
+
       
  inherit (builtins) attrNames head map match readFile;

     

       
7
       
7
       
+
       
  inherit (lib) types;

     

       
8
       
8
       
+
       
  inherit (config.environment) etc;

     

       
5
       
9
       
 
       
  cfg = config.security.apparmor;

     

       
10
       
10
       
+
       
  mkDisableOption = name: mkEnableOption name // {

     

       
11
       
11
       
+
       
    default = true;

     

       
12
       
12
       
+
       
    example = false;

     

       
13
       
13
       
+
       
  };

     

       
14
       
14
       
+
       
  enabledPolicies = filterAttrs (n: p: p.enable) cfg.policies;

     

       
6
       
15
       
 
       
in

     

       
7
       
16
       
 
       


     

       
8
       
17
       
 
       
{

     

       
9
       
9
       
-
       
   options = {

     

       
10
       
10
       
-
       
     security.apparmor = {

     

       
11
       
11
       
-
       
       enable = mkOption {

     

       
12
       
12
       
-
       
         type = types.bool;

     

       
13
       
13
       
-
       
         default = false;

     

       
14
       
14
       
-
       
         description = "Enable the AppArmor Mandatory Access Control system.";

     

       
15
       
15
       
-
       
       };

     

       
16
       
16
       
-
       
       profiles = mkOption {

     

       
17
       
17
       
-
       
         type = types.listOf types.path;

     

       
18
       
18
       
-
       
         default = [];

     

       
19
       
19
       
-
       
         description = "List of files containing AppArmor profiles.";

     

       
20
       
20
       
-
       
       };

     

       
21
       
21
       
-
       
       packages = mkOption {

     

       
22
       
22
       
-
       
         type = types.listOf types.package;

     

       
23
       
23
       
-
       
         default = [];

     

       
24
       
24
       
-
       
         description = "List of packages to be added to apparmor's include path";

     

       
25
       
25
       
-
       
       };

     

       
26
       
26
       
-
       
     };

     

       
27
       
27
       
-
       
   };

     

       
18
       
18
       
+
       
  imports = [

     

       
19
       
19
       
+
       
    (mkRemovedOptionModule [ "security" "apparmor" "confineSUIDApplications" ] "Please use the new options: `security.apparmor.policies.<policy>.enable'.")

     

       
20
       
20
       
+
       
    (mkRemovedOptionModule [ "security" "apparmor" "profiles" ] "Please use the new option: `security.apparmor.policies'.")

     

       
21
       
21
       
+
       
    apparmor/includes.nix

     

       
22
       
22
       
+
       
    apparmor/profiles.nix

     

       
23
       
23
       
+
       
  ];

     

       
24
       
24
       
+
       


     

       
25
       
25
       
+
       
  options = {

     

       
26
       
26
       
+
       
    security.apparmor = {

     

       
27
       
27
       
+
       
      enable = mkEnableOption ''

     

       
28
       
28
       
+
       
        the AppArmor Mandatory Access Control system.

     

       
29
       
29
       
+
       


     

       
30
       
30
       
+
       
        If you're enabling this module on a running system,

     

       
31
       
31
       
+
       
        note that a reboot will be required to activate AppArmor in the kernel.

     

       
32
       
32
       
+
       


     

       
33
       
33
       
+
       
        Also, beware that enabling this module privileges stability over security

     

       
34
       
34
       
+
       
        by not trying to kill unconfined but newly confinable running processes by default,

     

       
35
       
35
       
+
       
        though it would be needed because AppArmor can only confine new

     

       
36
       
36
       
+
       
        or already confined processes of an executable.

     

       
37
       
37
       
+
       
        This killing would for instance be necessary when upgrading to a NixOS revision

     

       
38
       
38
       
+
       
        introducing for the first time an AppArmor profile for the executable

     

       
39
       
39
       
+
       
        of a running process.

     

       
40
       
40
       
+
       


     

       
41
       
41
       
+
       
        Enable <xref linkend="opt-security.apparmor.killUnconfinedConfinables"/>

     

       
42
       
42
       
+
       
        if you want this service to do such killing

     

       
43
       
43
       
+
       
        by sending a <literal>SIGTERM</literal> to those running processes'';

     

       
44
       
44
       
+
       
      policies = mkOption {

     

       
45
       
45
       
+
       
        description = ''

     

       
46
       
46
       
+
       
          AppArmor policies.

     

       
47
       
47
       
+
       
        '';

     

       
48
       
48
       
+
       
        type = types.attrsOf (types.submodule ({ name, config, ... }: {

     

       
49
       
49
       
+
       
          options = {

     

       
50
       
50
       
+
       
            enable = mkDisableOption "loading of the profile into the kernel";

     

       
51
       
51
       
+
       
            enforce = mkDisableOption "enforcing of the policy or only complain in the logs";

     

       
52
       
52
       
+
       
            profile = mkOption {

     

       
53
       
53
       
+
       
              description = "The policy of the profile.";

     

       
54
       
54
       
+
       
              type = types.lines;

     

       
55
       
55
       
+
       
              apply = pkgs.writeText name;

     

       
56
       
56
       
+
       
            };

     

       
57
       
57
       
+
       
          };

     

       
58
       
58
       
+
       
        }));

     

       
59
       
59
       
+
       
        default = {};

     

       
60
       
60
       
+
       
      };

     

       
61
       
61
       
+
       
      includes = mkOption {

     

       
62
       
62
       
+
       
        type = types.attrsOf types.lines;

     

       
63
       
63
       
+
       
        default = {};

     

       
64
       
64
       
+
       
        description = ''

     

       
65
       
65
       
+
       
          List of paths to be added to AppArmor's searched paths

     

       
66
       
66
       
+
       
          when resolving <literal>include</literal> directives.

     

       
67
       
67
       
+
       
        '';

     

       
68
       
68
       
+
       
        apply = mapAttrs pkgs.writeText;

     

       
69
       
69
       
+
       
      };

     

       
70
       
70
       
+
       
      packages = mkOption {

     

       
71
       
71
       
+
       
        type = types.listOf types.package;

     

       
72
       
72
       
+
       
        default = [];

     

       
73
       
73
       
+
       
        description = "List of packages to be added to AppArmor's include path";

     

       
74
       
74
       
+
       
      };

     

       
75
       
75
       
+
       
      enableCache = mkEnableOption ''

     

       
76
       
76
       
+
       
        caching of AppArmor policies

     

       
77
       
77
       
+
       
        in <literal>/var/cache/apparmor/</literal>.

     

       
78
       
78
       
+
       


     

       
79
       
79
       
+
       
        Beware that AppArmor policies almost always contain Nix store paths,

     

       
80
       
80
       
+
       
        and thus produce at each change of these paths

     

       
81
       
81
       
+
       
        a new cached version accumulating in the cache'';

     

       
82
       
82
       
+
       
      killUnconfinedConfinables = mkEnableOption ''

     

       
83
       
83
       
+
       
        killing of processes which have an AppArmor profile enabled

     

       
84
       
84
       
+
       
        (in <xref linkend="opt-security.apparmor.policies"/>)

     

       
85
       
85
       
+
       
        but are not confined (because AppArmor can only confine new processes).

     

       
86
       
86
       
+
       


     

       
87
       
87
       
+
       
        This is only sending a gracious <literal>SIGTERM</literal> signal to the processes,

     

       
88
       
88
       
+
       
        not a <literal>SIGKILL</literal>.

     

       
89
       
89
       
+
       


     

       
90
       
90
       
+
       
        Beware that due to a current limitation of AppArmor,

     

       
91
       
91
       
+
       
        only profiles with exact paths (and no name) can enable such kills'';

     

       
92
       
92
       
+
       
    };

     

       
93
       
93
       
+
       
  };

     

       
94
       
94
       
+
       


     

       
95
       
95
       
+
       
  config = mkIf cfg.enable {

     

       
96
       
96
       
+
       
    assertions = map (policy:

     

       
97
       
97
       
+
       
      { assertion = match ".*/.*" policy == null;

     

       
98
       
98
       
+
       
        message = "`security.apparmor.policies.\"${policy}\"' must not contain a slash.";

     

       
99
       
99
       
+
       
        # Because, for instance, aa-remove-unknown uses profiles_names_list() in rc.apparmor.functions

     

       
100
       
100
       
+
       
        # which does not recurse into sub-directories.

     

       
101
       
101
       
+
       
      }

     

       
102
       
102
       
+
       
    ) (attrNames cfg.policies);

     

       
103
       
103
       
+
       


     

       
104
       
104
       
+
       
    environment.systemPackages = [

     

       
105
       
105
       
+
       
      pkgs.apparmor-utils

     

       
106
       
106
       
+
       
      pkgs.apparmor-bin-utils

     

       
107
       
107
       
+
       
    ];

     

       
108
       
108
       
+
       
    environment.etc."apparmor.d".source = pkgs.linkFarm "apparmor.d" (

     

       
109
       
109
       
+
       
      # It's important to put only enabledPolicies here and not all cfg.policies

     

       
110
       
110
       
+
       
      # because aa-remove-unknown reads profiles from all /etc/apparmor.d/*

     

       
111
       
111
       
+
       
      mapAttrsToList (name: p: { inherit name; path = p.profile; }) enabledPolicies ++

     

       
112
       
112
       
+
       
      mapAttrsToList (name: path: { inherit name path; }) cfg.includes

     

       
113
       
113
       
+
       
    );

     

       
114
       
114
       
+
       
    environment.etc."apparmor/parser.conf".text = ''

     

       
115
       
115
       
+
       
        ${if cfg.enableCache then "write-cache" else "skip-cache"}

     

       
116
       
116
       
+
       
        cache-loc /var/cache/apparmor

     

       
117
       
117
       
+
       
        Include /etc/apparmor.d

     

       
118
       
118
       
+
       
      '' +

     

       
119
       
119
       
+
       
      concatMapStrings (p: "Include ${p}/etc/apparmor.d\n") cfg.packages;

     

       
120
       
120
       
+
       
    # For aa-logprof

     

       
121
       
121
       
+
       
    environment.etc."apparmor/apparmor.conf".text = ''

     

       
122
       
122
       
+
       
    '';

     

       
123
       
123
       
+
       
    # For aa-logprof

     

       
124
       
124
       
+
       
    environment.etc."apparmor/severity.db".source = pkgs.apparmor-utils + "/etc/apparmor/severity.db";

     

       
125
       
125
       
+
       
    environment.etc."apparmor/logprof.conf".source = pkgs.runCommand "logprof.conf" {

     

       
126
       
126
       
+
       
      header = ''

     

       
127
       
127
       
+
       
        [settings]

     

       
128
       
128
       
+
       
          # /etc/apparmor.d/ is read-only on NixOS

     

       
129
       
129
       
+
       
          profiledir = /var/cache/apparmor/logprof

     

       
130
       
130
       
+
       
          inactive_profiledir = /etc/apparmor.d/disable

     

       
131
       
131
       
+
       
          # Use: journalctl -b --since today --grep audit: | aa-logprof

     

       
132
       
132
       
+
       
          logfiles = /dev/stdin

     

       
133
       
133
       
+
       


     

       
134
       
134
       
+
       
          parser = ${pkgs.apparmor-parser}/bin/apparmor_parser

     

       
135
       
135
       
+
       
          ldd = ${pkgs.glibc.bin}/bin/ldd

     

       
136
       
136
       
+
       
          logger = ${pkgs.utillinux}/bin/logger

     

       
28
       
137
       
 
       


     

       
29
       
29
       
-
       
   config = mkIf cfg.enable {

     

       
30
       
30
       
-
       
     environment.systemPackages = [ pkgs.apparmor-utils ];

     

       
138
       
138
       
+
       
          # customize how file ownership permissions are presented

     

       
139
       
139
       
+
       
          # 0 - off

     

       
140
       
140
       
+
       
          # 1 - default of what ever mode the log reported

     

       
141
       
141
       
+
       
          # 2 - force the new permissions to be user

     

       
142
       
142
       
+
       
          # 3 - force all perms on the rule to be user

     

       
143
       
143
       
+
       
          default_owner_prompt = 1

     

       
31
       
144
       
 
       


     

       
32
       
32
       
-
       
     boot.kernelParams = [ "apparmor=1" "security=apparmor" ];

     

       
145
       
145
       
+
       
          custom_includes = /etc/apparmor.d ${concatMapStringsSep " " (p: "${p}/etc/apparmor.d") cfg.packages}

     

       
33
       
146
       
 
       


     

       
34
       
34
       
-
       
     systemd.services.apparmor = let

     

       
35
       
35
       
-
       
       paths = concatMapStrings (s: " -I ${s}/etc/apparmor.d")

     

       
36
       
36
       
-
       
         ([ pkgs.apparmor-profiles ] ++ cfg.packages);

     

       
37
       
37
       
-
       
     in {

     

       
38
       
38
       
-
       
       after = [ "local-fs.target" ];

     

       
39
       
39
       
-
       
       before = [ "sysinit.target" ];

     

       
40
       
40
       
-
       
       wantedBy = [ "multi-user.target" ];

     

       
41
       
41
       
-
       
       unitConfig = {

     

       
42
       
42
       
-
       
         DefaultDependencies = "no";

     

       
43
       
43
       
-
       
       };

     

       
44
       
44
       
-
       
       serviceConfig = {

     

       
45
       
45
       
-
       
         Type = "oneshot";

     

       
46
       
46
       
-
       
         RemainAfterExit = "yes";

     

       
47
       
47
       
-
       
         ExecStart = map (p:

     

       
48
       
48
       
-
       
           ''${pkgs.apparmor-parser}/bin/apparmor_parser -rKv ${paths} "${p}"''

     

       
49
       
49
       
-
       
         ) cfg.profiles;

     

       
50
       
50
       
-
       
         ExecStop = map (p:

     

       
51
       
51
       
-
       
           ''${pkgs.apparmor-parser}/bin/apparmor_parser -Rv "${p}"''

     

       
52
       
52
       
-
       
         ) cfg.profiles;

     

       
53
       
53
       
-
       
         ExecReload = map (p:

     

       
54
       
54
       
-
       
           ''${pkgs.apparmor-parser}/bin/apparmor_parser --reload ${paths} "${p}"''

     

       
55
       
55
       
-
       
         ) cfg.profiles;

     

       
56
       
56
       
-
       
       };

     

       
57
       
57
       
-
       
     };

     

       
58
       
58
       
-
       
   };

     

       
147
       
147
       
+
       
        [qualifiers]

     

       
148
       
148
       
+
       
          ${pkgs.runtimeShell} = icnu

     

       
149
       
149
       
+
       
          ${pkgs.bashInteractive}/bin/sh = icnu

     

       
150
       
150
       
+
       
          ${pkgs.bashInteractive}/bin/bash = icnu

     

       
151
       
151
       
+
       
          ${config.users.defaultUserShell} = icnu

     

       
152
       
152
       
+
       
      '';

     

       
153
       
153
       
+
       
      footer = "${pkgs.apparmor-utils}/etc/apparmor/logprof.conf";

     

       
154
       
154
       
+
       
      passAsFile = [ "header" ];

     

       
155
       
155
       
+
       
    } ''

     

       
156
       
156
       
+
       
      cp $headerPath $out

     

       
157
       
157
       
+
       
      sed '1,/\[qualifiers\]/d' $footer >> $out

     

       
158
       
158
       
+
       
    '';

     

       
159
       
159
       
+
       


     

       
160
       
160
       
+
       
    boot.kernelParams = [ "apparmor=1" "security=apparmor" ];

     

       
161
       
161
       
+
       


     

       
162
       
162
       
+
       
    systemd.services.apparmor = {

     

       
163
       
163
       
+
       
      after = [

     

       
164
       
164
       
+
       
        "local-fs.target"

     

       
165
       
165
       
+
       
        "systemd-journald-audit.socket"

     

       
166
       
166
       
+
       
      ];

     

       
167
       
167
       
+
       
      before = [ "sysinit.target" ];

     

       
168
       
168
       
+
       
      wantedBy = [ "multi-user.target" ];

     

       
169
       
169
       
+
       
      unitConfig = {

     

       
170
       
170
       
+
       
        Description="Load AppArmor policies";

     

       
171
       
171
       
+
       
        DefaultDependencies = "no";

     

       
172
       
172
       
+
       
        ConditionSecurity = "apparmor";

     

       
173
       
173
       
+
       
      };

     

       
174
       
174
       
+
       
      # Reloading instead of restarting enables to load new AppArmor profiles

     

       
175
       
175
       
+
       
      # without necessarily restarting all services which have Requires=apparmor.service

     

       
176
       
176
       
+
       
      reloadIfChanged = true;

     

       
177
       
177
       
+
       
      restartTriggers = [

     

       
178
       
178
       
+
       
        etc."apparmor/parser.conf".source

     

       
179
       
179
       
+
       
        etc."apparmor.d".source

     

       
180
       
180
       
+
       
      ];

     

       
181
       
181
       
+
       
      serviceConfig = let

     

       
182
       
182
       
+
       
        killUnconfinedConfinables = pkgs.writeShellScript "apparmor-kill" ''

     

       
183
       
183
       
+
       
          set -eu

     

       
184
       
184
       
+
       
          ${pkgs.apparmor-bin-utils}/bin/aa-status --json |

     

       
185
       
185
       
+
       
          ${pkgs.jq}/bin/jq --raw-output '.processes | .[] | .[] | select (.status == "unconfined") | .pid' |

     

       
186
       
186
       
+
       
          xargs --verbose --no-run-if-empty --delimiter='\n' \

     

       
187
       
187
       
+
       
          kill

     

       
188
       
188
       
+
       
        '';

     

       
189
       
189
       
+
       
        commonOpts = p: "--verbose --show-cache ${optionalString (!p.enforce) "--complain "}${p.profile}";

     

       
190
       
190
       
+
       
        in {

     

       
191
       
191
       
+
       
        Type = "oneshot";

     

       
192
       
192
       
+
       
        RemainAfterExit = "yes";

     

       
193
       
193
       
+
       
        ExecStartPre = "${pkgs.apparmor-utils}/bin/aa-teardown";

     

       
194
       
194
       
+
       
        ExecStart = mapAttrsToList (n: p: "${pkgs.apparmor-parser}/bin/apparmor_parser --add ${commonOpts p}") enabledPolicies;

     

       
195
       
195
       
+
       
        ExecStartPost = optional cfg.killUnconfinedConfinables killUnconfinedConfinables;

     

       
196
       
196
       
+
       
        ExecReload =

     

       
197
       
197
       
+
       
          # Add or replace into the kernel profiles in enabledPolicies

     

       
198
       
198
       
+
       
          # (because AppArmor can do that without stopping the processes already confined).

     

       
199
       
199
       
+
       
          mapAttrsToList (n: p: "${pkgs.apparmor-parser}/bin/apparmor_parser --replace ${commonOpts p}") enabledPolicies ++

     

       
200
       
200
       
+
       
          # Remove from the kernel any profile whose name is not

     

       
201
       
201
       
+
       
          # one of the names within the content of the profiles in enabledPolicies

     

       
202
       
202
       
+
       
          # (indirectly read from /etc/apparmor.d/*, without recursing into sub-directory).

     

       
203
       
203
       
+
       
          # Note that this does not remove profiles dynamically generated by libvirt.

     

       
204
       
204
       
+
       
          [ "${pkgs.apparmor-utils}/bin/aa-remove-unknown" ] ++

     

       
205
       
205
       
+
       
          # Optionaly kill the processes which are unconfined but now have a profile loaded

     

       
206
       
206
       
+
       
          # (because AppArmor can only start to confine new processes).

     

       
207
       
207
       
+
       
          optional cfg.killUnconfinedConfinables killUnconfinedConfinables;

     

       
208
       
208
       
+
       
        ExecStop = "${pkgs.apparmor-utils}/bin/aa-teardown";

     

       
209
       
209
       
+
       
        CacheDirectory = [ "apparmor" "apparmor/logprof" ];

     

       
210
       
210
       
+
       
        CacheDirectoryMode = "0700";

     

       
211
       
211
       
+
       
      };

     

       
212
       
212
       
+
       
    };

     

       
213
       
213
       
+
       
  };

     

       
214
       
214
       
+
       


     

       
215
       
215
       
+
       
  meta.maintainers = with maintainers; [ julm ];

     

       
59
       
216
       
 
       
}

     

···

       
1
       
1
       
+
       
{ config, lib, pkgs, ... }:

     

       
2
       
2
       
+
       
let

     

       
3
       
3
       
+
       
  inherit (builtins) attrNames hasAttr isAttrs;

     

       
4
       
4
       
+
       
  inherit (lib) getLib;

     

       
5
       
5
       
+
       
  inherit (config.environment) etc;

     

       
6
       
6
       
+
       
  # Utility to generate an AppArmor rule

     

       
7
       
7
       
+
       
  # only when the given path exists in config.environment.etc

     

       
8
       
8
       
+
       
  etcRule = arg:

     

       
9
       
9
       
+
       
    let go = { path ? null, mode ? "r", trail ? "" }:

     

       
10
       
10
       
+
       
      lib.optionalString (hasAttr path etc)

     

       
11
       
11
       
+
       
        "${mode} ${config.environment.etc.${path}.source}${trail},";

     

       
12
       
12
       
+
       
    in if isAttrs arg

     

       
13
       
13
       
+
       
    then go arg

     

       
14
       
14
       
+
       
    else go { path = arg; };

     

       
15
       
15
       
+
       
in

     

       
16
       
16
       
+
       
{

     

       
17
       
17
       
+
       
# FIXME: most of the etcRule calls below have been

     

       
18
       
18
       
+
       
# written systematically by converting from apparmor-profiles's profiles

     

       
19
       
19
       
+
       
# without testing nor deep understanding of their uses,

     

       
20
       
20
       
+
       
# and thus may need more rules or can have less rules;

     

       
21
       
21
       
+
       
# this remains to be determined case by case,

     

       
22
       
22
       
+
       
# some may even be completely useless.

     

       
23
       
23
       
+
       
config.security.apparmor.includes = {

     

       
24
       
24
       
+
       
  # This one is included by <tunables/global>

     

       
25
       
25
       
+
       
  # which is usualy included before any profile.

     

       
26
       
26
       
+
       
  "abstractions/tunables/alias" = ''

     

       
27
       
27
       
+
       
    alias /bin -> /run/current-system/sw/bin,

     

       
28
       
28
       
+
       
    alias /lib/modules -> /run/current-system/kernel/lib/modules,

     

       
29
       
29
       
+
       
    alias /sbin -> /run/current-system/sw/sbin,

     

       
30
       
30
       
+
       
    alias /usr -> /run/current-system/sw,

     

       
31
       
31
       
+
       
  '';

     

       
32
       
32
       
+
       
  "abstractions/audio" = ''

     

       
33
       
33
       
+
       
    include "${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/audio"

     

       
34
       
34
       
+
       
    '' + lib.concatMapStringsSep "\n" etcRule [

     

       
35
       
35
       
+
       
      "asound.conf"

     

       
36
       
36
       
+
       
      "esound/esd.conf"

     

       
37
       
37
       
+
       
      "libao.conf"

     

       
38
       
38
       
+
       
      { path = "pulse";  trail = "/"; }

     

       
39
       
39
       
+
       
      { path = "pulse";  trail = "/**"; }

     

       
40
       
40
       
+
       
      { path = "sound";  trail = "/"; }

     

       
41
       
41
       
+
       
      { path = "sound";  trail = "/**"; }

     

       
42
       
42
       
+
       
      { path = "alsa/conf.d";  trail = "/"; }

     

       
43
       
43
       
+
       
      { path = "alsa/conf.d";  trail = "/*"; }

     

       
44
       
44
       
+
       
      "openal/alsoft.conf"

     

       
45
       
45
       
+
       
      "wildmidi/wildmidi.conf"

     

       
46
       
46
       
+
       
    ];

     

       
47
       
47
       
+
       
  "abstractions/authentication" = ''

     

       
48
       
48
       
+
       
    include "${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/authentication"

     

       
49
       
49
       
+
       
    # Defined in security.pam

     

       
50
       
50
       
+
       
    include <abstractions/pam>

     

       
51
       
51
       
+
       
    '' + lib.concatMapStringsSep "\n" etcRule [

     

       
52
       
52
       
+
       
      "nologin"

     

       
53
       
53
       
+
       
      "securetty"

     

       
54
       
54
       
+
       
      { path = "security";  trail = "/*"; }

     

       
55
       
55
       
+
       
      "shadow"

     

       
56
       
56
       
+
       
      "gshadow"

     

       
57
       
57
       
+
       
      "pwdb.conf"

     

       
58
       
58
       
+
       
      "default/passwd"

     

       
59
       
59
       
+
       
      "login.defs"

     

       
60
       
60
       
+
       
    ];

     

       
61
       
61
       
+
       
  "abstractions/base" = ''

     

       
62
       
62
       
+
       
    include "${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/base"

     

       
63
       
63
       
+
       
    r ${pkgs.stdenv.cc.libc}/share/locale/**,

     

       
64
       
64
       
+
       
    r ${pkgs.stdenv.cc.libc}/share/locale.alias,

     

       
65
       
65
       
+
       
    ${lib.optionalString (pkgs.glibcLocales != null) "r ${pkgs.glibcLocales}/lib/locale/locale-archive,"}

     

       
66
       
66
       
+
       
    ${etcRule "localtime"}

     

       
67
       
67
       
+
       
    r ${pkgs.tzdata}/share/zoneinfo/**,

     

       
68
       
68
       
+
       
    r ${pkgs.stdenv.cc.libc}/share/i18n/**,

     

       
69
       
69
       
+
       
  '';

     

       
70
       
70
       
+
       
  "abstractions/bash" = ''

     

       
71
       
71
       
+
       
    include "${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/bash"

     

       
72
       
72
       
+
       


     

       
73
       
73
       
+
       
    # bash inspects filesystems at startup

     

       
74
       
74
       
+
       
    # and /etc/mtab is linked to /proc/mounts

     

       
75
       
75
       
+
       
    @{PROC}/mounts

     

       
76
       
76
       
+
       


     

       
77
       
77
       
+
       
    # system-wide bash configuration

     

       
78
       
78
       
+
       
    '' + lib.concatMapStringsSep "\n" etcRule [

     

       
79
       
79
       
+
       
      "profile.dos"

     

       
80
       
80
       
+
       
      "profile"

     

       
81
       
81
       
+
       
      "profile.d"

     

       
82
       
82
       
+
       
      { path = "profile.d";  trail = "/*"; }

     

       
83
       
83
       
+
       
      "bashrc"

     

       
84
       
84
       
+
       
      "bash.bashrc"

     

       
85
       
85
       
+
       
      "bash.bashrc.local"

     

       
86
       
86
       
+
       
      "bash_completion"

     

       
87
       
87
       
+
       
      "bash_completion.d"

     

       
88
       
88
       
+
       
      { path = "bash_completion.d";  trail = "/*"; }

     

       
89
       
89
       
+
       
      # bash relies on system-wide readline configuration

     

       
90
       
90
       
+
       
      "inputrc"

     

       
91
       
91
       
+
       
      # run out of /etc/bash.bashrc

     

       
92
       
92
       
+
       
      "DIR_COLORS"

     

       
93
       
93
       
+
       
    ];

     

       
94
       
94
       
+
       
  "abstractions/consoles" = ''

     

       
95
       
95
       
+
       
     include "${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/consoles"

     

       
96
       
96
       
+
       
  '';

     

       
97
       
97
       
+
       
  "abstractions/cups-client" = ''

     

       
98
       
98
       
+
       
    include "${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/cpus-client"

     

       
99
       
99
       
+
       
    ${etcRule "cups/cups-client.conf"}

     

       
100
       
100
       
+
       
  '';

     

       
101
       
101
       
+
       
  "abstractions/dbus-session-strict" = ''

     

       
102
       
102
       
+
       
    include "${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/dbus-session-strict"

     

       
103
       
103
       
+
       
    ${etcRule "machine-id"}

     

       
104
       
104
       
+
       
  '';

     

       
105
       
105
       
+
       
  "abstractions/dconf" = ''

     

       
106
       
106
       
+
       
    include "${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/dconf"

     

       
107
       
107
       
+
       
    ${etcRule { path = "dconf";  trail = "/**"; }}

     

       
108
       
108
       
+
       
  '';

     

       
109
       
109
       
+
       
  "abstractions/dri-common" = ''

     

       
110
       
110
       
+
       
    include "${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/dri-common"

     

       
111
       
111
       
+
       
    ${etcRule "drirc"}

     

       
112
       
112
       
+
       
  '';

     

       
113
       
113
       
+
       
  # The config.fonts.fontconfig NixOS module adds many files to /etc/fonts/

     

       
114
       
114
       
+
       
  # by symlinking them but without exporting them outside of its NixOS module,

     

       
115
       
115
       
+
       
  # those are therefore added there to this "abstractions/fonts".

     

       
116
       
116
       
+
       
  "abstractions/fonts" = ''

     

       
117
       
117
       
+
       
    include "${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/fonts"

     

       
118
       
118
       
+
       
    ${etcRule { path = "fonts";  trail = "/**"; }}

     

       
119
       
119
       
+
       
  '';

     

       
120
       
120
       
+
       
  "abstractions/gnome" = ''

     

       
121
       
121
       
+
       
    include "${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/gnome"

     

       
122
       
122
       
+
       
    include <abstractions/fonts>

     

       
123
       
123
       
+
       
    '' + lib.concatMapStringsSep "\n" etcRule [

     

       
124
       
124
       
+
       
      { path = "gnome";  trail = "/gtkrc*"; }

     

       
125
       
125
       
+
       
      { path = "gtk";  trail = "/*"; }

     

       
126
       
126
       
+
       
      { path = "gtk-2.0";  trail = "/*"; }

     

       
127
       
127
       
+
       
      { path = "gtk-3.0";  trail = "/*"; }

     

       
128
       
128
       
+
       
      "orbitrc"

     

       
129
       
129
       
+
       
      { path = "pango";  trail = "/*"; }

     

       
130
       
130
       
+
       
      { path = "/etc/gnome-vfs-2.0";  trail = "/modules/"; }

     

       
131
       
131
       
+
       
      { path = "/etc/gnome-vfs-2.0";  trail = "/modules/*"; }

     

       
132
       
132
       
+
       
      "papersize"

     

       
133
       
133
       
+
       
      { path = "cups";  trail = "/lpoptions"; }

     

       
134
       
134
       
+
       
      { path = "gnome";  trail = "/defaults.list"; }

     

       
135
       
135
       
+
       
      { path = "xdg";  trail = "/{,*-}mimeapps.list"; }

     

       
136
       
136
       
+
       
      "xdg/mimeapps.list"

     

       
137
       
137
       
+
       
    ];

     

       
138
       
138
       
+
       
  "abstractions/kde" = ''

     

       
139
       
139
       
+
       
    include "${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/kde"

     

       
140
       
140
       
+
       
    '' + lib.concatMapStringsSep "\n" etcRule [

     

       
141
       
141
       
+
       
      { path = "qt3";  trail = "/kstylerc"; }

     

       
142
       
142
       
+
       
      { path = "qt3";  trail = "/qt_plugins_3.3rc"; }

     

       
143
       
143
       
+
       
      { path = "qt3";  trail = "/qtrc"; }

     

       
144
       
144
       
+
       
      "kderc"

     

       
145
       
145
       
+
       
      { path = "kde3";  trail = "/*"; }

     

       
146
       
146
       
+
       
      "kde4rc"

     

       
147
       
147
       
+
       
      { path = "xdg";  trail = "/kdeglobals"; }

     

       
148
       
148
       
+
       
      { path = "xdg";  trail = "/Trolltech.conf"; }

     

       
149
       
149
       
+
       
    ];

     

       
150
       
150
       
+
       
  "abstractions/kerberosclient" = ''

     

       
151
       
151
       
+
       
    include "${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/kerberosclient"

     

       
152
       
152
       
+
       
    '' + lib.concatMapStringsSep "\n" etcRule [

     

       
153
       
153
       
+
       
    { path = "krb5.keytab"; mode="rk"; }

     

       
154
       
154
       
+
       
    "krb5.conf"

     

       
155
       
155
       
+
       
    "krb5.conf.d"

     

       
156
       
156
       
+
       
    { path = "krb5.conf.d";  trail = "/*"; }

     

       
157
       
157
       
+
       


     

       
158
       
158
       
+
       
    # config files found via strings on libs

     

       
159
       
159
       
+
       
    "krb.conf"

     

       
160
       
160
       
+
       
    "krb.realms"

     

       
161
       
161
       
+
       
    "srvtab"

     

       
162
       
162
       
+
       
    ];

     

       
163
       
163
       
+
       
  "abstractions/ldapclient" = ''

     

       
164
       
164
       
+
       
    include "${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/ldapclient"

     

       
165
       
165
       
+
       
    '' + lib.concatMapStringsSep "\n" etcRule [

     

       
166
       
166
       
+
       
      "ldap.conf"

     

       
167
       
167
       
+
       
      "ldap.secret"

     

       
168
       
168
       
+
       
      { path = "openldap";  trail = "/*"; }

     

       
169
       
169
       
+
       
      { path = "openldap";  trail = "/cacerts/*"; }

     

       
170
       
170
       
+
       
      { path = "sasl2";  trail = "/*"; }

     

       
171
       
171
       
+
       
    ];

     

       
172
       
172
       
+
       
  "abstractions/likewise" = ''

     

       
173
       
173
       
+
       
    include "${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/likewise"

     

       
174
       
174
       
+
       
  '';

     

       
175
       
175
       
+
       
  "abstractions/mdns" = ''

     

       
176
       
176
       
+
       
    include "${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/mdns"

     

       
177
       
177
       
+
       
    ${etcRule "nss_mdns.conf"}

     

       
178
       
178
       
+
       
  '';

     

       
179
       
179
       
+
       
  "abstractions/nameservice" = ''

     

       
180
       
180
       
+
       
    include "${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/nameservice"

     

       
181
       
181
       
+
       


     

       
182
       
182
       
+
       
    # Many programs wish to perform nameservice-like operations, such as

     

       
183
       
183
       
+
       
    # looking up users by name or id, groups by name or id, hosts by name

     

       
184
       
184
       
+
       
    # or IP, etc. These operations may be performed through files, dns,

     

       
185
       
185
       
+
       
    # NIS, NIS+, LDAP, hesiod, wins, etc. Allow them all here.

     

       
186
       
186
       
+
       
    mr ${getLib pkgs.nss}/lib/libnss_*.so*,

     

       
187
       
187
       
+
       
    mr ${getLib pkgs.nss}/lib64/libnss_*.so*,

     

       
188
       
188
       
+
       
    '' + lib.concatMapStringsSep "\n" etcRule [

     

       
189
       
189
       
+
       
      "group"

     

       
190
       
190
       
+
       
      "host.conf"

     

       
191
       
191
       
+
       
      "hosts"

     

       
192
       
192
       
+
       
      "nsswitch.conf"

     

       
193
       
193
       
+
       
      "gai.conf"

     

       
194
       
194
       
+
       
      "passwd"

     

       
195
       
195
       
+
       
      "protocols"

     

       
196
       
196
       
+
       


     

       
197
       
197
       
+
       
      # libtirpc (used for NIS/YP login) needs this

     

       
198
       
198
       
+
       
      "netconfig"

     

       
199
       
199
       
+
       


     

       
200
       
200
       
+
       
      "resolv.conf"

     

       
201
       
201
       
+
       


     

       
202
       
202
       
+
       
      { path = "samba";  trail = "/lmhosts"; }

     

       
203
       
203
       
+
       
      "services"

     

       
204
       
204
       
+
       


     

       
205
       
205
       
+
       
      "default/nss"

     

       
206
       
206
       
+
       


     

       
207
       
207
       
+
       
      # libnl-3-200 via libnss-gw-name

     

       
208
       
208
       
+
       
      { path = "libnl";  trail = "/classid"; }

     

       
209
       
209
       
+
       
      { path = "libnl-3";  trail = "/classid"; }

     

       
210
       
210
       
+
       
    ];

     

       
211
       
211
       
+
       
  "abstractions/nis" = ''

     

       
212
       
212
       
+
       
    include "${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/nis"

     

       
213
       
213
       
+
       
  '';

     

       
214
       
214
       
+
       
  "abstractions/nvidia" = ''

     

       
215
       
215
       
+
       
    include "${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/nvidia"

     

       
216
       
216
       
+
       
    ${etcRule "vdpau_wrapper.cfg"}

     

       
217
       
217
       
+
       
  '';

     

       
218
       
218
       
+
       
  "abstractions/opencl-common" = ''

     

       
219
       
219
       
+
       
    include "${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/opencl-common"

     

       
220
       
220
       
+
       
    ${etcRule { path = "OpenCL";  trail = "/**"; }}

     

       
221
       
221
       
+
       
  '';

     

       
222
       
222
       
+
       
  "abstractions/opencl-mesa" = ''

     

       
223
       
223
       
+
       
    include "${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/opencl-mesa"

     

       
224
       
224
       
+
       
    ${etcRule "default/drirc"}

     

       
225
       
225
       
+
       
  '';

     

       
226
       
226
       
+
       
  "abstractions/openssl" = ''

     

       
227
       
227
       
+
       
    include "${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/openssl"

     

       
228
       
228
       
+
       
    ${etcRule { path = "ssl";  trail = "/openssl.cnf"; }}

     

       
229
       
229
       
+
       
  '';

     

       
230
       
230
       
+
       
  "abstractions/p11-kit" = ''

     

       
231
       
231
       
+
       
    include "${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/p11-kit"

     

       
232
       
232
       
+
       
    '' + lib.concatMapStringsSep "\n" etcRule [

     

       
233
       
233
       
+
       
      { path = "pkcs11";  trail = "/"; }

     

       
234
       
234
       
+
       
      { path = "pkcs11";  trail = "/pkcs11.conf"; }

     

       
235
       
235
       
+
       
      { path = "pkcs11";  trail = "/modules/"; }

     

       
236
       
236
       
+
       
      { path = "pkcs11";  trail = "/modules/*"; }

     

       
237
       
237
       
+
       
    ];

     

       
238
       
238
       
+
       
  "abstractions/perl" = ''

     

       
239
       
239
       
+
       
    include "${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/perl"

     

       
240
       
240
       
+
       
    ${etcRule { path = "perl";  trail = "/**"; }}

     

       
241
       
241
       
+
       
  '';

     

       
242
       
242
       
+
       
  "abstractions/php" = ''

     

       
243
       
243
       
+
       
    include "${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/php"

     

       
244
       
244
       
+
       
    '' + lib.concatMapStringsSep "\n" etcRule [

     

       
245
       
245
       
+
       
      { path = "php";  trail = "/**/"; }

     

       
246
       
246
       
+
       
      { path = "php5";  trail = "/**/"; }

     

       
247
       
247
       
+
       
      { path = "php7";  trail = "/**/"; }

     

       
248
       
248
       
+
       
      { path = "php";  trail = "/**.ini"; }

     

       
249
       
249
       
+
       
      { path = "php5";  trail = "/**.ini"; }

     

       
250
       
250
       
+
       
      { path = "php7";  trail = "/**.ini"; }

     

       
251
       
251
       
+
       
    ];

     

       
252
       
252
       
+
       
  "abstractions/postfix-common" = ''

     

       
253
       
253
       
+
       
    include "${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/postfix-common"

     

       
254
       
254
       
+
       
    '' + lib.concatMapStringsSep "\n" etcRule [

     

       
255
       
255
       
+
       
      "mailname"

     

       
256
       
256
       
+
       
      { path = "postfix";  trail = "/*.cf"; }

     

       
257
       
257
       
+
       
      "postfix/main.cf"

     

       
258
       
258
       
+
       
      "postfix/master.cf"

     

       
259
       
259
       
+
       
    ];

     

       
260
       
260
       
+
       
  "abstractions/python" = ''

     

       
261
       
261
       
+
       
    include "${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/python"

     

       
262
       
262
       
+
       
  '';

     

       
263
       
263
       
+
       
  "abstractions/qt5" = ''

     

       
264
       
264
       
+
       
    include "${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/qt5"

     

       
265
       
265
       
+
       
    '' + lib.concatMapStringsSep "\n" etcRule [

     

       
266
       
266
       
+
       
      { path = "xdg";  trail = "/QtProject/qtlogging.ini"; }

     

       
267
       
267
       
+
       
      { path = "xdg/QtProject";  trail = "/qtlogging.ini"; }

     

       
268
       
268
       
+
       
      "xdg/QtProject/qtlogging.ini"

     

       
269
       
269
       
+
       
    ];

     

       
270
       
270
       
+
       
  "abstractions/samba" = ''

     

       
271
       
271
       
+
       
    include "${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/samba"

     

       
272
       
272
       
+
       
    ${etcRule { path = "samba";  trail = "/*"; }}

     

       
273
       
273
       
+
       
  '';

     

       
274
       
274
       
+
       
  "abstractions/ssl_certs" = ''

     

       
275
       
275
       
+
       
    include "${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/ssl_certs"

     

       
276
       
276
       
+
       


     

       
277
       
277
       
+
       
    # For the NixOS module: security.acme

     

       
278
       
278
       
+
       
    r /var/lib/acme/*/cert.pem,

     

       
279
       
279
       
+
       
    r /var/lib/acme/*/chain.pem,

     

       
280
       
280
       
+
       
    r /var/lib/acme/*/fullchain.pem,

     

       
281
       
281
       
+
       


     

       
282
       
282
       
+
       
    '' + lib.concatMapStringsSep "\n" etcRule [

     

       
283
       
283
       
+
       
      "ssl/certs/ca-certificates.crt"

     

       
284
       
284
       
+
       
      "ssl/certs/ca-bundle.crt"

     

       
285
       
285
       
+
       
      "pki/tls/certs/ca-bundle.crt"

     

       
286
       
286
       
+
       


     

       
287
       
287
       
+
       
      { path = "ssl/trust";  trail = "/"; }

     

       
288
       
288
       
+
       
      { path = "ssl/trust";  trail = "/*"; }

     

       
289
       
289
       
+
       
      { path = "ssl/trust/anchors";  trail = "/"; }

     

       
290
       
290
       
+
       
      { path = "ssl/trust/anchors";  trail = "/**"; }

     

       
291
       
291
       
+
       
      { path = "pki/trust";  trail = "/"; }

     

       
292
       
292
       
+
       
      { path = "pki/trust";  trail = "/*"; }

     

       
293
       
293
       
+
       
      { path = "pki/trust/anchors";  trail = "/"; }

     

       
294
       
294
       
+
       
      { path = "pki/trust/anchors";  trail = "/**"; }

     

       
295
       
295
       
+
       
    ];

     

       
296
       
296
       
+
       
  "abstractions/ssl_keys" = ''

     

       
297
       
297
       
+
       
    # security.acme NixOS module

     

       
298
       
298
       
+
       
    r /var/lib/acme/*/full.pem,

     

       
299
       
299
       
+
       
    r /var/lib/acme/*/key.pem,

     

       
300
       
300
       
+
       
  '';

     

       
301
       
301
       
+
       
  "abstractions/vulkan" = ''

     

       
302
       
302
       
+
       
    include "${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/vulkan"

     

       
303
       
303
       
+
       
    ${etcRule { path = "vulkan/icd.d";  trail = "/"; }}

     

       
304
       
304
       
+
       
    ${etcRule { path = "vulkan/icd.d";  trail = "/*.json"; }}

     

       
305
       
305
       
+
       
  '';

     

       
306
       
306
       
+
       
  "abstractions/winbind" = ''

     

       
307
       
307
       
+
       
    include "${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/winbind"

     

       
308
       
308
       
+
       
    ${etcRule { path = "samba";  trail = "/smb.conf"; }}

     

       
309
       
309
       
+
       
    ${etcRule { path = "samba";  trail = "/dhcp.conf"; }}

     

       
310
       
310
       
+
       
  '';

     

       
311
       
311
       
+
       
  "abstractions/X" = ''

     

       
312
       
312
       
+
       
    include "${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/X"

     

       
313
       
313
       
+
       
    ${etcRule { path = "X11/cursors";  trail = "/"; }}

     

       
314
       
314
       
+
       
    ${etcRule { path = "X11/cursors";  trail = "/**"; }}

     

       
315
       
315
       
+
       
  '';

     

       
316
       
316
       
+
       
};

     

       
317
       
317
       
+
       
}

     

···

       
1
       
1
       
+
       
{ config, lib, pkgs, ... }:

     

       
2
       
2
       
+
       
let apparmor = config.security.apparmor; in

     

       
3
       
3
       
+
       
{

     

       
4
       
4
       
+
       
config.security.apparmor.packages = [ pkgs.apparmor-profiles ];

     

       
5
       
5
       
+
       
config.security.apparmor.policies."bin.ping".profile = lib.mkIf apparmor.policies."bin.ping".enable ''

     

       
6
       
6
       
+
       
  include "${pkgs.iputils.apparmor}/bin.ping"

     

       
7
       
7
       
+
       
  include "${pkgs.inetutils.apparmor}/bin.ping"

     

       
8
       
8
       
+
       
  # Note that including those two profiles in the same profile

     

       
9
       
9
       
+
       
  # would not work if the second one were to re-include <tunables/global>.

     

       
10
       
10
       
+
       
'';

     

       
11
       
11
       
+
       
}

     

···

       
7
       
7
       
 
       
    maintainers = [ maintainers.joachifm ];

     

       
8
       
8
       
 
       
  };

     

       
9
       
9
       
 
       


     

       
10
       
10
       
+
       
  imports = [

     

       
11
       
11
       
+
       
    (lib.mkRenamedOptionModule [ "security" "virtualization" "flushL1DataCache" ] [ "security" "virtualisation" "flushL1DataCache" ])

     

       
12
       
12
       
+
       
  ];

     

       
13
       
13
       
+
       


     

       
10
       
14
       
 
       
  options = {

     

       
11
       
15
       
 
       
    security.allowUserNamespaces = mkOption {

     

       
12
       
16
       
 
       
      type = types.bool;

     

···

       
895
       
895
       
 
       
        runuser-l = { rootOK = true; unixAuth = false; };

     

       
896
       
896
       
 
       
      };

     

       
897
       
897
       
 
       


     

       
898
       
898
       
+
       
    security.apparmor.includes."abstractions/pam" = let

     

       
899
       
899
       
+
       
      isEnabled = test: fold or false (map test (attrValues config.security.pam.services));

     

       
900
       
900
       
+
       
      in

     

       
901
       
901
       
+
       
      lib.concatMapStringsSep "\n"

     

       
902
       
902
       
+
       
        (name: "r ${config.environment.etc."pam.d/${name}".source},")

     

       
903
       
903
       
+
       
        (attrNames config.security.pam.services) +

     

       
904
       
904
       
+
       
      ''

     

       
905
       
905
       
+
       
      mr ${getLib pkgs.pam}/lib/security/pam_filter/*,

     

       
906
       
906
       
+
       
      mr ${getLib pkgs.pam}/lib/security/pam_*.so,

     

       
907
       
907
       
+
       
      r ${getLib pkgs.pam}/lib/security/,

     

       
908
       
908
       
+
       
      '' +

     

       
909
       
909
       
+
       
      optionalString use_ldap ''

     

       
910
       
910
       
+
       
         mr ${pam_ldap}/lib/security/pam_ldap.so,

     

       
911
       
911
       
+
       
      '' +

     

       
912
       
912
       
+
       
      optionalString config.services.sssd.enable ''

     

       
913
       
913
       
+
       
        mr ${pkgs.sssd}/lib/security/pam_sss.so,

     

       
914
       
914
       
+
       
      '' +

     

       
915
       
915
       
+
       
      optionalString config.krb5.enable ''

     

       
916
       
916
       
+
       
        mr ${pam_krb5}/lib/security/pam_krb5.so,

     

       
917
       
917
       
+
       
        mr ${pam_ccreds}/lib/security/pam_ccreds.so,

     

       
918
       
918
       
+
       
      '' +

     

       
919
       
919
       
+
       
      optionalString (isEnabled (cfg: cfg.googleOsLoginAccountVerification)) ''

     

       
920
       
920
       
+
       
        mr ${pkgs.google-compute-engine-oslogin}/lib/pam_oslogin_login.so,

     

       
921
       
921
       
+
       
        mr ${pkgs.google-compute-engine-oslogin}/lib/pam_oslogin_admin.so,

     

       
922
       
922
       
+
       
      '' +

     

       
923
       
923
       
+
       
      optionalString (isEnabled (cfg: cfg.googleOsLoginAuthentication)) ''

     

       
924
       
924
       
+
       
        mr ${pkgs.google-compute-engine-oslogin}/lib/pam_oslogin_login.so,

     

       
925
       
925
       
+
       
      '' +

     

       
926
       
926
       
+
       
      optionalString (config.security.pam.enableSSHAgentAuth

     

       
927
       
927
       
+
       
                     && isEnabled (cfg: cfg.sshAgentAuth)) ''

     

       
928
       
928
       
+
       
        mr ${pkgs.pam_ssh_agent_auth}/libexec/pam_ssh_agent_auth.so,

     

       
929
       
929
       
+
       
      '' +

     

       
930
       
930
       
+
       
      optionalString (isEnabled (cfg: cfg.fprintAuth)) ''

     

       
931
       
931
       
+
       
        mr ${pkgs.fprintd}/lib/security/pam_fprintd.so,

     

       
932
       
932
       
+
       
      '' +

     

       
933
       
933
       
+
       
      optionalString (isEnabled (cfg: cfg.u2fAuth)) ''

     

       
934
       
934
       
+
       
        mr ${pkgs.pam_u2f}/lib/security/pam_u2f.so,

     

       
935
       
935
       
+
       
      '' +

     

       
936
       
936
       
+
       
      optionalString (isEnabled (cfg: cfg.usbAuth)) ''

     

       
937
       
937
       
+
       
        mr ${pkgs.pam_usb}/lib/security/pam_usb.so,

     

       
938
       
938
       
+
       
      '' +

     

       
939
       
939
       
+
       
      optionalString (isEnabled (cfg: cfg.oathAuth)) ''

     

       
940
       
940
       
+
       
        "mr ${pkgs.oathToolkit}/lib/security/pam_oath.so,

     

       
941
       
941
       
+
       
      '' +

     

       
942
       
942
       
+
       
      optionalString (isEnabled (cfg: cfg.yubicoAuth)) ''

     

       
943
       
943
       
+
       
        mr ${pkgs.yubico-pam}/lib/security/pam_yubico.so,

     

       
944
       
944
       
+
       
      '' +

     

       
945
       
945
       
+
       
      optionalString (isEnabled (cfg: cfg.duoSecurity.enable)) ''

     

       
946
       
946
       
+
       
        mr ${pkgs.duo-unix}/lib/security/pam_duo.so,

     

       
947
       
947
       
+
       
      '' +

     

       
948
       
948
       
+
       
      optionalString (isEnabled (cfg: cfg.otpwAuth)) ''

     

       
949
       
949
       
+
       
        mr ${pkgs.otpw}/lib/security/pam_otpw.so,

     

       
950
       
950
       
+
       
      '' +

     

       
951
       
951
       
+
       
      optionalString config.security.pam.enableEcryptfs ''

     

       
952
       
952
       
+
       
        mr ${pkgs.ecryptfs}/lib/security/pam_ecryptfs.so,

     

       
953
       
953
       
+
       
      '' +

     

       
954
       
954
       
+
       
      optionalString (isEnabled (cfg: cfg.pamMount)) ''

     

       
955
       
955
       
+
       
        mr ${pkgs.pam_mount}/lib/security/pam_mount.so,

     

       
956
       
956
       
+
       
      '' +

     

       
957
       
957
       
+
       
      optionalString (isEnabled (cfg: cfg.enableGnomeKeyring)) ''

     

       
958
       
958
       
+
       
        mr ${pkgs.gnome3.gnome-keyring}/lib/security/pam_gnome_keyring.so,

     

       
959
       
959
       
+
       
      '' +

     

       
960
       
960
       
+
       
      optionalString (isEnabled (cfg: cfg.startSession)) ''

     

       
961
       
961
       
+
       
        mr ${pkgs.systemd}/lib/security/pam_systemd.so,

     

       
962
       
962
       
+
       
      '' +

     

       
963
       
963
       
+
       
      optionalString (isEnabled (cfg: cfg.enableAppArmor)

     

       
964
       
964
       
+
       
                     && config.security.apparmor.enable) ''

     

       
965
       
965
       
+
       
        mr ${pkgs.apparmor-pam}/lib/security/pam_apparmor.so,

     

       
966
       
966
       
+
       
      '' +

     

       
967
       
967
       
+
       
      optionalString (isEnabled (cfg: cfg.enableKwallet)) ''

     

       
968
       
968
       
+
       
        mr ${pkgs.plasma5.kwallet-pam}/lib/security/pam_kwallet5.so,

     

       
969
       
969
       
+
       
      '' +

     

       
970
       
970
       
+
       
      optionalString config.virtualisation.lxc.lxcfs.enable ''

     

       
971
       
971
       
+
       
        mr ${pkgs.lxc}/lib/security/pam_cgfs.so

     

       
972
       
972
       
+
       
      '';

     

       
898
       
973
       
 
       
  };

     

       
899
       
974
       
 
       


     

       
900
       
975
       
 
       
}

     

···

       
171
       
171
       
 
       
      export PATH="${wrapperDir}:$PATH"

     

       
172
       
172
       
 
       
    '';

     

       
173
       
173
       
 
       


     

       
174
       
174
       
+
       
    security.apparmor.includes."nixos/security.wrappers" = ''

     

       
175
       
175
       
+
       
      include "${pkgs.apparmorRulesFromClosure { name="security.wrappers"; } [

     

       
176
       
176
       
+
       
        securityWrapper

     

       
177
       
177
       
+
       
        pkgs.stdenv.cc.cc

     

       
178
       
178
       
+
       
        pkgs.stdenv.cc.libc

     

       
179
       
179
       
+
       
      ]}"

     

       
180
       
180
       
+
       
    '';

     

       
181
       
181
       
+
       


     

       
174
       
182
       
 
       
    ###### setcap activation script

     

       
175
       
183
       
 
       
    system.activationScripts.wrappers =

     

       
176
       
184
       
 
       
      lib.stringAfter [ "specialfs" "users" ]

     

···

       
5
       
5
       
 
       
let

     

       
6
       
6
       
 
       
  cfg = config.services.transmission;

     

       
7
       
7
       
 
       
  inherit (config.environment) etc;

     

       
8
       
8
       
-
       
  apparmor = config.security.apparmor.enable;

     

       
8
       
8
       
+
       
  apparmor = config.security.apparmor;

     

       
9
       
9
       
 
       
  rootDir = "/run/transmission";

     

       
10
       
10
       
 
       
  homeDir = "/var/lib/transmission";

     

       
11
       
11
       
 
       
  settingsDir = ".config/transmission-daemon";

     
···

       
184
       
184
       
 
       


     

       
185
       
185
       
 
       
    systemd.services.transmission = {

     

       
186
       
186
       
 
       
      description = "Transmission BitTorrent Service";

     

       
187
       
187
       
-
       
      after = [ "network.target" ] ++ optional apparmor "apparmor.service";

     

       
188
       
188
       
-
       
      requires = optional apparmor "apparmor.service";

     

       
187
       
187
       
+
       
      after = [ "network.target" ] ++ optional apparmor.enable "apparmor.service";

     

       
188
       
188
       
+
       
      requires = optional apparmor.enable "apparmor.service";

     

       
189
       
189
       
 
       
      wantedBy = [ "multi-user.target" ];

     

       
190
       
190
       
 
       
      environment.CURL_CA_BUNDLE = etc."ssl/certs/ca-certificates.crt".source;

     

       
191
       
191
       
 
       


     
···

       
358
       
358
       
 
       
      })

     

       
359
       
359
       
 
       
    ];

     

       
360
       
360
       
 
       


     

       
361
       
361
       
-
       
    security.apparmor.profiles = mkIf apparmor [

     

       
362
       
362
       
-
       
      (pkgs.writeText "apparmor-transmission-daemon" ''

     

       
363
       
363
       
-
       
        include <tunables/global>

     

       
364
       
364
       
-
       


     

       
365
       
365
       
-
       
        ${pkgs.transmission}/bin/transmission-daemon {

     

       
366
       
366
       
-
       
          include <abstractions/base>

     

       
367
       
367
       
-
       
          include <abstractions/nameservice>

     

       
368
       
368
       
-
       


     

       
369
       
369
       
-
       
          # NOTE: https://github.com/NixOS/nixpkgs/pull/93457

     

       
370
       
370
       
-
       
          # will remove the need for these by fixing <abstractions/base>

     

       
371
       
371
       
-
       
          r ${etc."hosts".source},

     

       
372
       
372
       
-
       
          r /etc/ld-nix.so.preload,

     

       
373
       
373
       
-
       
          ${lib.optionalString (builtins.hasAttr "ld-nix.so.preload" etc) ''

     

       
374
       
374
       
-
       
            r ${etc."ld-nix.so.preload".source},

     

       
375
       
375
       
-
       
            ${concatMapStrings (p: optionalString (p != "") ("mr ${p},\n"))

     

       
376
       
376
       
-
       
              (splitString "\n" config.environment.etc."ld-nix.so.preload".text)}

     

       
377
       
377
       
-
       
          ''}

     

       
378
       
378
       
-
       
          r ${etc."ssl/certs/ca-certificates.crt".source},

     

       
379
       
379
       
-
       
          r ${pkgs.tzdata}/share/zoneinfo/**,

     

       
380
       
380
       
-
       
          r ${pkgs.stdenv.cc.libc}/share/i18n/**,

     

       
381
       
381
       
-
       
          r ${pkgs.stdenv.cc.libc}/share/locale/**,

     

       
382
       
382
       
-
       


     

       
383
       
383
       
-
       
          mr ${getLib pkgs.stdenv.cc.cc}/lib/*.so*,

     

       
384
       
384
       
-
       
          mr ${getLib pkgs.stdenv.cc.libc}/lib/*.so*,

     

       
385
       
385
       
-
       
          mr ${getLib pkgs.attr}/lib/libattr*.so*,

     

       
386
       
386
       
-
       
          mr ${getLib pkgs.c-ares}/lib/libcares*.so*,

     

       
387
       
387
       
-
       
          mr ${getLib pkgs.curl}/lib/libcurl*.so*,

     

       
388
       
388
       
-
       
          mr ${getLib pkgs.keyutils}/lib/libkeyutils*.so*,

     

       
389
       
389
       
-
       
          mr ${getLib pkgs.libcap}/lib/libcap*.so*,

     

       
390
       
390
       
-
       
          mr ${getLib pkgs.libevent}/lib/libevent*.so*,

     

       
391
       
391
       
-
       
          mr ${getLib pkgs.libgcrypt}/lib/libgcrypt*.so*,

     

       
392
       
392
       
-
       
          mr ${getLib pkgs.libgpgerror}/lib/libgpg-error*.so*,

     

       
393
       
393
       
-
       
          mr ${getLib pkgs.libkrb5}/lib/lib*.so*,

     

       
394
       
394
       
-
       
          mr ${getLib pkgs.libssh2}/lib/libssh2*.so*,

     

       
395
       
395
       
-
       
          mr ${getLib pkgs.lz4}/lib/liblz4*.so*,

     

       
396
       
396
       
-
       
          mr ${getLib pkgs.nghttp2}/lib/libnghttp2*.so*,

     

       
397
       
397
       
-
       
          mr ${getLib pkgs.openssl}/lib/libcrypto*.so*,

     

       
398
       
398
       
-
       
          mr ${getLib pkgs.openssl}/lib/libssl*.so*,

     

       
399
       
399
       
-
       
          mr ${getLib pkgs.systemd}/lib/libsystemd*.so*,

     

       
400
       
400
       
-
       
          mr ${getLib pkgs.util-linuxMinimal.out}/lib/libblkid.so*,

     

       
401
       
401
       
-
       
          mr ${getLib pkgs.util-linuxMinimal.out}/lib/libmount.so*,

     

       
402
       
402
       
-
       
          mr ${getLib pkgs.util-linuxMinimal.out}/lib/libuuid.so*,

     

       
403
       
403
       
-
       
          mr ${getLib pkgs.xz}/lib/liblzma*.so*,

     

       
404
       
404
       
-
       
          mr ${getLib pkgs.zlib}/lib/libz*.so*,

     

       
405
       
405
       
-
       


     

       
406
       
406
       
-
       
          r @{PROC}/sys/kernel/random/uuid,

     

       
407
       
407
       
-
       
          r @{PROC}/sys/vm/overcommit_memory,

     

       
408
       
408
       
-
       
          # @{pid} is not a kernel variable yet but a regexp

     

       
409
       
409
       
-
       
          #r @{PROC}/@{pid}/environ,

     

       
410
       
410
       
-
       
          r @{PROC}/@{pid}/mounts,

     

       
411
       
411
       
-
       
          rwk /tmp/tr_session_id_*,

     

       
412
       
412
       
-
       
          r /run/systemd/resolve/stub-resolv.conf,

     

       
413
       
413
       
-
       


     

       
414
       
414
       
-
       
          r ${pkgs.openssl.out}/etc/**,

     

       
415
       
415
       
-
       
          r ${config.systemd.services.transmission.environment.CURL_CA_BUNDLE},

     

       
416
       
416
       
-
       
          r ${pkgs.transmission}/share/transmission/**,

     

       
361
       
361
       
+
       
    security.apparmor.policies."bin.transmission-daemon".profile = ''

     

       
362
       
362
       
+
       
      include "${pkgs.transmission.apparmor}/bin.transmission-daemon"

     

       
363
       
363
       
+
       
    '';

     

       
364
       
364
       
+
       
    security.apparmor.includes."local/bin.transmission-daemon" = ''

     

       
365
       
365
       
+
       
      r ${config.systemd.services.transmission.environment.CURL_CA_BUNDLE},

     

       
417
       
366
       
 
       


     

       
418
       
418
       
-
       
          owner rw ${cfg.home}/${settingsDir}/**,

     

       
419
       
419
       
-
       
          rw ${cfg.settings.download-dir}/**,

     

       
420
       
420
       
-
       
          ${optionalString cfg.settings.incomplete-dir-enabled ''

     

       
421
       
421
       
-
       
            rw ${cfg.settings.incomplete-dir}/**,

     

       
422
       
422
       
-
       
          ''}

     

       
423
       
423
       
-
       
          ${optionalString cfg.settings.watch-dir-enabled ''

     

       
424
       
424
       
-
       
            rw ${cfg.settings.watch-dir}/**,

     

       
425
       
425
       
-
       
          ''}

     

       
426
       
426
       
-
       
          profile dirs {

     

       
427
       
427
       
-
       
            rw ${cfg.settings.download-dir}/**,

     

       
428
       
428
       
-
       
            ${optionalString cfg.settings.incomplete-dir-enabled ''

     

       
429
       
429
       
-
       
              rw ${cfg.settings.incomplete-dir}/**,

     

       
430
       
430
       
-
       
            ''}

     

       
431
       
431
       
-
       
            ${optionalString cfg.settings.watch-dir-enabled ''

     

       
432
       
432
       
-
       
              rw ${cfg.settings.watch-dir}/**,

     

       
433
       
433
       
-
       
            ''}

     

       
434
       
434
       
-
       
          }

     

       
435
       
435
       
-
       


     

       
436
       
436
       
-
       
          ${optionalString (cfg.settings.script-torrent-done-enabled &&

     

       
437
       
437
       
-
       
                            cfg.settings.script-torrent-done-filename != "") ''

     

       
438
       
438
       
-
       
            # Stack transmission_directories profile on top of

     

       
439
       
439
       
-
       
            # any existing profile for script-torrent-done-filename

     

       
440
       
440
       
-
       
            # FIXME: to be tested as I'm not sure it works well with NoNewPrivileges=

     

       
441
       
441
       
-
       
            # https://gitlab.com/apparmor/apparmor/-/wikis/AppArmorStacking#seccomp-and-no_new_privs

     

       
442
       
442
       
-
       
            px ${cfg.settings.script-torrent-done-filename} -> &@{dirs},

     

       
443
       
443
       
-
       
          ''}

     

       
367
       
367
       
+
       
      owner rw ${cfg.home}/${settingsDir}/**,

     

       
368
       
368
       
+
       
      rw ${cfg.settings.download-dir}/**,

     

       
369
       
369
       
+
       
      ${optionalString cfg.settings.incomplete-dir-enabled ''

     

       
370
       
370
       
+
       
        rw ${cfg.settings.incomplete-dir}/**,

     

       
371
       
371
       
+
       
      ''}

     

       
372
       
372
       
+
       
      ${optionalString cfg.settings.watch-dir-enabled ''

     

       
373
       
373
       
+
       
        rw ${cfg.settings.watch-dir}/**,

     

       
374
       
374
       
+
       
      ''}

     

       
375
       
375
       
+
       
      profile dirs {

     

       
376
       
376
       
+
       
        rw ${cfg.settings.download-dir}/**,

     

       
377
       
377
       
+
       
        ${optionalString cfg.settings.incomplete-dir-enabled ''

     

       
378
       
378
       
+
       
          rw ${cfg.settings.incomplete-dir}/**,

     

       
379
       
379
       
+
       
        ''}

     

       
380
       
380
       
+
       
        ${optionalString cfg.settings.watch-dir-enabled ''

     

       
381
       
381
       
+
       
          rw ${cfg.settings.watch-dir}/**,

     

       
382
       
382
       
+
       
        ''}

     

       
383
       
383
       
+
       
      }

     

       
444
       
384
       
 
       


     

       
445
       
445
       
-
       
          # FIXME: enable customizing using https://github.com/NixOS/nixpkgs/pull/93457

     

       
446
       
446
       
-
       
          # include <local/transmission-daemon>

     

       
447
       
447
       
-
       
        }

     

       
448
       
448
       
-
       
      '')

     

       
449
       
449
       
-
       
    ];

     

       
385
       
385
       
+
       
      ${optionalString (cfg.settings.script-torrent-done-enabled &&

     

       
386
       
386
       
+
       
                        cfg.settings.script-torrent-done-filename != "") ''

     

       
387
       
387
       
+
       
        # Stack transmission_directories profile on top of

     

       
388
       
388
       
+
       
        # any existing profile for script-torrent-done-filename

     

       
389
       
389
       
+
       
        # FIXME: to be tested as I'm not sure it works well with NoNewPrivileges=

     

       
390
       
390
       
+
       
        # https://gitlab.com/apparmor/apparmor/-/wikis/AppArmorStacking#seccomp-and-no_new_privs

     

       
391
       
391
       
+
       
        px ${cfg.settings.script-torrent-done-filename} -> &@{dirs},

     

       
392
       
392
       
+
       
      ''}

     

       
393
       
393
       
+
       
    '';

     

       
450
       
394
       
 
       
  };

     

       
451
       
395
       
 
       


     

       
452
       
396
       
 
       
  meta.maintainers = with lib.maintainers; [ julm ];

     

···

       
1111
       
1111
       
 
       
    } else {

     

       
1112
       
1112
       
 
       
      ping.source = "${pkgs.iputils.out}/bin/ping";

     

       
1113
       
1113
       
 
       
    };

     

       
1114
       
1114
       
+
       
    security.apparmor.policies."bin.ping".profile = lib.mkIf config.security.apparmor.policies."bin.ping".enable (lib.mkAfter ''

     

       
1115
       
1115
       
+
       
      /run/wrappers/bin/ping {

     

       
1116
       
1116
       
+
       
        include <abstractions/base>

     

       
1117
       
1117
       
+
       
        include <nixos/security.wrappers>

     

       
1118
       
1118
       
+
       
        rpx /run/wrappers/wrappers.*/ping,

     

       
1119
       
1119
       
+
       
      }

     

       
1120
       
1120
       
+
       
      /run/wrappers/wrappers.*/ping {

     

       
1121
       
1121
       
+
       
        include <abstractions/base>

     

       
1122
       
1122
       
+
       
        include <nixos/security.wrappers>

     

       
1123
       
1123
       
+
       
        r /run/wrappers/wrappers.*/ping.real,

     

       
1124
       
1124
       
+
       
        mrpx ${config.security.wrappers.ping.source},

     

       
1125
       
1125
       
+
       
        capability net_raw,

     

       
1126
       
1126
       
+
       
        capability setpcap,

     

       
1127
       
1127
       
+
       
      }

     

       
1128
       
1128
       
+
       
    '');

     

       
1114
       
1129
       
 
       


     

       
1115
       
1130
       
 
       
    # Set the host and domain names in the activation script.  Don't

     

       
1116
       
1131
       
 
       
    # clear it if it's not configured in the NixOS configuration,

     

···

       
74
       
74
       
 
       
    systemd.tmpfiles.rules = [ "d /var/lib/lxc/rootfs 0755 root root -" ];

     

       
75
       
75
       
 
       


     

       
76
       
76
       
 
       
    security.apparmor.packages = [ pkgs.lxc ];

     

       
77
       
77
       
-
       
    security.apparmor.profiles = [

     

       
78
       
78
       
-
       
      "${pkgs.lxc}/etc/apparmor.d/lxc-containers"

     

       
79
       
79
       
-
       
      "${pkgs.lxc}/etc/apparmor.d/usr.bin.lxc-start"

     

       
80
       
80
       
-
       
    ];

     

       
77
       
77
       
+
       
    security.apparmor.policies = {

     

       
78
       
78
       
+
       
      "bin.lxc-start".profile = ''

     

       
79
       
79
       
+
       
        include ${pkgs.lxc}/etc/apparmor.d/usr.bin.lxc-start

     

       
80
       
80
       
+
       
      '';

     

       
81
       
81
       
+
       
      "lxc-containers".profile = ''

     

       
82
       
82
       
+
       
        include ${pkgs.lxc}/etc/apparmor.d/lxc-containers

     

       
83
       
83
       
+
       
      '';

     

       
84
       
84
       
+
       
    };

     

       
81
       
85
       
 
       
  };

     

       
82
       
86
       
 
       
}

     

···

       
97
       
97
       
 
       
    # does a bunch of unrelated things.

     

       
98
       
98
       
 
       
    systemd.tmpfiles.rules = [ "d /var/lib/lxc/rootfs 0755 root root -" ];

     

       
99
       
99
       
 
       


     

       
100
       
100
       
-
       
    security.apparmor.packages = [ cfg.lxcPackage ];

     

       
101
       
101
       
-
       
    security.apparmor.profiles = [

     

       
102
       
102
       
-
       
      "${cfg.lxcPackage}/etc/apparmor.d/lxc-containers"

     

       
103
       
103
       
-
       
      "${cfg.lxcPackage}/etc/apparmor.d/usr.bin.lxc-start"

     

       
104
       
104
       
-
       
    ];

     

       
100
       
100
       
+
       
    security.apparmor = {

     

       
101
       
101
       
+
       
      packages = [ cfg.lxcPackage ];

     

       
102
       
102
       
+
       
      policies = {

     

       
103
       
103
       
+
       
        "bin.lxc-start".profile = ''

     

       
104
       
104
       
+
       
          include ${cfg.lxcPackage}/etc/apparmor.d/usr.bin.lxc-start

     

       
105
       
105
       
+
       
        '';

     

       
106
       
106
       
+
       
        "lxc-containers".profile = ''

     

       
107
       
107
       
+
       
          include ${cfg.lxcPackage}/etc/apparmor.d/lxc-containers

     

       
108
       
108
       
+
       
        '';

     

       
109
       
109
       
+
       
      };

     

       
110
       
110
       
+
       
    };

     

       
105
       
111
       
 
       


     

       
106
       
112
       
 
       
    # TODO: remove once LXD gets proper support for cgroupsv2

     

       
107
       
113
       
 
       
    # (currently most of the e.g. CPU accounting stuff doesn't work)

     

···

       
25
       
25
       
 
       
  acme = handleTest ./acme.nix {};

     

       
26
       
26
       
 
       
  agda = handleTest ./agda.nix {};

     

       
27
       
27
       
 
       
  ammonite = handleTest ./ammonite.nix {};

     

       
28
       
28
       
+
       
  apparmor = handleTest ./apparmor.nix {};

     

       
28
       
29
       
 
       
  atd = handleTest ./atd.nix {};

     

       
29
       
30
       
 
       
  avahi = handleTest ./avahi.nix {};

     

       
30
       
31
       
 
       
  avahi-with-resolved = handleTest ./avahi.nix { networkd = true; };

     

···

       
1
       
1
       
+
       
import ./make-test-python.nix ({ pkgs, ... } : {

     

       
2
       
2
       
+
       
  name = "apparmor";

     

       
3
       
3
       
+
       
  meta = with pkgs.lib.maintainers; {

     

       
4
       
4
       
+
       
    maintainers = [ julm ];

     

       
5
       
5
       
+
       
  };

     

       
6
       
6
       
+
       


     

       
7
       
7
       
+
       
  machine =

     

       
8
       
8
       
+
       
    { lib, pkgs, config, ... }:

     

       
9
       
9
       
+
       
    with lib;

     

       
10
       
10
       
+
       
    {

     

       
11
       
11
       
+
       
      security.apparmor.enable = mkDefault true;

     

       
12
       
12
       
+
       
    };

     

       
13
       
13
       
+
       


     

       
14
       
14
       
+
       
  testScript =

     

       
15
       
15
       
+
       
    ''

     

       
16
       
16
       
+
       
      machine.wait_for_unit("multi-user.target")

     

       
17
       
17
       
+
       


     

       
18
       
18
       
+
       
      with subtest("AppArmor profiles are loaded"):

     

       
19
       
19
       
+
       
          machine.succeed("systemctl status apparmor.service")

     

       
20
       
20
       
+
       


     

       
21
       
21
       
+
       
      # AppArmor securityfs

     

       
22
       
22
       
+
       
      with subtest("AppArmor securityfs is mounted"):

     

       
23
       
23
       
+
       
          machine.succeed("mountpoint -q /sys/kernel/security")

     

       
24
       
24
       
+
       
          machine.succeed("cat /sys/kernel/security/apparmor/profiles")

     

       
25
       
25
       
+
       


     

       
26
       
26
       
+
       
      # Test apparmorRulesFromClosure by:

     

       
27
       
27
       
+
       
      # 1. Prepending a string of the relevant packages' name and version on each line.

     

       
28
       
28
       
+
       
      # 2. Sorting according to those strings.

     

       
29
       
29
       
+
       
      # 3. Removing those prepended strings.

     

       
30
       
30
       
+
       
      # 4. Using `diff` against the expected output.

     

       
31
       
31
       
+
       
      with subtest("apparmorRulesFromClosure"):

     

       
32
       
32
       
+
       
          machine.succeed(

     

       
33
       
33
       
+
       
              "${pkgs.diffutils}/bin/diff ${pkgs.writeText "expected.rules" ''

     

       
34
       
34
       
+
       
                  mr ${pkgs.bash}/lib/**.so*,

     

       
35
       
35
       
+
       
                  r ${pkgs.bash},

     

       
36
       
36
       
+
       
                  r ${pkgs.bash}/etc/**,

     

       
37
       
37
       
+
       
                  r ${pkgs.bash}/lib/**,

     

       
38
       
38
       
+
       
                  r ${pkgs.bash}/share/**,

     

       
39
       
39
       
+
       
                  x ${pkgs.bash}/foo/**,

     

       
40
       
40
       
+
       
                  mr ${pkgs.glibc}/lib/**.so*,

     

       
41
       
41
       
+
       
                  r ${pkgs.glibc},

     

       
42
       
42
       
+
       
                  r ${pkgs.glibc}/etc/**,

     

       
43
       
43
       
+
       
                  r ${pkgs.glibc}/lib/**,

     

       
44
       
44
       
+
       
                  r ${pkgs.glibc}/share/**,

     

       
45
       
45
       
+
       
                  x ${pkgs.glibc}/foo/**,

     

       
46
       
46
       
+
       
                  mr ${pkgs.libcap}/lib/**.so*,

     

       
47
       
47
       
+
       
                  r ${pkgs.libcap},

     

       
48
       
48
       
+
       
                  r ${pkgs.libcap}/etc/**,

     

       
49
       
49
       
+
       
                  r ${pkgs.libcap}/lib/**,

     

       
50
       
50
       
+
       
                  r ${pkgs.libcap}/share/**,

     

       
51
       
51
       
+
       
                  x ${pkgs.libcap}/foo/**,

     

       
52
       
52
       
+
       
                  mr ${pkgs.libcap.lib}/lib/**.so*,

     

       
53
       
53
       
+
       
                  r ${pkgs.libcap.lib},

     

       
54
       
54
       
+
       
                  r ${pkgs.libcap.lib}/etc/**,

     

       
55
       
55
       
+
       
                  r ${pkgs.libcap.lib}/lib/**,

     

       
56
       
56
       
+
       
                  r ${pkgs.libcap.lib}/share/**,

     

       
57
       
57
       
+
       
                  x ${pkgs.libcap.lib}/foo/**,

     

       
58
       
58
       
+
       
                  mr ${pkgs.libidn2.out}/lib/**.so*,

     

       
59
       
59
       
+
       
                  r ${pkgs.libidn2.out},

     

       
60
       
60
       
+
       
                  r ${pkgs.libidn2.out}/etc/**,

     

       
61
       
61
       
+
       
                  r ${pkgs.libidn2.out}/lib/**,

     

       
62
       
62
       
+
       
                  r ${pkgs.libidn2.out}/share/**,

     

       
63
       
63
       
+
       
                  x ${pkgs.libidn2.out}/foo/**,

     

       
64
       
64
       
+
       
                  mr ${pkgs.libunistring}/lib/**.so*,

     

       
65
       
65
       
+
       
                  r ${pkgs.libunistring},

     

       
66
       
66
       
+
       
                  r ${pkgs.libunistring}/etc/**,

     

       
67
       
67
       
+
       
                  r ${pkgs.libunistring}/lib/**,

     

       
68
       
68
       
+
       
                  r ${pkgs.libunistring}/share/**,

     

       
69
       
69
       
+
       
                  x ${pkgs.libunistring}/foo/**,

     

       
70
       
70
       
+
       
              ''} ${pkgs.runCommand "actual.rules" { preferLocalBuild = true; } ''

     

       
71
       
71
       
+
       
                  ${pkgs.gnused}/bin/sed -e 's:^[^ ]* ${builtins.storeDir}/[^,/-]*-\([^/,]*\):\1 \0:' ${

     

       
72
       
72
       
+
       
                      pkgs.apparmorRulesFromClosure {

     

       
73
       
73
       
+
       
                        name = "ping";

     

       
74
       
74
       
+
       
                        additionalRules = ["x $path/foo/**"];

     

       
75
       
75
       
+
       
                      } [ pkgs.libcap ]

     

       
76
       
76
       
+
       
                  } |

     

       
77
       
77
       
+
       
                  ${pkgs.coreutils}/bin/sort -n -k1 |

     

       
78
       
78
       
+
       
                  ${pkgs.gnused}/bin/sed -e 's:^[^ ]* ::' >$out

     

       
79
       
79
       
+
       
              ''}"

     

       
80
       
80
       
+
       
          )

     

       
81
       
81
       
+
       
    '';

     

       
82
       
82
       
+
       
})