commit e87b9b1f3e4c5d4587fd05f5b1213be74d904a42 · pyrox.dev/nixpkgs

nixos/doc/manual/release-notes/rl-2505.section.md

···

       162
        
         | virtualBoxOVA            | virtualbox-vagrant.box                                     | nixos-image-vagrant-virtualbox-25.05pre-git-x86_64-linux.ova    |

     

       163
        
         | vmwareImage              | nixos-25.05pre-git-x86_64-linux.vmdk                       | nixos-image-vmware-25.05pre-git-x86_64-linux.vmdk               |

     

       164
        
       

     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       165
        
       - the notmuch vim plugin now lives in a separate output of the `notmuch`

     

       166
        
         package. Installing `notmuch` will not bring the notmuch vim package anymore,

     

       167
        
         add `vimPlugins.notmuch-vim` to your (Neo)vim configuration if you want the

···

       162
        
         | virtualBoxOVA            | virtualbox-vagrant.box                                     | nixos-image-vagrant-virtualbox-25.05pre-git-x86_64-linux.ova    |

     

       163
        
         | vmwareImage              | nixos-25.05pre-git-x86_64-linux.vmdk                       | nixos-image-vmware-25.05pre-git-x86_64-linux.vmdk               |

     

       164
        
       

     

       165
       +
       - `security.apparmor.policies.<name>.enforce` and `security.apparmor.policies.<name>.enable` were removed.

     

       166
       +
         Configuring the state of apparmor policies must now be done using `security.apparmor.policies.<name>.state` tristate option.

     

       167
       +
       

     

       168
        
       - the notmuch vim plugin now lives in a separate output of the `notmuch`

     

       169
        
         package. Installing `notmuch` will not bring the notmuch vim package anymore,

     

       170
        
         add `vimPlugins.notmuch-vim` to your (Neo)vim configuration if you want the

+58 -40

nixos/modules/security/apparmor.nix

···

       5
        
         ...

     

       6
        
       }:

     

       7
        
       let

     

       8
       -
         inherit (builtins)

     

       9
       -
           attrNames

     

       10
       -
           head

     

       11
       -
           map

     

       12
       -
           match

     

       13
       -
           readFile

     

       14
       -
           ;

     

       15
        
         inherit (lib) types;

     

       16
        
         inherit (config.environment) etc;

     

       17
        
         cfg = config.security.apparmor;

     

       18
       -
         mkDisableOption =

     

       19
       -
           name:

     

       20
       -
           lib.mkEnableOption name

     

       21
       -
           // {

     

       22
       -
             default = true;

     

       23
       -
             example = false;

     

       24
       -
           };

     

       25
       -
         enabledPolicies = lib.filterAttrs (n: p: p.enable) cfg.policies;

     

       26
        
       in

     

       27
        
       

     

       28
        
       {

     
···

       31
        
             "security"

     

       32
        
             "apparmor"

     

       33
        
             "confineSUIDApplications"

     

       34
       -
           ] "Please use the new options: `security.apparmor.policies.<policy>.enable'.")

     

       35
        
           (lib.mkRemovedOptionModule [

     

       36
        
             "security"

     

       37
        
             "apparmor"

     
···

       65
        
                 AppArmor policies.

     

       66
        
               '';

     

       67
        
               type = types.attrsOf (

     

       68
       -
                 types.submodule (

     

       69
       -
                   { name, config, ... }:

     

       70
       -
                   {

     

       71
       -
                     options = {

     

       72
       -
                       enable = mkDisableOption "loading of the profile into the kernel";

     

       73
       -
                       enforce = mkDisableOption "enforcing of the policy or only complain in the logs";

     

       74
       -
                       profile = lib.mkOption {

     

       75
       -
                         description = "The policy of the profile.";

     

       76
       -
                         type = types.lines;

     

       77
       -
                         apply = pkgs.writeText name;

     

       78
       -
                       };

     

       0
        
       
     

       79
        
                     };

     

       80
       -
                   }

     

       81
       -
                 )

     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       82
        
               );

     

       83
        
               default = { };

     

       84
        
             };

     
···

       117
        
         };

     

       118
        
       

     

       119
        
         config = lib.mkIf cfg.enable {

     

       120
       -
           assertions = map (policy: {

     

       121
       -
             assertion = match ".*/.*" policy == null;

     

       122
       -
             message = "`security.apparmor.policies.\"${policy}\"' must not contain a slash.";

     

       123
       -
             # Because, for instance, aa-remove-unknown uses profiles_names_list() in rc.apparmor.functions

     

       124
       -
             # which does not recurse into sub-directories.

     

       125
       -
           }) (attrNames cfg.policies);

     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       126
        
       

     

       127
        
           environment.systemPackages = [

     

       128
        
             pkgs.apparmor-utils

     
···

       133
        
             # because aa-remove-unknown reads profiles from all /etc/apparmor.d/*

     

       134
        
             lib.mapAttrsToList (name: p: {

     

       135
        
               inherit name;

     

       136
       -
               path = p.profile;

     

       137
        
             }) enabledPolicies

     

       138
        
             ++ lib.mapAttrsToList (name: path: { inherit name path; }) cfg.includes

     

       139
        
           );

     
···

       226
        
                   kill

     

       227
        
                 '';

     

       228
        
                 commonOpts =

     

       229
       -
                   p: "--verbose --show-cache ${lib.optionalString (!p.enforce) "--complain "}${p.profile}";

     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       230
        
               in

     

       231
        
               {

     

       232
        
                 Type = "oneshot";

     

       233
        
                 RemainAfterExit = "yes";

     

       234
        
                 ExecStartPre = "${pkgs.apparmor-utils}/bin/aa-teardown";

     

       235
        
                 ExecStart = lib.mapAttrsToList (

     

       236
       -
                   n: p: "${pkgs.apparmor-parser}/bin/apparmor_parser --add ${commonOpts p}"

     

       237
        
                 ) enabledPolicies;

     

       238
        
                 ExecStartPost = lib.optional cfg.killUnconfinedConfinables killUnconfinedConfinables;

     

       239
        
                 ExecReload =

     

       240
        
                   # Add or replace into the kernel profiles in enabledPolicies

     

       241
        
                   # (because AppArmor can do that without stopping the processes already confined).

     

       242
        
                   lib.mapAttrsToList (

     

       243
       -
                     n: p: "${pkgs.apparmor-parser}/bin/apparmor_parser --replace ${commonOpts p}"

     

       244
        
                   ) enabledPolicies

     

       245
        
                   ++

     

       246
        
                     # Remove from the kernel any profile whose name is not

     
···

       262
        
           };

     

       263
        
         };

     

       264
        
       

     

       265
       -
         meta.maintainers = with lib.maintainers; [ julm grimmauld ];

     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       266
        
       }

···

       5
        
         ...

     

       6
        
       }:

     

       7
        
       let

     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       8
        
         inherit (lib) types;

     

       9
        
         inherit (config.environment) etc;

     

       10
        
         cfg = config.security.apparmor;

     

       11
       +
         enabledPolicies = lib.filterAttrs (n: p: p.state != "disable") cfg.policies;

     

       12
       +
         buildPolicyPath = n: p: lib.defaultTo (pkgs.writeText n p.profile) p.path;

     

       13
       +
       

     

       14
       +
         # Accessing submodule options when not defined results in an error thunk rather than a regular option object

     

       15
       +
         # We can emulate the behavior of `<option>.isDefined` by attempting to evaluate it instead

     

       16
       +
         # This is required because getting isDefined on a submodule is not possible in global module asserts.

     

       17
       +
         submoduleOptionIsDefined = value: (builtins.tryEval value).success;

     

       0
        
       
     

       18
        
       in

     

       19
        
       

     

       20
        
       {

     
···

       23
        
             "security"

     

       24
        
             "apparmor"

     

       25
        
             "confineSUIDApplications"

     

       26
       +
           ] "Please use the new options: `security.apparmor.policies.<policy>.state'.")

     

       27
        
           (lib.mkRemovedOptionModule [

     

       28
        
             "security"

     

       29
        
             "apparmor"

     
···

       57
        
                 AppArmor policies.

     

       58
        
               '';

     

       59
        
               type = types.attrsOf (

     

       60
       +
                 types.submodule {

     

       61
       +
                   options = {

     

       62
       +
                     state = lib.mkOption {

     

       63
       +
                       description = "How strictly this policy should be enforced";

     

       64
       +
                       type = types.enum [

     

       65
       +
                         "disable"

     

       66
       +
                         "complain"

     

       67
       +
                         "enforce"

     

       68
       +
                       ];

     

       69
       +
                       # should enforce really be the default?

     

       70
       +
                       # the docs state that this should only be used once one is REALLY sure nothing's gonna break

     

       71
       +
                       default = "enforce";

     

       72
        
                     };

     

       73
       +
       

     

       74
       +
                     profile = lib.mkOption {

     

       75
       +
                       description = "The profile file contents. Incompatible with path.";

     

       76
       +
                       type = types.lines;

     

       77
       +
                     };

     

       78
       +
       

     

       79
       +
                     path = lib.mkOption {

     

       80
       +
                       description = "A path of a profile file to include. Incompatible with profile.";

     

       81
       +
                       type = types.nullOr types.path;

     

       82
       +
                       default = null;

     

       83
       +
                     };

     

       84
       +
                   };

     

       85
       +
                 }

     

       86
        
               );

     

       87
        
               default = { };

     

       88
        
             };

     
···

       121
        
         };

     

       122
        
       

     

       123
        
         config = lib.mkIf cfg.enable {

     

       124
       +
           assertions = lib.concatLists (

     

       125
       +
             lib.mapAttrsToList (policyName: policyCfg: [

     

       126
       +
               {

     

       127
       +
                 assertion = builtins.match ".*/.*" policyName == null;

     

       128
       +
                 message = "`security.apparmor.policies.\"${policyName}\"' must not contain a slash.";

     

       129
       +
                 # Because, for instance, aa-remove-unknown uses profiles_names_list() in rc.apparmor.functions

     

       130
       +
                 # which does not recurse into sub-directories.

     

       131
       +
               }

     

       132
       +
               {

     

       133
       +
                 assertion = lib.xor (policyCfg.path != null) (submoduleOptionIsDefined policyCfg.profile);

     

       134
       +
                 message = "`security.apparmor.policies.\"${policyName}\"` must define exactly one of either path or profile.";

     

       135
       +
               }

     

       136
       +
             ]) cfg.policies

     

       137
       +
           );

     

       138
        
       

     

       139
        
           environment.systemPackages = [

     

       140
        
             pkgs.apparmor-utils

     
···

       145
        
             # because aa-remove-unknown reads profiles from all /etc/apparmor.d/*

     

       146
        
             lib.mapAttrsToList (name: p: {

     

       147
        
               inherit name;

     

       148
       +
               path = buildPolicyPath name p;

     

       149
        
             }) enabledPolicies

     

       150
        
             ++ lib.mapAttrsToList (name: path: { inherit name path; }) cfg.includes

     

       151
        
           );

     
···

       238
        
                   kill

     

       239
        
                 '';

     

       240
        
                 commonOpts =

     

       241
       +
                   n: p:

     

       242
       +
                   "--verbose --show-cache ${

     

       243
       +
                     lib.optionalString (p.state == "complain") "--complain "

     

       244
       +
                   }${buildPolicyPath n p}";

     

       245
        
               in

     

       246
        
               {

     

       247
        
                 Type = "oneshot";

     

       248
        
                 RemainAfterExit = "yes";

     

       249
        
                 ExecStartPre = "${pkgs.apparmor-utils}/bin/aa-teardown";

     

       250
        
                 ExecStart = lib.mapAttrsToList (

     

       251
       +
                   n: p: "${pkgs.apparmor-parser}/bin/apparmor_parser --add ${commonOpts n p}"

     

       252
        
                 ) enabledPolicies;

     

       253
        
                 ExecStartPost = lib.optional cfg.killUnconfinedConfinables killUnconfinedConfinables;

     

       254
        
                 ExecReload =

     

       255
        
                   # Add or replace into the kernel profiles in enabledPolicies

     

       256
        
                   # (because AppArmor can do that without stopping the processes already confined).

     

       257
        
                   lib.mapAttrsToList (

     

       258
       +
                     n: p: "${pkgs.apparmor-parser}/bin/apparmor_parser --replace ${commonOpts n p}"

     

       259
        
                   ) enabledPolicies

     

       260
        
                   ++

     

       261
        
                     # Remove from the kernel any profile whose name is not

     
···

       277
        
           };

     

       278
        
         };

     

       279
        
       

     

       280
       +
         meta.maintainers = with lib.maintainers; [

     

       281
       +
           julm

     

       282
       +
           grimmauld

     

       283
       +
         ];

     

       284
        
       }