authorPhilipp Bartsch <phil@grmr.de>2023-07-08 02:18:34 +0200
committerPhilipp Bartsch <phil@grmr.de>2023-07-13 11:10:39 +0200
commitced170c030a409f8e21a7c1e20bced6a9397c1d2 (patch)
tree98a0fbf0e24e20b801115a4d4a6869e7e84ca173
parent125617826334fbf6be4f4f0e312f40b137bcb932 (diff)
nixos/miniflux: add apparmor policy
This change also extends the test to ensure that normal operations
aren't denied.
-rw-r--r--nixos/modules/services/web-apps/miniflux.nix12
-rw-r--r--nixos/tests/miniflux.nix6
2 files changed, 18 insertions, 0 deletions
diff --git a/nixos/modules/services/web-apps/miniflux.nix b/nixos/modules/services/web-apps/miniflux.nix
index 7cc8ce10ffe..3374c746ad3 100644
--- a/nixos/modules/services/web-apps/miniflux.nix
+++ b/nixos/modules/services/web-apps/miniflux.nix
@@ -130,5 +130,17 @@ in
       environment = cfg.config;
     };
     environment.systemPackages = [ cfg.package ];
+
+    security.apparmor.policies."bin.miniflux".profile = ''
+      include <tunables/global>
+      ${cfg.package}/bin/miniflux {
+        include <abstractions/base>
+        include <abstractions/nameservice>
+        include <abstractions/ssl_certs>
+        include "${pkgs.apparmorRulesFromClosure { name = "miniflux"; } cfg.package}"
+        r ${cfg.package}/bin/miniflux,
+        r @{sys}/kernel/mm/transparent_hugepage/hpage_pmd_size,
+      }
+    '';
   };
 }
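Review bot: The profile body under `security.apparmor.policies."bin.miniflux".profile` carries no explicit `network` rule, although the service has to open outbound HTTP(S) sockets to fetch feeds; as far as I recall, those sockets are only permitted here because `abstractions/nameservice` (included for NSS lookups) brings `network inet stream,` / `network inet6 stream,` along with it, so feed fetching would start producing DENIED records if that abstraction were ever tightened. Stating the service's own requirement next to the file rules, `network inet stream,` and `network inet6 stream,`, keeps the profile self-describing and independent of what the abstraction happens to grant. Note also that this hunk only registers the policy; nothing here sets `security.apparmor.enable`, so the profile is inert until the host enables AppArmor (which is why the test enables it on every node), and a one-line comment above the attribute, `# Only takes effect when security.apparmor.enable is set on the host.`, would spare the next reader that discovery. The enclosing config attribute set starts outside the hunk.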
diff --git a/nixos/tests/miniflux.nix b/nixos/tests/miniflux.nix
index be3e7abb6ab..a3af53db0e7 100644
--- a/nixos/tests/miniflux.nix
+++ b/nixos/tests/miniflux.nix
@@ -25,6 +25,7 @@ in
     default =
       { ... }:
       {
+        security.apparmor.enable = true;
         services.miniflux = {
           enable = true;
           inherit adminCredentialsFile;
@@ -34,6 +35,7 @@ in
     withoutSudo =
       { ... }:
       {
+        security.apparmor.enable = true;
         services.miniflux = {
           enable = true;
           inherit adminCredentialsFile;
@@ -44,6 +46,7 @@ in
     customized =
       { ... }:
       {
+        security.apparmor.enable = true;
         services.miniflux = {
           enable = true;
           config = {
@@ -63,6 +66,7 @@ in
     default.succeed(
         "curl 'http://localhost:${toString defaultPort}/v1/me' -u '${defaultUsername}:${defaultPassword}' -H Content-Type:application/json | grep '\"is_admin\":true'"
     )
+    default.fail('journalctl -b --no-pager --grep "^audit: .*apparmor=\\"DENIED\\""')
 
     withoutSudo.wait_for_unit("miniflux.service")
     withoutSudo.wait_for_open_port(${toString defaultPort})
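Review bot: The added `default.fail('journalctl ... apparmor=\"DENIED\"')` only shows that no denial was logged; it passes just as well when the miniflux profile was never loaded or is not enforcing, so by itself it does not confirm that the service is confined. Pair it with a positive check that the profile is active, for example `default.succeed("grep -q miniflux /sys/kernel/security/apparmor/profiles")` (assuming securityfs is mounted at its usual place in the test VM). The grep pattern also matches a DENIED record from any profile on the node, so an unrelated denial would fail this test for the wrong reason; narrowing it to records that mention the miniflux profile name would localize the check. The same applies to the `withoutSudo.fail(...)` and `customized.fail(...)` lines in the two hunks below.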
@@ -70,6 +74,7 @@ in
     withoutSudo.succeed(
         "curl 'http://localhost:${toString defaultPort}/v1/me' -u '${defaultUsername}:${defaultPassword}' -H Content-Type:application/json | grep '\"is_admin\":true'"
     )
+    withoutSudo.fail('journalctl -b --no-pager --grep "^audit: .*apparmor=\\"DENIED\\""')
 
     customized.wait_for_unit("miniflux.service")
     customized.wait_for_open_port(${toString port})
@@ -77,5 +82,6 @@ in
     customized.succeed(
         "curl 'http://localhost:${toString port}/v1/me' -u '${username}:${password}' -H Content-Type:application/json | grep '\"is_admin\":true'"
     )
+    customized.fail('journalctl -b --no-pager --grep "^audit: .*apparmor=\\"DENIED\\""')
   '';
 })