authorTony Olagbaiye <me@fron.io>2020-12-03 13:45:43 +0000
committerJulien Moutinho <julm+nixpkgs@sourcephile.fr>2021-04-23 07:17:55 +0200
commitfca06b142a92ce9aaca6f0a1759de719cfa42d68 (patch)
tree01114465e42fdf9843ca0b47fd67a51641839cef /nixos/modules/security/apparmor.nix
parent05d334cfe265f021b16c41375e3e5a4c4a07fc74 (diff)
nixos/apparmor: remove an IFD
First because IFD (import-from-derivation) is not allowed on hydra.nixos.org,
and second because without https://github.com/NixOS/hydra/pull/825
hydra-eval-jobs crashes instead of skipping aggregated jobs which fail
(here because they required an IFD).
Diffstat (limited to 'nixos/modules/security/apparmor.nix')
-rw-r--r--nixos/modules/security/apparmor.nix52
1 files changed, 29 insertions, 23 deletions
diff --git a/nixos/modules/security/apparmor.nix b/nixos/modules/security/apparmor.nix
index 3bf1e0fefc3..f5d5e4a9fd1 100644
--- a/nixos/modules/security/apparmor.nix
+++ b/nixos/modules/security/apparmor.nix
@@ -111,33 +111,39 @@ in
     '';
     # For aa-logprof
     environment.etc."apparmor/severity.db".source = pkgs.apparmor-utils + "/etc/apparmor/severity.db";
-    environment.etc."apparmor/logprof.conf".text = ''
-      [settings]
-        # /etc/apparmor.d/ is read-only on NixOS
-        profiledir = /var/cache/apparmor/logprof
-        inactive_profiledir = /etc/apparmor.d/disable
-        # Use: journalctl -b --since today --grep audit: | aa-logprof
-        logfiles = /dev/stdin
+    environment.etc."apparmor/logprof.conf".source = pkgs.runCommand "logprof.conf" {
+      header = ''
+        [settings]
+          # /etc/apparmor.d/ is read-only on NixOS
+          profiledir = /var/cache/apparmor/logprof
+          inactive_profiledir = /etc/apparmor.d/disable
+          # Use: journalctl -b --since today --grep audit: | aa-logprof
+          logfiles = /dev/stdin
 
-        parser = ${pkgs.apparmor-parser}/bin/apparmor_parser
-        ldd = ${pkgs.glibc.bin}/bin/ldd
-        logger = ${pkgs.utillinux}/bin/logger
+          parser = ${pkgs.apparmor-parser}/bin/apparmor_parser
+          ldd = ${pkgs.glibc.bin}/bin/ldd
+          logger = ${pkgs.utillinux}/bin/logger
 
-        # customize how file ownership permissions are presented
-        # 0 - off
-        # 1 - default of what ever mode the log reported
-        # 2 - force the new permissions to be user
-        # 3 - force all perms on the rule to be user
-        default_owner_prompt = 1
+          # customize how file ownership permissions are presented
+          # 0 - off
+          # 1 - default of what ever mode the log reported
+          # 2 - force the new permissions to be user
+          # 3 - force all perms on the rule to be user
+          default_owner_prompt = 1
 
-        custom_includes = /etc/apparmor.d ${lib.concatMapStringsSep " " (p: "${p}/etc/apparmor.d") cfg.packages}
+          custom_includes = /etc/apparmor.d ${lib.concatMapStringsSep " " (p: "${p}/etc/apparmor.d") cfg.packages}
 
-      [qualifiers]
-        ${pkgs.runtimeShell} = icnu
-        ${pkgs.bashInteractive}/bin/sh = icnu
-        ${pkgs.bashInteractive}/bin/bash = icnu
-    '' + head (match "^.*\\[qualifiers](.*)" # Drop the original [settings] section.
-                     (readFile "${pkgs.apparmor-utils}/etc/apparmor/logprof.conf"));
+        [qualifiers]
+          ${pkgs.runtimeShell} = icnu
+          ${pkgs.bashInteractive}/bin/sh = icnu
+          ${pkgs.bashInteractive}/bin/bash = icnu
+      '';
+      footer = "${pkgs.apparmor-utils}/etc/apparmor/logprof.conf";
+      passAsFile = [ "header" ];
+    } ''
+      cp $headerPath $out
+      sed -n '/\\[qualifiers\\]/,''${n;p}' $footer > $out
+    '';
 
     boot.kernelParams = [ "apparmor=1" "security=apparmor" ];