author | Philipp Bartsch <phil@grmr.de> | 2023-07-01 22:37:14 +0200 |
---|---|---|
committer | Philipp Bartsch <phil@grmr.de> | 2023-07-08 00:53:27 +0200 |
commit | 0eabede44b064fb3da5026d4dc5f01fa4c1fd3cf | |
tree | 1c1fd1acdd00a52f83281c3b50df65f6d1455eb8 /nixos/modules/security/apparmor/includes.nix | |
parent | 4bc72cae107788bf3f24f30db2e2f685c9298dc9 | |
nixos/apparmor: make abstractions/ssl_certs more go friendly
By default golang's crypto/x509 implementation wants to read /etc/pki/tls/certs/ when loading system certificates. This patch adds the path to reduce audit log noise.

Relevant code:
- https://github.com/golang/go/blob/go1.20.5/src/crypto/x509/root_unix.go#L32-L82
- https://github.com/golang/go/blob/go1.20.5/src/crypto/x509/root_linux.go#L17-L22
Diffstat (limited to 'nixos/modules/security/apparmor/includes.nix')
-rw-r--r-- | nixos/modules/security/apparmor/includes.nix | 2 |
1 files changed, 2 insertions, 0 deletions
diff --git a/nixos/modules/security/apparmor/includes.nix b/nixos/modules/security/apparmor/includes.nix index adfca04426c..7711f1fdb7e 100644 --- a/nixos/modules/security/apparmor/includes.nix +++ b/nixos/modules/security/apparmor/includes.nix @@ -279,6 +279,8 @@ config.security.apparmor.includes = { r /var/lib/acme/*/chain.pem, r /var/lib/acme/*/fullchain.pem, + r /etc/pki/tls/certs/, + '' + lib.concatMapStringsSep "\n" etcRule [ "ssl/certs/ca-certificates.crt" "ssl/certs/ca-bundle.crt" |
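Review bot: the added `r /etc/pki/tls/certs/,` rule has no comment explaining why it is there, and the reason (Go's crypto/x509 probing that directory when loading system roots) is recorded only in the commit message, so a later cleanup of the abstraction could drop it as an unused path. A one-line comment above the rule would keep the rationale next to the policy. The trailing slash also means the rule grants read on the directory itself and not on any file inside it; that is the narrowest grant that quiets the directory lookup, but if the directory is ever populated, reads of its entries would still be denied and logged, so the comment should say the directory-only scope is intentional. Finally, the rule is written as a literal `/etc/...` path while the entries directly after it are passed through `etcRule` as paths relative to `/etc`; please confirm the literal form is deliberate and that the directory does not need whatever handling `etcRule` applies to the other certificate paths.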