path: root/nixos/modules/security/apparmor/includes.nix
author: Philipp Bartsch <phil@grmr.de> 2023-07-01 22:37:14 +0200
committer: Philipp Bartsch <phil@grmr.de> 2023-07-08 00:53:27 +0200
commit: 0eabede44b064fb3da5026d4dc5f01fa4c1fd3cf (patch)
tree: 1c1fd1acdd00a52f83281c3b50df65f6d1455eb8 /nixos/modules/security/apparmor/includes.nix
parent: 4bc72cae107788bf3f24f30db2e2f685c9298dc9 (diff)
nixos/apparmor: make abstractions/ssl_certs more go friendly
By default golang's crypto/x509 implementation wants to read
/etc/pki/tls/certs/ when loading system certificates.

This patch adds the path to reduce audit log noise.

Relevant code:
- https://github.com/golang/go/blob/go1.20.5/src/crypto/x509/root_unix.go#L32-L82
- https://github.com/golang/go/blob/go1.20.5/src/crypto/x509/root_linux.go#L17-L22
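The commit message above describes Go's certificate-directory scan; the program below is an added example (not nixpkgs code and not the Go standard library's own implementation) that reproduces that scan in Go: list the directory, read every regular file in it, append the PEM blocks to a pool, and report which files were actually opened so the list can be compared against AppArmor audit entries. It ships with a constructed throw-away test CA so it runs offline. The function names LoadCertDir, CertDirs, WriteTestCA and Verified are assumptions of this example; the default directory list is copied from the linked root_linux.go.

```go
// Added example: mimic crypto/x509 root_unix.go's per-directory scan and show
// which file opens a confinement profile has to permit. Not nixpkgs or Go code.
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"os"
	"path/filepath"
	"time"
)

// CertDirs returns the directories a Go program scans for CA certificates:
// the colon-separated SSL_CERT_DIR when set, otherwise the Linux defaults from
// Go 1.20's root_linux.go (the second entry is the path the commit adds).
func CertDirs() []string {
	if d := os.Getenv("SSL_CERT_DIR"); d != "" {
		return filepath.SplitList(d)
	}
	return []string{"/etc/ssl/certs", "/etc/pki/tls/certs", "/system/etc/security/cacerts"}
}

// LoadCertDir appends every PEM certificate found in the regular files of dir
// to a new pool. It returns the pool, the files it actually opened and the
// error from listing the directory. As in Go, an unreadable file is skipped
// rather than fatal, which is why an AppArmor denial surfaces only as audit
// noise and not as a program failure.
func LoadCertDir(dir string) (*x509.CertPool, []string, error) {
	entries, err := os.ReadDir(dir) // needs "r" on the directory itself
	if err != nil {
		return nil, nil, err
	}
	pool := x509.NewCertPool()
	var opened []string
	for _, e := range entries {
		if e.IsDir() {
			continue
		}
		p := filepath.Join(dir, e.Name())
		data, err := os.ReadFile(p) // needs "r" on each file; a rule ending in "/" does not grant this
		if err != nil {
			continue
		}
		opened = append(opened, p)
		pool.AppendCertsFromPEM(data)
	}
	return pool, opened, nil
}

// WriteTestCA writes a constructed, throw-away self-signed CA certificate to
// dir/test-ca.pem so LoadCertDir can be exercised offline. It returns the
// parsed certificate so callers can verify it against the loaded pool.
func WriteTestCA(dir string) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "example-test-ca"}, // constructed name
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	pemBytes := pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
	if err := os.WriteFile(filepath.Join(dir, "test-ca.pem"), pemBytes, 0o644); err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// Verified reports whether cert chains to a root contained in pool.
func Verified(cert *x509.Certificate, pool *x509.CertPool) bool {
	_, err := cert.Verify(x509.VerifyOptions{Roots: pool})
	return err == nil
}

func main() {
	// Walk the same directories Go would and print what a profile must allow.
	for _, d := range CertDirs() {
		_, opened, err := LoadCertDir(d)
		if err != nil {
			fmt.Printf("%s: %v\n", d, err)
			continue
		}
		fmt.Printf("%s: %d certificate files opened\n", d, len(opened))
	}
}
```

Run it with SSL_CERT_DIR unset to see the default scan, or point SSL_CERT_DIR at a single directory to confine a Go service's lookups to one path that the profile already covers. The file list returned by LoadCertDir is the set of opens that a rule such as `r /etc/pki/tls/certs/,` does not cover: that rule only permits the os.ReadDir call.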
Diffstat (limited to 'nixos/modules/security/apparmor/includes.nix')
-rw-r--r-- nixos/modules/security/apparmor/includes.nix | 2
1 files changed, 2 insertions, 0 deletions
diff --git a/nixos/modules/security/apparmor/includes.nix b/nixos/modules/security/apparmor/includes.nix
index adfca04426c..7711f1fdb7e 100644
--- a/nixos/modules/security/apparmor/includes.nix
+++ b/nixos/modules/security/apparmor/includes.nix
@@ -279,6 +279,8 @@ config.security.apparmor.includes = {
     r /var/lib/acme/*/chain.pem,
     r /var/lib/acme/*/fullchain.pem,
 
+    r /etc/pki/tls/certs/,
+
     '' + lib.concatMapStringsSep "\n" etcRule [
       "ssl/certs/ca-certificates.crt"
       "ssl/certs/ca-bundle.crt"
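Review bot: the trailing slash in `r /etc/pki/tls/certs/,` makes the rule match the directory entry only, so it permits the directory listing but grants no read access to files beneath it; since the linked root_unix.go reads every file it finds after listing a directory, a host that actually populates /etc/pki/tls/certs/ would still generate one denial per certificate file. If the goal is just to quiet the directory probe, that is fine, but please add a comment above the rule naming Go's crypto/x509 as the reason (the commit message has it, the file does not), so the non-NixOS path is not removed as dead later; if file reads are meant to be covered too, add `r /etc/pki/tls/certs/*,` next to it, matching the glob style of the acme rules above.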