authorRobert Obryk <robryk@gmail.com>2023-08-25 21:52:40 +0200
committerRobert Obryk <robryk@gmail.com>2023-08-27 14:10:07 +0200
commit44fde723be696020dc4c78d5deae3501b6cb088f (patch)
tree98ae6eb5bd9ed01b22890a3d635130357ee7c3e1 /nixos/modules/security
parentc0e607da612b0203a5357cadb9b345c7c321c163 (diff)
nixos/security/wrappers: generate a separate and more complete apparmor policy fragment for each wrapper
This change adds some rules (e.g. reading of the `.real` file,
execution of the wrapper's target) that belong in the apparmor policy
of the wrapper. This necessitates making them distinct for each wrapper.
The main reason for this change is as a preparation for making each
wrapper be a distinct binary.
Diffstat (limited to 'nixos/modules/security')
-rw-r--r--nixos/modules/security/wrappers/default.nix9
1 files changed, 6 insertions, 3 deletions
diff --git a/nixos/modules/security/wrappers/default.nix b/nixos/modules/security/wrappers/default.nix
index 12255d8392f..2f886cef3a7 100644
--- a/nixos/modules/security/wrappers/default.nix
+++ b/nixos/modules/security/wrappers/default.nix
@@ -248,11 +248,14 @@ in
       export PATH="${wrapperDir}:$PATH"
     '';
 
-    security.apparmor.includes."nixos/security.wrappers" = ''
-      include "${pkgs.apparmorRulesFromClosure { name="security.wrappers"; } [
+    security.apparmor.includes = lib.mapAttrs' (wrapName: wrap: lib.nameValuePair
+     "nixos/security.wrappers/${wrapName}" ''
+      include "${pkgs.apparmorRulesFromClosure { name="security.wrappers.${wrapName}"; } [
         securityWrapper
       ]}"
-    '';
+      mrpx ${wrap.source},
+      r /run/wrappers/wrappers.*/${wrapName}.real,
+    '') wrappers;
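Review bot: The `.real` read rule on the last added line hardcodes `/run/wrappers/`, while the wrapper location elsewhere in this module comes from `wrapperDir` (see the `export PATH` context line at the top of the hunk); if the configured wrapper directory ever differs, the rule would not match and a confined wrapper would be denied reading its own `.real` file. Deriving it, e.g. `r ${dirOf wrapperDir}/wrappers.*/${wrapName}.real,`, keeps the policy in step with the activation script that creates those directories (that script starts below the hunk, so I cannot confirm its exact path construction here). Separately, replacing the single `nixos/security.wrappers` include with per-wrapper names means any profile that still references the old name will fail to parse or, under `include if exists`, silently lose these rules; a short comment such as `# consumers include "nixos/security.wrappers/<wrapper name>"` would make the new contract visible. Finally, `px` on `${wrap.source}` only succeeds when a profile exists for that target path, which is presumably intended but worth stating in a comment next to the `mrpx` rule.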
 
     ###### wrappers activation script
     system.activationScripts.wrappers =