diff options
| author | Majiir Paktu <majiir@nabaal.net> | 2023-09-20 23:44:56 -0400 |
|---|---|---|
| committer | Majiir Paktu <majiir@nabaal.net> | 2023-10-10 21:11:35 -0400 |
| commit | e712b6e81d2e07ca33dce83d6270b3ab3cba0f90 (patch) | |
| tree | d7a5107ce78947934b84606a9647499de8cfb5da /nixos/modules/security | |
| parent | 43f7cb4a95436d58a0fe40ff501d42085d676691 (diff) | |
| download | nixpkgs-e712b6e81d2e07ca33dce83d6270b3ab3cba0f90.tar nixpkgs-e712b6e81d2e07ca33dce83d6270b3ab3cba0f90.tar.gz nixpkgs-e712b6e81d2e07ca33dce83d6270b3ab3cba0f90.tar.bz2 nixpkgs-e712b6e81d2e07ca33dce83d6270b3ab3cba0f90.tar.lz nixpkgs-e712b6e81d2e07ca33dce83d6270b3ab3cba0f90.tar.xz nixpkgs-e712b6e81d2e07ca33dce83d6270b3ab3cba0f90.tar.zst nixpkgs-e712b6e81d2e07ca33dce83d6270b3ab3cba0f90.zip | |
nixos/pam: generate apparmor includes from rules
Removes redundant config from the module. Fixes a bug where some modules (e.g. ussh) were added to apparmor even though they had no rules enabled.
Diffstat (limited to 'nixos/modules/security')
| -rw-r--r-- | nixos/modules/security/pam.nix | 98 |
1 files changed, 13 insertions, 85 deletions
diff --git a/nixos/modules/security/pam.nix b/nixos/modules/security/pam.nix index 242ce52bfb5..bd6ab5856fc 100644 --- a/nixos/modules/security/pam.nix +++ b/nixos/modules/security/pam.nix @@ -1508,9 +1508,7 @@ in fscrypt = {}; }; - security.apparmor.includes."abstractions/pam" = let - isEnabled = test: fold or false (map test (attrValues config.security.pam.services)); - in + security.apparmor.includes."abstractions/pam" = lib.concatMapStrings (name: "r ${config.environment.etc."pam.d/${name}".source},\n") (attrNames config.security.pam.services) + @@ -1519,88 +1517,18 @@ in mr ${getLib pkgs.pam}/lib/security/pam_*.so, r ${getLib pkgs.pam}/lib/security/, '' + - optionalString use_ldap '' - mr ${pam_ldap}/lib/security/pam_ldap.so, - '' + - optionalString config.services.kanidm.enablePam '' - mr ${pkgs.kanidm}/lib/pam_kanidm.so, - '' + - optionalString config.services.sssd.enable '' - mr ${pkgs.sssd}/lib/security/pam_sss.so, - '' + - optionalString config.security.pam.krb5.enable '' - mr ${pam_krb5}/lib/security/pam_krb5.so, - mr ${pam_ccreds}/lib/security/pam_ccreds.so, - '' + - optionalString (isEnabled (cfg: cfg.googleOsLoginAccountVerification)) '' - mr ${pkgs.google-guest-oslogin}/lib/security/pam_oslogin_login.so, - mr ${pkgs.google-guest-oslogin}/lib/security/pam_oslogin_admin.so, - '' + - optionalString (isEnabled (cfg: cfg.googleOsLoginAuthentication)) '' - mr ${pkgs.google-guest-oslogin}/lib/security/pam_oslogin_login.so, - '' + - optionalString (config.security.pam.enableSSHAgentAuth - && isEnabled (cfg: cfg.sshAgentAuth)) '' - mr ${pkgs.pam_ssh_agent_auth}/libexec/pam_ssh_agent_auth.so, - '' + - optionalString (isEnabled (cfg: cfg.fprintAuth)) '' - mr ${pkgs.fprintd}/lib/security/pam_fprintd.so, - '' + - optionalString (isEnabled (cfg: cfg.u2fAuth)) '' - mr ${pkgs.pam_u2f}/lib/security/pam_u2f.so, - '' + - optionalString (isEnabled (cfg: cfg.usbAuth)) '' - mr ${pkgs.pam_usb}/lib/security/pam_usb.so, - '' + - optionalString (isEnabled (cfg: cfg.usshAuth)) '' - mr ${pkgs.pam_ussh}/lib/security/pam_ussh.so, - '' + - optionalString (isEnabled (cfg: cfg.oathAuth)) '' - "mr ${pkgs.oath-toolkit}/lib/security/pam_oath.so, - '' + - optionalString (isEnabled (cfg: cfg.mysqlAuth)) '' - mr ${pkgs.pam_mysql}/lib/security/pam_mysql.so, - '' + - optionalString (isEnabled (cfg: cfg.yubicoAuth)) '' - mr ${pkgs.yubico-pam}/lib/security/pam_yubico.so, - '' + - optionalString (isEnabled (cfg: cfg.duoSecurity.enable)) '' - mr ${pkgs.duo-unix}/lib/security/pam_duo.so, - '' + - optionalString (isEnabled (cfg: cfg.otpwAuth)) '' - mr ${pkgs.otpw}/lib/security/pam_otpw.so, - '' + - optionalString config.security.pam.enableEcryptfs '' - mr ${pkgs.ecryptfs}/lib/security/pam_ecryptfs.so, - '' + - optionalString config.security.pam.enableFscrypt '' - mr ${pkgs.fscrypt-experimental}/lib/security/pam_fscrypt.so, - '' + - optionalString (isEnabled (cfg: cfg.pamMount)) '' - mr ${pkgs.pam_mount}/lib/security/pam_mount.so, - '' + - optionalString (isEnabled (cfg: cfg.enableGnomeKeyring)) '' - mr ${pkgs.gnome.gnome-keyring}/lib/security/pam_gnome_keyring.so, - '' + - optionalString (isEnabled (cfg: cfg.startSession)) '' - mr ${config.systemd.package}/lib/security/pam_systemd.so, - '' + - optionalString (isEnabled (cfg: cfg.enableAppArmor) - && config.security.apparmor.enable) '' - mr ${pkgs.apparmor-pam}/lib/security/pam_apparmor.so, - '' + - optionalString (isEnabled (cfg: cfg.enableKwallet)) '' - mr ${pkgs.plasma5Packages.kwallet-pam}/lib/security/pam_kwallet5.so, - '' + - optionalString config.virtualisation.lxc.lxcfs.enable '' - mr ${pkgs.lxc}/lib/security/pam_cgfs.so, - '' + - optionalString (isEnabled (cfg: cfg.zfs)) '' - mr ${config.boot.zfs.package}/lib/security/pam_zfs_key.so, - '' + - optionalString config.services.homed.enable '' - mr ${config.systemd.package}/lib/security/pam_systemd_home.so - ''; + (with lib; pipe config.security.pam.services [ + attrValues + (catAttrs "rules") + (concatMap attrValues) + (concatMap attrValues) + (filter (rule: rule.enable)) + (catAttrs "modulePath") + (filter (hasPrefix "/")) + unique + (map (module: "mr ${module},")) + concatLines + ]); }; } |