authorVladimír Čunát <v@cunat.cz>2020-10-07 11:15:18 +0200
committerVladimír Čunát <v@cunat.cz>2020-10-07 12:22:18 +0200
commit420f89ceb267b461eed5d025b6c3c0e57703cc5c (patch)
tree373179c02e9fd698fdb9c2b6fa1f4fd9b9a2dc87 /nixos/modules/services/torrent/transmission.nix
parent3b0886c9af7fadcb46fc04c28cf5b79280d38371 (diff)
Revert "apparmor: fix and improve the service"
This reverts commit fb6d63f3fdd95a5468d43a0693c8ca7c1894363f.

I really hope this finally fixes #99236: evaluation on Hydra.
This time I really did check basically the same commit on Hydra:
https://hydra.nixos.org/eval/1618011

Right now I don't have energy to find what exactly is wrong in the
commit, and it doesn't seem important in comparison to nixos-unstable
channel being stuck on a commit over one week old.
Diffstat (limited to 'nixos/modules/services/torrent/transmission.nix')
-rw-r--r--nixos/modules/services/torrent/transmission.nix63
1 files changed, 53 insertions, 10 deletions
diff --git a/nixos/modules/services/torrent/transmission.nix b/nixos/modules/services/torrent/transmission.nix
index 57982c20ccd..014a22bb5a8 100644
--- a/nixos/modules/services/torrent/transmission.nix
+++ b/nixos/modules/services/torrent/transmission.nix
@@ -5,7 +5,7 @@ with lib;
 let
   cfg = config.services.transmission;
   inherit (config.environment) etc;
-  apparmor = config.security.apparmor;
+  apparmor = config.security.apparmor.enable;
   rootDir = "/run/transmission";
   homeDir = "/var/lib/transmission";
   settingsDir = ".config/transmission-daemon";
@@ -184,8 +184,8 @@ in
 
     systemd.services.transmission = {
       description = "Transmission BitTorrent Service";
-      after = [ "network.target" ] ++ optional apparmor.enable "apparmor.service";
-      requires = optional apparmor.enable "apparmor.service";
+      after = [ "network.target" ] ++ optional apparmor "apparmor.service";
+      requires = optional apparmor "apparmor.service";
       wantedBy = [ "multi-user.target" ];
       environment.CURL_CA_BUNDLE = etc."ssl/certs/ca-certificates.crt".source;
 
@@ -357,21 +357,61 @@ in
       })
     ];
 
-    security.apparmor.policies."bin.transmission-daemon".profile = ''
+    security.apparmor.profiles = mkIf apparmor [
+      (pkgs.writeText "apparmor-transmission-daemon" ''
         include <tunables/global>
+
         ${pkgs.transmission}/bin/transmission-daemon {
           include <abstractions/base>
           include <abstractions/nameservice>
-          include <abstractions/ssl_certs>
-          include "${pkgs.apparmorRulesFromClosure {} [pkgs.transmission]}"
-          include <local/bin.transmission-daemon>
+
+          # NOTE: https://github.com/NixOS/nixpkgs/pull/93457
+          # will remove the need for these by fixing <abstractions/base>
+          r ${etc."hosts".source},
+          r /etc/ld-nix.so.preload,
+          ${lib.optionalString (builtins.hasAttr "ld-nix.so.preload" etc) ''
+            r ${etc."ld-nix.so.preload".source},
+            ${concatMapStrings (p: optionalString (p != "") ("mr ${p},\n"))
+              (splitString "\n" config.environment.etc."ld-nix.so.preload".text)}
+          ''}
+          r ${etc."ssl/certs/ca-certificates.crt".source},
+          r ${pkgs.tzdata}/share/zoneinfo/**,
+          r ${pkgs.stdenv.cc.libc}/share/i18n/**,
+          r ${pkgs.stdenv.cc.libc}/share/locale/**,
+
+          mr ${getLib pkgs.stdenv.cc.cc}/lib/*.so*,
+          mr ${getLib pkgs.stdenv.cc.libc}/lib/*.so*,
+          mr ${getLib pkgs.attr}/lib/libattr*.so*,
+          mr ${getLib pkgs.c-ares}/lib/libcares*.so*,
+          mr ${getLib pkgs.curl}/lib/libcurl*.so*,
+          mr ${getLib pkgs.keyutils}/lib/libkeyutils*.so*,
+          mr ${getLib pkgs.libcap}/lib/libcap*.so*,
+          mr ${getLib pkgs.libevent}/lib/libevent*.so*,
+          mr ${getLib pkgs.libgcrypt}/lib/libgcrypt*.so*,
+          mr ${getLib pkgs.libgpgerror}/lib/libgpg-error*.so*,
+          mr ${getLib pkgs.libkrb5}/lib/lib*.so*,
+          mr ${getLib pkgs.libssh2}/lib/libssh2*.so*,
+          mr ${getLib pkgs.lz4}/lib/liblz4*.so*,
+          mr ${getLib pkgs.nghttp2}/lib/libnghttp2*.so*,
+          mr ${getLib pkgs.openssl}/lib/libcrypto*.so*,
+          mr ${getLib pkgs.openssl}/lib/libssl*.so*,
+          mr ${getLib pkgs.systemd}/lib/libsystemd*.so*,
+          mr ${getLib pkgs.utillinuxMinimal.out}/lib/libblkid.so*,
+          mr ${getLib pkgs.utillinuxMinimal.out}/lib/libmount.so*,
+          mr ${getLib pkgs.utillinuxMinimal.out}/lib/libuuid.so*,
+          mr ${getLib pkgs.xz}/lib/liblzma*.so*,
+          mr ${getLib pkgs.zlib}/lib/libz*.so*,
 
           r @{PROC}/sys/kernel/random/uuid,
           r @{PROC}/sys/vm/overcommit_memory,
-          r @{PROC}/@{pid}/environ,
+          # @{pid} is not a kernel variable yet but a regexp
+          #r @{PROC}/@{pid}/environ,
           r @{PROC}/@{pid}/mounts,
           rwk /tmp/tr_session_id_*,
+
+          r ${pkgs.openssl.out}/etc/**,
           r ${config.systemd.services.transmission.environment.CURL_CA_BUNDLE},
+          r ${pkgs.transmission}/share/transmission/**,
 
           owner rw ${cfg.home}/${settingsDir}/**,
           rw ${cfg.settings.download-dir}/**,
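Review bot: The rule `r @{PROC}/@{pid}/environ` is commented out on the grounds that @{pid} is still a regexp, yet `r @{PROC}/@{pid}/mounts` two lines below keeps the same variable, so if that concern holds it grants reads of every process's mount table rather than only the daemon's own. The `owner` qualifier already used for the home directory further down would narrow this to files owned by the daemon's uid: `owner r @{PROC}/@{pid}/mounts,` and, should the environ read turn out to be needed, `owner r @{PROC}/@{pid}/environ,`. Separately, the preload block guards on `builtins.hasAttr "ld-nix.so.preload" etc` but then reads `.text`; an entry declared with `source` rather than `text` would presumably pass the guard and hand null to splitString, so the guard should probably also require `etc."ld-nix.so.preload".text != null`, and the `etc` binding from the first hunk could replace the repeated `config.environment.etc` there. The profile string continues into the next hunk.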
@@ -399,9 +439,12 @@ in
             # https://gitlab.com/apparmor/apparmor/-/wikis/AppArmorStacking#seccomp-and-no_new_privs
             px ${cfg.settings.script-torrent-done-filename} -> &@{dirs},
           ''}
+
+          # FIXME: enable customizing using https://github.com/NixOS/nixpkgs/pull/93457
+          # include <local/transmission-daemon>
         }
-    '';
-    security.apparmor.includes."local/bin.transmission-daemon" = "";
+      '')
+    ];
   };
 
   meta.maintainers = with lib.maintainers; [ julm ];