author | Julien Moutinho <julm+nixpkgs@sourcephile.fr> | 2020-12-03 18:03:32 +0100 |
---|---|---|
committer | Julien Moutinho <julm+nixpkgs@sourcephile.fr> | 2021-04-23 07:20:14 +0200 |
commit | b280e64078d69c59cf4fccfcaa9d56a59d789dc9 (patch) | |
tree | d4c1fc53968853585b28e4d95959f824926b045a /nixos/modules/services/torrent/transmission.nix | |
parent | 03b2156d269ed9d50b359b4362a094725b275f2d (diff) | |
download | nixpkgs-b280e64078d69c59cf4fccfcaa9d56a59d789dc9.tar nixpkgs-b280e64078d69c59cf4fccfcaa9d56a59d789dc9.tar.gz nixpkgs-b280e64078d69c59cf4fccfcaa9d56a59d789dc9.tar.bz2 nixpkgs-b280e64078d69c59cf4fccfcaa9d56a59d789dc9.tar.lz nixpkgs-b280e64078d69c59cf4fccfcaa9d56a59d789dc9.tar.xz nixpkgs-b280e64078d69c59cf4fccfcaa9d56a59d789dc9.tar.zst nixpkgs-b280e64078d69c59cf4fccfcaa9d56a59d789dc9.zip |
transmission: move apparmor profile to Nixpkgs
Diffstat (limited to 'nixos/modules/services/torrent/transmission.nix')
-rw-r--r-- | nixos/modules/services/torrent/transmission.nix | 77 |
1 files changed, 30 insertions, 47 deletions
diff --git a/nixos/modules/services/torrent/transmission.nix b/nixos/modules/services/torrent/transmission.nix
index e9b5834dab4..34a5219c959 100644
--- a/nixos/modules/services/torrent/transmission.nix
+++ b/nixos/modules/services/torrent/transmission.nix
@@ -359,55 +359,38 @@ in
 ];
 security.apparmor.policies."bin.transmission-daemon".profile = ''
- include <tunables/global>
- ${pkgs.transmission}/bin/transmission-daemon {
- include <abstractions/base>
- include <abstractions/nameservice>
- include <abstractions/ssl_certs>
- include "${pkgs.apparmorRulesFromClosure
- { name = "transmission-daemon"; }
- [ pkgs.transmission ]}"
- include <local/bin.transmission-daemon>
-
- r @{PROC}/sys/kernel/random/uuid,
- r @{PROC}/sys/vm/overcommit_memory,
- r @{PROC}/@{pid}/environ,
- r @{PROC}/@{pid}/mounts,
- rwk /tmp/tr_session_id_*,
- r /run/systemd/resolve/stub-resolv.conf,
-
- r ${pkgs.openssl.out}/etc/**,
- r ${config.systemd.services.transmission.environment.CURL_CA_BUNDLE},
-
- owner rw ${cfg.home}/${settingsDir}/**,
- rw ${cfg.settings.download-dir}/**,
- ${optionalString cfg.settings.incomplete-dir-enabled ''
- rw ${cfg.settings.incomplete-dir}/**,
- ''}
- ${optionalString cfg.settings.watch-dir-enabled ''
- rw ${cfg.settings.watch-dir}/**,
- ''}
- profile dirs {
- rw ${cfg.settings.download-dir}/**,
- ${optionalString cfg.settings.incomplete-dir-enabled ''
- rw ${cfg.settings.incomplete-dir}/**,
- ''}
- ${optionalString cfg.settings.watch-dir-enabled ''
- rw ${cfg.settings.watch-dir}/**,
- ''}
- }
+ include "${pkgs.transmission.apparmor}/bin.transmission-daemon"
+ '';
+ security.apparmor.includes."local/bin.transmission-daemon" = ''
+ r ${config.systemd.services.transmission.environment.CURL_CA_BUNDLE},
+
+ owner rw ${cfg.home}/${settingsDir}/**,
+ rw ${cfg.settings.download-dir}/**,
+ ${optionalString cfg.settings.incomplete-dir-enabled ''
+ rw ${cfg.settings.incomplete-dir}/**,
+ ''}
+ ${optionalString cfg.settings.watch-dir-enabled ''
+ rw ${cfg.settings.watch-dir}/**,
+ ''}
+ profile dirs {
+ rw ${cfg.settings.download-dir}/**,
+ ${optionalString cfg.settings.incomplete-dir-enabled ''
+ rw ${cfg.settings.incomplete-dir}/**,
+ ''}
+ ${optionalString cfg.settings.watch-dir-enabled ''
+ rw 
${cfg.settings.watch-dir}/**,
+ ''}
+ }
- ${optionalString (cfg.settings.script-torrent-done-enabled &&
- cfg.settings.script-torrent-done-filename != "") ''
- # Stack transmission_directories profile on top of
- # any existing profile for script-torrent-done-filename
- # FIXME: to be tested as I'm not sure it works well with NoNewPrivileges=
- # https://gitlab.com/apparmor/apparmor/-/wikis/AppArmorStacking#seccomp-and-no_new_privs
- px ${cfg.settings.script-torrent-done-filename} -> &@{dirs},
- ''}
- }
+ ${optionalString (cfg.settings.script-torrent-done-enabled &&
+ cfg.settings.script-torrent-done-filename != "") ''
+ # Stack transmission_directories profile on top of
+ # any existing profile for script-torrent-done-filename
+ # FIXME: to be tested as I'm not sure it works well with NoNewPrivileges=
+ # https://gitlab.com/apparmor/apparmor/-/wikis/AppArmorStacking#seccomp-and-no_new_privs
+ px ${cfg.settings.script-torrent-done-filename} -> &@{dirs},
+ ''}
 '';
- security.apparmor.includes."local/bin.transmission-daemon" = "";
 };
 meta.maintainers = with lib.maintainers; [ julm ]; |
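Review bot: The rules now placed in `security.apparmor.includes."local/bin.transmission-daemon"` (`owner rw …`, the `profile dirs { … }` child profile and the `px … -> &@{dirs}` stacking rule) are only valid inside a profile body, so this include is correct only if `${pkgs.transmission.apparmor}/bin.transmission-daemon` pulls in `<local/bin.transmission-daemon>` from within its `{ … }` block and defines `@{dirs}`; neither is visible in this hunk and the module no longer says so. A one-line comment above the assignment would pin that contract, e.g. `# Spliced into the profile body of pkgs.transmission.apparmor, which must include <local/bin.transmission-daemon> inside the profile block and define @{dirs}.` The removed inline profile granted `@{PROC}/…`, `/tmp/tr_session_id_*` and `${pkgs.openssl.out}/etc/**` accesses that are not re-added here, so they are presumably carried by the packaged profile; that is worth confirming so the daemon's confinement is neither loosened nor broken by the move. The FIXME about `px` stacking under NoNewPrivileges= is carried over unchanged and remains unresolved.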