author | Julien Moutinho <julm+nixpkgs@sourcephile.fr> | 2020-08-08 02:01:35 +0200 |
---|---|---|
committer | Julien Moutinho <julm+nixpkgs@sourcephile.fr> | 2020-09-06 07:43:03 +0200 |
commit | fb6d63f3fdd95a5468d43a0693c8ca7c1894363f (patch) | |
tree | 44edb88b751700b3e611999eb2998b6b518adb71 /nixos/modules/services/torrent/transmission.nix | |
parent | 539ae5c93299cadc0664cfff2ffc69a9386caf6d (diff) | |
apparmor: fix and improve the service
Diffstat (limited to 'nixos/modules/services/torrent/transmission.nix')
-rw-r--r-- | nixos/modules/services/torrent/transmission.nix | 63 |
1 files changed, 10 insertions, 53 deletions
diff --git a/nixos/modules/services/torrent/transmission.nix b/nixos/modules/services/torrent/transmission.nix
index 014a22bb5a8..57982c20ccd 100644
--- a/nixos/modules/services/torrent/transmission.nix
+++ b/nixos/modules/services/torrent/transmission.nix
@@ -5,7 +5,7 @@ with lib;
 let
 cfg = config.services.transmission;
 inherit (config.environment) etc;
- apparmor = config.security.apparmor.enable;
+ apparmor = config.security.apparmor;
 rootDir = "/run/transmission";
 homeDir = "/var/lib/transmission";
 settingsDir = ".config/transmission-daemon";
@@ -184,8 +184,8 @@ in
 systemd.services.transmission = {
 description = "Transmission BitTorrent Service";
- after = [ "network.target" ] ++ optional apparmor "apparmor.service";
- requires = optional apparmor "apparmor.service";
+ after = [ "network.target" ] ++ optional apparmor.enable "apparmor.service";
+ requires = optional apparmor.enable "apparmor.service";
 wantedBy = [ "multi-user.target" ];
 environment.CURL_CA_BUNDLE = etc."ssl/certs/ca-certificates.crt".source;
@@ -357,61 +357,21 @@ in
 })
 ];
- security.apparmor.profiles = mkIf apparmor [
- (pkgs.writeText "apparmor-transmission-daemon" ''
+ security.apparmor.policies."bin.transmission-daemon".profile = ''
 include <tunables/global>
- ${pkgs.transmission}/bin/transmission-daemon {
 include <abstractions/base>
 include <abstractions/nameservice>
-
- # NOTE: https://github.com/NixOS/nixpkgs/pull/93457
- # will remove the need for these by fixing <abstractions/base>
- r ${etc."hosts".source},
- r /etc/ld-nix.so.preload,
- ${lib.optionalString (builtins.hasAttr "ld-nix.so.preload" etc) ''
- r ${etc."ld-nix.so.preload".source},
- ${concatMapStrings (p: optionalString (p != "") ("mr ${p},\n"))
- (splitString "\n" config.environment.etc."ld-nix.so.preload".text)}
- ''}
- r ${etc."ssl/certs/ca-certificates.crt".source},
- r ${pkgs.tzdata}/share/zoneinfo/**,
- r ${pkgs.stdenv.cc.libc}/share/i18n/**,
- r ${pkgs.stdenv.cc.libc}/share/locale/**,
-
- mr ${getLib pkgs.stdenv.cc.cc}/lib/*.so*,
- mr ${getLib pkgs.stdenv.cc.libc}/lib/*.so*,
- mr ${getLib pkgs.attr}/lib/libattr*.so*,
- mr ${getLib pkgs.c-ares}/lib/libcares*.so*,
- mr ${getLib pkgs.curl}/lib/libcurl*.so*,
- mr ${getLib pkgs.keyutils}/lib/libkeyutils*.so*,
- mr ${getLib pkgs.libcap}/lib/libcap*.so*,
- mr ${getLib pkgs.libevent}/lib/libevent*.so*,
- mr ${getLib pkgs.libgcrypt}/lib/libgcrypt*.so*,
- mr ${getLib pkgs.libgpgerror}/lib/libgpg-error*.so*,
- mr ${getLib pkgs.libkrb5}/lib/lib*.so*,
- mr ${getLib pkgs.libssh2}/lib/libssh2*.so*,
- mr ${getLib pkgs.lz4}/lib/liblz4*.so*,
- mr ${getLib pkgs.nghttp2}/lib/libnghttp2*.so*,
- mr ${getLib pkgs.openssl}/lib/libcrypto*.so*,
- mr ${getLib pkgs.openssl}/lib/libssl*.so*,
- mr ${getLib pkgs.systemd}/lib/libsystemd*.so*,
- mr ${getLib pkgs.utillinuxMinimal.out}/lib/libblkid.so*,
- mr ${getLib pkgs.utillinuxMinimal.out}/lib/libmount.so*,
- mr ${getLib pkgs.utillinuxMinimal.out}/lib/libuuid.so*,
- mr ${getLib pkgs.xz}/lib/liblzma*.so*,
- mr ${getLib pkgs.zlib}/lib/libz*.so*,
+ include <abstractions/ssl_certs>
+ include "${pkgs.apparmorRulesFromClosure {} [pkgs.transmission]}"
+ include <local/bin.transmission-daemon>
 r @{PROC}/sys/kernel/random/uuid,
 r @{PROC}/sys/vm/overcommit_memory,
- # @{pid} is not a kernel variable yet but a regexp
- #r @{PROC}/@{pid}/environ,
+ r @{PROC}/@{pid}/environ,
 r @{PROC}/@{pid}/mounts,
 rwk /tmp/tr_session_id_*,
-
- r ${pkgs.openssl.out}/etc/**,
 r ${config.systemd.services.transmission.environment.CURL_CA_BUNDLE},
- r ${pkgs.transmission}/share/transmission/**,
 owner rw ${cfg.home}/${settingsDir}/**,
 rw ${cfg.settings.download-dir}/**,
@@ -439,12 +399,9 @@ in
 # https://gitlab.com/apparmor/apparmor/-/wikis/AppArmorStacking#seccomp-and-no_new_privs
 px ${cfg.settings.script-torrent-done-filename} -> &@{dirs},
 ''}
-
- # FIXME: enable customizing using https://github.com/NixOS/nixpkgs/pull/93457
- # include <local/transmission-daemon>
 }
- '')
- ];
+ '';
+ security.apparmor.includes."local/bin.transmission-daemon" = "";
 };
 meta.maintainers = with lib.maintainers; [ julm ];
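Review bot: Removing the `${pkgs.transmission}/bin/transmission-daemon {` line leaves the closing `}` (still a context line in the last hunk) unmatched inside the `profile` string, so the rules now precede any profile header; that is only valid if the new `security.apparmor.policies.<name>.profile` option prepends the header itself, which this diff does not show and is worth confirming before merge. The newly enabled `r @{PROC}/@{pid}/environ,` keeps the caveat the removed comment stated (`@{pid}` expands to a regexp, not the caller's pid), so within the profile it matches every process's environ rather than the daemon's own; since the profile already uses the `owner` qualifier for `${cfg.home}`, `owner r @{PROC}/@{pid}/environ,` (and likewise for `mounts`) narrows it at no functional cost. The policy is also now declared unconditionally while `after`/`requires` in the earlier hunk stay gated on `apparmor.enable`; that is fine if the apparmor module ignores `policies` when disabled, but the asymmetry deserves a short comment such as `# policy is inert unless security.apparmor.enable`.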