| field | value | date |
|---|---|---|
| author | Robert Obryk <robryk@gmail.com> | 2023-08-25 21:52:40 +0200 |
| committer | Robert Obryk <robryk@gmail.com> | 2023-08-27 14:10:07 +0200 |
| commit | 44fde723be696020dc4c78d5deae3501b6cb088f (patch) | |
| tree | 98ae6eb5bd9ed01b22890a3d635130357ee7c3e1 /nixos/modules/tasks | |
| parent | c0e607da612b0203a5357cadb9b345c7c321c163 (diff) | |
nixos/security/wrappers: generate a separate and more complete apparmor policy fragment for each wrapper
This change includes some stuff (e.g. reading of the `.real` file, execution of the wrapper's target) that belongs to the apparmor policy of the wrapper. This necessitates making them distinct for each wrapper. The main reason for this change is as a preparation for making each wrapper be a distinct binary.
Diffstat (limited to 'nixos/modules/tasks')

| mode | file | changes |
|---|---|---|
| -rw-r--r-- | nixos/modules/tasks/network-interfaces.nix | 6 |

1 files changed, 2 insertions, 4 deletions
diff --git a/nixos/modules/tasks/network-interfaces.nix b/nixos/modules/tasks/network-interfaces.nix index eb1c7512d92..0d4033ca943 100644 --- a/nixos/modules/tasks/network-interfaces.nix +++ b/nixos/modules/tasks/network-interfaces.nix @@ -1396,14 +1396,12 @@ in security.apparmor.policies."bin.ping".profile = lib.mkIf config.security.apparmor.policies."bin.ping".enable (lib.mkAfter '' /run/wrappers/bin/ping { include <abstractions/base> - include <nixos/security.wrappers> + include <nixos/security.wrappers/ping> rpx /run/wrappers/wrappers.*/ping, } /run/wrappers/wrappers.*/ping { include <abstractions/base> - include <nixos/security.wrappers> - r /run/wrappers/wrappers.*/ping.real, - mrpx ${config.security.wrappers.ping.source}, + include <nixos/security.wrappers/ping> capability net_raw, capability setpcap, } |
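Review bot: the first profile block, `/run/wrappers/bin/ping { ... }`, is widened by this hunk: it previously pulled in only the generic `<nixos/security.wrappers>` fragment plus `rpx /run/wrappers/wrappers.*/ping,`, and now includes `<nixos/security.wrappers/ping>`, which the commit message says carries the `.real` read and the exec of the wrapper's target. Those rights were previously confined to the second block, `/run/wrappers/wrappers.*/ping { ... }`, where the explicit `r /run/wrappers/wrappers.*/ping.real,` and `mrpx ${config.security.wrappers.ping.source},` lines are being removed. If the outer symlink profile does not need them, keep the generic include there; if the widening is intended, a one-line comment in the profile would save the next reader the same question. Also note that this diffstat is limited to `nixos/modules/tasks`, so the generation of the per-wrapper fragment is not visible here; since a missing include file is a parse error for `apparmor_parser`, confirm that `nixos/security.wrappers/ping` is actually emitted by the wrappers module for every enabled wrapper, and that its contents cover both removed rules, or the confined `ping` loses the ability to read its `.real` file and execute its target.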