apparmor: fix and improve the service

1 files changed, 22 insertions, 0 deletions

diff --git a/pkgs/os-specific/linux/iputils/default.nix b/pkgs/os-specific/linux/iputils/default.nix
index e12c44888a0..b005c65684d 100644
--- a/pkgs/os-specific/linux/iputils/default.nix
+++ b/pkgs/os-specific/linux/iputils/default.nix
@@ -1,6 +1,7 @@
 { stdenv, fetchFromGitHub
 , meson, ninja, pkgconfig, gettext, libxslt, docbook_xsl_ns
 , libcap, systemd, libidn2
+, apparmorRulesFromClosure
 }:
 
 with stdenv.lib;
@@ -22,6 +23,8 @@ in stdenv.mkDerivation rec {
     sha256 = "1jhbcz75a4ij1myyyi110ma1d8d5hpm3scz9pyw7js6qym50xvh4";
   };
 
+  outputs = ["out" "apparmor"];
+
   mesonFlags = [
     "-DBUILD_RARPD=true"
     "-DBUILD_TRACEROUTE6=true"
@@ -35,6 +38,25 @@ in stdenv.mkDerivation rec {
   nativeBuildInputs = [ meson ninja pkgconfig gettext libxslt.bin docbook_xsl_ns ];
   buildInputs = [ libcap systemd ]
     ++ optional (!stdenv.hostPlatform.isMusl) libidn2;
+  postInstall = ''
+    install -D /dev/stdin $apparmor/bin.ping <<EOF
+    include <tunables/global>
+    $out/bin/ping {
+      include <abstractions/base>
+      include <abstractions/consoles>
+      include <abstractions/nameservice>
+      include "${apparmorRulesFromClosure {}
+       ([libcap] ++ optional (!stdenv.hostPlatform.isMusl) libidn2)}"
+      include <local/bin.ping>
+      capability net_raw,
+      network inet raw,
+      network inet6 raw,
+      mr $out/bin/ping,
+      r $out/share/locale/**,
+      r @{PROC}/@{pid}/environ,
+    }
+    EOF
+  '';
 
   meta = {
     description = "A set of small useful utilities for Linux networking";