Diffstat (limited to 'nixos/modules/security/apparmor-suid.nix')
-rw-r--r-- | nixos/modules/security/apparmor-suid.nix | 49 |
1 files changed, 0 insertions, 49 deletions
diff --git a/nixos/modules/security/apparmor-suid.nix b/nixos/modules/security/apparmor-suid.nix
deleted file mode 100644
index 6c479e070e2..00000000000
--- a/nixos/modules/security/apparmor-suid.nix
+++ /dev/null
@@ -1,49 +0,0 @@
-{ config, lib, pkgs, ... }:
-let
- cfg = config.security.apparmor;
-in
-with lib;
-{
- imports = [
- (mkRenamedOptionModule [ "security" "virtualization" "flushL1DataCache" ] [ "security" "virtualisation" "flushL1DataCache" ])
- ];
-
- options.security.apparmor.confineSUIDApplications = mkOption {
- type = types.bool;
- default = true;
- description = ''
- Install AppArmor profiles for commonly-used SUID application
- to mitigate potential privilege escalation attacks due to bugs
- in such applications.
-
- Currently available profiles: ping
- '';
- };
-
- config = mkIf (cfg.confineSUIDApplications) {
- security.apparmor.profiles = [ (pkgs.writeText "ping" ''
- #include <tunables/global>
- /run/wrappers/bin/ping {
- #include <abstractions/base>
- #include <abstractions/consoles>
- #include <abstractions/nameservice>
-
- capability net_raw,
- capability setuid,
- network inet raw,
-
- ${pkgs.stdenv.cc.libc.out}/lib/*.so mr,
- ${pkgs.libcap.lib}/lib/libcap.so* mr,
- ${pkgs.attr.out}/lib/libattr.so* mr,
-
- ${pkgs.iputils}/bin/ping mixr,
-
- #/etc/modules.conf r,
-
- ## Site-specific additions and overrides. See local/README for details.
- ##include <local/bin.ping>
- }
- '') ];
- };
-
-} |