Diffstat (limited to 'nixos/modules/security/apparmor.nix')
-rw-r--r--nixos/modules/security/apparmor.nix72
1 files changed, 39 insertions, 33 deletions
diff --git a/nixos/modules/security/apparmor.nix b/nixos/modules/security/apparmor.nix
index f29e7a5ad81..4fef62cbffd 100644
--- a/nixos/modules/security/apparmor.nix
+++ b/nixos/modules/security/apparmor.nix
@@ -1,43 +1,49 @@
 { config, lib, pkgs, ... }:
 
-with lib;
-
 let
+  inherit (lib) mkIf mkOption types concatMapStrings;
   cfg = config.security.apparmor;
 in
+
 {
-  options = {
-    security.apparmor = {
-      enable = mkOption {
-        type = types.bool;
-        default = false;
-        description = "Enable the AppArmor Mandatory Access Control system.";
-      };
+   options = {
+     security.apparmor = {
+       enable = mkOption {
+         type = types.bool;
+         default = false;
+         description = "Enable the AppArmor Mandatory Access Control system.";
+       };
+       profiles = mkOption {
+         type = types.listOf types.path;
+         default = [];
+         description = "List of files containing AppArmor profiles.";
+       };
+     };
+   };
 
-      profiles = mkOption {
-        type = types.listOf types.path;
-        default = [];
-        description = "List of files containing AppArmor profiles.";
-      };
-    };
-  };
+   config = mkIf cfg.enable {
+     environment.systemPackages = [ pkgs.apparmor-utils ];
 
-  config = mkIf cfg.enable {
-    environment.systemPackages = [ pkgs.apparmor ];
-    systemd.services.apparmor = {
-      wantedBy = [ "local-fs.target" ];
-      path     = [ pkgs.apparmor ];
+     systemd.services.apparmor = {
+       wantedBy = [ "local-fs.target" ];
+       serviceConfig = {
+         Type = "oneshot";
+         RemainAfterExit = "yes";
+         ExecStart = concatMapStrings (p:
+           ''${pkgs.apparmor-parser}/bin/apparmor_parser -rKv -I ${pkgs.apparmor-profiles}/etc/apparmor.d "${p}" ; ''
+         ) cfg.profiles;
+         ExecStop = concatMapStrings (p:
+           ''${pkgs.apparmor-parser}/bin/apparmor_parser -Rv "${p}" ; ''
+         ) cfg.profiles;
+       };
+     };
 
-      serviceConfig = {
-        Type = "oneshot";
-        RemainAfterExit = "yes";
-        ExecStart = concatMapStrings (profile:
-          ''${pkgs.apparmor}/sbin/apparmor_parser -rKv -I ${pkgs.apparmor}/etc/apparmor.d/ "${profile}" ; ''
-        ) cfg.profiles;
-        ExecStop = concatMapStrings (profile:
-          ''${pkgs.apparmor}/sbin/apparmor_parser -Rv -I ${pkgs.apparmor}/etc/apparmor.d/ "${profile}" ; ''
-        ) cfg.profiles;
-      };
-    };
-  };
+     security.pam.services.apparmor.text = ''
+       ## AppArmor changes hats according to `order`: first try user, then
+       ## group, and finally fall back to a hat called "DEFAULT"
+       ##
+       ## For now, enable debugging as this is an experimental feature.
+       session optional ${pkgs.apparmor-pam}/lib/security/pam_apparmor.so order=user,group,default debug
+     '';
+   };
 }
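Review bot: With the option default `profiles = []`, both `concatMapStrings` results in the new `serviceConfig` are empty strings, so `security.apparmor.enable = true` with no profiles listed yields a unit with an empty `ExecStart=`/`ExecStop=` that systemd refuses to load, and nothing tells the operator that no confinement is actually active; add `assertions = [ { assertion = cfg.profiles != []; message = "security.apparmor.enable requires at least one entry in security.apparmor.profiles"; } ];` to the `config` block, or wrap the unit in `mkIf (cfg.profiles != [])`. Nothing visible in this hunk sets `boot.kernelParams` (e.g. `apparmor=1 security=apparmor`), so whether `apparmor_parser -rKv` can load anything at all depends on the kernel's default LSM selection — if enabling the LSM is meant to be this module's job, it should set the parameters explicitly, and if not, a comment should say where that is expected to happen. The `ExecStop` commands unload every listed profile, which means a plain `systemctl stop apparmor` silently lifts confinement from already-running services; a one-line comment such as `# Stopping this unit unloads (unconfines) every profile listed in cfg.profiles` would make that trade-off visible. Finally, the `pam_apparmor.so` line hard-codes `debug`, which logs hat-change decisions to syslog on every session of any service that ends up including this PAM stack; the comment calls it temporary, so either gate it behind an option or note the condition under which it is to be removed.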