From b280e64078d69c59cf4fccfcaa9d56a59d789dc9 Mon Sep 17 00:00:00 2001
From: Julien Moutinho
Date: Thu, 3 Dec 2020 18:03:32 +0100
Subject: transmission: move apparmor profile to Nixpkgs

---
 nixos/modules/services/torrent/transmission.nix | 77 +++++++++-------------
 .../networking/p2p/transmission/default.nix | 27 ++++++++
 2 files changed, 57 insertions(+), 47 deletions(-)

diff --git a/nixos/modules/services/torrent/transmission.nix b/nixos/modules/services/torrent/transmission.nix
index e9b5834dab4..34a5219c959 100644
--- a/nixos/modules/services/torrent/transmission.nix
+++ b/nixos/modules/services/torrent/transmission.nix
@@ -359,55 +359,38 @@ in
 ];
 security.apparmor.policies."bin.transmission-daemon".profile = ''
- include
- ${pkgs.transmission}/bin/transmission-daemon {
- include
- include
- include
- include "${pkgs.apparmorRulesFromClosure
- { name = "transmission-daemon"; }
- [ pkgs.transmission ]}"
- include
-
- r @{PROC}/sys/kernel/random/uuid,
- r @{PROC}/sys/vm/overcommit_memory,
- r @{PROC}/@{pid}/environ,
- r @{PROC}/@{pid}/mounts,
- rwk /tmp/tr_session_id_*,
- r /run/systemd/resolve/stub-resolv.conf,
-
- r ${pkgs.openssl.out}/etc/**,
- r ${config.systemd.services.transmission.environment.CURL_CA_BUNDLE},
-
- owner rw ${cfg.home}/${settingsDir}/**,
- rw ${cfg.settings.download-dir}/**,
- ${optionalString cfg.settings.incomplete-dir-enabled ''
- rw ${cfg.settings.incomplete-dir}/**,
- ''}
- ${optionalString cfg.settings.watch-dir-enabled ''
- rw ${cfg.settings.watch-dir}/**,
- ''}
- profile dirs {
- rw ${cfg.settings.download-dir}/**,
- ${optionalString cfg.settings.incomplete-dir-enabled ''
- rw ${cfg.settings.incomplete-dir}/**,
- ''}
- ${optionalString cfg.settings.watch-dir-enabled ''
- rw ${cfg.settings.watch-dir}/**,
- ''}
- }
+ include "${pkgs.transmission.apparmor}/bin.transmission-daemon"
+ '';
+ security.apparmor.includes."local/bin.transmission-daemon" = ''
+ r ${config.systemd.services.transmission.environment.CURL_CA_BUNDLE},
+
+ owner rw ${cfg.home}/${settingsDir}/**,
+ rw ${cfg.settings.download-dir}/**,
+ ${optionalString cfg.settings.incomplete-dir-enabled ''
+ rw ${cfg.settings.incomplete-dir}/**,
+ ''}
+ ${optionalString cfg.settings.watch-dir-enabled ''
+ rw ${cfg.settings.watch-dir}/**,
+ ''}
+ profile dirs {
+ rw ${cfg.settings.download-dir}/**,
+ ${optionalString cfg.settings.incomplete-dir-enabled ''
+ rw ${cfg.settings.incomplete-dir}/**,
+ ''}
+ ${optionalString cfg.settings.watch-dir-enabled ''
+ rw ${cfg.settings.watch-dir}/**,
+ ''}
+ }
- ${optionalString (cfg.settings.script-torrent-done-enabled &&
- cfg.settings.script-torrent-done-filename != "") ''
- # Stack transmission_directories profile on top of
- # any existing profile for script-torrent-done-filename
- # FIXME: to be tested as I'm not sure it works well with NoNewPrivileges=
- # https://gitlab.com/apparmor/apparmor/-/wikis/AppArmorStacking#seccomp-and-no_new_privs
- px ${cfg.settings.script-torrent-done-filename} -> &@{dirs},
- ''}
- }
+ ${optionalString (cfg.settings.script-torrent-done-enabled &&
+ cfg.settings.script-torrent-done-filename != "") ''
+ # Stack transmission_directories profile on top of
+ # any existing profile for script-torrent-done-filename
+ # FIXME: to be tested as I'm not sure it works well with NoNewPrivileges=
+ # https://gitlab.com/apparmor/apparmor/-/wikis/AppArmorStacking#seccomp-and-no_new_privs
+ px ${cfg.settings.script-torrent-done-filename} -> &@{dirs},
+ ''}
 '';
- security.apparmor.includes."local/bin.transmission-daemon" = "";
 };
 meta.maintainers = with lib.maintainers; [ julm ];
diff --git a/pkgs/applications/networking/p2p/transmission/default.nix b/pkgs/applications/networking/p2p/transmission/default.nix
index 363e5f7cfbe..b3a2a3eb212 100644
--- a/pkgs/applications/networking/p2p/transmission/default.nix
+++ b/pkgs/applications/networking/p2p/transmission/default.nix
@@ -21,6 +21,7 @@
 , enableDaemon ? true
 , enableCli ? true
 , installLib ? false
+, apparmorRulesFromClosure
 }:
 let
@@ -38,6 +39,8 @@ in stdenv.mkDerivation {
 fetchSubmodules = true;
 };
+ outputs = [ "out" "apparmor" ];
+
 cmakeFlags = let
 mkFlag = opt: if opt then "ON" else "OFF";
@@ -74,6 +77,30 @@ in stdenv.mkDerivation {
 NIX_LDFLAGS = lib.optionalString stdenv.isDarwin "-framework CoreFoundation";
+ postInstall = ''
+ install -D -m 644 /dev/stdin $apparmor/bin.transmission-daemon <
+ $out/bin/transmission-daemon {
+ include
+ include
+ include
+ include "${apparmorRulesFromClosure { name = "transmission-daemon"; } ([
+ curl libevent openssl pcre zlib
+ ] ++ lib.optionals enableSystemd [ systemd ]
+ ++ lib.optionals stdenv.isLinux [ inotify-tools ]
+ )}"
+ r @{PROC}/sys/kernel/random/uuid,
+ r @{PROC}/sys/vm/overcommit_memory,
+ r @{PROC}/@{pid}/environ,
+ r @{PROC}/@{pid}/mounts,
+ rwk /tmp/tr_session_id_*,
+ r /run/systemd/resolve/stub-resolv.conf,
+
+ include
+ }
+ EOF
+ '';
+
 meta = {
 description = "A fast, easy and free BitTorrent client";
 longDescription = ''
-- cgit 1.4.1
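Review bot: The closure handed to `apparmorRulesFromClosure` in the new `postInstall` (`curl libevent openssl pcre zlib` plus the optional systemd and inotify-tools) no longer covers the transmission package itself, which the old module-side rule `[ pkgs.transmission ]` did, and the explicit `r ${pkgs.openssl.out}/etc/**,` rule dropped in the first hunk has no counterpart here. Unless the default base rules of `apparmorRulesFromClosure` already grant `r $path/etc/**` for openssl, TLS verification against trackers may be denied, and if the daemon reads its web UI or other assets from `$out/share` a rule such as `r $out/share/**,` next to the `@{PROC}` rules (and `mr $out/lib/**` when `installLib` is set) would presumably be needed — the derivation cannot pass `$out` to `apparmorRulesFromClosure`, so these have to be spelled out; a run in complain mode with the audit log checked for denials would confirm. The targets of the `include` directives are not legible in this rendering (angle-bracketed tokens appear stripped), so their correctness cannot be checked from the page. The profile also bakes `/run/systemd/resolve/stub-resolv.conf` and `/tmp/tr_session_id_*` into the package, which is reasonable as long as the `local/bin.transmission-daemon` include stays the deployment-specific extension point; a one-line comment above `postInstall` saying so would help the next maintainer. The enclosing `stdenv.mkDerivation` block starts and ends outside the hunk.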