From 45e5d726b22db783731f0460870e9ab4f06bc5c4 Mon Sep 17 00:00:00 2001 From: Julien Moutinho Date: Sat, 27 Feb 2021 21:26:47 +0100 Subject: nixos/apparmor: improve code readability --- nixos/modules/security/apparmor.nix | 62 ++++++++++++++++++++----------------- 1 file changed, 33 insertions(+), 29 deletions(-) (limited to 'nixos/modules/security/apparmor.nix') diff --git a/nixos/modules/security/apparmor.nix b/nixos/modules/security/apparmor.nix index dfa695b81bb..68bc3f126cb 100644 --- a/nixos/modules/security/apparmor.nix +++ b/nixos/modules/security/apparmor.nix @@ -1,29 +1,31 @@ { config, lib, pkgs, ... }: +with lib; + let inherit (builtins) attrNames head map match readFile; inherit (lib) types; inherit (config.environment) etc; cfg = config.security.apparmor; - mkDisableOption = name: lib.mkEnableOption name // { + mkDisableOption = name: mkEnableOption name // { default = true; example = false; }; - enabledPolicies = lib.filterAttrs (n: p: p.enable) cfg.policies; + enabledPolicies = filterAttrs (n: p: p.enable) cfg.policies; in { imports = [ - (lib.mkRenamedOptionModule [ "security" "virtualization" "flushL1DataCache" ] [ "security" "virtualisation" "flushL1DataCache" ]) - (lib.mkRemovedOptionModule [ "security" "apparmor" "confineSUIDApplications" ] "Please use the new options: `security.apparmor.policies..enable'.") - (lib.mkRemovedOptionModule [ "security" "apparmor" "profiles" ] "Please use the new option: `security.apparmor.policies'.") + (mkRemovedOptionModule [ "security" "apparmor" "confineSUIDApplications" ] "Please use the new options: `security.apparmor.policies..enable'.") + (mkRemovedOptionModule [ "security" "apparmor" "profiles" ] "Please use the new option: `security.apparmor.policies'.") apparmor/includes.nix apparmor/profiles.nix ]; options = { security.apparmor = { - enable = lib.mkEnableOption ''the AppArmor Mandatory Access Control system. + enable = mkEnableOption '' + the AppArmor Mandatory Access Control system. If you're enabling this module on a running system, note that a reboot will be required to activate AppArmor in the kernel. @@ -38,7 +40,7 @@ in but leaves already running processes unconfined. Set killUnconfinedConfinables to false if you prefer to leave those processes running''; - policies = lib.mkOption { + policies = mkOption { description = '' AppArmor policies. ''; @@ -46,7 +48,7 @@ in options = { enable = mkDisableOption "loading of the profile into the kernel"; enforce = mkDisableOption "enforcing of the policy or only complain in the logs"; - profile = lib.mkOption { + profile = mkOption { description = "The policy of the profile."; type = types.lines; apply = pkgs.writeText name; @@ -55,28 +57,29 @@ in })); default = {}; }; - includes = lib.mkOption { + includes = mkOption { type = types.attrsOf types.lines; default = {}; description = '' List of paths to be added to AppArmor's searched paths when resolving include directives. ''; - apply = lib.mapAttrs pkgs.writeText; + apply = mapAttrs pkgs.writeText; }; - packages = lib.mkOption { + packages = mkOption { type = types.listOf types.package; default = []; description = "List of packages to be added to AppArmor's include path"; }; - enableCache = lib.mkEnableOption ''caching of AppArmor policies + enableCache = mkEnableOption '' + caching of AppArmor policies in /var/cache/apparmor/. Beware that AppArmor policies almost always contain Nix store paths, and thus produce at each change of these paths a new cached version accumulating in the cache''; - killUnconfinedConfinables = mkDisableOption ''killing of processes - which have an AppArmor profile enabled + killUnconfinedConfinables = mkDisableOption '' + killing of processes which have an AppArmor profile enabled (in policies) but are not confined (because AppArmor can only confine new processes). Beware that due to a current limitation of AppArmor, @@ -84,7 +87,7 @@ in }; }; - config = lib.mkIf cfg.enable { + config = mkIf cfg.enable { assertions = map (policy: { assertion = match ".*/.*" policy == null; message = "`security.apparmor.policies.\"${policy}\"' must not contain a slash."; @@ -100,15 +103,15 @@ in environment.etc."apparmor.d".source = pkgs.linkFarm "apparmor.d" ( # It's important to put only enabledPolicies here and not all cfg.policies # because aa-remove-unknown reads profiles from all /etc/apparmor.d/* - lib.mapAttrsToList (name: p: {inherit name; path=p.profile;}) enabledPolicies ++ - lib.mapAttrsToList (name: path: {inherit name path;}) cfg.includes + mapAttrsToList (name: p: { inherit name; path = p.profile; }) enabledPolicies ++ + mapAttrsToList (name: path: { inherit name path; }) cfg.includes ); environment.etc."apparmor/parser.conf".text = '' - ${if cfg.enableCache then "write-cache" else "skip-cache"} - cache-loc /var/cache/apparmor - Include /etc/apparmor.d - '' + - lib.concatMapStrings (p: "Include ${p}/etc/apparmor.d\n") cfg.packages; + ${if cfg.enableCache then "write-cache" else "skip-cache"} + cache-loc /var/cache/apparmor + Include /etc/apparmor.d + '' + + concatMapStrings (p: "Include ${p}/etc/apparmor.d\n") cfg.packages; # For aa-logprof environment.etc."apparmor/apparmor.conf".text = '' ''; @@ -134,12 +137,13 @@ in # 3 - force all perms on the rule to be user default_owner_prompt = 1 - custom_includes = /etc/apparmor.d ${lib.concatMapStringsSep " " (p: "${p}/etc/apparmor.d") cfg.packages} + custom_includes = /etc/apparmor.d ${concatMapStringsSep " " (p: "${p}/etc/apparmor.d") cfg.packages} [qualifiers] ${pkgs.runtimeShell} = icnu ${pkgs.bashInteractive}/bin/sh = icnu ${pkgs.bashInteractive}/bin/bash = icnu + ${config.users.defaultUserShell} = icnu ''; footer = "${pkgs.apparmor-utils}/etc/apparmor/logprof.conf"; passAsFile = [ "header" ]; @@ -177,17 +181,17 @@ in xargs --verbose --no-run-if-empty --delimiter='\n' \ kill ''; - commonOpts = p: "--verbose --show-cache ${lib.optionalString (!p.enforce) "--complain "}${p.profile}"; + commonOpts = p: "--verbose --show-cache ${optionalString (!p.enforce) "--complain "}${p.profile}"; in { Type = "oneshot"; RemainAfterExit = "yes"; ExecStartPre = "${pkgs.apparmor-utils}/bin/aa-teardown"; - ExecStart = lib.mapAttrsToList (n: p: "${pkgs.apparmor-parser}/bin/apparmor_parser --add ${commonOpts p}") enabledPolicies; - ExecStartPost = lib.optional cfg.killUnconfinedConfinables killUnconfinedConfinables; + ExecStart = mapAttrsToList (n: p: "${pkgs.apparmor-parser}/bin/apparmor_parser --add ${commonOpts p}") enabledPolicies; + ExecStartPost = optional cfg.killUnconfinedConfinables killUnconfinedConfinables; ExecReload = # Add or replace into the kernel profiles in enabledPolicies # (because AppArmor can do that without stopping the processes already confined). - lib.mapAttrsToList (n: p: "${pkgs.apparmor-parser}/bin/apparmor_parser --replace ${commonOpts p}") enabledPolicies ++ + mapAttrsToList (n: p: "${pkgs.apparmor-parser}/bin/apparmor_parser --replace ${commonOpts p}") enabledPolicies ++ # Remove from the kernel any profile whose name is not # one of the names within the content of the profiles in enabledPolicies # (indirectly read from /etc/apparmor.d/*, without recursing into sub-directory). @@ -195,7 +199,7 @@ in [ "${pkgs.apparmor-utils}/bin/aa-remove-unknown" ] ++ # Optionaly kill the processes which are unconfined but now have a profile loaded # (because AppArmor can only start to confine new processes). - lib.optional cfg.killUnconfinedConfinables killUnconfinedConfinables; + optional cfg.killUnconfinedConfinables killUnconfinedConfinables; ExecStop = "${pkgs.apparmor-utils}/bin/aa-teardown"; CacheDirectory = [ "apparmor" "apparmor/logprof" ]; CacheDirectoryMode = "0700"; @@ -203,5 +207,5 @@ in }; }; - meta.maintainers = with lib.maintainers; [ julm ]; + meta.maintainers = with maintainers; [ julm ]; } -- cgit 1.4.1