From e5e9887e38da3a34519930a21fa6d2ae97ebc407 Mon Sep 17 00:00:00 2001
From: Janne Heß <janne@hess.ooo>
Date: Mon, 2 Nov 2020 22:42:55 +0100
Subject: nixos/dbus: Add AppArmor support

---
 nixos/modules/services/system/dbus.nix | 15 +++++++++++++++
 1 file changed, 15 insertions(+)

(limited to 'nixos/modules/services/system/dbus.nix')

diff --git a/nixos/modules/services/system/dbus.nix b/nixos/modules/services/system/dbus.nix
index f8d909a4a3c..d4cacb85694 100644
--- a/nixos/modules/services/system/dbus.nix
+++ b/nixos/modules/services/system/dbus.nix
@@ -11,6 +11,7 @@ let
   homeDir = "/run/dbus";
 
   configDir = pkgs.makeDBusConf {
+    inherit (cfg) apparmor;
     suidHelper = "${config.security.wrapperDir}/dbus-daemon-launch-helper";
     serviceDirectories = cfg.packages;
   };
@@ -51,6 +52,20 @@ in
         '';
       };
 
+      apparmor = mkOption {
+        type = types.enum [ "enabled" "disabled" "required" ];
+        description = ''
+          AppArmor mode for dbus.
+
+          <literal>enabled</literal> enables mediation when it's
+          supported in the kernel, <literal>disabled</literal>
+          always disables AppArmor even with kernel support, and
+          <literal>required</literal> fails when AppArmor was not found
+          in the kernel.
+        '';
+        default = "disabled";
+      };
+
       socketActivated = mkOption {
         type = types.nullOr types.bool;
         default = null;
-- 
cgit 1.4.1