From 05d334cfe265f021b16c41375e3e5a4c4a07fc74 Mon Sep 17 00:00:00 2001
From: Julien Moutinho <julm+nixpkgs@sourcephile.fr>
Date: Sun, 18 Oct 2020 15:36:24 +0200
Subject: Revert "Revert "apparmor: fix and improve the service""

This reverts commit 420f89ceb267b461eed5d025b6c3c0e57703cc5c.
---
 nixos/modules/tasks/network-interfaces.nix | 15 +++++++++++++++
 1 file changed, 15 insertions(+)

(limited to 'nixos/modules/tasks/network-interfaces.nix')

diff --git a/nixos/modules/tasks/network-interfaces.nix b/nixos/modules/tasks/network-interfaces.nix
index f501f85b2a9..448ff842f18 100644
--- a/nixos/modules/tasks/network-interfaces.nix
+++ b/nixos/modules/tasks/network-interfaces.nix
@@ -1111,6 +1111,21 @@ in
     } else {
       ping.source = "${pkgs.iputils.out}/bin/ping";
     };
+    security.apparmor.policies."bin.ping".profile = lib.mkIf config.security.apparmor.policies."bin.ping".enable (lib.mkAfter ''
+      /run/wrappers/bin/ping {
+        include <abstractions/base>
+        include <nixos/security.wrappers>
+        rpx /run/wrappers/wrappers.*/ping,
+      }
+      /run/wrappers/wrappers.*/ping {
+        include <abstractions/base>
+        include <nixos/security.wrappers>
+        r /run/wrappers/wrappers.*/ping.real,
+        mrpx ${config.security.wrappers.ping.source},
+        capability net_raw,
+        capability setpcap,
+      }
+    '');
 
     # Set the host and domain names in the activation script.  Don't
     # clear it if it's not configured in the NixOS configuration,
-- 
cgit 1.4.1