nixos: add AppArmor PAM support
Enables attaching AppArmor profiles at the user/group level. This is not intended to be used directly, but as part of a role-based access control scheme. For now, profile attachment is 'session optional', but should be changed to 'required' once a more comprehensive solution is in place.
parent
6ad8fab785
commit
2e0933787b
@ -37,13 +37,5 @@ in
|
||||
) cfg.profiles;
|
||||
};
|
||||
};
|
||||
|
||||
security.pam.services.apparmor.text = ''
|
||||
## AppArmor changes hats according to `order`: first try user, then
|
||||
## group, and finally fall back to a hat called "DEFAULT"
|
||||
##
|
||||
## For now, enable debugging as this is an experimental feature.
|
||||
session optional ${pkgs.apparmor-pam}/lib/security/pam_apparmor.so order=user,group,default debug
|
||||
'';
|
||||
};
|
||||
}
|
||||
|
@ -192,6 +192,16 @@ let
|
||||
description = "Whether to log authentication failures in <filename>/var/log/faillog</filename>.";
|
||||
};
|
||||
|
||||
enableAppArmor = mkOption {
|
||||
default = false;
|
||||
type = types.bool;
|
||||
description = ''
|
||||
Enable support for attaching AppArmor profiles at the
|
||||
user/group level, e.g., as part of a role based access
|
||||
control scheme.
|
||||
'';
|
||||
};
|
||||
|
||||
text = mkOption {
|
||||
type = types.nullOr types.lines;
|
||||
description = "Contents of the PAM service file.";
|
||||
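Review bot: The `enableAppArmor` description does not say that the option has no effect unless `security.apparmor.enable` is also set, which is the condition the generated service line checks (`cfg.enableAppArmor && config.security.apparmor.enable` in the following hunk). An operator who sets this per-service flag without the global AppArmor module gets no profile attachment and no error, which is the silent-failure case a confinement feature should not have. Suggest appending to the description: `Has no effect unless security.apparmor.enable is also set.`, and, since the module system already supports it, an assertion that `enableAppArmor` implies `config.security.apparmor.enable` so the mismatch becomes a configuration error rather than a no-op. The enclosing `let` block starts and ends outside the hunk.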
@ -294,6 +304,8 @@ let
|
||||
"session optional ${pkgs.pam}/lib/security/pam_motd.so motd=${motd}"}
|
||||
${optionalString cfg.pamMount
|
||||
"session optional ${pkgs.pam_mount}/lib/security/pam_mount.so"}
|
||||
${optionalString (cfg.enableAppArmor && config.security.apparmor.enable)
|
||||
"session optional ${pkgs.apparmor-pam}/lib/security/pam_apparmor.so order=user,group,default debug"}
|
||||
'';
|
||||
};
|
||||
|
||||
|
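Review bot: The generated pam_apparmor.so line hard-codes `debug` for every PAM service that sets `enableAppArmor`, and the comment that justified it ("enable debugging as this is an experimental feature") was removed together with the old `security.pam.services.apparmor` block in the first hunk, so the new side no longer explains why. Module debug output presumably goes to the system log via PAM's syslog path, which is per-session noise once the feature is stable and should not be left on by default without a reason. Suggest a Nix comment above the `optionalString` line, `# debug is deliberate while the AppArmor PAM integration is experimental; drop it when this becomes 'required'`, or making the flag conditional. Note also that `session optional` means a failed hat change never fails the session, which the commit message acknowledges as temporary; the comment is the place to record that intent so it is not forgotten. The service-file string and its enclosing expression continue outside the hunk.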