nixos/apparmor: allow reloading profiles without losing confinement

Define ExecReload, otherwise reload implies stop followed by start, which leaves existing processes in unconfined state [1]. [1]: https://gitlab.com/apparmor/apparmor/wikis/AppArmorInSystemd
2019-04-28 15:12:37 +02:00 · 2019-04-28 15:12:37 +02:00 · aa24c4e95b
commit aa24c4e95b
parent f824dad19a
1 changed files with 3 additions and 0 deletions
--- a/nixos/modules/security/apparmor.nix
+++ b/nixos/modules/security/apparmor.nix
@ -48,6 +48,9 @@ in
         ExecStop = map (p:
           ''${pkgs.apparmor-parser}/bin/apparmor_parser -Rv "${p}"''
         ) cfg.profiles;
+         ExecReload = map (p:
+           ''${pkgs.apparmor-parser}/bin/apparmor_parser --reload ${paths} "${p}"''
+         ) cfg.profiles;
       };
     };
   };