2e0933787b
Enables attaching AppArmor profiles at the user/group level. This is not intended to be used directly, but as part of a role-based access control scheme. For now, profile attachment is 'session optional', but should be changed to 'required' once a more comprehensive solution is in place.
42 lines
1.1 KiB
Nix
42 lines
1.1 KiB
Nix
{ config, lib, pkgs, ... }:
|
|
|
|
let
|
|
inherit (lib) mkIf mkOption types concatMapStrings;
|
|
cfg = config.security.apparmor;
|
|
in
|
|
|
|
{
|
|
options = {
|
|
security.apparmor = {
|
|
enable = mkOption {
|
|
type = types.bool;
|
|
default = false;
|
|
description = "Enable the AppArmor Mandatory Access Control system.";
|
|
};
|
|
profiles = mkOption {
|
|
type = types.listOf types.path;
|
|
default = [];
|
|
description = "List of files containing AppArmor profiles.";
|
|
};
|
|
};
|
|
};
|
|
|
|
config = mkIf cfg.enable {
|
|
environment.systemPackages = [ pkgs.apparmor-utils ];
|
|
|
|
systemd.services.apparmor = {
|
|
wantedBy = [ "local-fs.target" ];
|
|
serviceConfig = {
|
|
Type = "oneshot";
|
|
RemainAfterExit = "yes";
|
|
ExecStart = concatMapStrings (p:
|
|
''${pkgs.apparmor-parser}/bin/apparmor_parser -rKv -I ${pkgs.apparmor-profiles}/etc/apparmor.d "${p}" ; ''
|
|
) cfg.profiles;
|
|
ExecStop = concatMapStrings (p:
|
|
''${pkgs.apparmor-parser}/bin/apparmor_parser -Rv "${p}" ; ''
|
|
) cfg.profiles;
|
|
};
|
|
};
|
|
};
|
|
}
|