From 45e5d726b22db783731f0460870e9ab4f06bc5c4 Mon Sep 17 00:00:00 2001 From: Julien Moutinho Date: Sat, 27 Feb 2021 21:26:47 +0100 Subject: [PATCH] nixos/apparmor: improve code readability --- nixos/modules/security/apparmor.nix | 62 ++-- nixos/modules/security/apparmor/includes.nix | 328 ++++++++++--------- nixos/modules/security/misc.nix | 4 + nixos/modules/security/pam.nix | 112 ++++--- pkgs/os-specific/linux/apparmor/default.nix | 2 +- 5 files changed, 276 insertions(+), 232 deletions(-) diff --git a/nixos/modules/security/apparmor.nix b/nixos/modules/security/apparmor.nix index dfa695b81bb5..68bc3f126cb9 100644 --- a/nixos/modules/security/apparmor.nix +++ b/nixos/modules/security/apparmor.nix @@ -1,29 +1,31 @@ { config, lib, pkgs, ... }: +with lib; + let inherit (builtins) attrNames head map match readFile; inherit (lib) types; inherit (config.environment) etc; cfg = config.security.apparmor; - mkDisableOption = name: lib.mkEnableOption name // { + mkDisableOption = name: mkEnableOption name // { default = true; example = false; }; - enabledPolicies = lib.filterAttrs (n: p: p.enable) cfg.policies; + enabledPolicies = filterAttrs (n: p: p.enable) cfg.policies; in { imports = [ - (lib.mkRenamedOptionModule [ "security" "virtualization" "flushL1DataCache" ] [ "security" "virtualisation" "flushL1DataCache" ]) - (lib.mkRemovedOptionModule [ "security" "apparmor" "confineSUIDApplications" ] "Please use the new options: `security.apparmor.policies..enable'.") - (lib.mkRemovedOptionModule [ "security" "apparmor" "profiles" ] "Please use the new option: `security.apparmor.policies'.") + (mkRemovedOptionModule [ "security" "apparmor" "confineSUIDApplications" ] "Please use the new options: `security.apparmor.policies..enable'.") + (mkRemovedOptionModule [ "security" "apparmor" "profiles" ] "Please use the new option: `security.apparmor.policies'.") apparmor/includes.nix apparmor/profiles.nix ]; options = { security.apparmor = { - enable = lib.mkEnableOption ''the AppArmor Mandatory Access Control system. + enable = mkEnableOption '' + the AppArmor Mandatory Access Control system. If you're enabling this module on a running system, note that a reboot will be required to activate AppArmor in the kernel. @@ -38,7 +40,7 @@ in but leaves already running processes unconfined. Set killUnconfinedConfinables to false if you prefer to leave those processes running''; - policies = lib.mkOption { + policies = mkOption { description = '' AppArmor policies. ''; @@ -46,7 +48,7 @@ in options = { enable = mkDisableOption "loading of the profile into the kernel"; enforce = mkDisableOption "enforcing of the policy or only complain in the logs"; - profile = lib.mkOption { + profile = mkOption { description = "The policy of the profile."; type = types.lines; apply = pkgs.writeText name; @@ -55,28 +57,29 @@ in })); default = {}; }; - includes = lib.mkOption { + includes = mkOption { type = types.attrsOf types.lines; default = {}; description = '' List of paths to be added to AppArmor's searched paths when resolving include directives. ''; - apply = lib.mapAttrs pkgs.writeText; + apply = mapAttrs pkgs.writeText; }; - packages = lib.mkOption { + packages = mkOption { type = types.listOf types.package; default = []; description = "List of packages to be added to AppArmor's include path"; }; - enableCache = lib.mkEnableOption ''caching of AppArmor policies + enableCache = mkEnableOption '' + caching of AppArmor policies in /var/cache/apparmor/. Beware that AppArmor policies almost always contain Nix store paths, and thus produce at each change of these paths a new cached version accumulating in the cache''; - killUnconfinedConfinables = mkDisableOption ''killing of processes - which have an AppArmor profile enabled + killUnconfinedConfinables = mkDisableOption '' + killing of processes which have an AppArmor profile enabled (in policies) but are not confined (because AppArmor can only confine new processes). Beware that due to a current limitation of AppArmor, @@ -84,7 +87,7 @@ in }; }; - config = lib.mkIf cfg.enable { + config = mkIf cfg.enable { assertions = map (policy: { assertion = match ".*/.*" policy == null; message = "`security.apparmor.policies.\"${policy}\"' must not contain a slash."; @@ -100,15 +103,15 @@ in environment.etc."apparmor.d".source = pkgs.linkFarm "apparmor.d" ( # It's important to put only enabledPolicies here and not all cfg.policies # because aa-remove-unknown reads profiles from all /etc/apparmor.d/* - lib.mapAttrsToList (name: p: {inherit name; path=p.profile;}) enabledPolicies ++ - lib.mapAttrsToList (name: path: {inherit name path;}) cfg.includes + mapAttrsToList (name: p: { inherit name; path = p.profile; }) enabledPolicies ++ + mapAttrsToList (name: path: { inherit name path; }) cfg.includes ); environment.etc."apparmor/parser.conf".text = '' - ${if cfg.enableCache then "write-cache" else "skip-cache"} - cache-loc /var/cache/apparmor - Include /etc/apparmor.d - '' + - lib.concatMapStrings (p: "Include ${p}/etc/apparmor.d\n") cfg.packages; + ${if cfg.enableCache then "write-cache" else "skip-cache"} + cache-loc /var/cache/apparmor + Include /etc/apparmor.d + '' + + concatMapStrings (p: "Include ${p}/etc/apparmor.d\n") cfg.packages; # For aa-logprof environment.etc."apparmor/apparmor.conf".text = '' ''; @@ -134,12 +137,13 @@ in # 3 - force all perms on the rule to be user default_owner_prompt = 1 - custom_includes = /etc/apparmor.d ${lib.concatMapStringsSep " " (p: "${p}/etc/apparmor.d") cfg.packages} + custom_includes = /etc/apparmor.d ${concatMapStringsSep " " (p: "${p}/etc/apparmor.d") cfg.packages} [qualifiers] ${pkgs.runtimeShell} = icnu ${pkgs.bashInteractive}/bin/sh = icnu ${pkgs.bashInteractive}/bin/bash = icnu + ${config.users.defaultUserShell} = icnu ''; footer = "${pkgs.apparmor-utils}/etc/apparmor/logprof.conf"; passAsFile = [ "header" ]; @@ -177,17 +181,17 @@ in xargs --verbose --no-run-if-empty --delimiter='\n' \ kill ''; - commonOpts = p: "--verbose --show-cache ${lib.optionalString (!p.enforce) "--complain "}${p.profile}"; + commonOpts = p: "--verbose --show-cache ${optionalString (!p.enforce) "--complain "}${p.profile}"; in { Type = "oneshot"; RemainAfterExit = "yes"; ExecStartPre = "${pkgs.apparmor-utils}/bin/aa-teardown"; - ExecStart = lib.mapAttrsToList (n: p: "${pkgs.apparmor-parser}/bin/apparmor_parser --add ${commonOpts p}") enabledPolicies; - ExecStartPost = lib.optional cfg.killUnconfinedConfinables killUnconfinedConfinables; + ExecStart = mapAttrsToList (n: p: "${pkgs.apparmor-parser}/bin/apparmor_parser --add ${commonOpts p}") enabledPolicies; + ExecStartPost = optional cfg.killUnconfinedConfinables killUnconfinedConfinables; ExecReload = # Add or replace into the kernel profiles in enabledPolicies # (because AppArmor can do that without stopping the processes already confined). - lib.mapAttrsToList (n: p: "${pkgs.apparmor-parser}/bin/apparmor_parser --replace ${commonOpts p}") enabledPolicies ++ + mapAttrsToList (n: p: "${pkgs.apparmor-parser}/bin/apparmor_parser --replace ${commonOpts p}") enabledPolicies ++ # Remove from the kernel any profile whose name is not # one of the names within the content of the profiles in enabledPolicies # (indirectly read from /etc/apparmor.d/*, without recursing into sub-directory). @@ -195,7 +199,7 @@ in [ "${pkgs.apparmor-utils}/bin/aa-remove-unknown" ] ++ # Optionaly kill the processes which are unconfined but now have a profile loaded # (because AppArmor can only start to confine new processes). - lib.optional cfg.killUnconfinedConfinables killUnconfinedConfinables; + optional cfg.killUnconfinedConfinables killUnconfinedConfinables; ExecStop = "${pkgs.apparmor-utils}/bin/aa-teardown"; CacheDirectory = [ "apparmor" "apparmor/logprof" ]; CacheDirectoryMode = "0700"; @@ -203,5 +207,5 @@ in }; }; - meta.maintainers = with lib.maintainers; [ julm ]; + meta.maintainers = with maintainers; [ julm ]; } diff --git a/nixos/modules/security/apparmor/includes.nix b/nixos/modules/security/apparmor/includes.nix index 498d7e77650a..e3dd410b3bb5 100644 --- a/nixos/modules/security/apparmor/includes.nix +++ b/nixos/modules/security/apparmor/includes.nix @@ -3,13 +3,15 @@ let inherit (builtins) attrNames hasAttr isAttrs; inherit (lib) getLib; inherit (config.environment) etc; + # Utility to generate an AppArmor rule + # only when the given path exists in config.environment.etc etcRule = arg: - let go = {path ? null, mode ? "r", trail ? ""}: + let go = { path ? null, mode ? "r", trail ? "" }: lib.optionalString (hasAttr path etc) "${mode} ${config.environment.etc.${path}.source}${trail},"; in if isAttrs arg then go arg - else go {path=arg;}; + else go { path = arg; }; in { # FIXME: most of the etcRule calls below have been @@ -29,76 +31,80 @@ config.security.apparmor.includes = { ''; "abstractions/audio" = '' include "${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/audio" - ${etcRule "asound.conf"} - ${etcRule "esound/esd.conf"} - ${etcRule "libao.conf"} - ${etcRule {path="pulse"; trail="/";}} - ${etcRule {path="pulse"; trail="/**";}} - ${etcRule {path="sound"; trail="/";}} - ${etcRule {path="sound"; trail="/**";}} - ${etcRule {path="alsa/conf.d"; trail="/";}} - ${etcRule {path="alsa/conf.d"; trail="/*";}} - ${etcRule "openal/alsoft.conf"} - ${etcRule "wildmidi/wildmidi.conf"} - ''; + '' + lib.concatMapStringsSep "\n" etcRule [ + "asound.conf" + "esound/esd.conf" + "libao.conf" + { path = "pulse"; trail = "/"; } + { path = "pulse"; trail = "/**"; } + { path = "sound"; trail = "/"; } + { path = "sound"; trail = "/**"; } + { path = "alsa/conf.d"; trail = "/"; } + { path = "alsa/conf.d"; trail = "/*"; } + "openal/alsoft.conf" + "wildmidi/wildmidi.conf" + ]; "abstractions/authentication" = '' include "${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/authentication" # Defined in security.pam include - ${etcRule "nologin"} - ${etcRule "securetty"} - ${etcRule {path="security"; trail="/*";}} - ${etcRule "shadow"} - ${etcRule "gshadow"} - ${etcRule "pwdb.conf"} - ${etcRule "default/passwd"} - ${etcRule "login.defs"} - ''; + '' + lib.concatMapStringsSep "\n" etcRule [ + "nologin" + "securetty" + { path = "security"; trail = "/*"; } + "shadow" + "gshadow" + "pwdb.conf" + "default/passwd" + "login.defs" + ]; "abstractions/base" = '' - include "${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/base" - r ${pkgs.stdenv.cc.libc}/share/locale/**, - r ${pkgs.stdenv.cc.libc}/share/locale.alias, - ${lib.optionalString (pkgs.glibcLocales != null) "r ${pkgs.glibcLocales}/lib/locale/locale-archive,"} - ${etcRule "localtime"} - r ${pkgs.tzdata}/share/zoneinfo/**, - r ${pkgs.stdenv.cc.libc}/share/i18n/**, + include "${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/base" + r ${pkgs.stdenv.cc.libc}/share/locale/**, + r ${pkgs.stdenv.cc.libc}/share/locale.alias, + ${lib.optionalString (pkgs.glibcLocales != null) "r ${pkgs.glibcLocales}/lib/locale/locale-archive,"} + ${etcRule "localtime"} + r ${pkgs.tzdata}/share/zoneinfo/**, + r ${pkgs.stdenv.cc.libc}/share/i18n/**, ''; "abstractions/bash" = '' include "${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/bash" - # system-wide bash configuration - ${etcRule "profile.dos"} - ${etcRule "profile"} - ${etcRule "profile.d"} - ${etcRule {path="profile.d"; trail="/*";}} - ${etcRule "bashrc"} - ${etcRule "bash.bashrc"} - ${etcRule "bash.bashrc.local"} - ${etcRule "bash_completion"} - ${etcRule "bash_completion.d"} - ${etcRule {path="bash_completion.d"; trail="/*";}} - # bash relies on system-wide readline configuration - ${etcRule "inputrc"} + # bash inspects filesystems at startup # and /etc/mtab is linked to /proc/mounts @{PROC}/mounts - # run out of /etc/bash.bashrc - ${etcRule "DIR_COLORS"} + # system-wide bash configuration + '' + lib.concatMapStringsSep "\n" etcRule [ + "profile.dos" + "profile" + "profile.d" + { path = "profile.d"; trail = "/*"; } + "bashrc" + "bash.bashrc" + "bash.bashrc.local" + "bash_completion" + "bash_completion.d" + { path = "bash_completion.d"; trail = "/*"; } + # bash relies on system-wide readline configuration + "inputrc" + # run out of /etc/bash.bashrc + "DIR_COLORS" + ]; + "abstractions/consoles" = '' + include "${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/consoles" ''; "abstractions/cups-client" = '' include "${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/cpus-client" ${etcRule "cups/cups-client.conf"} ''; - "abstractions/consoles" = '' - include "${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/consoles" - ''; "abstractions/dbus-session-strict" = '' include "${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/dbus-session-strict" ${etcRule "machine-id"} ''; "abstractions/dconf" = '' include "${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/dconf" - ${etcRule {path="dconf"; trail="/**";}} + ${etcRule { path = "dconf"; trail = "/**"; }} ''; "abstractions/dri-common" = '' include "${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/dri-common" @@ -109,62 +115,66 @@ config.security.apparmor.includes = { # those are therefore added there to this "abstractions/fonts". "abstractions/fonts" = '' include "${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/fonts" - ${etcRule {path="fonts"; trail="/**";}} + ${etcRule { path = "fonts"; trail = "/**"; }} ''; "abstractions/gnome" = '' include "${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/gnome" - ${etcRule {path="gnome"; trail="/gtkrc*";}} - ${etcRule {path="gtk"; trail="/*";}} - ${etcRule {path="gtk-2.0"; trail="/*";}} - ${etcRule {path="gtk-3.0"; trail="/*";}} - ${etcRule "orbitrc"} include - ${etcRule {path="pango"; trail="/*";}} - ${etcRule {path="/etc/gnome-vfs-2.0"; trail="/modules/";}} - ${etcRule {path="/etc/gnome-vfs-2.0"; trail="/modules/*";}} - ${etcRule "papersize"} - ${etcRule {path="cups"; trail="/lpoptions";}} - ${etcRule {path="gnome"; trail="/defaults.list";}} - ${etcRule {path="xdg"; trail="/{,*-}mimeapps.list";}} - ${etcRule "xdg/mimeapps.list"} - ''; + '' + lib.concatMapStringsSep "\n" etcRule [ + { path = "gnome"; trail = "/gtkrc*"; } + { path = "gtk"; trail = "/*"; } + { path = "gtk-2.0"; trail = "/*"; } + { path = "gtk-3.0"; trail = "/*"; } + "orbitrc" + { path = "pango"; trail = "/*"; } + { path = "/etc/gnome-vfs-2.0"; trail = "/modules/"; } + { path = "/etc/gnome-vfs-2.0"; trail = "/modules/*"; } + "papersize" + { path = "cups"; trail = "/lpoptions"; } + { path = "gnome"; trail = "/defaults.list"; } + { path = "xdg"; trail = "/{,*-}mimeapps.list"; } + "xdg/mimeapps.list" + ]; "abstractions/kde" = '' include "${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/kde" - ${etcRule {path="qt3"; trail="/kstylerc";}} - ${etcRule {path="qt3"; trail="/qt_plugins_3.3rc";}} - ${etcRule {path="qt3"; trail="/qtrc";}} - ${etcRule "kderc"} - ${etcRule {path="kde3"; trail="/*";}} - ${etcRule "kde4rc"} - ${etcRule {path="xdg"; trail="/kdeglobals";}} - ${etcRule {path="xdg"; trail="/Trolltech.conf";}} - ''; + '' + lib.concatMapStringsSep "\n" etcRule [ + { path = "qt3"; trail = "/kstylerc"; } + { path = "qt3"; trail = "/qt_plugins_3.3rc"; } + { path = "qt3"; trail = "/qtrc"; } + "kderc" + { path = "kde3"; trail = "/*"; } + "kde4rc" + { path = "xdg"; trail = "/kdeglobals"; } + { path = "xdg"; trail = "/Trolltech.conf"; } + ]; "abstractions/kerberosclient" = '' include "${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/kerberosclient" - ${etcRule {path="krb5.keytab"; mode="rk";}} - ${etcRule "krb5.conf"} - ${etcRule "krb5.conf.d"} - ${etcRule {path="krb5.conf.d"; trail="/*";}} + '' + lib.concatMapStringsSep "\n" etcRule [ + { path = "krb5.keytab"; mode="rk"; } + "krb5.conf" + "krb5.conf.d" + { path = "krb5.conf.d"; trail = "/*"; } # config files found via strings on libs - ${etcRule "krb.conf"} - ${etcRule "krb.realms"} - ${etcRule "srvtab"} - ''; + "krb.conf" + "krb.realms" + "srvtab" + ]; "abstractions/ldapclient" = '' include "${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/ldapclient" - ${etcRule "ldap.conf"} - ${etcRule "ldap.secret"} - ${etcRule {path="openldap"; trail="/*";}} - ${etcRule {path="openldap"; trail="/cacerts/*";}} - ${etcRule {path="sasl2"; trail="/*";}} - ''; + '' + lib.concatMapStringsSep "\n" etcRule [ + "ldap.conf" + "ldap.secret" + { path = "openldap"; trail = "/*"; } + { path = "openldap"; trail = "/cacerts/*"; } + { path = "sasl2"; trail = "/*"; } + ]; "abstractions/likewise" = '' include "${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/likewise" ''; "abstractions/mdns" = '' include "${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/mdns" - ${etcRule "nss_mdns.conf"} + ${etcRule "nss_mdns.conf"} ''; "abstractions/nameservice" = '' include "${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/nameservice" @@ -173,31 +183,31 @@ config.security.apparmor.includes = { # looking up users by name or id, groups by name or id, hosts by name # or IP, etc. These operations may be performed through files, dns, # NIS, NIS+, LDAP, hesiod, wins, etc. Allow them all here. - ${etcRule "group"} - ${etcRule "host.conf"} - ${etcRule "hosts"} - ${etcRule "nsswitch.conf"} - ${etcRule "gai.conf"} - ${etcRule "passwd"} - ${etcRule "protocols"} - - # libtirpc (used for NIS/YP login) needs this - ${etcRule "netconfig"} - - ${etcRule "resolv.conf"} - - ${etcRule {path="samba"; trail="/lmhosts";}} - ${etcRule "services"} - - ${etcRule "default/nss"} - - # libnl-3-200 via libnss-gw-name - ${etcRule {path="libnl"; trail="/classid";}} - ${etcRule {path="libnl-3"; trail="/classid";}} - mr ${getLib pkgs.nss}/lib/libnss_*.so*, mr ${getLib pkgs.nss}/lib64/libnss_*.so*, - ''; + '' + lib.concatMapStringsSep "\n" etcRule [ + "group" + "host.conf" + "hosts" + "nsswitch.conf" + "gai.conf" + "passwd" + "protocols" + + # libtirpc (used for NIS/YP login) needs this + "netconfig" + + "resolv.conf" + + { path = "samba"; trail = "/lmhosts"; } + "services" + + "default/nss" + + # libnl-3-200 via libnss-gw-name + { path = "libnl"; trail = "/classid"; } + { path = "libnl-3"; trail = "/classid"; } + ]; "abstractions/nis" = '' include "${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/nis" ''; @@ -207,7 +217,7 @@ config.security.apparmor.includes = { ''; "abstractions/opencl-common" = '' include "${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/opencl-common" - ${etcRule {path="OpenCL"; trail="/**";}} + ${etcRule { path = "OpenCL"; trail = "/**"; }} ''; "abstractions/opencl-mesa" = '' include "${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/opencl-mesa" @@ -215,68 +225,74 @@ config.security.apparmor.includes = { ''; "abstractions/openssl" = '' include "${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/openssl" - ${etcRule {path="ssl"; trail="/openssl.cnf";}} + ${etcRule { path = "ssl"; trail = "/openssl.cnf"; }} ''; "abstractions/p11-kit" = '' include "${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/p11-kit" - ${etcRule {path="pkcs11"; trail="/";}} - ${etcRule {path="pkcs11"; trail="/pkcs11.conf";}} - ${etcRule {path="pkcs11"; trail="/modules/";}} - ${etcRule {path="pkcs11"; trail="/modules/*";}} - ''; + '' + lib.concatMapStringsSep "\n" etcRule [ + { path = "pkcs11"; trail = "/"; } + { path = "pkcs11"; trail = "/pkcs11.conf"; } + { path = "pkcs11"; trail = "/modules/"; } + { path = "pkcs11"; trail = "/modules/*"; } + ]; "abstractions/perl" = '' include "${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/perl" - ${etcRule {path="perl"; trail="/**";}} + ${etcRule { path = "perl"; trail = "/**"; }} ''; "abstractions/php" = '' include "${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/php" - ${etcRule {path="php"; trail="/**/";}} - ${etcRule {path="php5"; trail="/**/";}} - ${etcRule {path="php7"; trail="/**/";}} - ${etcRule {path="php"; trail="/**.ini";}} - ${etcRule {path="php5"; trail="/**.ini";}} - ${etcRule {path="php7"; trail="/**.ini";}} - ''; + '' + lib.concatMapStringsSep "\n" etcRule [ + { path = "php"; trail = "/**/"; } + { path = "php5"; trail = "/**/"; } + { path = "php7"; trail = "/**/"; } + { path = "php"; trail = "/**.ini"; } + { path = "php5"; trail = "/**.ini"; } + { path = "php7"; trail = "/**.ini"; } + ]; "abstractions/postfix-common" = '' include "${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/postfix-common" - ${etcRule "mailname"} - ${etcRule {path="postfix"; trail="/*.cf";}} - ${etcRule "postfix/main.cf"} - ${etcRule "postfix/master.cf"} - ''; + '' + lib.concatMapStringsSep "\n" etcRule [ + "mailname" + { path = "postfix"; trail = "/*.cf"; } + "postfix/main.cf" + "postfix/master.cf" + ]; "abstractions/python" = '' include "${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/python" ''; "abstractions/qt5" = '' include "${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/qt5" - ${etcRule {path="xdg"; trail="/QtProject/qtlogging.ini";}} - ${etcRule {path="xdg/QtProject"; trail="/qtlogging.ini";}} - ${etcRule "xdg/QtProject/qtlogging.ini"} - ''; + '' + lib.concatMapStringsSep "\n" etcRule [ + { path = "xdg"; trail = "/QtProject/qtlogging.ini"; } + { path = "xdg/QtProject"; trail = "/qtlogging.ini"; } + "xdg/QtProject/qtlogging.ini" + ]; "abstractions/samba" = '' include "${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/samba" - ${etcRule {path="samba"; trail="/*";}} + ${etcRule { path = "samba"; trail = "/*"; }} ''; "abstractions/ssl_certs" = '' include "${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/ssl_certs" - ${etcRule "ssl/certs/ca-certificates.crt"} - ${etcRule "ssl/certs/ca-bundle.crt"} - ${etcRule "pki/tls/certs/ca-bundle.crt"} - ${etcRule {path="ssl/trust"; trail="/";}} - ${etcRule {path="ssl/trust"; trail="/*";}} - ${etcRule {path="ssl/trust/anchors"; trail="/";}} - ${etcRule {path="ssl/trust/anchors"; trail="/**";}} - ${etcRule {path="pki/trust"; trail="/";}} - ${etcRule {path="pki/trust"; trail="/*";}} - ${etcRule {path="pki/trust/anchors"; trail="/";}} - ${etcRule {path="pki/trust/anchors"; trail="/**";}} - - # security.acme NixOS module + # For the NixOS module: security.acme r /var/lib/acme/*/cert.pem, r /var/lib/acme/*/chain.pem, r /var/lib/acme/*/fullchain.pem, - ''; + + '' + lib.concatMapStringsSep "\n" etcRule [ + "ssl/certs/ca-certificates.crt" + "ssl/certs/ca-bundle.crt" + "pki/tls/certs/ca-bundle.crt" + + { path = "ssl/trust"; trail = "/"; } + { path = "ssl/trust"; trail = "/*"; } + { path = "ssl/trust/anchors"; trail = "/"; } + { path = "ssl/trust/anchors"; trail = "/**"; } + { path = "pki/trust"; trail = "/"; } + { path = "pki/trust"; trail = "/*"; } + { path = "pki/trust/anchors"; trail = "/"; } + { path = "pki/trust/anchors"; trail = "/**"; } + ]; "abstractions/ssl_keys" = '' # security.acme NixOS module r /var/lib/acme/*/full.pem, @@ -284,18 +300,18 @@ config.security.apparmor.includes = { ''; "abstractions/vulkan" = '' include "${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/vulkan" - ${etcRule {path="vulkan/icd.d"; trail="/";}} - ${etcRule {path="vulkan/icd.d"; trail="/*.json";}} + ${etcRule { path = "vulkan/icd.d"; trail = "/"; }} + ${etcRule { path = "vulkan/icd.d"; trail = "/*.json"; }} ''; "abstractions/winbind" = '' include "${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/winbind" - ${etcRule {path="samba"; trail="/smb.conf";}} - ${etcRule {path="samba"; trail="/dhcp.conf";}} + ${etcRule { path = "samba"; trail = "/smb.conf"; }} + ${etcRule { path = "samba"; trail = "/dhcp.conf"; }} ''; "abstractions/X" = '' include "${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/X" - ${etcRule {path="X11/cursors"; trail="/";}} - ${etcRule {path="X11/cursors"; trail="/**";}} + ${etcRule { path = "X11/cursors"; trail = "/"; }} + ${etcRule { path = "X11/cursors"; trail = "/**"; }} ''; }; } diff --git a/nixos/modules/security/misc.nix b/nixos/modules/security/misc.nix index d51dbbb77f71..e7abc1e0d597 100644 --- a/nixos/modules/security/misc.nix +++ b/nixos/modules/security/misc.nix @@ -7,6 +7,10 @@ with lib; maintainers = [ maintainers.joachifm ]; }; + imports = [ + (lib.mkRenamedOptionModule [ "security" "virtualization" "flushL1DataCache" ] [ "security" "virtualisation" "flushL1DataCache" ]) + ]; + options = { security.allowUserNamespaces = mkOption { type = types.bool; diff --git a/nixos/modules/security/pam.nix b/nixos/modules/security/pam.nix index 8216c03795a5..1c49131d7895 100644 --- a/nixos/modules/security/pam.nix +++ b/nixos/modules/security/pam.nix @@ -897,59 +897,79 @@ in security.apparmor.includes."abstractions/pam" = let isEnabled = test: fold or false (map test (attrValues config.security.pam.services)); - in '' - ${lib.concatMapStringsSep "\n" - (name: "r ${config.environment.etc."pam.d/${name}".source},") - (attrNames config.security.pam.services)} + in + lib.concatMapStringsSep "\n" + (name: "r ${config.environment.etc."pam.d/${name}".source},") + (attrNames config.security.pam.services) + + '' mr ${getLib pkgs.pam}/lib/security/pam_filter/*, mr ${getLib pkgs.pam}/lib/security/pam_*.so, r ${getLib pkgs.pam}/lib/security/, - ${optionalString use_ldap - "mr ${pam_ldap}/lib/security/pam_ldap.so,"} - ${optionalString config.services.sssd.enable - "mr ${pkgs.sssd}/lib/security/pam_sss.so,"} - ${optionalString config.krb5.enable '' + '' + + optionalString use_ldap '' + mr ${pam_ldap}/lib/security/pam_ldap.so, + '' + + optionalString config.services.sssd.enable '' + mr ${pkgs.sssd}/lib/security/pam_sss.so, + '' + + optionalString config.krb5.enable '' mr ${pam_krb5}/lib/security/pam_krb5.so, mr ${pam_ccreds}/lib/security/pam_ccreds.so, - ''} - ${optionalString (isEnabled (cfg: cfg.googleOsLoginAccountVerification)) '' + '' + + optionalString (isEnabled (cfg: cfg.googleOsLoginAccountVerification)) '' mr ${pkgs.google-compute-engine-oslogin}/lib/pam_oslogin_login.so, mr ${pkgs.google-compute-engine-oslogin}/lib/pam_oslogin_admin.so, - ''} - ${optionalString (isEnabled (cfg: cfg.googleOsLoginAuthentication)) - "mr ${pkgs.google-compute-engine-oslogin}/lib/pam_oslogin_login.so,"} - ${optionalString (config.security.pam.enableSSHAgentAuth && isEnabled (cfg: cfg.sshAgentAuth)) - "mr ${pkgs.pam_ssh_agent_auth}/libexec/pam_ssh_agent_auth.so,"} - ${optionalString (isEnabled (cfg: cfg.fprintAuth)) - "mr ${pkgs.fprintd}/lib/security/pam_fprintd.so,"} - ${optionalString (isEnabled (cfg: cfg.u2fAuth)) - "mr ${pkgs.pam_u2f}/lib/security/pam_u2f.so,"} - ${optionalString (isEnabled (cfg: cfg.usbAuth)) - "mr ${pkgs.pam_usb}/lib/security/pam_usb.so,"} - ${optionalString (isEnabled (cfg: cfg.oathAuth)) - "mr ${pkgs.oathToolkit}/lib/security/pam_oath.so,"} - ${optionalString (isEnabled (cfg: cfg.yubicoAuth)) - "mr ${pkgs.yubico-pam}/lib/security/pam_yubico.so,"} - ${optionalString (isEnabled (cfg: cfg.duoSecurity.enable)) - "mr ${pkgs.duo-unix}/lib/security/pam_duo.so,"} - ${optionalString (isEnabled (cfg: cfg.otpwAuth)) - "mr ${pkgs.otpw}/lib/security/pam_otpw.so,"} - ${optionalString config.security.pam.enableEcryptfs - "mr ${pkgs.ecryptfs}/lib/security/pam_ecryptfs.so,"} - ${optionalString (isEnabled (cfg: cfg.pamMount)) - "mr ${pkgs.pam_mount}/lib/security/pam_mount.so,"} - ${optionalString (isEnabled (cfg: cfg.enableGnomeKeyring)) - "mr ${pkgs.gnome3.gnome-keyring}/lib/security/pam_gnome_keyring.so,"} - ${optionalString (isEnabled (cfg: cfg.startSession)) - "mr ${pkgs.systemd}/lib/security/pam_systemd.so,"} - ${optionalString (isEnabled (cfg: cfg.enableAppArmor) && config.security.apparmor.enable) - "mr ${pkgs.apparmor-pam}/lib/security/pam_apparmor.so,"} - ${optionalString (isEnabled (cfg: cfg.enableKwallet)) - "mr ${pkgs.plasma5.kwallet-pam}/lib/security/pam_kwallet5.so,"} - ${optionalString config.virtualisation.lxc.lxcfs.enable - "mr ${pkgs.lxc}/lib/security/pam_cgfs.so"} - ''; - + '' + + optionalString (isEnabled (cfg: cfg.googleOsLoginAuthentication)) '' + mr ${pkgs.google-compute-engine-oslogin}/lib/pam_oslogin_login.so, + '' + + optionalString (config.security.pam.enableSSHAgentAuth + && isEnabled (cfg: cfg.sshAgentAuth)) '' + mr ${pkgs.pam_ssh_agent_auth}/libexec/pam_ssh_agent_auth.so, + '' + + optionalString (isEnabled (cfg: cfg.fprintAuth)) '' + mr ${pkgs.fprintd}/lib/security/pam_fprintd.so, + '' + + optionalString (isEnabled (cfg: cfg.u2fAuth)) '' + mr ${pkgs.pam_u2f}/lib/security/pam_u2f.so, + '' + + optionalString (isEnabled (cfg: cfg.usbAuth)) '' + mr ${pkgs.pam_usb}/lib/security/pam_usb.so, + '' + + optionalString (isEnabled (cfg: cfg.oathAuth)) '' + "mr ${pkgs.oathToolkit}/lib/security/pam_oath.so, + '' + + optionalString (isEnabled (cfg: cfg.yubicoAuth)) '' + mr ${pkgs.yubico-pam}/lib/security/pam_yubico.so, + '' + + optionalString (isEnabled (cfg: cfg.duoSecurity.enable)) '' + mr ${pkgs.duo-unix}/lib/security/pam_duo.so, + '' + + optionalString (isEnabled (cfg: cfg.otpwAuth)) '' + mr ${pkgs.otpw}/lib/security/pam_otpw.so, + '' + + optionalString config.security.pam.enableEcryptfs '' + mr ${pkgs.ecryptfs}/lib/security/pam_ecryptfs.so, + '' + + optionalString (isEnabled (cfg: cfg.pamMount)) '' + mr ${pkgs.pam_mount}/lib/security/pam_mount.so, + '' + + optionalString (isEnabled (cfg: cfg.enableGnomeKeyring)) '' + mr ${pkgs.gnome3.gnome-keyring}/lib/security/pam_gnome_keyring.so, + '' + + optionalString (isEnabled (cfg: cfg.startSession)) '' + mr ${pkgs.systemd}/lib/security/pam_systemd.so, + '' + + optionalString (isEnabled (cfg: cfg.enableAppArmor) + && config.security.apparmor.enable) '' + mr ${pkgs.apparmor-pam}/lib/security/pam_apparmor.so, + '' + + optionalString (isEnabled (cfg: cfg.enableKwallet)) '' + mr ${pkgs.plasma5.kwallet-pam}/lib/security/pam_kwallet5.so, + '' + + optionalString config.virtualisation.lxc.lxcfs.enable '' + mr ${pkgs.lxc}/lib/security/pam_cgfs.so + ''; }; } diff --git a/pkgs/os-specific/linux/apparmor/default.nix b/pkgs/os-specific/linux/apparmor/default.nix index 67d354b42bc3..5804a33c4853 100644 --- a/pkgs/os-specific/linux/apparmor/default.nix +++ b/pkgs/os-specific/linux/apparmor/default.nix @@ -290,7 +290,7 @@ let , name ? "" }: rootPaths: runCommand ( "apparmor-closure-rules" - + lib.optionalString (name != "") "-${name}") {} '' + + lib.optionalString (name != "") "-${name}" ) {} '' touch $out while read -r path do printf >>$out "%s,\n" ${lib.concatMapStringsSep " " (x: "\"${x}\"") (baseRules ++ additionalRules)}