alioth/nixpkgs
3
0
Fork 0
forked from mirrors/nixpkgs
Code Releases Activity

nixos/apparmor: improve code readability

Browse source
This commit is contained in:
Julien Moutinho 2021-02-27 21:26:47 +01:00
parent b280e64078
commit 45e5d726b2
5 changed files with 276 additions and 232 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

62
nixos/modules/security/apparmor.nix
View file

@ -1,29 +1,31 @@
{ config, lib, pkgs, ... }:
with lib;
let
inherit (builtins) attrNames head map match readFile;
inherit (lib) types;
inherit (config.environment) etc;
cfg = config.security.apparmor;
mkDisableOption = name: lib.mkEnableOption name // {
mkDisableOption = name: mkEnableOption name // {
default = true;
example = false;
};
enabledPolicies = lib.filterAttrs (n: p: p.enable) cfg.policies;
enabledPolicies = filterAttrs (n: p: p.enable) cfg.policies;
in
{
imports = [
(lib.mkRenamedOptionModule [ "security" "virtualization" "flushL1DataCache" ] [ "security" "virtualisation" "flushL1DataCache" ])
(lib.mkRemovedOptionModule [ "security" "apparmor" "confineSUIDApplications" ] "Please use the new options: `security.apparmor.policies.<policy>.enable'.")
(lib.mkRemovedOptionModule [ "security" "apparmor" "profiles" ] "Please use the new option: `security.apparmor.policies'.")
(mkRemovedOptionModule [ "security" "apparmor" "confineSUIDApplications" ] "Please use the new options: `security.apparmor.policies.<policy>.enable'.")
(mkRemovedOptionModule [ "security" "apparmor" "profiles" ] "Please use the new option: `security.apparmor.policies'.")
apparmor/includes.nix
apparmor/profiles.nix
];
options = {
security.apparmor = {
enable = lib.mkEnableOption ''the AppArmor Mandatory Access Control system.
enable = mkEnableOption ''
the AppArmor Mandatory Access Control system.
If you're enabling this module on a running system,
note that a reboot will be required to activate AppArmor in the kernel.
@ -38,7 +40,7 @@ in
but leaves already running processes unconfined.
Set <link linkend="opt-security.apparmor.killUnconfinedConfinables">killUnconfinedConfinables</link>
to <literal>false</literal> if you prefer to leave those processes running'';
policies = lib.mkOption {
policies = mkOption {
description = ''
AppArmor policies.
'';
@ -46,7 +48,7 @@ in
options = {
enable = mkDisableOption "loading of the profile into the kernel";
enforce = mkDisableOption "enforcing of the policy or only complain in the logs";
profile = lib.mkOption {
profile = mkOption {
description = "The policy of the profile.";
type = types.lines;
apply = pkgs.writeText name;
@ -55,28 +57,29 @@ in
}));
default = {};
};
includes = lib.mkOption {
includes = mkOption {
type = types.attrsOf types.lines;
default = {};
description = ''
List of paths to be added to AppArmor's searched paths
when resolving <literal>include</literal> directives.
'';
apply = lib.mapAttrs pkgs.writeText;
apply = mapAttrs pkgs.writeText;
};
packages = lib.mkOption {
packages = mkOption {
type = types.listOf types.package;
default = [];
description = "List of packages to be added to AppArmor's include path";
};
enableCache = lib.mkEnableOption ''caching of AppArmor policies
enableCache = mkEnableOption ''
caching of AppArmor policies
in <literal>/var/cache/apparmor/</literal>.
Beware that AppArmor policies almost always contain Nix store paths,
and thus produce at each change of these paths
a new cached version accumulating in the cache'';
killUnconfinedConfinables = mkDisableOption ''killing of processes
which have an AppArmor profile enabled
killUnconfinedConfinables = mkDisableOption ''
killing of processes which have an AppArmor profile enabled
(in <link linkend="opt-security.apparmor.policies">policies</link>)
but are not confined (because AppArmor can only confine new processes).
Beware that due to a current limitation of AppArmor,
@ -84,7 +87,7 @@ in
};
};
config = lib.mkIf cfg.enable {
config = mkIf cfg.enable {
assertions = map (policy:
{ assertion = match ".*/.*" policy == null;
message = "`security.apparmor.policies.\"${policy}\"' must not contain a slash.";
@ -100,15 +103,15 @@ in
environment.etc."apparmor.d".source = pkgs.linkFarm "apparmor.d" (
# It's important to put only enabledPolicies here and not all cfg.policies
# because aa-remove-unknown reads profiles from all /etc/apparmor.d/*
lib.mapAttrsToList (name: p: {inherit name; path=p.profile;}) enabledPolicies ++
lib.mapAttrsToList (name: path: {inherit name path;}) cfg.includes
mapAttrsToList (name: p: { inherit name; path = p.profile; }) enabledPolicies ++
mapAttrsToList (name: path: { inherit name path; }) cfg.includes
);
environment.etc."apparmor/parser.conf".text = ''
${if cfg.enableCache then "write-cache" else "skip-cache"}
cache-loc /var/cache/apparmor
Include /etc/apparmor.d
'' +
lib.concatMapStrings (p: "Include ${p}/etc/apparmor.d\n") cfg.packages;
${if cfg.enableCache then "write-cache" else "skip-cache"}
cache-loc /var/cache/apparmor
Include /etc/apparmor.d
'' +
concatMapStrings (p: "Include ${p}/etc/apparmor.d\n") cfg.packages;
# For aa-logprof
environment.etc."apparmor/apparmor.conf".text = ''
'';
@ -134,12 +137,13 @@ in
# 3 - force all perms on the rule to be user
default_owner_prompt = 1
custom_includes = /etc/apparmor.d ${lib.concatMapStringsSep " " (p: "${p}/etc/apparmor.d") cfg.packages}
custom_includes = /etc/apparmor.d ${concatMapStringsSep " " (p: "${p}/etc/apparmor.d") cfg.packages}
[qualifiers]
${pkgs.runtimeShell} = icnu
${pkgs.bashInteractive}/bin/sh = icnu
${pkgs.bashInteractive}/bin/bash = icnu
${config.users.defaultUserShell} = icnu
'';
footer = "${pkgs.apparmor-utils}/etc/apparmor/logprof.conf";
passAsFile = [ "header" ];
@ -177,17 +181,17 @@ in
xargs --verbose --no-run-if-empty --delimiter='\n' \
kill
'';
commonOpts = p: "--verbose --show-cache ${lib.optionalString (!p.enforce) "--complain "}${p.profile}";
commonOpts = p: "--verbose --show-cache ${optionalString (!p.enforce) "--complain "}${p.profile}";
in {
Type = "oneshot";
RemainAfterExit = "yes";
ExecStartPre = "${pkgs.apparmor-utils}/bin/aa-teardown";
ExecStart = lib.mapAttrsToList (n: p: "${pkgs.apparmor-parser}/bin/apparmor_parser --add ${commonOpts p}") enabledPolicies;
ExecStartPost = lib.optional cfg.killUnconfinedConfinables killUnconfinedConfinables;
ExecStart = mapAttrsToList (n: p: "${pkgs.apparmor-parser}/bin/apparmor_parser --add ${commonOpts p}") enabledPolicies;
ExecStartPost = optional cfg.killUnconfinedConfinables killUnconfinedConfinables;
ExecReload =
# Add or replace into the kernel profiles in enabledPolicies
# (because AppArmor can do that without stopping the processes already confined).
lib.mapAttrsToList (n: p: "${pkgs.apparmor-parser}/bin/apparmor_parser --replace ${commonOpts p}") enabledPolicies ++
mapAttrsToList (n: p: "${pkgs.apparmor-parser}/bin/apparmor_parser --replace ${commonOpts p}") enabledPolicies ++
# Remove from the kernel any profile whose name is not
# one of the names within the content of the profiles in enabledPolicies
# (indirectly read from /etc/apparmor.d/*, without recursing into sub-directory).
@ -195,7 +199,7 @@ in
[ "${pkgs.apparmor-utils}/bin/aa-remove-unknown" ] ++
# Optionaly kill the processes which are unconfined but now have a profile loaded
# (because AppArmor can only start to confine new processes).
lib.optional cfg.killUnconfinedConfinables killUnconfinedConfinables;
optional cfg.killUnconfinedConfinables killUnconfinedConfinables;
ExecStop = "${pkgs.apparmor-utils}/bin/aa-teardown";
CacheDirectory = [ "apparmor" "apparmor/logprof" ];
CacheDirectoryMode = "0700";
@ -203,5 +207,5 @@ in
};
};
meta.maintainers = with lib.maintainers; [ julm ];
meta.maintainers = with maintainers; [ julm ];
}

328
nixos/modules/security/apparmor/includes.nix
View file

@ -3,13 +3,15 @@ let
inherit (builtins) attrNames hasAttr isAttrs;
inherit (lib) getLib;
inherit (config.environment) etc;
# Utility to generate an AppArmor rule
# only when the given path exists in config.environment.etc
etcRule = arg:
let go = {path ? null, mode ? "r", trail ? ""}:
let go = { path ? null, mode ? "r", trail ? "" }:
lib.optionalString (hasAttr path etc)
"${mode} ${config.environment.etc.${path}.source}${trail},";
in if isAttrs arg
then go arg
else go {path=arg;};
else go { path = arg; };
in
{
# FIXME: most of the etcRule calls below have been
@ -29,76 +31,80 @@ config.security.apparmor.includes = {
'';
"abstractions/audio" = ''
include "${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/audio"
${etcRule "asound.conf"}
${etcRule "esound/esd.conf"}
${etcRule "libao.conf"}
${etcRule {path="pulse"; trail="/";}}
${etcRule {path="pulse"; trail="/**";}}
${etcRule {path="sound"; trail="/";}}
${etcRule {path="sound"; trail="/**";}}
${etcRule {path="alsa/conf.d"; trail="/";}}
${etcRule {path="alsa/conf.d"; trail="/*";}}
${etcRule "openal/alsoft.conf"}
${etcRule "wildmidi/wildmidi.conf"}
'';
'' + lib.concatMapStringsSep "\n" etcRule [
"asound.conf"
"esound/esd.conf"
"libao.conf"
{ path = "pulse"; trail = "/"; }
{ path = "pulse"; trail = "/**"; }
{ path = "sound"; trail = "/"; }
{ path = "sound"; trail = "/**"; }
{ path = "alsa/conf.d"; trail = "/"; }
{ path = "alsa/conf.d"; trail = "/*"; }
"openal/alsoft.conf"
"wildmidi/wildmidi.conf"
];
"abstractions/authentication" = ''
include "${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/authentication"
# Defined in security.pam
include <abstractions/pam>
${etcRule "nologin"}
${etcRule "securetty"}
${etcRule {path="security"; trail="/*";}}
${etcRule "shadow"}
${etcRule "gshadow"}
${etcRule "pwdb.conf"}
${etcRule "default/passwd"}
${etcRule "login.defs"}
'';
'' + lib.concatMapStringsSep "\n" etcRule [
"nologin"
"securetty"
{ path = "security"; trail = "/*"; }
"shadow"
"gshadow"
"pwdb.conf"
"default/passwd"
"login.defs"
];
"abstractions/base" = ''
include "${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/base"
r ${pkgs.stdenv.cc.libc}/share/locale/**,
r ${pkgs.stdenv.cc.libc}/share/locale.alias,
${lib.optionalString (pkgs.glibcLocales != null) "r ${pkgs.glibcLocales}/lib/locale/locale-archive,"}
${etcRule "localtime"}
r ${pkgs.tzdata}/share/zoneinfo/**,
r ${pkgs.stdenv.cc.libc}/share/i18n/**,
include "${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/base"
r ${pkgs.stdenv.cc.libc}/share/locale/**,
r ${pkgs.stdenv.cc.libc}/share/locale.alias,
${lib.optionalString (pkgs.glibcLocales != null) "r ${pkgs.glibcLocales}/lib/locale/locale-archive,"}
${etcRule "localtime"}
r ${pkgs.tzdata}/share/zoneinfo/**,
r ${pkgs.stdenv.cc.libc}/share/i18n/**,
'';
"abstractions/bash" = ''
include "${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/bash"
# system-wide bash configuration
${etcRule "profile.dos"}
${etcRule "profile"}
${etcRule "profile.d"}
${etcRule {path="profile.d"; trail="/*";}}
${etcRule "bashrc"}
${etcRule "bash.bashrc"}
${etcRule "bash.bashrc.local"}
${etcRule "bash_completion"}
${etcRule "bash_completion.d"}
${etcRule {path="bash_completion.d"; trail="/*";}}
# bash relies on system-wide readline configuration
${etcRule "inputrc"}
# bash inspects filesystems at startup
# and /etc/mtab is linked to /proc/mounts
@{PROC}/mounts
# run out of /etc/bash.bashrc
${etcRule "DIR_COLORS"}
# system-wide bash configuration
'' + lib.concatMapStringsSep "\n" etcRule [
"profile.dos"
"profile"
"profile.d"
{ path = "profile.d"; trail = "/*"; }
"bashrc"
"bash.bashrc"
"bash.bashrc.local"
"bash_completion"
"bash_completion.d"
{ path = "bash_completion.d"; trail = "/*"; }
# bash relies on system-wide readline configuration
"inputrc"
# run out of /etc/bash.bashrc
"DIR_COLORS"
];
"abstractions/consoles" = ''
include "${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/consoles"
'';
"abstractions/cups-client" = ''
include "${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/cpus-client"
${etcRule "cups/cups-client.conf"}
'';
"abstractions/consoles" = ''
include "${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/consoles"
'';
"abstractions/dbus-session-strict" = ''
include "${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/dbus-session-strict"
${etcRule "machine-id"}
'';
"abstractions/dconf" = ''
include "${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/dconf"
${etcRule {path="dconf"; trail="/**";}}
${etcRule { path = "dconf"; trail = "/**"; }}
'';
"abstractions/dri-common" = ''
include "${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/dri-common"
@ -109,62 +115,66 @@ config.security.apparmor.includes = {
# those are therefore added there to this "abstractions/fonts".
"abstractions/fonts" = ''
include "${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/fonts"
${etcRule {path="fonts"; trail="/**";}}
${etcRule { path = "fonts"; trail = "/**"; }}
'';
"abstractions/gnome" = ''
include "${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/gnome"
${etcRule {path="gnome"; trail="/gtkrc*";}}
${etcRule {path="gtk"; trail="/*";}}
${etcRule {path="gtk-2.0"; trail="/*";}}
${etcRule {path="gtk-3.0"; trail="/*";}}
${etcRule "orbitrc"}
include <abstractions/fonts>
${etcRule {path="pango"; trail="/*";}}
${etcRule {path="/etc/gnome-vfs-2.0"; trail="/modules/";}}
${etcRule {path="/etc/gnome-vfs-2.0"; trail="/modules/*";}}
${etcRule "papersize"}
${etcRule {path="cups"; trail="/lpoptions";}}
${etcRule {path="gnome"; trail="/defaults.list";}}
${etcRule {path="xdg"; trail="/{,*-}mimeapps.list";}}
${etcRule "xdg/mimeapps.list"}
'';
'' + lib.concatMapStringsSep "\n" etcRule [
{ path = "gnome"; trail = "/gtkrc*"; }
{ path = "gtk"; trail = "/*"; }
{ path = "gtk-2.0"; trail = "/*"; }
{ path = "gtk-3.0"; trail = "/*"; }
"orbitrc"
{ path = "pango"; trail = "/*"; }
{ path = "/etc/gnome-vfs-2.0"; trail = "/modules/"; }
{ path = "/etc/gnome-vfs-2.0"; trail = "/modules/*"; }
"papersize"
{ path = "cups"; trail = "/lpoptions"; }
{ path = "gnome"; trail = "/defaults.list"; }
{ path = "xdg"; trail = "/{,*-}mimeapps.list"; }
"xdg/mimeapps.list"
];
"abstractions/kde" = ''
include "${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/kde"
${etcRule {path="qt3"; trail="/kstylerc";}}
${etcRule {path="qt3"; trail="/qt_plugins_3.3rc";}}
${etcRule {path="qt3"; trail="/qtrc";}}
${etcRule "kderc"}
${etcRule {path="kde3"; trail="/*";}}
${etcRule "kde4rc"}
${etcRule {path="xdg"; trail="/kdeglobals";}}
${etcRule {path="xdg"; trail="/Trolltech.conf";}}
'';
'' + lib.concatMapStringsSep "\n" etcRule [
{ path = "qt3"; trail = "/kstylerc"; }
{ path = "qt3"; trail = "/qt_plugins_3.3rc"; }
{ path = "qt3"; trail = "/qtrc"; }
"kderc"
{ path = "kde3"; trail = "/*"; }
"kde4rc"
{ path = "xdg"; trail = "/kdeglobals"; }
{ path = "xdg"; trail = "/Trolltech.conf"; }
];
"abstractions/kerberosclient" = ''
include "${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/kerberosclient"
${etcRule {path="krb5.keytab"; mode="rk";}}
${etcRule "krb5.conf"}
${etcRule "krb5.conf.d"}
${etcRule {path="krb5.conf.d"; trail="/*";}}
'' + lib.concatMapStringsSep "\n" etcRule [
{ path = "krb5.keytab"; mode="rk"; }
"krb5.conf"
"krb5.conf.d"
{ path = "krb5.conf.d"; trail = "/*"; }
# config files found via strings on libs
${etcRule "krb.conf"}
${etcRule "krb.realms"}
${etcRule "srvtab"}
'';
"krb.conf"
"krb.realms"
"srvtab"
];
"abstractions/ldapclient" = ''
include "${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/ldapclient"
${etcRule "ldap.conf"}
${etcRule "ldap.secret"}
${etcRule {path="openldap"; trail="/*";}}
${etcRule {path="openldap"; trail="/cacerts/*";}}
${etcRule {path="sasl2"; trail="/*";}}
'';
'' + lib.concatMapStringsSep "\n" etcRule [
"ldap.conf"
"ldap.secret"
{ path = "openldap"; trail = "/*"; }
{ path = "openldap"; trail = "/cacerts/*"; }
{ path = "sasl2"; trail = "/*"; }
];
"abstractions/likewise" = ''
include "${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/likewise"
'';
"abstractions/mdns" = ''
include "${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/mdns"
${etcRule "nss_mdns.conf"}
${etcRule "nss_mdns.conf"}
'';
"abstractions/nameservice" = ''
include "${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/nameservice"
@ -173,31 +183,31 @@ config.security.apparmor.includes = {
# looking up users by name or id, groups by name or id, hosts by name
# or IP, etc. These operations may be performed through files, dns,
# NIS, NIS+, LDAP, hesiod, wins, etc. Allow them all here.
${etcRule "group"}
${etcRule "host.conf"}
${etcRule "hosts"}
${etcRule "nsswitch.conf"}
${etcRule "gai.conf"}
${etcRule "passwd"}
${etcRule "protocols"}
# libtirpc (used for NIS/YP login) needs this
${etcRule "netconfig"}
${etcRule "resolv.conf"}
${etcRule {path="samba"; trail="/lmhosts";}}
${etcRule "services"}
${etcRule "default/nss"}
# libnl-3-200 via libnss-gw-name
${etcRule {path="libnl"; trail="/classid";}}
${etcRule {path="libnl-3"; trail="/classid";}}
mr ${getLib pkgs.nss}/lib/libnss_*.so*,
mr ${getLib pkgs.nss}/lib64/libnss_*.so*,
'';
'' + lib.concatMapStringsSep "\n" etcRule [
"group"
"host.conf"
"hosts"
"nsswitch.conf"
"gai.conf"
"passwd"
"protocols"
# libtirpc (used for NIS/YP login) needs this
"netconfig"
"resolv.conf"
{ path = "samba"; trail = "/lmhosts"; }
"services"
"default/nss"
# libnl-3-200 via libnss-gw-name
{ path = "libnl"; trail = "/classid"; }
{ path = "libnl-3"; trail = "/classid"; }
];
"abstractions/nis" = ''
include "${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/nis"
'';
@ -207,7 +217,7 @@ config.security.apparmor.includes = {
'';
"abstractions/opencl-common" = ''
include "${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/opencl-common"
${etcRule {path="OpenCL"; trail="/**";}}
${etcRule { path = "OpenCL"; trail = "/**"; }}
'';
"abstractions/opencl-mesa" = ''
include "${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/opencl-mesa"
@ -215,68 +225,74 @@ config.security.apparmor.includes = {
'';
"abstractions/openssl" = ''
include "${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/openssl"
${etcRule {path="ssl"; trail="/openssl.cnf";}}
${etcRule { path = "ssl"; trail = "/openssl.cnf"; }}
'';
"abstractions/p11-kit" = ''
include "${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/p11-kit"
${etcRule {path="pkcs11"; trail="/";}}
${etcRule {path="pkcs11"; trail="/pkcs11.conf";}}
${etcRule {path="pkcs11"; trail="/modules/";}}
${etcRule {path="pkcs11"; trail="/modules/*";}}
'';
'' + lib.concatMapStringsSep "\n" etcRule [
{ path = "pkcs11"; trail = "/"; }
{ path = "pkcs11"; trail = "/pkcs11.conf"; }
{ path = "pkcs11"; trail = "/modules/"; }
{ path = "pkcs11"; trail = "/modules/*"; }
];
"abstractions/perl" = ''
include "${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/perl"
${etcRule {path="perl"; trail="/**";}}
${etcRule { path = "perl"; trail = "/**"; }}
'';
"abstractions/php" = ''
include "${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/php"
${etcRule {path="php"; trail="/**/";}}
${etcRule {path="php5"; trail="/**/";}}
${etcRule {path="php7"; trail="/**/";}}
${etcRule {path="php"; trail="/**.ini";}}
${etcRule {path="php5"; trail="/**.ini";}}
${etcRule {path="php7"; trail="/**.ini";}}
'';
'' + lib.concatMapStringsSep "\n" etcRule [
{ path = "php"; trail = "/**/"; }
{ path = "php5"; trail = "/**/"; }
{ path = "php7"; trail = "/**/"; }
{ path = "php"; trail = "/**.ini"; }
{ path = "php5"; trail = "/**.ini"; }
{ path = "php7"; trail = "/**.ini"; }
];
"abstractions/postfix-common" = ''
include "${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/postfix-common"
${etcRule "mailname"}
${etcRule {path="postfix"; trail="/*.cf";}}
${etcRule "postfix/main.cf"}
${etcRule "postfix/master.cf"}
'';
'' + lib.concatMapStringsSep "\n" etcRule [
"mailname"
{ path = "postfix"; trail = "/*.cf"; }
"postfix/main.cf"
"postfix/master.cf"
];
"abstractions/python" = ''
include "${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/python"
'';
"abstractions/qt5" = ''
include "${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/qt5"
${etcRule {path="xdg"; trail="/QtProject/qtlogging.ini";}}
${etcRule {path="xdg/QtProject"; trail="/qtlogging.ini";}}
${etcRule "xdg/QtProject/qtlogging.ini"}
'';
'' + lib.concatMapStringsSep "\n" etcRule [
{ path = "xdg"; trail = "/QtProject/qtlogging.ini"; }
{ path = "xdg/QtProject"; trail = "/qtlogging.ini"; }
"xdg/QtProject/qtlogging.ini"
];
"abstractions/samba" = ''
include "${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/samba"
${etcRule {path="samba"; trail="/*";}}
${etcRule { path = "samba"; trail = "/*"; }}
'';
"abstractions/ssl_certs" = ''
include "${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/ssl_certs"
${etcRule "ssl/certs/ca-certificates.crt"}
${etcRule "ssl/certs/ca-bundle.crt"}
${etcRule "pki/tls/certs/ca-bundle.crt"}
${etcRule {path="ssl/trust"; trail="/";}}
${etcRule {path="ssl/trust"; trail="/*";}}
${etcRule {path="ssl/trust/anchors"; trail="/";}}
${etcRule {path="ssl/trust/anchors"; trail="/**";}}
${etcRule {path="pki/trust"; trail="/";}}
${etcRule {path="pki/trust"; trail="/*";}}
${etcRule {path="pki/trust/anchors"; trail="/";}}
${etcRule {path="pki/trust/anchors"; trail="/**";}}
# security.acme NixOS module
# For the NixOS module: security.acme
r /var/lib/acme/*/cert.pem,
r /var/lib/acme/*/chain.pem,
r /var/lib/acme/*/fullchain.pem,
'';
'' + lib.concatMapStringsSep "\n" etcRule [
"ssl/certs/ca-certificates.crt"
"ssl/certs/ca-bundle.crt"
"pki/tls/certs/ca-bundle.crt"
{ path = "ssl/trust"; trail = "/"; }
{ path = "ssl/trust"; trail = "/*"; }
{ path = "ssl/trust/anchors"; trail = "/"; }
{ path = "ssl/trust/anchors"; trail = "/**"; }
{ path = "pki/trust"; trail = "/"; }
{ path = "pki/trust"; trail = "/*"; }
{ path = "pki/trust/anchors"; trail = "/"; }
{ path = "pki/trust/anchors"; trail = "/**"; }
];
"abstractions/ssl_keys" = ''
# security.acme NixOS module
r /var/lib/acme/*/full.pem,
@ -284,18 +300,18 @@ config.security.apparmor.includes = {
'';
"abstractions/vulkan" = ''
include "${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/vulkan"
${etcRule {path="vulkan/icd.d"; trail="/";}}
${etcRule {path="vulkan/icd.d"; trail="/*.json";}}
${etcRule { path = "vulkan/icd.d"; trail = "/"; }}
${etcRule { path = "vulkan/icd.d"; trail = "/*.json"; }}
'';
"abstractions/winbind" = ''
include "${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/winbind"
${etcRule {path="samba"; trail="/smb.conf";}}
${etcRule {path="samba"; trail="/dhcp.conf";}}
${etcRule { path = "samba"; trail = "/smb.conf"; }}
${etcRule { path = "samba"; trail = "/dhcp.conf"; }}
'';
"abstractions/X" = ''
include "${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/X"
${etcRule {path="X11/cursors"; trail="/";}}
${etcRule {path="X11/cursors"; trail="/**";}}
${etcRule { path = "X11/cursors"; trail = "/"; }}
${etcRule { path = "X11/cursors"; trail = "/**"; }}
'';
};
}

4
nixos/modules/security/misc.nix
View file

@ -7,6 +7,10 @@ with lib;
maintainers = [ maintainers.joachifm ];
};
imports = [
(lib.mkRenamedOptionModule [ "security" "virtualization" "flushL1DataCache" ] [ "security" "virtualisation" "flushL1DataCache" ])
];
options = {
security.allowUserNamespaces = mkOption {
type = types.bool;

112
nixos/modules/security/pam.nix
View file

@ -897,59 +897,79 @@ in
security.apparmor.includes."abstractions/pam" = let
isEnabled = test: fold or false (map test (attrValues config.security.pam.services));
in ''
${lib.concatMapStringsSep "\n"
(name: "r ${config.environment.etc."pam.d/${name}".source},")
(attrNames config.security.pam.services)}
in
lib.concatMapStringsSep "\n"
(name: "r ${config.environment.etc."pam.d/${name}".source},")
(attrNames config.security.pam.services) +
''
mr ${getLib pkgs.pam}/lib/security/pam_filter/*,
mr ${getLib pkgs.pam}/lib/security/pam_*.so,
r ${getLib pkgs.pam}/lib/security/,
${optionalString use_ldap
"mr ${pam_ldap}/lib/security/pam_ldap.so,"}
${optionalString config.services.sssd.enable
"mr ${pkgs.sssd}/lib/security/pam_sss.so,"}
${optionalString config.krb5.enable ''
'' +
optionalString use_ldap ''
mr ${pam_ldap}/lib/security/pam_ldap.so,
'' +
optionalString config.services.sssd.enable ''
mr ${pkgs.sssd}/lib/security/pam_sss.so,
'' +
optionalString config.krb5.enable ''
mr ${pam_krb5}/lib/security/pam_krb5.so,
mr ${pam_ccreds}/lib/security/pam_ccreds.so,
''}
${optionalString (isEnabled (cfg: cfg.googleOsLoginAccountVerification)) ''
'' +
optionalString (isEnabled (cfg: cfg.googleOsLoginAccountVerification)) ''
mr ${pkgs.google-compute-engine-oslogin}/lib/pam_oslogin_login.so,
mr ${pkgs.google-compute-engine-oslogin}/lib/pam_oslogin_admin.so,
''}
${optionalString (isEnabled (cfg: cfg.googleOsLoginAuthentication))
"mr ${pkgs.google-compute-engine-oslogin}/lib/pam_oslogin_login.so,"}
${optionalString (config.security.pam.enableSSHAgentAuth && isEnabled (cfg: cfg.sshAgentAuth))
"mr ${pkgs.pam_ssh_agent_auth}/libexec/pam_ssh_agent_auth.so,"}
${optionalString (isEnabled (cfg: cfg.fprintAuth))
"mr ${pkgs.fprintd}/lib/security/pam_fprintd.so,"}
${optionalString (isEnabled (cfg: cfg.u2fAuth))
"mr ${pkgs.pam_u2f}/lib/security/pam_u2f.so,"}
${optionalString (isEnabled (cfg: cfg.usbAuth))
"mr ${pkgs.pam_usb}/lib/security/pam_usb.so,"}
${optionalString (isEnabled (cfg: cfg.oathAuth))
"mr ${pkgs.oathToolkit}/lib/security/pam_oath.so,"}
${optionalString (isEnabled (cfg: cfg.yubicoAuth))
"mr ${pkgs.yubico-pam}/lib/security/pam_yubico.so,"}
${optionalString (isEnabled (cfg: cfg.duoSecurity.enable))
"mr ${pkgs.duo-unix}/lib/security/pam_duo.so,"}
${optionalString (isEnabled (cfg: cfg.otpwAuth))
"mr ${pkgs.otpw}/lib/security/pam_otpw.so,"}
${optionalString config.security.pam.enableEcryptfs
"mr ${pkgs.ecryptfs}/lib/security/pam_ecryptfs.so,"}
${optionalString (isEnabled (cfg: cfg.pamMount))
"mr ${pkgs.pam_mount}/lib/security/pam_mount.so,"}
${optionalString (isEnabled (cfg: cfg.enableGnomeKeyring))
"mr ${pkgs.gnome3.gnome-keyring}/lib/security/pam_gnome_keyring.so,"}
${optionalString (isEnabled (cfg: cfg.startSession))
"mr ${pkgs.systemd}/lib/security/pam_systemd.so,"}
${optionalString (isEnabled (cfg: cfg.enableAppArmor) && config.security.apparmor.enable)
"mr ${pkgs.apparmor-pam}/lib/security/pam_apparmor.so,"}
${optionalString (isEnabled (cfg: cfg.enableKwallet))
"mr ${pkgs.plasma5.kwallet-pam}/lib/security/pam_kwallet5.so,"}
${optionalString config.virtualisation.lxc.lxcfs.enable
"mr ${pkgs.lxc}/lib/security/pam_cgfs.so"}
'';
'' +
optionalString (isEnabled (cfg: cfg.googleOsLoginAuthentication)) ''
mr ${pkgs.google-compute-engine-oslogin}/lib/pam_oslogin_login.so,
'' +
optionalString (config.security.pam.enableSSHAgentAuth
&& isEnabled (cfg: cfg.sshAgentAuth)) ''
mr ${pkgs.pam_ssh_agent_auth}/libexec/pam_ssh_agent_auth.so,
'' +
optionalString (isEnabled (cfg: cfg.fprintAuth)) ''
mr ${pkgs.fprintd}/lib/security/pam_fprintd.so,
'' +
optionalString (isEnabled (cfg: cfg.u2fAuth)) ''
mr ${pkgs.pam_u2f}/lib/security/pam_u2f.so,
'' +
optionalString (isEnabled (cfg: cfg.usbAuth)) ''
mr ${pkgs.pam_usb}/lib/security/pam_usb.so,
'' +
optionalString (isEnabled (cfg: cfg.oathAuth)) ''
"mr ${pkgs.oathToolkit}/lib/security/pam_oath.so,
'' +
optionalString (isEnabled (cfg: cfg.yubicoAuth)) ''
mr ${pkgs.yubico-pam}/lib/security/pam_yubico.so,
'' +
optionalString (isEnabled (cfg: cfg.duoSecurity.enable)) ''
mr ${pkgs.duo-unix}/lib/security/pam_duo.so,
'' +
optionalString (isEnabled (cfg: cfg.otpwAuth)) ''
mr ${pkgs.otpw}/lib/security/pam_otpw.so,
'' +
optionalString config.security.pam.enableEcryptfs ''
mr ${pkgs.ecryptfs}/lib/security/pam_ecryptfs.so,
'' +
optionalString (isEnabled (cfg: cfg.pamMount)) ''
mr ${pkgs.pam_mount}/lib/security/pam_mount.so,
'' +
optionalString (isEnabled (cfg: cfg.enableGnomeKeyring)) ''
mr ${pkgs.gnome3.gnome-keyring}/lib/security/pam_gnome_keyring.so,
'' +
optionalString (isEnabled (cfg: cfg.startSession)) ''
mr ${pkgs.systemd}/lib/security/pam_systemd.so,
'' +
optionalString (isEnabled (cfg: cfg.enableAppArmor)
&& config.security.apparmor.enable) ''
mr ${pkgs.apparmor-pam}/lib/security/pam_apparmor.so,
'' +
optionalString (isEnabled (cfg: cfg.enableKwallet)) ''
mr ${pkgs.plasma5.kwallet-pam}/lib/security/pam_kwallet5.so,
'' +
optionalString config.virtualisation.lxc.lxcfs.enable ''
mr ${pkgs.lxc}/lib/security/pam_cgfs.so
'';
};
}

2
pkgs/os-specific/linux/apparmor/default.nix
View file

@ -290,7 +290,7 @@ let
, name ? ""
}: rootPaths: runCommand
( "apparmor-closure-rules"
+ lib.optionalString (name != "") "-${name}") {} ''
+ lib.optionalString (name != "") "-${name}" ) {} ''
touch $out
while read -r path
do printf >>$out "%s,\n" ${lib.concatMapStringsSep " " (x: "\"${x}\"") (baseRules ++ additionalRules)}