apparmor: support for lxc profiles

+15 -9
+13 -5
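--- a/nixos/modules/security/apparmor.nix
+++ b/nixos/modules/security/apparmor.nix
@@ -18,22 +18,30 @@
         default = [];
         description = "List of files containing AppArmor profiles.";
       };
+      packages = mkOption {
+        type = types.listOf types.package;
+        default = [];
+        description = "List of packages to be added to apparmor's include path";
+      };
     };
   };
 
   config = mkIf cfg.enable {
     environment.systemPackages = [ pkgs.apparmor-utils ];
 
-    systemd.services.apparmor = {
+    systemd.services.apparmor = let
+      paths = concatMapStrings (s: " -I ${s}/etc/apparmor.d")
+        ([ pkgs.apparmor-profiles ] ++ cfg.packages);
+    in {
       wantedBy = [ "local-fs.target" ];
       serviceConfig = {
         Type = "oneshot";
         RemainAfterExit = "yes";
-        ExecStart = concatMapStrings (p:
-          ''${pkgs.apparmor-parser}/bin/apparmor_parser -rKv -I ${pkgs.apparmor-profiles}/etc/apparmor.d "${p}" ; ''
+        ExecStart = map (p:
+          ''${pkgs.apparmor-parser}/bin/apparmor_parser -rKv ${paths} "${p}"''
         ) cfg.profiles;
-        ExecStop = concatMapStrings (p:
-          ''${pkgs.apparmor-parser}/bin/apparmor_parser -Rv "${p}" ; ''
+        ExecStop = map (p:
+          ''${pkgs.apparmor-parser}/bin/apparmor_parser -Rv "${p}"''
         ) cfg.profiles;
       };
     };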
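Review bot: The description of the new `packages` option at new line 24 does not say what is done with the packages, which is exactly what someone reasoning about a profile's confinement needs to know: the `paths` binding at new lines 33-34 passes each package's `etc/apparmor.d` to `apparmor_parser -I` after `pkgs.apparmor-profiles`, so `#include` directives in every listed profile resolve against all of those directories, not only the one the profile came from. I would make that explicit: `description = "List of packages whose etc/apparmor.d directory is added to apparmor_parser's include path (-I), so profiles can #include abstractions and tunables shipped by those packages.";`. The parser presumably searches `-I` directories in the order given, so a package shipping a file with the same relative name as one in apparmor-profiles would not shadow it; a one-line comment above `paths` saying that apparmor-profiles is intentionally first would save the next maintainer that guess. The module's enclosing attribute set starts and ends outside the hunk.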
+2 -4
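--- a/nixos/modules/virtualisation/lxc.nix
+++ b/nixos/modules/virtualisation/lxc.nix
@@ -62,19 +62,17 @@
         </citerefentry>.
       '';
     };
-
   };
 
   ###### implementation
 
   config = mkIf cfg.enable {
-
     environment.systemPackages = [ pkgs.lxc ];
-
     environment.etc."lxc/lxc.conf".text = cfg.systemConfig;
     environment.etc."lxc/lxc-usernet".text = cfg.usernetConfig;
     environment.etc."lxc/default.conf".text = cfg.defaultConfig;
 
+    security.apparmor.packages = [ pkgs.lxc ];
+    security.apparmor.profiles = [ "${pkgs.lxc}/etc/apparmor.d/lxc-containers" ];
   };
-
 }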
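Review bot: The two lines added at new lines 75-76 hand the `lxc-containers` profile to `security.apparmor.profiles`, but the apparmor module only acts on that list when `security.apparmor.enable` is true (its `config` is guarded by `mkIf cfg.enable` in the other file of this commit), and this module neither sets nor asserts that option. On a host with `virtualisation.lxc.enable` but AppArmor left off, the profile is silently never loaded, which is easy to miss because the option still evaluates without complaint. I would either enable it alongside these lines, or at least leave a comment such as `# Loaded by the apparmor service only when security.apparmor.enable is set; without it the lxc-containers profile is not applied.`. The module's option declarations start outside the hunk.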