apparmor: support for lxc profiles

+15 -9
+13 -5
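--- a/nixos/modules/security/apparmor.nix
+++ b/nixos/modules/security/apparmor.nix
@@ -18,22 +18,30 @@
         default = [];
         description = "List of files containing AppArmor profiles.";
       };
+      packages = mkOption {
+        type = types.listOf types.package;
+        default = [];
+        description = "List of packages to be added to apparmor's include path";
+      };
     };
   };
 
   config = mkIf cfg.enable {
     environment.systemPackages = [ pkgs.apparmor-utils ];
 
-    systemd.services.apparmor = {
+    systemd.services.apparmor = let
+      paths = concatMapStrings (s: " -I ${s}/etc/apparmor.d")
+        ([ pkgs.apparmor-profiles ] ++ cfg.packages);
+    in {
       wantedBy = [ "local-fs.target" ];
       serviceConfig = {
         Type = "oneshot";
         RemainAfterExit = "yes";
-        ExecStart = concatMapStrings (p:
-          ''${pkgs.apparmor-parser}/bin/apparmor_parser -rKv -I ${pkgs.apparmor-profiles}/etc/apparmor.d "${p}" ; ''
+        ExecStart = map (p:
+          ''${pkgs.apparmor-parser}/bin/apparmor_parser -rKv ${paths} "${p}"''
         ) cfg.profiles;
-        ExecStop = concatMapStrings (p:
-          ''${pkgs.apparmor-parser}/bin/apparmor_parser -Rv "${p}" ; ''
+        ExecStop = map (p:
+          ''${pkgs.apparmor-parser}/bin/apparmor_parser -Rv "${p}"''
         ) cfg.profiles;
       };
     };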
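Review bot: `ExecStop` on the new side still runs `apparmor_parser -Rv "${p}"` without the `${paths}` include list that `ExecStart` now receives, yet `-R` has to parse the profile file before it can unload it; a profile that `#include`s abstractions shipped by one of `cfg.packages` (as the lxc-containers profile registered in lxc.nix presumably does) would then fail to unload and stay enforced after the service stops. Suggest `''${pkgs.apparmor-parser}/bin/apparmor_parser -Rv ${paths} "${p}"''` so load and unload see the same include directories. The new `packages` option description also lacks the trailing period its sibling uses, `description = "List of packages to be added to apparmor's include path.";`. The enclosing `options` and `config` attribute sets start and end outside this hunk.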
+2 -4
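--- a/nixos/modules/virtualisation/lxc.nix
+++ b/nixos/modules/virtualisation/lxc.nix
@@ -62,19 +62,17 @@
         </citerefentry>.
       '';
     };
-
   };
 
   ###### implementation
 
   config = mkIf cfg.enable {
-
     environment.systemPackages = [ pkgs.lxc ];
-
     environment.etc."lxc/lxc.conf".text = cfg.systemConfig;
     environment.etc."lxc/lxc-usernet".text = cfg.usernetConfig;
     environment.etc."lxc/default.conf".text = cfg.defaultConfig;
 
+    security.apparmor.packages = [ pkgs.lxc ];
+    security.apparmor.profiles = [ "${pkgs.lxc}/etc/apparmor.d/lxc-containers" ];
   };
-
 }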
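Review bot: The two `security.apparmor.*` settings added at the end of the `config` block are only acted on when `security.apparmor.enable` is set (apparmor.nix wraps its `config` in `mkIf cfg.enable`), and nothing here enables it or documents that requirement, so enabling LXC alone registers the profile path but never loads it. A comment above the two lines would make the dependency visible: `# Only loaded when security.apparmor.enable = true; without it these settings are inert.` If confinement is meant to accompany LXC by default, `security.apparmor.enable = mkDefault true;` is the alternative, but that is a policy choice that should be stated in the commit rather than implied. The `options` attribute set that this hunk closes starts outside the hunk.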