
nixos/murmur: add apparmor policy

+36
+32
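--- a/nixos/modules/services/networking/murmur.nix
+++ b/nixos/modules/services/networking/murmur.nix
@@ -355,5 +355,37 @@
       '';
       destination = "/share/dbus-1/system.d/murmur.conf";
     })];
+
+    security.apparmor.policies."bin.mumble-server".profile = ''
+      include <tunables/global>
+
+      ${cfg.package}/bin/{mumble-server,.mumble-server-wrapped} {
+        include <abstractions/base>
+        include <abstractions/nameservice>
+        include <abstractions/ssl_certs>
+        include "${pkgs.apparmorRulesFromClosure { name = "mumble-server"; } cfg.package}"
+        pix ${cfg.package}/bin/.mumble-server-wrapped,
+
+        r ${config.environment.etc."os-release".source},
+        r ${config.environment.etc."lsb-release".source},
+        owner rwk /var/lib/murmur/murmur.sqlite,
+        owner rw /var/lib/murmur/murmur.sqlite-journal,
+        owner r /var/lib/murmur/,
+        r /run/murmur/murmurd.pid,
+        r /run/murmur/murmurd.ini,
+        r ${configFile},
+      '' + optionalString (cfg.logFile != null) ''
+        rw ${cfg.logFile},
+      '' + optionalString (cfg.sslCert != "") ''
+        r ${cfg.sslCert},
+      '' + optionalString (cfg.sslKey != "") ''
+        r ${cfg.sslKey},
+      '' + optionalString (cfg.sslCa != "") ''
+        r ${cfg.sslCa},
+      '' + optionalString (cfg.dbus != null) ''
+        dbus bus=${cfg.dbus}
+      '' + ''
+      }
+    '';
   };
 }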
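Review bot: The `dbus bus=${cfg.dbus}` rule at new line 386 is unqualified, so the confined server may send to, receive from and bind any name on that bus, which gives away most of what the profile otherwise withholds; an AppArmor dbus rule can be narrowed with `name=`/`peer=` qualifiers, e.g. `dbus bus=${cfg.dbus} name=<the well-known name from the policy at line 356>,` — the bus policy written to `dbus-1/system.d/murmur.conf` is not visible in this hunk, so the exact name should be taken from there. A second, hedged point on lines 371–372: only `murmur.sqlite` and its `-journal` are granted, so if the database is ever opened in WAL mode the `-wal`/`-shm` sidecar files would be denied and the server would fail at first write — worth either granting `owner rw /var/lib/murmur/murmur.sqlite-{journal,wal,shm},` or adding a comment stating that rollback-journal mode is assumed. The hunk also lacks any comment explaining why `pix` (rather than `ix`) is used for the wrapper transition; a one-liner such as `# the wrapper re-execs the real binary; transition to its own profile` would help the next maintainer. The enclosing `config` attribute set begins before line 355, outside the hunk.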
+4
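--- a/nixos/tests/mumble.nix
+++ b/nixos/tests/mumble.nix
@@ -20,6 +20,7 @@
 
   nodes = {
     server = { config, ... }: {
+      security.apparmor.enable = true;
       services.murmur.enable = true;
       services.murmur.registerName = "NixOS tests";
       services.murmur.password = "$MURMURD_PASSWORD";
@@ -81,5 +82,8 @@
     server.sleep(5) # wait to get screenshot
     client1.screenshot("screen1")
     client2.screenshot("screen2")
+
+    # check if apparmor denied anything
+    server.fail('journalctl -b --no-pager --grep "^audit: .*apparmor=\\"DENIED\\""')
   '';
 })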
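Review bot: The new assertion at line 87 only proves the absence of denials, which a profile that never attached to the process also satisfies — a typo in the attachment path or a profile left unloaded would make this test pass silently. Add a positive check that the running server is actually confined, e.g. `server.succeed("grep -q mumble-server /proc/$(systemctl show -p MainPID --value murmur.service)/attr/apparmor/current")` (the unit name is inferred from `services.murmur`; confirm it). Note also that the journal grep is system-wide, so with `security.apparmor.enable = true` on the node any other loaded policy that denies something will fail this test too; if that is intended, a comment saying so would avoid a confusing failure, otherwise narrow the pattern with `profile=\\"bin.mumble-server\\"` or the binary's path.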