
nixos/miniflux: add apparmor policy

This change also extends the test to ensure that normal operations
aren't denied.

+18
+12
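--- a/nixos/modules/services/web-apps/miniflux.nix
+++ b/nixos/modules/services/web-apps/miniflux.nix
@@ -130,5 +130,17 @@
 environment = cfg.config;
 };
 environment.systemPackages = [ cfg.package ];
+
+security.apparmor.policies."bin.miniflux".profile = ''
+include <tunables/global>
+${cfg.package}/bin/miniflux {
+include <abstractions/base>
+include <abstractions/nameservice>
+include <abstractions/ssl_certs>
+include "${pkgs.apparmorRulesFromClosure { name = "miniflux"; } cfg.package}"
+r ${cfg.package}/bin/miniflux,
+r @{sys}/kernel/mm/transparent_hugepage/hpage_pmd_size,
+}
+'';
 };
 }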
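Review bot: The file rules in the new profile carry no comments, and `r @{sys}/kernel/mm/transparent_hugepage/hpage_pmd_size,` in particular is opaque without one; a short comment such as `# read by the Go runtime at startup (confirm against the denial this was added for)` would help the next maintainer who has to decide whether it can be dropped. The profile also contains no explicit `network` rule, and the accompanying test never fetches a feed, so whether outbound HTTP(S) for feed refreshes is permitted by the included abstractions in enforce mode is not demonstrated by this change. The attachment path `${cfg.package}/bin/miniflux` correctly follows `services.miniflux.package` overrides, but if the unit ever executes the binary through a wrapper the profile would silently not attach, so the test's positive check of the profile being applied matters.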
+6
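--- a/nixos/tests/miniflux.nix
+++ b/nixos/tests/miniflux.nix
@@ -25,6 +25,7 @@
 default =
 { ... }:
 {
+security.apparmor.enable = true;
 services.miniflux = {
 enable = true;
 inherit adminCredentialsFile;
@@ -34,6 +35,7 @@
 withoutSudo =
 { ... }:
 {
+security.apparmor.enable = true;
 services.miniflux = {
 enable = true;
 inherit adminCredentialsFile;
@@ -44,6 +46,7 @@
 customized =
 { ... }:
 {
+security.apparmor.enable = true;
 services.miniflux = {
 enable = true;
 config = {
@@ -63,6 +66,7 @@
 default.succeed(
 "curl 'http://localhost:${toString defaultPort}/v1/me' -u '${defaultUsername}:${defaultPassword}' -H Content-Type:application/json | grep '\"is_admin\":true'"
 )
+default.fail('journalctl -b --no-pager --grep "^audit: .*apparmor=\\"DENIED\\""')
 
 withoutSudo.wait_for_unit("miniflux.service")
 withoutSudo.wait_for_open_port(${toString defaultPort})
@@ -70,6 +74,7 @@
 withoutSudo.succeed(
 "curl 'http://localhost:${toString defaultPort}/v1/me' -u '${defaultUsername}:${defaultPassword}' -H Content-Type:application/json | grep '\"is_admin\":true'"
 )
+withoutSudo.fail('journalctl -b --no-pager --grep "^audit: .*apparmor=\\"DENIED\\""')
 
 customized.wait_for_unit("miniflux.service")
 customized.wait_for_open_port(${toString port})
@@ -77,5 +82,6 @@
 customized.succeed(
 "curl 'http://localhost:${toString port}/v1/me' -u '${username}:${password}' -H Content-Type:application/json | grep '\"is_admin\":true'"
 )
+customized.fail('journalctl -b --no-pager --grep "^audit: .*apparmor=\\"DENIED\\""')
 '';
 })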
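Review bot: The three added `*.fail('journalctl -b --no-pager --grep "^audit: .*apparmor=\\"DENIED\\""')` checks (hunks at old lines 63, 70 and 77) pass vacuously whenever journalctl itself exits non-zero for an unrelated reason, for example a systemd built without pattern-matching support where `--grep` is an error, so the test cannot tell "no denials" from "could not search". A positive assertion that the profile is actually loaded before the negative check, e.g. `default.succeed("grep -q miniflux /sys/kernel/security/apparmor/profiles")`, would close that gap and also catch the profile failing to attach. The three lines differ only in the machine name and could be one small Python helper called per machine. The check also runs only after the `/v1/me` requests, so no feed fetch is exercised and the profile's outbound-network behaviour remains untested by this change.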