84c0af80d7
apparmor's systemd service wasn't working when multiple profiles were defined, due to the ExecStart commands in the service file being broken into multiple lines, instead of being separated by ';'.
69 lines
1.5 KiB
Nix
69 lines
1.5 KiB
Nix
{pkgs, config, ...}:
|
|
|
|
let
|
|
cfg = config.security.apparmor;
|
|
in
|
|
|
|
with pkgs.lib;
|
|
|
|
{
|
|
|
|
###### interface
|
|
|
|
options = {
|
|
|
|
security.apparmor = {
|
|
|
|
enable = mkOption {
|
|
default = false;
|
|
description = ''
|
|
Enable AppArmor application security system. Enable only if
|
|
you want to further improve AppArmor.
|
|
'';
|
|
};
|
|
|
|
profiles = mkOption {
|
|
default = [];
|
|
merge = mergeListOption;
|
|
description = ''
|
|
List of file names of AppArmor profiles.
|
|
'';
|
|
};
|
|
|
|
};
|
|
};
|
|
|
|
|
|
###### implementation
|
|
|
|
config = mkIf (cfg.enable) {
|
|
|
|
assertions = [ { assertion = config.boot.kernelPackages.kernel.features ? apparmor
|
|
&& config.boot.kernelPackages.kernel.features.apparmor;
|
|
message = "AppArmor is enabled, but the kernel doesn't have AppArmor support"; }
|
|
];
|
|
|
|
environment.systemPackages = [ pkgs.apparmor ];
|
|
|
|
systemd.services.apparmor = {
|
|
#wantedBy = [ "basic.target" ];
|
|
wantedBy = [ "local-fs.target" ];
|
|
path = [ pkgs.apparmor ];
|
|
|
|
serviceConfig = {
|
|
Type = "oneshot";
|
|
RemainAfterExit = "yes";
|
|
ExecStart = concatMapStrings (profile:
|
|
''${pkgs.apparmor}/sbin/apparmor_parser -rKv -I ${pkgs.apparmor}/etc/apparmor.d/ "${profile}" ; ''
|
|
) cfg.profiles;
|
|
ExecStop = concatMapStrings (profile:
|
|
''${pkgs.apparmor}/sbin/apparmor_parser -Rv "${profile}" ; ''
|
|
) cfg.profiles;
|
|
};
|
|
|
|
};
|
|
|
|
};
|
|
|
|
}
|