nixos/modules/services/networking/murmur.nix +32 −0 @@ -355,5 +355,37 @@ in ''; destination = "/share/dbus-1/system.d/murmur.conf"; })]; security.apparmor.policies."bin.mumble-server".profile = '' include <tunables/global> ${cfg.package}/bin/{mumble-server,.mumble-server-wrapped} { include <abstractions/base> include <abstractions/nameservice> include <abstractions/ssl_certs> include "${pkgs.apparmorRulesFromClosure { name = "mumble-server"; } cfg.package}" pix ${cfg.package}/bin/.mumble-server-wrapped, r ${config.environment.etc."os-release".source}, r ${config.environment.etc."lsb-release".source}, owner rwk /var/lib/murmur/murmur.sqlite, owner rw /var/lib/murmur/murmur.sqlite-journal, owner r /var/lib/murmur/, r /run/murmur/murmurd.pid, r /run/murmur/murmurd.ini, r ${configFile}, '' + optionalString (cfg.logFile != null) '' rw ${cfg.logFile}, '' + optionalString (cfg.sslCert != "") '' r ${cfg.sslCert}, '' + optionalString (cfg.sslKey != "") '' r ${cfg.sslKey}, '' + optionalString (cfg.sslCa != "") '' r ${cfg.sslCa}, '' + optionalString (cfg.dbus != null) '' dbus bus=${cfg.dbus} '' + '' } ''; }; }
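Review bot: The `dbus bus=${cfg.dbus}` rule in the last optional fragment is the only rule in the profile without a trailing comma, so with `services.murmur.dbus` set the generated text should fail to parse and the profile would presumably not load; it should read `dbus bus=${cfg.dbus},`. Once it parses, that rule allows every D-Bus permission towards any peer on the chosen bus, so narrowing it to the name and interface murmur actually uses would keep the confinement meaningful. The option paths (`cfg.logFile`, `cfg.sslCert`, `cfg.sslKey`, `cfg.sslCa`) are interpolated unquoted, so a value containing a space breaks the rule and one containing an AppArmor glob character widens it; double-quoting them, e.g. `r "${cfg.sslKey}",`, handles the space case. The enclosing module body starts outside the hunk, so whether the database or pid paths can be overridden elsewhere is not visible here.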
nixos/tests/mumble.nix +4 −0 @@ -20,6 +20,7 @@ in nodes = { server = { config, ... }: { security.apparmor.enable = true; services.murmur.enable = true; services.murmur.registerName = "NixOS tests"; services.murmur.password = "$MURMURD_PASSWORD"; @@ -81,5 +82,8 @@ in server.sleep(5) # wait to get screenshot client1.screenshot("screen1") client2.screenshot("screen2") # check if apparmor denied anything server.fail('journalctl -b --no-pager --grep "^audit: .*apparmor=\\"DENIED\\""') ''; })
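Review bot: The added `server.fail(...)` check passes whenever journalctl finds no match, which is also what happens if the murmur profile never loaded or never attached to the process, so a broken profile looks the same as a clean one. A positive assertion ahead of it would close that gap, for example `server.succeed("grep -q mumble-server /sys/kernel/security/apparmor/profiles")`, assuming securityfs is mounted in the test VM. As far as the hunk shows, the server node does not set logFile, the ssl options or dbus, so the optional fragments of the profile are not exercised by this test; the node definition continues outside the hunk.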