Unverified Commit 3dd12c46 authored by Vladimír Čunát's avatar Vladimír Čunát Committed by GitHub

staging-next 2025-11-14 (#461523)

parents f04cb2ce 5a2983b6
+15 −15
@@ -19,7 +19,7 @@ let
          mode ? "r",
          trail ? "",
        }:
        lib.optionalString (hasAttr path etc) "${mode} ${config.environment.etc.${path}.source}${trail},";
        lib.optionalString (hasAttr path etc) "${config.environment.etc.${path}.source}${trail} ${mode},";
    in
    if isAttrs arg then go arg else go { path = arg; };
in
@@ -93,19 +93,19 @@ in
    ];
    "abstractions/base" = ''
      include "${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/base"
      r ${pkgs.stdenv.cc.libc}/share/locale/**,
      r ${pkgs.stdenv.cc.libc}/share/locale.alias,
      r ${config.i18n.glibcLocales}/lib/locale/locale-archive,
      ${pkgs.stdenv.cc.libc}/share/locale/** r,
      ${pkgs.stdenv.cc.libc}/share/locale.alias r,
      ${config.i18n.glibcLocales}/lib/locale/locale-archive r,
      ${etcRule "localtime"}
      r ${pkgs.tzdata}/share/zoneinfo/**,
      r ${pkgs.stdenv.cc.libc}/share/i18n/**,
      ${pkgs.tzdata}/share/zoneinfo/** r,
      ${pkgs.stdenv.cc.libc}/share/i18n/** r,
    '';
    "abstractions/bash" = ''
      include "${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/bash"

      # bash inspects filesystems at startup
      # and /etc/mtab is linked to /proc/mounts
      r @{PROC}/mounts,
      @{PROC}/mounts r,

      # system-wide bash configuration
    ''
@@ -296,8 +296,8 @@ in
      # looking up users by name or id, groups by name or id, hosts by name
      # or IP, etc. These operations may be performed through files, dns,
      # NIS, NIS+, LDAP, hesiod, wins, etc. Allow them all here.
      mr ${getLib pkgs.nss}/lib/libnss_*.so*,
      mr ${getLib pkgs.nss}/lib64/libnss_*.so*,
      ${getLib pkgs.nss}/lib/libnss_*.so* mr,
      ${getLib pkgs.nss}/lib64/libnss_*.so* mr,
    ''
    + lib.concatMapStringsSep "\n" etcRule [
      "group"
@@ -463,11 +463,11 @@ in
      include "${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/ssl_certs"

      # For the NixOS module: security.acme
      r /var/lib/acme/*/cert.pem,
      r /var/lib/acme/*/chain.pem,
      r /var/lib/acme/*/fullchain.pem,
      /var/lib/acme/*/cert.pem r,
      /var/lib/acme/*/chain.pem r,
      /var/lib/acme/*/fullchain.pem r,

      r /etc/pki/tls/certs/,
      /etc/pki/tls/certs/ r,

    ''
    + lib.concatMapStringsSep "\n" etcRule [
@@ -510,8 +510,8 @@ in
    ];
    "abstractions/ssl_keys" = ''
      # security.acme NixOS module
      r /var/lib/acme/*/full.pem,
      r /var/lib/acme/*/key.pem,
      /var/lib/acme/*/full.pem r,
      /var/lib/acme/*/key.pem r,
    '';
    "abstractions/vulkan" = ''
      include "${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/vulkan"
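Review bot: The `etcRule` helper in the first hunk (its definition starts above the hunk) now emits rules in AppArmor's `path perms,` order, but nothing near it says what string it produces or that the `lib.optionalString (hasAttr path etc)` guard silently emits nothing when the /etc entry is not defined, so the rule for an unset entry just disappears from the abstraction. Add a short comment above the function, e.g. `# Emit the AppArmor file rule "<source of /etc/<path>><trail> <mode>," (mode defaults to "r"), or the empty string when the /etc entry is not defined` (etc is presumably config.environment.etc; confirm). The remaining hunks of this file apply the same reordering to literal rules and need no further change.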
+28 −28
@@ -401,40 +401,40 @@ in
    ];

    security.apparmor.policies."bin.mumble-server".profile = ''
      abi <abi/4.0>,
      include <tunables/global>

      ${cfg.package}/bin/{mumble-server,.mumble-server-wrapped} {
      profile ${cfg.package}/bin/{mumble-server,.mumble-server-wrapped} {
        include <abstractions/base>
        include <abstractions/nameservice>
        include <abstractions/ssl_certs>
        include "${pkgs.apparmorRulesFromClosure { name = "mumble-server"; } cfg.package}"
        pix ${cfg.package}/bin/.mumble-server-wrapped,

        r ${config.environment.etc."os-release".source},
        r ${config.environment.etc."lsb-release".source},
        owner rwk ${cfg.stateDir}/murmur.sqlite,
        owner rw ${cfg.stateDir}/murmur.sqlite-journal,
        owner r ${cfg.stateDir}/,
        r /run/murmur/murmurd.pid,
        r /run/murmur/murmurd.ini,
        r ${configFile},
    ''
    + lib.optionalString cfg.logToFile ''
      rw /var/log/murmur/murmurd.log,
    ''
    + lib.optionalString (cfg.sslCert != null) ''
      r ${cfg.sslCert},
    ''
    + lib.optionalString (cfg.sslKey != null) ''
      r ${cfg.sslKey},
    ''
    + lib.optionalString (cfg.sslCa != null) ''
      r ${cfg.sslCa},
    ''
    + lib.optionalString (cfg.dbus != null) ''
      dbus bus=${cfg.dbus}
    ''
    + ''
        ${cfg.package}/bin/.mumble-server-wrapped pix,

        ${config.environment.etc."os-release".source} r,
        ${config.environment.etc."lsb-release".source} r,
        owner ${cfg.stateDir}/murmur.sqlite rwk,
        owner ${cfg.stateDir}/murmur.sqlite-journal rw,
        owner ${cfg.stateDir}/ r,
        /run/murmur/murmurd.pid r,
        /run/murmur/murmurd.ini r,
        ${configFile} r,
        ${lib.optionalString cfg.logToFile ''
          /var/log/murmur/murmurd.log rw,
        ''}
        ${lib.optionalString (cfg.sslCert != null) ''
          ${cfg.sslCert} r,
        ''}
        ${lib.optionalString (cfg.sslKey != null) ''
          ${cfg.sslKey} r,
        ''}
        ${lib.optionalString (cfg.sslCa != null) ''
          ${cfg.sslCa} r,
        ''}
        ${lib.optionalString (cfg.dbus != null) ''
          dbus bus=${cfg.dbus},
        ''}
        include if exists <local/bin.mumble-server>
      }
    '';
  };
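Review bot: The rule `dbus bus=${cfg.dbus},` on the new side carries no access expression and no `name=`/`path=` qualifier, so it permits send, receive and bind for everything on that bus; the old line had the same shape (minus the trailing comma the commit adds), but the breadth is not obvious from the one-liner and deserves a comment. Suggest `# no access or name qualifiers: allows all send/receive/bind on this bus` next to it, or narrowing the rule if the bus names mumble-server uses are known to the module. A smaller style point: the `${lib.optionalString … ''…''}` blocks inside the outer string leave whitespace-only lines in the generated profile whenever their condition is false; harmless to the parser but noticeable when reading the profile on the host, and the previous concatenation form did not have that effect.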
+10 −10
@@ -585,23 +585,23 @@ in
      include "${cfg.package.apparmor}/bin.transmission-daemon"
    '';
    security.apparmor.includes."local/bin.transmission-daemon" = ''
      r ${config.systemd.services.transmission.environment.CURL_CA_BUNDLE},
      ${config.systemd.services.transmission.environment.CURL_CA_BUNDLE} r,

      owner rw ${cfg.home}/${settingsDir}/**,
      rw ${cfg.settings.download-dir}/**,
      owner ${cfg.home}/${settingsDir}/** rw,
      ${cfg.settings.download-dir}/** rw,
      ${optionalString cfg.settings.incomplete-dir-enabled ''
        rw ${cfg.settings.incomplete-dir}/**,
        ${cfg.settings.incomplete-dir}/** rw,
      ''}
      ${optionalString cfg.settings.watch-dir-enabled ''
        r${optionalString cfg.settings.trash-original-torrent-files "w"} ${cfg.settings.watch-dir}/**,
        ${cfg.settings.watch-dir}/** r${optionalString cfg.settings.trash-original-torrent-files "w"},
      ''}
      profile dirs {
        rw ${cfg.settings.download-dir}/**,
        ${cfg.settings.download-dir}/** rw,
        ${optionalString cfg.settings.incomplete-dir-enabled ''
          rw ${cfg.settings.incomplete-dir}/**,
          ${cfg.settings.incomplete-dir}/** rw,
        ''}
        ${optionalString cfg.settings.watch-dir-enabled ''
          r${optionalString cfg.settings.trash-original-torrent-files "w"} ${cfg.settings.watch-dir}/**,
          ${cfg.settings.watch-dir}/** r${optionalString cfg.settings.trash-original-torrent-files "w"},
        ''}
      }

@@ -612,12 +612,12 @@ in
          # any existing profile for script-torrent-done-filename
          # FIXME: to be tested as I'm not sure it works well with NoNewPrivileges=
          # https://gitlab.com/apparmor/apparmor/-/wikis/AppArmorStacking#seccomp-and-no_new_privs
          px ${cfg.settings.script-torrent-done-filename} -> &@{dirs},
          ${cfg.settings.script-torrent-done-filename} px -> &@{dirs},
        ''
      }

      ${optionalString (cfg.webHome != null) ''
        r ${cfg.webHome}/**,
        ${cfg.webHome}/** r,
      ''}
    '';
  };
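Review bot: The three directory rules (download-dir, incomplete-dir, watch-dir) are written out twice in the first hunk, once at the top level and again inside `profile dirs { }`, and this commit had to reorder both copies in step; hoisting them into one string in the enclosing `let` (which is outside the hunk), e.g. `dirRules = '' … '';`, and interpolating `${dirRules}` in both places keeps the two sets from drifting apart. The include also interpolates the configured directories verbatim into the rules; since `*`, `?`, `[` and `{` are glob metacharacters to the AppArmor parser, a comment such as `# download/incomplete/watch dirs are interpolated as raw AppArmor globs; assumed to be plain paths` would make that assumption visible (I have not checked whether the module validates these settings elsewhere).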
+6 −3
@@ -207,15 +207,18 @@ in
    environment.systemPackages = [ cfg.package ];

    security.apparmor.policies."bin.miniflux".profile = ''
      abi <abi/4.0>,
      include <tunables/global>
      ${cfg.package}/bin/miniflux {

      profile ${cfg.package}/bin/miniflux {
        include <abstractions/base>
        include <abstractions/nameservice>
        include <abstractions/ssl_certs>
        include <abstractions/golang>
        include "${pkgs.apparmorRulesFromClosure { name = "miniflux"; } cfg.package}"
        r ${cfg.package}/bin/miniflux,
        rw /run/miniflux/**,
        ${cfg.package}/bin/miniflux r,
        /run/miniflux/** rw,
        include if exists <local/bin.miniflux>
      }
    '';
  };
+1 −1
@@ -27,7 +27,7 @@ in
    # automatically and that 'systemd-shutdown' runs our script.
    machine.wait_for_unit("multi-user.target")
    # .shutdown() would wait for the machine to power off
    machine.succeed("systemctl poweroff")
    machine.execute("systemctl poweroff", check_return=False)
    # Message printed by systemd-shutdown
    machine.wait_for_console_text("Unmounting '/oldroot'")
    machine.wait_for_console_text("${msg}")
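Review bot: `machine.execute("systemctl poweroff", check_return=False)` now discards the command's exit status without saying why, so a later reader may well "fix" it back to `succeed`. Add a comment above it stating the reason, e.g. `# execute() with check_return=False: the guest connection is torn down while powering off, so the exit status is not meaningful` (that is the apparent motivation; confirm). Because the status is ignored, a failure to run systemctl at all would only surface as a timeout in the following wait_for_console_text calls, which is acceptable here but worth stating in that comment. The test script continues outside the hunk.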