Commit 44fde723 authored by Robert Obryk's avatar Robert Obryk

nixos/security/wrappers: generate a separate and more complete apparmor policy...

nixos/security/wrappers: generate a separate and more complete apparmor policy fragment for each wrapper

This change includes some rules (e.g. reading of the `.real` file,
execution of the wrapper's target) that belong to the apparmor policy
of the wrapper. This necessitates making them distinct for each wrapper.
The main reason for this change is as a preparation for making each
wrapper be a distinct binary.
parent c0e607da
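--- a/PATH_NOT_SHOWN_1
+++ b/PATH_NOT_SHOWN_1
@@ -248,11 +248,14 @@ in
       export PATH="${wrapperDir}:$PATH"
     '';
 
-    security.apparmor.includes."nixos/security.wrappers" = ''
-      include "${pkgs.apparmorRulesFromClosure { name="security.wrappers"; } [
+    security.apparmor.includes = lib.mapAttrs' (wrapName: wrap: lib.nameValuePair
+     "nixos/security.wrappers/${wrapName}" ''
+      include "${pkgs.apparmorRulesFromClosure { name="security.wrappers.${wrapName}"; } [
         securityWrapper
       ]}"
-    '';
+      mrpx ${wrap.source},
+      r /run/wrappers/wrappers.*/${wrapName}.real,
+    '') wrappers;
 
     ###### wrappers activation script
     system.activationScripts.wrappers =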
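Review bot: The include `nixos/security.wrappers` no longer exists after the `lib.mapAttrs'` rewrite at the top of this hunk, and apparmor_parser rejects a profile whose `include` names a missing file, so any profile outside this commit that still carries `include <nixos/security.wrappers>` will fail to load; only the ping profile is updated here. If other profiles reference the old name, keep an umbrella entry under the old key alongside the per-wrapper ones, or move those profiles to `include if exists` where the installed parser supports it. The generated fragment also grants `mrpx ${wrap.source}`; with `px` the exec is denied unless the target has its own loaded profile, which now applies to every wrapper rather than just ping and deserves a comment in the fragment such as `# px: the wrapper's source must have its own AppArmor profile or the exec is denied`. As a point of style, the five-space indent on `"nixos/security.wrappers/${wrapName}" ''` is inconsistent with the surrounding four-space steps.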
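--- a/PATH_NOT_SHOWN_2
+++ b/PATH_NOT_SHOWN_2
@@ -1396,14 +1396,12 @@ in
     security.apparmor.policies."bin.ping".profile = lib.mkIf config.security.apparmor.policies."bin.ping".enable (lib.mkAfter ''
       /run/wrappers/bin/ping {
         include <abstractions/base>
-        include <nixos/security.wrappers>
+        include <nixos/security.wrappers/ping>
         rpx /run/wrappers/wrappers.*/ping,
       }
       /run/wrappers/wrappers.*/ping {
         include <abstractions/base>
-        include <nixos/security.wrappers>
-        r /run/wrappers/wrappers.*/ping.real,
-        mrpx ${config.security.wrappers.ping.source},
+        include <nixos/security.wrappers/ping>
         capability net_raw,
         capability setpcap,
       }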
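Review bot: The `/run/wrappers/bin/ping` profile now pulls in the same per-wrapper fragment as the `/run/wrappers/wrappers.*/ping` profile, so it gains `mrpx` on the ping source and `r` on `ping.real`, neither of which the old version of that profile granted; its only remaining explicit rule is the `rpx` transition to the wrapper, which suggests it may not need them (I cannot tell from this hunk whether `bin/ping` is the same binary as `wrappers.*/ping`). If those rules are only needed by the wrapper profile, a narrower include for the `bin/ping` entry, or a comment in the profile explaining why both profiles share the fragment, would keep the first profile at least privilege. The `''` string opened on the first line of this hunk closes outside it.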