Commit 4cee2f4e authored by Philipp Bartsch's avatar Philipp Bartsch

nixos/apparmor: add abstraction for golang

Since "Container-aware GOMAXPROCS" was introduced in golang version
1.25.0, there are new paths accessed on every go runtime startup.

Release notes: https://tip.golang.org/doc/go1.25#container-aware-gomaxprocs

> At startup (defaultGOMAXPROCSInit), we read /proc/self/cgroup and
> /proc/self/mountinfo to find our current CPU cgroup and open its
> limit file(s), which remain open for the entire process lifetime. We
> periodically read the current limit by rereading the limit file(s)
> from the beginning.
>
> https://github.com/golang/go/blob/go1.25.0/src/runtime/cgroup_linux.go#L13
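To make concrete why the abstraction needs exactly these paths, here is an added example (not code from this commit or from the Go runtime) that re-derives, from constructed `/proc/self/cgroup` and `/proc/self/mountinfo` contents, the limit file(s) the runtime ends up opening. It is a simplified model of the lookup the commit message describes: it resolves only the leaf cgroup, and the sample inputs are made up to resemble a systemd session on a cgroup v2 host and a container on a cgroup v1 host; the runtime's real walk is in `cgroup_linux.go`.

```go
package main

import (
	"fmt"
	"path"
	"strings"
)

// Constructed sample inputs (not captured from a real host). The v2 pair
// mimics a systemd session on a cgroup-v2 host; the v1 pair mimics a process
// in a container whose cpu controller mount is rooted at a subtree.
const (
	SampleCgroupV2    = "0::/user.slice/user-1000.slice/session-2.scope\n"
	SampleMountinfoV2 = "35 24 0:30 / /sys/fs/cgroup rw,nosuid,nodev,noexec,relatime shared:9 - cgroup2 cgroup2 rw,nsdelegate\n"
	SampleCgroupV1    = "12:cpu,cpuacct:/docker/abc123\n3:memory:/docker/abc123\n"
	SampleMountinfoV1 = "40 39 0:35 /docker/abc123 /sys/fs/cgroup/cpu,cpuacct ro,nosuid,nodev,noexec,relatime master:15 - cgroup cgroup rw,cpu,cpuacct\n"
)

// CPULimitFiles is the lookup result: the cgroup version found and the
// absolute limit file(s) a runtime would open and keep re-reading.
type CPULimitFiles struct {
	Version int
	Files   []string
}

// mount holds the /proc/self/mountinfo fields needed here. superOpts is kept
// as ",opt1,opt2," so a controller name can be matched as ",cpu,".
type mount struct {
	root, mountPoint, fstype, superOpts string
}

// parseMountinfo splits each line as
// "id parent maj:min root mountpoint opts [optional...] - fstype source superopts".
func parseMountinfo(text string) []mount {
	var out []mount
	for _, line := range strings.Split(text, "\n") {
		f := strings.Fields(line)
		sep := -1
		for i, s := range f {
			if s == "-" {
				sep = i
				break
			}
		}
		if sep < 6 || len(f) < sep+4 {
			continue // malformed or truncated line: skip rather than guess
		}
		out = append(out, mount{root: f[3], mountPoint: f[4], fstype: f[sep+1], superOpts: "," + f[sep+3] + ","})
	}
	return out
}

// findCPUCgroup scans /proc/self/cgroup text. A "0::/path" line is cgroup v2
// (unified); otherwise the v1 line whose controller list contains "cpu" wins.
func findCPUCgroup(text string) (version int, cgroupPath string, ok bool) {
	for _, line := range strings.Split(text, "\n") {
		p := strings.SplitN(line, ":", 3)
		if len(p) != 3 {
			continue
		}
		if p[0] == "0" && p[1] == "" {
			return 2, p[2], true
		}
		if strings.Contains(","+p[1]+",", ",cpu,") {
			return 1, p[2], true
		}
	}
	return 0, "", false
}

// LimitFiles resolves the limit files for the leaf cgroup of the process.
func LimitFiles(cgroupText, mountinfoText string) (CPULimitFiles, error) {
	version, cgPath, ok := findCPUCgroup(cgroupText)
	if !ok {
		return CPULimitFiles{}, fmt.Errorf("no cpu cgroup entry in /proc/self/cgroup")
	}
	for _, m := range parseMountinfo(mountinfoText) {
		isV2 := version == 2 && m.fstype == "cgroup2"
		isV1 := version == 1 && m.fstype == "cgroup" && strings.Contains(m.superOpts, ",cpu,")
		if !isV2 && !isV1 {
			continue
		}
		// The cgroup path is relative to the hierarchy root; inside a container
		// the mount may expose only a subtree (root != "/"), so strip that prefix.
		rel := cgPath
		if m.root != "/" && strings.HasPrefix(cgPath, m.root) {
			rel = strings.TrimPrefix(cgPath, m.root)
		}
		dir := path.Join(m.mountPoint, rel)
		if isV2 {
			return CPULimitFiles{Version: 2, Files: []string{path.Join(dir, "cpu.max")}}, nil
		}
		return CPULimitFiles{Version: 1, Files: []string{
			path.Join(dir, "cpu.cfs_quota_us"),
			path.Join(dir, "cpu.cfs_period_us"),
		}}, nil
	}
	return CPULimitFiles{}, fmt.Errorf("no cgroup v%d cpu mount in /proc/self/mountinfo", version)
}

func main() {
	for _, in := range [][2]string{{SampleCgroupV2, SampleMountinfoV2}, {SampleCgroupV1, SampleMountinfoV1}} {
		r, err := LimitFiles(in[0], in[1])
		fmt.Println(r, err)
	}
}
```

Both resolved paths land under `/sys/fs/cgroup/`, one as `.../cpu.max` (v2) and one as `/sys/fs/cgroup/cpu,cpuacct/cpu.cfs_{quota,period}_us` (v1), which is the shape the `@{sys}/fs/cgroup/**/...` rules in the diff below allow; the two `/proc/self` reads that precede them are what the `owner @{PROC}/@{pid}/{cgroup,mountinfo} r` rules cover.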
parent 7d0addaf
+7 −0
@@ -431,6 +431,13 @@ in
    "abstractions/python" = ''
      include "${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/python"
    '';
    "abstractions/golang" = ''
      # Container-aware GOMAXPROCS
      owner @{PROC}/@{pid}/mountinfo r,
      owner @{PROC}/@{pid}/cgroup r,
      @{sys}/fs/cgroup/**/{cpu.cfs_quota_us,cpu.cfs_period_us} r, # V1
      @{sys}/fs/cgroup/**/cpu.max r, # V2
    '';
    "abstractions/qt5" = ''
      include "${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/qt5"
    ''
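Review bot: the `# V1` and `# V2` trailing comments on the two `@{sys}/fs/cgroup/**/...` rules are terse; spell them out as `# cgroup v1` / `# cgroup v2` and reference the Go 1.25 release note so the next reader knows why these exact files are needed. Also confirm that `@{sys}` is defined (it comes from `tunables/sys`, normally pulled in via `tunables/global`) in every profile that will include this abstraction: the neighbouring `abstractions/python` and `abstractions/qt5` entries only include upstream files, so nothing visible here guarantees the variable exists where these inline rules land. The `**` glob is wide, but it grants read access only to the CPU limit files, which matches the runtime's pattern of opening them once and periodically re-reading them without exposing anything writable.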