Unverified Commit b2f0ccb5 authored by Tristan Ross's avatar Tristan Ross Committed by GitHub

nixos/security: init lsm option (#395855)

parents 0b4a36dc 6fb5b228
+1 −0
@@ -367,6 +367,7 @@
  ./security/auditd.nix
  ./security/ca.nix
  ./security/chromium-suid-sandbox.nix
  ./security/default.nix
  ./security/dhparams.nix
  ./security/doas.nix
  ./security/duosec.nix
+2 −4
@@ -200,10 +200,8 @@ in
          sed '1,/\[qualifiers\]/d' $footer >> $out
        '';

    boot.kernelParams = [
      "apparmor=1"
      "security=apparmor"
    ];
    boot.kernelParams = [ "apparmor=1" ];
    security.lsm = [ "apparmor" ];

    systemd.services.apparmor = {
      after = [
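Review bot: Replacing `security=apparmor` with `security.lsm = [ "apparmor" ]` on lines 31-32 is not a pure rename if that option is rendered as a `lsm=` kernel parameter: per the kernel's parameter documentation, `lsm=` overrides the whole CONFIG_LSM initialization list, whereas `security=` only selected the exclusive major module and left the built-in minor LSMs (yama, lockdown, landlock, bpf, depending on the kernel config) stacked. As written, an AppArmor system would therefore boot with only capability and apparmor initialized, silently dropping those hardening modules. Either list the previously-default minor LSMs alongside apparmor, or add a comment such as `# lsm= replaces CONFIG_LSM entirely; minor LSMs must be listed explicitly to stay enabled` and call the behaviour change out in the commit message. The enclosing attribute set begins before and ends after this hunk.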
+28 −0
{ config, lib, ... }:
let
  cfg = config.security;
in
{
  options = {
    security.lsm = lib.mkOption {
      type = lib.types.uniq (lib.types.listOf lib.types.str);
      default = [ ];
      description = ''
        A list of the LSMs to initialize in order.
      '';
    };
  };

  config = lib.mkIf (lib.lists.length cfg.lsm > 0) {
    assertions = [
      {
        assertion = builtins.length (lib.filter (lib.hasPrefix "security=") config.boot.kernelParams) == 0;
        message = "security parameter in boot.kernelParams cannot be used when security.lsm is used";
      }
    ];

    boot.kernelParams = [
      "lsm=${lib.concatStringsSep "," cfg.lsm}"
    ];
  };
}
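Review bot: The assertion on line 56 rejects a `security=` entry in boot.kernelParams but not a hand-written `lsm=` entry, so a user who already sets `lsm=...` there gets two conflicting `lsm=` parameters on the command line with whichever the kernel parses last winning, instead of an evaluation-time error; a tighter check is `assertion = !lib.any (p: lib.hasPrefix "security=" p || lib.hasPrefix "lsm=" p) config.boot.kernelParams;` with the message widened to name both parameters. Separately, `lib.types.uniq` on line 45 forbids merging, so once a module such as apparmor defines `security.lsm`, a user cannot append yama or landlock without mkForce, and the "in order" contract in the description is silently at the mercy of module evaluation order if that restriction is ever relaxed. The description should also state that `lsm=` replaces the kernel's CONFIG_LSM default list rather than extending it, and that names not compiled into the kernel are ignored rather than rejected, e.g. `Replaces the kernel's built-in CONFIG_LSM list; any LSM not listed here (including yama, lockdown, landlock, bpf) is not initialized.`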