Loading nixos/modules/security/apparmor/includes.nix +7 −2 Original line number Diff line number Diff line Loading @@ -62,7 +62,7 @@ config.security.apparmor.includes = { include "${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/base" r ${pkgs.stdenv.cc.libc}/share/locale/**, r ${pkgs.stdenv.cc.libc}/share/locale.alias, ${lib.optionalString (pkgs.glibcLocales != null) "r ${pkgs.glibcLocales}/lib/locale/locale-archive,"} r ${config.i18n.glibcLocales}/lib/locale/locale-archive, ${etcRule "localtime"} r ${pkgs.tzdata}/share/zoneinfo/**, r ${pkgs.stdenv.cc.libc}/share/i18n/**, Loading @@ -72,7 +72,7 @@ config.security.apparmor.includes = { # bash inspects filesystems at startup # and /etc/mtab is linked to /proc/mounts @{PROC}/mounts r @{PROC}/mounts, # system-wide bash configuration '' + lib.concatMapStringsSep "\n" etcRule [ Loading Loading @@ -211,6 +211,9 @@ config.security.apparmor.includes = { "abstractions/nis" = '' include "${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/nis" ''; "abstractions/nss-systemd" = '' include "${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/nss-systemd" ''; "abstractions/nvidia" = '' include "${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/nvidia" ${etcRule "vdpau_wrapper.cfg"} Loading Loading @@ -279,6 +282,8 @@ config.security.apparmor.includes = { r /var/lib/acme/*/chain.pem, r /var/lib/acme/*/fullchain.pem, r /etc/pki/tls/certs/, '' + lib.concatMapStringsSep "\n" etcRule [ "ssl/certs/ca-certificates.crt" "ssl/certs/ca-bundle.crt" Loading nixos/modules/services/networking/murmur.nix +32 −0 Original line number Diff line number Diff line Loading 
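Review bot: The new `r /etc/pki/tls/certs/,` rule in the ssl_certs abstraction ends in a slash, so it grants read on the directory entry only (stat/listing) and not on any file beneath it, while every neighbouring rule grants file contents; the intent should be written down. If the directory lookup is all that is wanted, a comment such as `# directory lookup only; no certificate contents are granted here` keeps a later maintainer from widening it, and if contents are meant to be readable the rule would have to read `r /etc/pki/tls/certs/**,`. The switch to `r ${config.i18n.glibcLocales}/lib/locale/locale-archive,` drops the former null guard, which is fine as long as that option always evaluates to a path. The enclosing `config.security.apparmor.includes` set continues outside the hunks.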
@@ -355,5 +355,37 @@ in ''; destination = "/share/dbus-1/system.d/murmur.conf"; })]; security.apparmor.policies."bin.mumble-server".profile = '' include <tunables/global> ${cfg.package}/bin/{mumble-server,.mumble-server-wrapped} { include <abstractions/base> include <abstractions/nameservice> include <abstractions/ssl_certs> include "${pkgs.apparmorRulesFromClosure { name = "mumble-server"; } cfg.package}" pix ${cfg.package}/bin/.mumble-server-wrapped, r ${config.environment.etc."os-release".source}, r ${config.environment.etc."lsb-release".source}, owner rwk /var/lib/murmur/murmur.sqlite, owner rw /var/lib/murmur/murmur.sqlite-journal, owner r /var/lib/murmur/, r /run/murmur/murmurd.pid, r /run/murmur/murmurd.ini, r ${configFile}, '' + optionalString (cfg.logFile != null) '' rw ${cfg.logFile}, '' + optionalString (cfg.sslCert != "") '' r ${cfg.sslCert}, '' + optionalString (cfg.sslKey != "") '' r ${cfg.sslKey}, '' + optionalString (cfg.sslCa != "") '' r ${cfg.sslCa}, '' + optionalString (cfg.dbus != null) '' dbus bus=${cfg.dbus} '' + '' } ''; }; } nixos/modules/services/web-apps/miniflux.nix +12 −0 Original line number Diff line number Diff line Loading @@ -130,5 +130,17 @@ in environment = cfg.config; }; environment.systemPackages = [ cfg.package ]; security.apparmor.policies."bin.miniflux".profile = '' include <tunables/global> ${cfg.package}/bin/miniflux { include <abstractions/base> include <abstractions/nameservice> include <abstractions/ssl_certs> include "${pkgs.apparmorRulesFromClosure { name = "miniflux"; } cfg.package}" r ${cfg.package}/bin/miniflux, r @{sys}/kernel/mm/transparent_hugepage/hpage_pmd_size, } ''; }; } nixos/tests/miniflux.nix +6 −0 Original line number Diff line number Diff line Loading @@ -25,6 +25,7 @@ in default = { ... }: { security.apparmor.enable = true; services.miniflux = { enable = true; inherit adminCredentialsFile; Loading 
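Review bot: The `dbus bus=${cfg.dbus}` rule in the new bin.mumble-server profile carries no `send`/`receive`/`bind` qualifier and no `name=`, `path=` or `interface=` constraint, so it permits unrestricted access to every name on that bus and undercuts the confinement the rest of the profile builds. Since the dbus policy file generated a few lines above already pins the daemon's well-known name, the rule could be narrowed to `dbus bind bus=${cfg.dbus} name=<WELL_KNOWN_NAME_FROM_murmur.conf>,` plus the specific send/receive pairs the daemon uses, with the mumble test surfacing any remaining denials. The `optionalString` branches for `sslCert`, `sslKey` and `logFile` are not exercised by that test, so a typo in those rules would only show up on a production host. The module's enclosing `in` block continues outside the hunk.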
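Review bot: The `r @{sys}/kernel/mm/transparent_hugepage/hpage_pmd_size,` rule in the new bin.miniflux profile has no explanation, so a later audit of the profile cannot tell whether it is still needed; this is presumably the Go runtime probing the huge-page size at start-up, and a comment such as `# Go runtime reads the THP page size at startup` above the rule would preserve that rationale (confirm against the runtime source). The profile appears to rely on `abstractions/nameservice` for its network access, which is adequate for an HTTP service but worth a one-line comment so nobody later adds a blanket `network,` rule. The enclosing attribute set continues outside the hunk.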
@@ -34,6 +35,7 @@ in withoutSudo = { ... }: { security.apparmor.enable = true; services.miniflux = { enable = true; inherit adminCredentialsFile; Loading @@ -44,6 +46,7 @@ in customized = { ... }: { security.apparmor.enable = true; services.miniflux = { enable = true; config = { Loading @@ -63,6 +66,7 @@ in default.succeed( "curl 'http://localhost:${toString defaultPort}/v1/me' -u '${defaultUsername}:${defaultPassword}' -H Content-Type:application/json | grep '\"is_admin\":true'" ) default.fail('journalctl -b --no-pager --grep "^audit: .*apparmor=\\"DENIED\\""') withoutSudo.wait_for_unit("miniflux.service") withoutSudo.wait_for_open_port(${toString defaultPort}) Loading @@ -70,6 +74,7 @@ in withoutSudo.succeed( "curl 'http://localhost:${toString defaultPort}/v1/me' -u '${defaultUsername}:${defaultPassword}' -H Content-Type:application/json | grep '\"is_admin\":true'" ) withoutSudo.fail('journalctl -b --no-pager --grep "^audit: .*apparmor=\\"DENIED\\""') customized.wait_for_unit("miniflux.service") customized.wait_for_open_port(${toString port}) Loading @@ -77,5 +82,6 @@ in customized.succeed( "curl 'http://localhost:${toString port}/v1/me' -u '${username}:${password}' -H Content-Type:application/json | grep '\"is_admin\":true'" ) customized.fail('journalctl -b --no-pager --grep "^audit: .*apparmor=\\"DENIED\\""') ''; }) nixos/tests/mumble.nix +4 −0 Original line number Diff line number Diff line Loading @@ -20,6 +20,7 @@ in nodes = { server = { config, ... }: { security.apparmor.enable = true; services.murmur.enable = true; services.murmur.registerName = "NixOS tests"; services.murmur.password = "$MURMURD_PASSWORD"; Loading Loading @@ -81,5 +82,8 @@ in server.sleep(5) # wait to get screenshot client1.screenshot("screen1") client2.screenshot("screen2") # check if apparmor denied anything server.fail('journalctl -b --no-pager --grep "^audit: .*apparmor=\\"DENIED\\""') ''; }) Loading
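Review bot: The new `fail('journalctl -b --no-pager --grep "^audit: .*apparmor=\\"DENIED\\""')` assertions only detect denials, so a profile that ends up loaded in complain mode would log `apparmor="ALLOWED"` and pass unnoticed; if the policies are meant to enforce, one additional assertion that the kernel reports the profile as enforcing (for example via `aa-status` or the listing under `/sys/kernel/security/apparmor/profiles`) would make the check meaningful. The same pattern is used in nixos/tests/mumble.nix. The regex also matches denials from any profile on the machine rather than the service under test, which is stricter but will attribute unrelated regressions to these tests; matching the `profile=` field of the audit line as well would make failures easier to read. Coverage is limited to the paths the test drives, so the conditional `sslCert`/`sslKey`/`logFile` rules added in murmur.nix are never validated here.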
nixos/modules/security/apparmor/includes.nix +7 −2 Original line number Diff line number Diff line Loading @@ -62,7 +62,7 @@ config.security.apparmor.includes = { include "${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/base" r ${pkgs.stdenv.cc.libc}/share/locale/**, r ${pkgs.stdenv.cc.libc}/share/locale.alias, ${lib.optionalString (pkgs.glibcLocales != null) "r ${pkgs.glibcLocales}/lib/locale/locale-archive,"} r ${config.i18n.glibcLocales}/lib/locale/locale-archive, ${etcRule "localtime"} r ${pkgs.tzdata}/share/zoneinfo/**, r ${pkgs.stdenv.cc.libc}/share/i18n/**, Loading @@ -72,7 +72,7 @@ config.security.apparmor.includes = { # bash inspects filesystems at startup # and /etc/mtab is linked to /proc/mounts @{PROC}/mounts r @{PROC}/mounts, # system-wide bash configuration '' + lib.concatMapStringsSep "\n" etcRule [ Loading Loading @@ -211,6 +211,9 @@ config.security.apparmor.includes = { "abstractions/nis" = '' include "${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/nis" ''; "abstractions/nss-systemd" = '' include "${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/nss-systemd" ''; "abstractions/nvidia" = '' include "${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/nvidia" ${etcRule "vdpau_wrapper.cfg"} Loading Loading @@ -279,6 +282,8 @@ config.security.apparmor.includes = { r /var/lib/acme/*/chain.pem, r /var/lib/acme/*/fullchain.pem, r /etc/pki/tls/certs/, '' + lib.concatMapStringsSep "\n" etcRule [ "ssl/certs/ca-certificates.crt" "ssl/certs/ca-bundle.crt" Loading
nixos/modules/services/networking/murmur.nix +32 −0 Original line number Diff line number Diff line Loading @@ -355,5 +355,37 @@ in ''; destination = "/share/dbus-1/system.d/murmur.conf"; })]; security.apparmor.policies."bin.mumble-server".profile = '' include <tunables/global> ${cfg.package}/bin/{mumble-server,.mumble-server-wrapped} { include <abstractions/base> include <abstractions/nameservice> include <abstractions/ssl_certs> include "${pkgs.apparmorRulesFromClosure { name = "mumble-server"; } cfg.package}" pix ${cfg.package}/bin/.mumble-server-wrapped, r ${config.environment.etc."os-release".source}, r ${config.environment.etc."lsb-release".source}, owner rwk /var/lib/murmur/murmur.sqlite, owner rw /var/lib/murmur/murmur.sqlite-journal, owner r /var/lib/murmur/, r /run/murmur/murmurd.pid, r /run/murmur/murmurd.ini, r ${configFile}, '' + optionalString (cfg.logFile != null) '' rw ${cfg.logFile}, '' + optionalString (cfg.sslCert != "") '' r ${cfg.sslCert}, '' + optionalString (cfg.sslKey != "") '' r ${cfg.sslKey}, '' + optionalString (cfg.sslCa != "") '' r ${cfg.sslCa}, '' + optionalString (cfg.dbus != null) '' dbus bus=${cfg.dbus} '' + '' } ''; }; }
nixos/modules/services/web-apps/miniflux.nix +12 −0 Original line number Diff line number Diff line Loading @@ -130,5 +130,17 @@ in environment = cfg.config; }; environment.systemPackages = [ cfg.package ]; security.apparmor.policies."bin.miniflux".profile = '' include <tunables/global> ${cfg.package}/bin/miniflux { include <abstractions/base> include <abstractions/nameservice> include <abstractions/ssl_certs> include "${pkgs.apparmorRulesFromClosure { name = "miniflux"; } cfg.package}" r ${cfg.package}/bin/miniflux, r @{sys}/kernel/mm/transparent_hugepage/hpage_pmd_size, } ''; }; }
nixos/tests/miniflux.nix +6 −0 Original line number Diff line number Diff line Loading @@ -25,6 +25,7 @@ in default = { ... }: { security.apparmor.enable = true; services.miniflux = { enable = true; inherit adminCredentialsFile; Loading @@ -34,6 +35,7 @@ in withoutSudo = { ... }: { security.apparmor.enable = true; services.miniflux = { enable = true; inherit adminCredentialsFile; Loading @@ -44,6 +46,7 @@ in customized = { ... }: { security.apparmor.enable = true; services.miniflux = { enable = true; config = { Loading @@ -63,6 +66,7 @@ in default.succeed( "curl 'http://localhost:${toString defaultPort}/v1/me' -u '${defaultUsername}:${defaultPassword}' -H Content-Type:application/json | grep '\"is_admin\":true'" ) default.fail('journalctl -b --no-pager --grep "^audit: .*apparmor=\\"DENIED\\""') withoutSudo.wait_for_unit("miniflux.service") withoutSudo.wait_for_open_port(${toString defaultPort}) Loading @@ -70,6 +74,7 @@ in withoutSudo.succeed( "curl 'http://localhost:${toString defaultPort}/v1/me' -u '${defaultUsername}:${defaultPassword}' -H Content-Type:application/json | grep '\"is_admin\":true'" ) withoutSudo.fail('journalctl -b --no-pager --grep "^audit: .*apparmor=\\"DENIED\\""') customized.wait_for_unit("miniflux.service") customized.wait_for_open_port(${toString port}) Loading @@ -77,5 +82,6 @@ in customized.succeed( "curl 'http://localhost:${toString port}/v1/me' -u '${username}:${password}' -H Content-Type:application/json | grep '\"is_admin\":true'" ) customized.fail('journalctl -b --no-pager --grep "^audit: .*apparmor=\\"DENIED\\""') ''; })
nixos/tests/mumble.nix +4 −0 Original line number Diff line number Diff line Loading @@ -20,6 +20,7 @@ in nodes = { server = { config, ... }: { security.apparmor.enable = true; services.murmur.enable = true; services.murmur.registerName = "NixOS tests"; services.murmur.password = "$MURMURD_PASSWORD"; Loading Loading @@ -81,5 +82,8 @@ in server.sleep(5) # wait to get screenshot client1.screenshot("screen1") client2.screenshot("screen2") # check if apparmor denied anything server.fail('journalctl -b --no-pager --grep "^audit: .*apparmor=\\"DENIED\\""') ''; })