nixos/modules/security/pam.nix +13 −85 @@ -1508,9 +1508,7 @@ in fscrypt = {}; }; security.apparmor.includes."abstractions/pam" = let isEnabled = test: fold or false (map test (attrValues config.security.pam.services)); in security.apparmor.includes."abstractions/pam" = lib.concatMapStrings (name: "r ${config.environment.etc."pam.d/${name}".source},\n") (attrNames config.security.pam.services) +
@@ -1519,88 +1517,18 @@ in mr ${getLib pkgs.pam}/lib/security/pam_*.so, r ${getLib pkgs.pam}/lib/security/, '' + optionalString use_ldap '' mr ${pam_ldap}/lib/security/pam_ldap.so, '' + optionalString config.services.kanidm.enablePam '' mr ${pkgs.kanidm}/lib/pam_kanidm.so, '' + optionalString config.services.sssd.enable '' mr ${pkgs.sssd}/lib/security/pam_sss.so, '' + optionalString config.security.pam.krb5.enable '' mr ${pam_krb5}/lib/security/pam_krb5.so, mr ${pam_ccreds}/lib/security/pam_ccreds.so, '' + optionalString (isEnabled (cfg: cfg.googleOsLoginAccountVerification)) '' mr ${pkgs.google-guest-oslogin}/lib/security/pam_oslogin_login.so, mr ${pkgs.google-guest-oslogin}/lib/security/pam_oslogin_admin.so, '' + optionalString (isEnabled (cfg: cfg.googleOsLoginAuthentication)) '' mr ${pkgs.google-guest-oslogin}/lib/security/pam_oslogin_login.so, '' + optionalString (config.security.pam.enableSSHAgentAuth && isEnabled (cfg: cfg.sshAgentAuth)) '' mr ${pkgs.pam_ssh_agent_auth}/libexec/pam_ssh_agent_auth.so, '' + optionalString (isEnabled (cfg: cfg.fprintAuth)) '' mr ${pkgs.fprintd}/lib/security/pam_fprintd.so, '' + optionalString (isEnabled (cfg: cfg.u2fAuth)) '' mr ${pkgs.pam_u2f}/lib/security/pam_u2f.so, '' + optionalString (isEnabled (cfg: cfg.usbAuth)) '' mr ${pkgs.pam_usb}/lib/security/pam_usb.so, '' + optionalString (isEnabled (cfg: cfg.usshAuth)) '' mr ${pkgs.pam_ussh}/lib/security/pam_ussh.so, '' + optionalString (isEnabled (cfg: cfg.oathAuth)) '' "mr ${pkgs.oath-toolkit}/lib/security/pam_oath.so, '' + optionalString (isEnabled (cfg: cfg.mysqlAuth)) '' mr ${pkgs.pam_mysql}/lib/security/pam_mysql.so, '' + optionalString (isEnabled (cfg: cfg.yubicoAuth)) '' mr ${pkgs.yubico-pam}/lib/security/pam_yubico.so, '' + optionalString (isEnabled (cfg: cfg.duoSecurity.enable)) '' mr ${pkgs.duo-unix}/lib/security/pam_duo.so, '' + optionalString (isEnabled (cfg: cfg.otpwAuth)) '' mr ${pkgs.otpw}/lib/security/pam_otpw.so, '' + optionalString 
config.security.pam.enableEcryptfs '' mr ${pkgs.ecryptfs}/lib/security/pam_ecryptfs.so, '' + optionalString config.security.pam.enableFscrypt '' mr ${pkgs.fscrypt-experimental}/lib/security/pam_fscrypt.so, '' + optionalString (isEnabled (cfg: cfg.pamMount)) '' mr ${pkgs.pam_mount}/lib/security/pam_mount.so, '' + optionalString (isEnabled (cfg: cfg.enableGnomeKeyring)) '' mr ${pkgs.gnome.gnome-keyring}/lib/security/pam_gnome_keyring.so, '' + optionalString (isEnabled (cfg: cfg.startSession)) '' mr ${config.systemd.package}/lib/security/pam_systemd.so, '' + optionalString (isEnabled (cfg: cfg.enableAppArmor) && config.security.apparmor.enable) '' mr ${pkgs.apparmor-pam}/lib/security/pam_apparmor.so, '' + optionalString (isEnabled (cfg: cfg.enableKwallet)) '' mr ${pkgs.plasma5Packages.kwallet-pam}/lib/security/pam_kwallet5.so, '' + optionalString config.virtualisation.lxc.lxcfs.enable '' mr ${pkgs.lxc}/lib/security/pam_cgfs.so, '' + optionalString (isEnabled (cfg: cfg.zfs)) '' mr ${config.boot.zfs.package}/lib/security/pam_zfs_key.so, '' + optionalString config.services.homed.enable '' mr ${config.systemd.package}/lib/security/pam_systemd_home.so ''; (with lib; pipe config.security.pam.services [ attrValues (catAttrs "rules") (concatMap attrValues) (concatMap attrValues) (filter (rule: rule.enable)) (catAttrs "modulePath") (filter (hasPrefix "/")) unique (map (module: "mr ${module},")) concatLines ]); }; } Loading
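Review bot: The trailing `pipe` expression (apparently the added side; the page has lost its +/- markers) writes every enabled rule's `modulePath` verbatim into an AppArmor rule via `(map (module: "mr ${module},"))`, and the only check visible here is `filter (hasPrefix "/")`. If `modulePath` is a free-form string, a value containing whitespace, a comma or AppArmor glob characters (`*`, `?`, `{`, `[`) would either break parsing of the abstraction or grant mmap/read access to more than the one module. Since any service's rules now widen `abstractions/pam` automatically, it is worth rejecting such values before the `map` step and adding a comment such as `# modulePath is emitted verbatim into an AppArmor rule; it must be a plain absolute path`. The `hasPrefix "/"` filter also deserves a short why-comment, e.g. `# bare module names are presumably resolved in pkgs.pam's lib/security, already covered by the pam_*.so glob above`. That is because a relative path outside that directory is silently dropped and would only show up as a denial at runtime.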
nixos/modules/security/pam.nix +13 −85 @@ -1508,9 +1508,7 @@ in fscrypt = {}; }; security.apparmor.includes."abstractions/pam" = let isEnabled = test: fold or false (map test (attrValues config.security.pam.services)); in security.apparmor.includes."abstractions/pam" = lib.concatMapStrings (name: "r ${config.environment.etc."pam.d/${name}".source},\n") (attrNames config.security.pam.services) +
@@ -1519,88 +1517,18 @@ in mr ${getLib pkgs.pam}/lib/security/pam_*.so, r ${getLib pkgs.pam}/lib/security/, '' + optionalString use_ldap '' mr ${pam_ldap}/lib/security/pam_ldap.so, '' + optionalString config.services.kanidm.enablePam '' mr ${pkgs.kanidm}/lib/pam_kanidm.so, '' + optionalString config.services.sssd.enable '' mr ${pkgs.sssd}/lib/security/pam_sss.so, '' + optionalString config.security.pam.krb5.enable '' mr ${pam_krb5}/lib/security/pam_krb5.so, mr ${pam_ccreds}/lib/security/pam_ccreds.so, '' + optionalString (isEnabled (cfg: cfg.googleOsLoginAccountVerification)) '' mr ${pkgs.google-guest-oslogin}/lib/security/pam_oslogin_login.so, mr ${pkgs.google-guest-oslogin}/lib/security/pam_oslogin_admin.so, '' + optionalString (isEnabled (cfg: cfg.googleOsLoginAuthentication)) '' mr ${pkgs.google-guest-oslogin}/lib/security/pam_oslogin_login.so, '' + optionalString (config.security.pam.enableSSHAgentAuth && isEnabled (cfg: cfg.sshAgentAuth)) '' mr ${pkgs.pam_ssh_agent_auth}/libexec/pam_ssh_agent_auth.so, '' + optionalString (isEnabled (cfg: cfg.fprintAuth)) '' mr ${pkgs.fprintd}/lib/security/pam_fprintd.so, '' + optionalString (isEnabled (cfg: cfg.u2fAuth)) '' mr ${pkgs.pam_u2f}/lib/security/pam_u2f.so, '' + optionalString (isEnabled (cfg: cfg.usbAuth)) '' mr ${pkgs.pam_usb}/lib/security/pam_usb.so, '' + optionalString (isEnabled (cfg: cfg.usshAuth)) '' mr ${pkgs.pam_ussh}/lib/security/pam_ussh.so, '' + optionalString (isEnabled (cfg: cfg.oathAuth)) '' "mr ${pkgs.oath-toolkit}/lib/security/pam_oath.so, '' + optionalString (isEnabled (cfg: cfg.mysqlAuth)) '' mr ${pkgs.pam_mysql}/lib/security/pam_mysql.so, '' + optionalString (isEnabled (cfg: cfg.yubicoAuth)) '' mr ${pkgs.yubico-pam}/lib/security/pam_yubico.so, '' + optionalString (isEnabled (cfg: cfg.duoSecurity.enable)) '' mr ${pkgs.duo-unix}/lib/security/pam_duo.so, '' + optionalString (isEnabled (cfg: cfg.otpwAuth)) '' mr ${pkgs.otpw}/lib/security/pam_otpw.so, '' + optionalString 
config.security.pam.enableEcryptfs '' mr ${pkgs.ecryptfs}/lib/security/pam_ecryptfs.so, '' + optionalString config.security.pam.enableFscrypt '' mr ${pkgs.fscrypt-experimental}/lib/security/pam_fscrypt.so, '' + optionalString (isEnabled (cfg: cfg.pamMount)) '' mr ${pkgs.pam_mount}/lib/security/pam_mount.so, '' + optionalString (isEnabled (cfg: cfg.enableGnomeKeyring)) '' mr ${pkgs.gnome.gnome-keyring}/lib/security/pam_gnome_keyring.so, '' + optionalString (isEnabled (cfg: cfg.startSession)) '' mr ${config.systemd.package}/lib/security/pam_systemd.so, '' + optionalString (isEnabled (cfg: cfg.enableAppArmor) && config.security.apparmor.enable) '' mr ${pkgs.apparmor-pam}/lib/security/pam_apparmor.so, '' + optionalString (isEnabled (cfg: cfg.enableKwallet)) '' mr ${pkgs.plasma5Packages.kwallet-pam}/lib/security/pam_kwallet5.so, '' + optionalString config.virtualisation.lxc.lxcfs.enable '' mr ${pkgs.lxc}/lib/security/pam_cgfs.so, '' + optionalString (isEnabled (cfg: cfg.zfs)) '' mr ${config.boot.zfs.package}/lib/security/pam_zfs_key.so, '' + optionalString config.services.homed.enable '' mr ${config.systemd.package}/lib/security/pam_systemd_home.so ''; (with lib; pipe config.security.pam.services [ attrValues (catAttrs "rules") (concatMap attrValues) (concatMap attrValues) (filter (rule: rule.enable)) (catAttrs "modulePath") (filter (hasPrefix "/")) unique (map (module: "mr ${module},")) concatLines ]); }; }