From 9f7131e97f15ad7d1c1154dc0df844470244784a Mon Sep 17 00:00:00 2001 From: Grimmauld Date: Sun, 17 Nov 2024 18:27:49 +0100 Subject: [PATCH] nixos/apparmor: profile activation tristate and profile path support --- .../manual/release-notes/rl-2505.section.md | 3 + nixos/modules/security/apparmor.nix | 62 ++++++++++++------- 2 files changed, 42 insertions(+), 23 deletions(-) diff --git a/nixos/doc/manual/release-notes/rl-2505.section.md b/nixos/doc/manual/release-notes/rl-2505.section.md index 29af283010c9a5..c315e3014fc246 100644 --- a/nixos/doc/manual/release-notes/rl-2505.section.md +++ b/nixos/doc/manual/release-notes/rl-2505.section.md @@ -25,6 +25,9 @@ [v1.7.0](https://github.com/jtroo/kanata/releases/tag/v1.7.0) for more information. +- `security.apparmor.policies..enforce` and `security.apparmor.policies..enable` were removed. + Configuring the state of apparmor policies must now be done using `security.apparmor.policies..state` tristate option. + ## Other Notable Changes {#sec-release-25.05-notable-changes} diff --git a/nixos/modules/security/apparmor.nix b/nixos/modules/security/apparmor.nix index f0b88a4c30aa62..8afe20ed2dc224 100644 --- a/nixos/modules/security/apparmor.nix +++ b/nixos/modules/security/apparmor.nix @@ -8,24 +8,11 @@ with lib; let - inherit (builtins) - attrNames - head - map - match - readFile - ; + inherit (builtins) attrNames map match; inherit (lib) types; inherit (config.environment) etc; cfg = config.security.apparmor; - mkDisableOption = - name: - mkEnableOption name - // { - default = true; - example = false; - }; - enabledPolicies = filterAttrs (n: p: p.enable) cfg.policies; + enabledPolicies = filterAttrs (n: p: p.state != "disable") cfg.policies; in { @@ -34,7 +21,7 @@ in "security" "apparmor" "confineSUIDApplications" - ] "Please use the new options: `security.apparmor.policies..enable'.") + ] "Please use the new options: `security.apparmor.policies..state'.") (mkRemovedOptionModule [ "security" "apparmor" 
@@ -69,15 +56,43 @@ in ''; type = types.attrsOf ( types.submodule ( - { name, config, ... }: + { + name, + config, + options, + ... + }: { options = { - enable = mkDisableOption "loading of the profile into the kernel"; - enforce = mkDisableOption "enforcing of the policy or only complain in the logs"; + state = mkOption { + description = "The state of the profile as applied to the system by nix"; + type = types.enum [ + "disable" + "complain" + "enforce" + ]; + # should enforce really be the default? + # the docs state that this should only be used once one is REALLY sure nothing's gonna break + default = "enforce"; + }; + profile = mkOption { - description = "The policy of the profile."; + description = "The policy of the profile. Incompatible with path."; type = types.lines; - apply = pkgs.writeText name; + }; + + path = mkOption { + type = types.nullOr types.path; + default = null; + description = "A path of a profile to include. Incompatible with profile."; + apply = + p: + assert ( + assertMsg ( + (p != null && !options.profile.isDefined) || (p == null && options.profile.isDefined) + ) "`security.apparmor.policies.\"${name}\"` must define exactly one of either path or profile." + ); + (if (p != null) then p else (pkgs.writeText name config.profile)); }; }; } @@ -136,7 +151,7 @@ in # because aa-remove-unknown reads profiles from all /etc/apparmor.d/* mapAttrsToList (name: p: { inherit name; - path = p.profile; + inherit (p) path; }) enabledPolicies ++ mapAttrsToList (name: path: { inherit name path; }) cfg.includes ); @@ -228,7 +243,8 @@ in xargs --verbose --no-run-if-empty --delimiter='\n' \ kill ''; - commonOpts = p: "--verbose --show-cache ${optionalString (!p.enforce) "--complain "}${p.profile}"; + commonOpts = + p: "--verbose --show-cache ${optionalString (p.state == "complain") "--complain "}${p.path}"; in { Type = "oneshot";
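Review bot: The exclusivity check between `path` and `profile` lives in an `assert` inside `path`'s `apply`, so it runs only when `p.path` is evaluated — a policy with `state = "disable"` is filtered out of `enabledPolicies` (hunk at @@ -8) and never reaches it, and when it does fire the failure surfaces as an evaluation error at the access site rather than through the module's `assertions` list. If that laziness is not intended, a top-level `assertions` entry over `cfg.policies` could report the misconfiguration uniformly for every defined policy, and the `apply` would reduce to `p: if p != null then p else pkgs.writeText name config.profile`. The `# should enforce really be the default?` comment reads as an open question left in merged code; since the removed `enforce` option defaulted to `true`, I would record the rationale instead, e.g. `# "enforce" keeps the previous default behaviour (enforce = true); set "complain" while validating a new profile.` The `state` description could also spell out the values, e.g. `"disable" does not load the profile, "complain" loads it in complain mode (violations are only logged), "enforce" loads and enforces it.`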
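Review bot: `${p.path}` in the new `commonOpts` is interpolated unescaped into a shell command string, and with the new `path` option it can now be a user-supplied `types.path` string (any absolute path), whereas the removed `${p.profile}` was always a `writeText` store path. A path containing whitespace or shell metacharacters would be word-split or interpreted by the shell instead of being passed as one argument; `${escapeShellArg p.path}` avoids that, and `escapeShellArg` is already in scope through the file's `with lib;`. The script that consumes `commonOpts` lies outside the hunk, so I have not checked how the string is embedded there.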