nixos/security/wrappers: generate a separate and more complete apparmor policy fragment for each wrapper

This change includes some stuff (e.g. reading of the `.real` file,
execution of the wrapper's target) that belongs to the apparmor policy
of the wrapper. This necessitates making them distinct for each wrapper.
The main reason for this change is as a preparation for making each
wrapper be a distinct binary.
This commit is contained in:
Robert Obryk 2023-08-25 21:52:40 +02:00
parent c0e607da61
commit 44fde723be
2 changed files with 8 additions and 7 deletions

View file

@ -248,11 +248,14 @@ in
export PATH="${wrapperDir}:$PATH"
'';
security.apparmor.includes."nixos/security.wrappers" = ''
include "${pkgs.apparmorRulesFromClosure { name="security.wrappers"; } [
security.apparmor.includes = lib.mapAttrs' (wrapName: wrap: lib.nameValuePair
"nixos/security.wrappers/${wrapName}" ''
include "${pkgs.apparmorRulesFromClosure { name="security.wrappers.${wrapName}"; } [
securityWrapper
]}"
'';
mrpx ${wrap.source},
r /run/wrappers/wrappers.*/${wrapName}.real,
'') wrappers;
###### wrappers activation script
system.activationScripts.wrappers =

View file

@ -1396,14 +1396,12 @@ in
security.apparmor.policies."bin.ping".profile = lib.mkIf config.security.apparmor.policies."bin.ping".enable (lib.mkAfter ''
/run/wrappers/bin/ping {
include <abstractions/base>
include <nixos/security.wrappers>
include <nixos/security.wrappers/ping>
rpx /run/wrappers/wrappers.*/ping,
}
/run/wrappers/wrappers.*/ping {
include <abstractions/base>
include <nixos/security.wrappers>
r /run/wrappers/wrappers.*/ping.real,
mrpx ${config.security.wrappers.ping.source},
include <nixos/security.wrappers/ping>
capability net_raw,
capability setpcap,
}