nixos/security/wrappers: generate a separate and more complete apparmor policy fragment for each wrapper
This change adds to the fragment some rules (e.g. reading of the `.real` file, execution of the wrapper's target) that belong to the apparmor policy of the wrapper, which necessitates making the fragments distinct for each wrapper. The main reason for this change is to prepare for making each wrapper a distinct binary.
This commit is contained in:
parent
c0e607da61
commit
44fde723be
2 changed files with 8 additions and 7 deletions
@ -248,11 +248,14 @@ in
export PATH="${wrapperDir}:$PATH"
'';
security.apparmor.includes."nixos/security.wrappers" = ''
include "${pkgs.apparmorRulesFromClosure { name="security.wrappers"; } [
security.apparmor.includes = lib.mapAttrs' (wrapName: wrap: lib.nameValuePair
"nixos/security.wrappers/${wrapName}" ''
include "${pkgs.apparmorRulesFromClosure { name="security.wrappers.${wrapName}"; } [
securityWrapper
]}"
'';
mrpx ${wrap.source},
r /run/wrappers/wrappers.*/${wrapName}.real,
'') wrappers;
###### wrappers activation script
system.activationScripts.wrappers =
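Review bot: The shared include `nixos/security.wrappers` is removed (the old definition at the top of the hunk) without a compatibility alias, so any profile outside these two files that still does `include <nixos/security.wrappers>` will fail to load once this lands; the diffstat shows only the two in-tree users were updated. Either keep a small alias definition under the old name that carries just the closure include, or at least state in the commit message that the old include name is gone. Separately, `wrapName` and `wrap.source` are interpolated unquoted into AppArmor path rules (`mrpx ${wrap.source},` and `r /run/wrappers/wrappers.*/${wrapName}.real,`); a wrapper name containing AppArmor glob or separator characters (`*`, `?`, `[`, `{`, whitespace) would yield a malformed or over-broad rule, so an assertion on `wrapName` (or double-quoting the paths in the rules) would be a cheap guard. The enclosing `in` attribute set starts and ends outside the hunk.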
@ -1396,14 +1396,12 @@ in
security.apparmor.policies."bin.ping".profile = lib.mkIf config.security.apparmor.policies."bin.ping".enable (lib.mkAfter ''
/run/wrappers/bin/ping {
include <abstractions/base>
include <nixos/security.wrappers>
include <nixos/security.wrappers/ping>
rpx /run/wrappers/wrappers.*/ping,
}
/run/wrappers/wrappers.*/ping {
include <abstractions/base>
include <nixos/security.wrappers>
r /run/wrappers/wrappers.*/ping.real,
mrpx ${config.security.wrappers.ping.source},
include <nixos/security.wrappers/ping>
capability net_raw,
capability setpcap,
}
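Review bot: Swapping `include <nixos/security.wrappers>` for `include <nixos/security.wrappers/ping>` in the first profile (`/run/wrappers/bin/ping`) widens it: the per-wrapper fragment now carries `mrpx ${config.security.wrappers.ping.source},` and `r /run/wrappers/wrappers.*/ping.real,`, so the outer profile gains direct execution of the unwrapped ping and read access to the `.real` file, although its only visible action is `rpx /run/wrappers/wrappers.*/ping,`. The commit message frames this as preparation for making each wrapper a distinct binary, where those rules will presumably be needed; until then the first profile holds more than it uses. If the broadening is intentional, a comment such as `# carries the wrapper's own rules in preparation for /run/wrappers/bin/ping becoming the wrapper itself` above the include would make that clear; otherwise keep the first profile on a closure-only include until that change lands. The second profile is unaffected, since it already had these two rules inline.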