nixos/miniflux: add apparmor policy

This change also extends the test to ensure that normal operations aren't denied.
2023-07-08 02:18:34 +02:00 · 2023-07-08 02:18:34 +02:00 · ced170c030
commit ced170c030
parent 1256178263
2 changed files with 18 additions and 0 deletions
--- a/nixos/modules/services/web-apps/miniflux.nix
+++ b/nixos/modules/services/web-apps/miniflux.nix
@ -130,5 +130,17 @@ in
      environment = cfg.config;
    };
    environment.systemPackages = [ cfg.package ];
+
+    security.apparmor.policies."bin.miniflux".profile = ''
+      include <tunables/global>
+      ${cfg.package}/bin/miniflux {
+        include <abstractions/base>
+        include <abstractions/nameservice>
+        include <abstractions/ssl_certs>
+        include "${pkgs.apparmorRulesFromClosure { name = "miniflux"; } cfg.package}"
+        r ${cfg.package}/bin/miniflux,
+        r @{sys}/kernel/mm/transparent_hugepage/hpage_pmd_size,
+      }
+    '';
  };
 }
--- a/nixos/tests/miniflux.nix
+++ b/nixos/tests/miniflux.nix
@ -25,6 +25,7 @@ in
    default =
      { ... }:
      {
+        security.apparmor.enable = true;
        services.miniflux = {
          enable = true;
          inherit adminCredentialsFile;
@ -34,6 +35,7 @@ in
    withoutSudo =
      { ... }:
      {
+        security.apparmor.enable = true;
        services.miniflux = {
          enable = true;
          inherit adminCredentialsFile;
@ -44,6 +46,7 @@ in
    customized =
      { ... }:
      {
+        security.apparmor.enable = true;
        services.miniflux = {
          enable = true;
          config = {
@ -63,6 +66,7 @@ in
    default.succeed(
        "curl 'http://localhost:${toString defaultPort}/v1/me' -u '${defaultUsername}:${defaultPassword}' -H Content-Type:application/json | grep '\"is_admin\":true'"
    )
+    default.fail('journalctl -b --no-pager --grep "^audit: .*apparmor=\\"DENIED\\""')

    withoutSudo.wait_for_unit("miniflux.service")
    withoutSudo.wait_for_open_port(${toString defaultPort})
@ -70,6 +74,7 @@ in
    withoutSudo.succeed(
        "curl 'http://localhost:${toString defaultPort}/v1/me' -u '${defaultUsername}:${defaultPassword}' -H Content-Type:application/json | grep '\"is_admin\":true'"
    )
+    withoutSudo.fail('journalctl -b --no-pager --grep "^audit: .*apparmor=\\"DENIED\\""')

    customized.wait_for_unit("miniflux.service")
    customized.wait_for_open_port(${toString port})
@ -77,5 +82,6 @@ in
    customized.succeed(
        "curl 'http://localhost:${toString port}/v1/me' -u '${username}:${password}' -H Content-Type:application/json | grep '\"is_admin\":true'"
    )
+    customized.fail('journalctl -b --no-pager --grep "^audit: .*apparmor=\\"DENIED\\""')
  '';
 })