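{ config, lib, pkgs, ... }:
let
  cfg = config.security.apparmor;
in
with lib;
{
  imports = [
    # NOTE(review): this rename concerns security.virtualisation, not AppArmor;
    # it appears to have been carried over from elsewhere and would be clearer
    # in the module that defines flushL1DataCache.  Kept as-is, since dropping
    # it would silently remove the alias for existing configurations.
    (mkRenamedOptionModule [ "security" "virtualization" "flushL1DataCache" ] [ "security" "virtualisation" "flushL1DataCache" ])
  ];

  options.security.apparmor.confineSUIDApplications = mkOption {
    type = types.bool;
    default = true;
    description = ''
      Install AppArmor profiles for commonly-used SUID applications
      to mitigate potential privilege escalation attacks due to bugs
      in such applications.

      Currently available profiles: ping

      Note: the ping profile is currently listed in
      security.apparmor.complainProfiles, i.e. loaded in complain mode.
      Violations are logged but not blocked, so no confinement is enforced
      until it is removed from that list.
    '';
  };

  config = mkIf cfg.confineSUIDApplications {
    # Complain mode: the profile only logs denials, it does not enforce them.
    # TODO(security): once the rule set below is known to be complete, drop
    # "bin/ping" from complainProfiles so the confinement actually applies.
    security.apparmor.complainProfiles = [ "bin/ping" ];

    # The profile attaches to the setuid wrapper path; the wrapper is expected
    # to exec the real iputils binary, which is allowed below with "ix" so it
    # keeps running under this same profile.
    security.apparmor.profiles."bin/ping" = ''
      #include <tunables/global>
      /run/wrappers/bin/ping {
        #include <abstractions/base>
        #include <abstractions/consoles>
        #include <abstractions/nameservice>

        capability net_raw,
        capability setuid,
        network inet raw,
        # NOTE(review): an IPv6 ping would additionally need "network inet6 raw,";
        # confirm whether the iputils build in use serves IPv6 from this binary.

        # Shared libraries from the Nix store.  The glob is "*.so*" rather than
        # "*.so" so that versioned sonames (libc.so.6, the dynamic loader, ...)
        # match as well, consistent with the libcap/libattr rules below.
        ${pkgs.stdenv.cc.libc.out}/lib/*.so* mr,
        ${pkgs.libcap.lib}/lib/libcap.so* mr,
        ${pkgs.attr.out}/lib/libattr.so* mr,

        ${pkgs.iputils}/bin/ping mixr,

        #/etc/modules.conf r,

        ## Site-specific additions and overrides. See local/README for details.
        ##include <local/bin.ping>
      }
    '';
  };

}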