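{ config, lib, pkgs, ... }:

# AppArmor abstractions adapted to NixOS.
#
# On NixOS most of /etc is made of symlinks into the Nix store and AppArmor
# mediates the symlink target, so aliasing /etc does not work (see the
# "abstractions/tunables/alias" note below).  Instead, each rule on an
# /etc file is emitted on the store path it points to, via `etcRule`.
let
  inherit (builtins) attrNames hasAttr isAttrs;
  inherit (lib) getLib;
  inherit (config.environment) etc;

  # Emit one AppArmor file rule for an entry of environment.etc,
  # resolved to its Nix store source, or the empty string when the entry
  # is not defined on this system (so optional configs never break the
  # profile).
  #
  # `arg` is either the /etc-relative name as a string, or an attrset
  #   { path; mode ? "r"; trail ? ""; }
  # where `trail` is appended to the resolved store path
  # (e.g. "/**" to cover a directory tree).
  etcRule = arg:
    let
      go = { path, mode ? "r", trail ? "" }:
        lib.optionalString (hasAttr path etc)
          "${mode} ${etc."${path}".source}${trail},";
    in
    if isAttrs arg
    then go arg
    else go { path = arg; };

  # Rules for a list of /etc-relative names sharing the same mode/trail.
  etcRules = { mode ? "r", trail ? "" }: paths:
    lib.concatMapStringsSep "\n"
      (path: etcRule { inherit path mode trail; })
      paths;
in
{
  config.security.apparmor.packages = [ pkgs.apparmor-profiles ];

  # FIXME: most of the etcRule calls below have been
  # written systematically by converting from apparmor-profiles's profiles
  # without testing nor deep understanding of their uses,
  # and thus may need more rules or can have less rules;
  # this remains to be determined case by case,
  # some may even be completely useless.
  config.security.apparmor.includes = {
    # This one is included by <tunables/global>
    # which is usually included before any profile.
    "abstractions/tunables/alias" = ''
      alias /bin -> /run/current-system/sw/bin,
      # Unfortunately /etc is mainly built using symlinks,
      # thus aliasing does not work.
      #alias /etc -> /run/current-system/etc,
      alias /lib/modules -> /run/current-system/kernel/lib/modules,
      alias /sbin -> /run/current-system/sw/sbin,
      alias /usr -> /run/current-system/sw,
    '';

    "abstractions/audio" = ''
      #include ${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/audio
      ${etcRule "asound.conf"}
      ${etcRule "esound/esd.conf"}
      ${etcRule "libao.conf"}
      ${etcRule { path = "pulse"; trail = "/"; }}
      ${etcRule { path = "pulse"; trail = "/**"; }}
      ${etcRule { path = "sound"; trail = "/"; }}
      ${etcRule { path = "sound"; trail = "/**"; }}
      ${etcRule { path = "alsa/conf.d"; trail = "/"; }}
      ${etcRule { path = "alsa/conf.d"; trail = "/*"; }}
      ${etcRule "openal/alsoft.conf"}
      ${etcRule "wildmidi/wildmidi.conf"}
    '';

    # FIXME: security.pam configures more .so than allowed here,
    # but has many tests to decide what .so to use,
    # so it would be simpler to let security.pam add those .so
    # to the present security.apparmor.includes."abstractions/authentication"
    #
    # Like the upstream abstraction, this grants read access to shadow and
    # gshadow: include it only in profiles of programs that actually
    # authenticate users.
    "abstractions/authentication" = ''
      #include ${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/authentication
      ${etcRule "nologin"}
      ${lib.concatMapStringsSep "\n"
        (name: etcRule "pam.d/${name}")
        (attrNames config.security.pam.services)}
      mr ${getLib pkgs.pam}/lib/security/pam_filter/*,
      mr ${getLib pkgs.pam}/lib/security/pam_*.so,
      r ${getLib pkgs.pam}/lib/security/,
      ${etcRule "securetty"}
      ${etcRule { path = "security"; trail = "/*"; }}
      ${etcRule "shadow"}
      ${etcRule "gshadow"}
      ${etcRule "pwdb.conf"}
      ${etcRule "default/passwd"}
      ${etcRule "login.defs"}
    '';

    "abstractions/base" = ''
      #include ${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/base
      r ${pkgs.stdenv.cc.libc}/share/locale/**,
      r ${pkgs.stdenv.cc.libc}/share/locale.alias,
      ${etcRule "localtime"}
      r /etc/ld-nix.so.preload,
      ${etcRule "ld-nix.so.preload"}
      ${
        # The libraries listed in ld-nix.so.preload are mapped into every
        # process, so they need `mr`; the entry only exists on systems
        # that configure a preload, hence the guard.
        lib.optionalString (hasAttr "ld-nix.so.preload" etc)
          (lib.concatMapStrings (p: lib.optionalString (p != "") "mr ${p},\n")
            (lib.splitString "\n" etc."ld-nix.so.preload".text))
        # TODO: avoid this line splitting by nixifying ld-nix.so.preload as a list or attrset,
        # and make services.config.malloc use it.
      }
      r ${pkgs.tzdata}/share/zoneinfo/**,
      r ${pkgs.stdenv.cc.libc}/share/i18n/**,
    '';

    "abstractions/bash" = ''
      #include ${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/bash
      # system-wide bash configuration
      ${etcRule "profile.dos"}
      ${etcRule "profile"}
      ${etcRule "profile.d"}
      ${etcRule { path = "profile.d"; trail = "/*"; }}
      ${etcRule "bashrc"}
      ${etcRule "bash.bashrc"}
      ${etcRule "bash.bashrc.local"}
      ${etcRule "bash_completion"}
      ${etcRule "bash_completion.d"}
      ${etcRule { path = "bash_completion.d"; trail = "/*"; }}
      # bash relies on system-wide readline configuration
      ${etcRule "inputrc"}
      # bash inspects filesystems at startup
      # and /etc/mtab is linked to /proc/mounts
      @{PROC}/mounts r,

      # run out of /etc/bash.bashrc
      ${etcRule "DIR_COLORS"}
    '';

    "abstractions/cups-client" = ''
      #include ${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/cups-client
      ${etcRule "cups/cups-client.conf"}
    '';

    "abstractions/consoles" = ''
      #include ${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/consoles
    '';

    "abstractions/dbus-session-strict" = ''
      #include ${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/dbus-session-strict
      ${etcRule "machine-id"}
    '';

    "abstractions/dconf" = ''
      #include ${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/dconf
      ${etcRule { path = "dconf"; trail = "/**"; }}
    '';

    "abstractions/dri-common" = ''
      #include ${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/dri-common
      ${etcRule "drirc"}
    '';

    # The config.fonts.fontconfig NixOS module adds many files to /etc/fonts/
    # by symlinking them but without exporting them outside of its NixOS module,
    # those are therefore added there to this "abstractions/fonts".
    "abstractions/fonts" = ''
      #include ${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/fonts
      ${etcRule { path = "fonts"; trail = "/**"; }}
    '';

    "abstractions/gnome" = ''
      #include ${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/gnome
      ${etcRule { path = "gnome"; trail = "/gtkrc*"; }}
      ${etcRule { path = "gtk"; trail = "/*"; }}
      ${etcRule { path = "gtk-2.0"; trail = "/*"; }}
      ${etcRule { path = "gtk-3.0"; trail = "/*"; }}
      ${etcRule "orbitrc"}
      #include <abstractions/fonts>
      ${etcRule { path = "pango"; trail = "/*"; }}
      ${etcRule { path = "gnome-vfs-2.0"; trail = "/modules/"; }}
      ${etcRule { path = "gnome-vfs-2.0"; trail = "/modules/*"; }}
      ${etcRule "papersize"}
      ${etcRule { path = "cups"; trail = "/lpoptions"; }}
      ${etcRule { path = "gnome"; trail = "/defaults.list"; }}
      ${etcRule { path = "xdg"; trail = "/{,*-}mimeapps.list"; }}
      ${etcRule "xdg/mimeapps.list"}
    '';

    "abstractions/kde" = ''
      #include ${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/kde
      ${etcRule { path = "qt3"; trail = "/kstylerc"; }}
      ${etcRule { path = "qt3"; trail = "/qt_plugins_3.3rc"; }}
      ${etcRule { path = "qt3"; trail = "/qtrc"; }}
      ${etcRule "kderc"}
      ${etcRule { path = "kde3"; trail = "/*"; }}
      ${etcRule "kde4rc"}
      ${etcRule { path = "xdg"; trail = "/kdeglobals"; }}
      ${etcRule { path = "xdg"; trail = "/Trolltech.conf"; }}
    '';

    "abstractions/kerberosclient" = ''
      #include ${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/kerberosclient
      ${etcRule { path = "krb5.keytab"; mode = "rk"; }}
      ${etcRule "krb5.conf"}
      ${etcRule "krb5.conf.d"}
      ${etcRule { path = "krb5.conf.d"; trail = "/*"; }}

      # config files found via strings on libs
      ${etcRule "krb.conf"}
      ${etcRule "krb.realms"}
      ${etcRule "srvtab"}
    '';

    "abstractions/ldapclient" = ''
      #include ${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/ldapclient
      ${etcRule "ldap.conf"}
      ${etcRule "ldap.secret"}
      ${etcRule { path = "openldap"; trail = "/*"; }}
      ${etcRule { path = "openldap"; trail = "/cacerts/*"; }}
      ${etcRule { path = "sasl2"; trail = "/*"; }}
    '';

    "abstractions/likewise" = ''
      #include ${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/likewise
    '';

    "abstractions/mdns" = ''
      #include ${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/mdns
      ${etcRule "nss_mdns.conf"}
    '';

    "abstractions/nameservice" = ''
      #include ${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/nameservice

      # Many programs wish to perform nameservice-like operations, such as
      # looking up users by name or id, groups by name or id, hosts by name
      # or IP, etc. These operations may be performed through files, dns,
      # NIS, NIS+, LDAP, hesiod, wins, etc. Allow them all here.
      ${etcRule "group"}
      ${etcRule "host.conf"}
      ${etcRule "hosts"}
      ${etcRule "nsswitch.conf"}
      ${etcRule "gai.conf"}
      ${etcRule "passwd"}
      ${etcRule "protocols"}

      # libtirpc (used for NIS/YP login) needs this
      ${etcRule "netconfig"}

      ${etcRule "resolv.conf"}

      ${etcRule { path = "samba"; trail = "/lmhosts"; }}
      ${etcRule "services"}

      ${etcRule "default/nss"}

      # libnl-3-200 via libnss-gw-name
      ${etcRule { path = "libnl"; trail = "/classid"; }}
      ${etcRule { path = "libnl-3"; trail = "/classid"; }}

      # The NSS service modules (libnss_files, libnss_dns, ...) are part of
      # glibc; pkgs.nss is Mozilla's NSS crypto library, whose libraries are
      # not named libnss_*.so and would not have matched this glob.
      mr ${getLib pkgs.stdenv.cc.libc}/lib/libnss_*.so*,
    '';

    "abstractions/nis" = ''
      #include ${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/nis
    '';

    "abstractions/nvidia" = ''
      #include ${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/nvidia
      ${etcRule "vdpau_wrapper.cfg"}
    '';

    "abstractions/opencl-common" = ''
      #include ${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/opencl-common
      ${etcRule { path = "OpenCL"; trail = "/**"; }}
    '';

    "abstractions/opencl-mesa" = ''
      #include ${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/opencl-mesa
      ${etcRule "default/drirc"}
    '';

    "abstractions/openssl" = ''
      #include ${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/openssl
      ${etcRule { path = "ssl"; trail = "/openssl.cnf"; }}
    '';

    "abstractions/p11-kit" = ''
      #include ${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/p11-kit
      ${etcRule { path = "pkcs11"; trail = "/"; }}
      ${etcRule { path = "pkcs11"; trail = "/pkcs11.conf"; }}
      ${etcRule { path = "pkcs11"; trail = "/modules/"; }}
      ${etcRule { path = "pkcs11"; trail = "/modules/*"; }}
    '';

    "abstractions/perl" = ''
      #include ${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/perl
      ${etcRule { path = "perl"; trail = "/**"; }}
    '';

    "abstractions/php" = ''
      #include ${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/php
      ${etcRules { trail = "/**/"; } [ "php" "php5" "php7" ]}
      ${etcRules { trail = "/**.ini"; } [ "php" "php5" "php7" ]}
    '';

    "abstractions/postfix-common" = ''
      #include ${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/postfix-common
      ${etcRule "mailname"}
      ${etcRule { path = "postfix"; trail = "/*.cf"; }}
      ${etcRule "postfix/main.cf"}
      ${etcRule "postfix/master.cf"}
    '';

    "abstractions/python" = ''
      #include ${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/python
      ${etcRules { trail = "/**"; }
        (map (v: "python${v}")
          [ "2.4" "2.5" "2.6" "2.7"
            "3.0" "3.1" "3.2" "3.3" "3.4" "3.5" "3.6" "3.7" "3.8" "3.9" ])}
    '';

    "abstractions/qt5" = ''
      #include ${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/qt5
      ${etcRule { path = "xdg"; trail = "/QtProject/qtlogging.ini"; }}
      ${etcRule { path = "xdg/QtProject"; trail = "/qtlogging.ini"; }}
      ${etcRule "xdg/QtProject/qtlogging.ini"}
    '';

    "abstractions/samba" = ''
      #include ${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/samba
      ${etcRule { path = "samba"; trail = "/*"; }}
    '';

    "abstractions/ssl_certs" = ''
      #include ${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/ssl_certs
      ${etcRule "ssl/certs/ca-certificates.crt"}
      ${etcRule "ssl/certs/ca-bundle.crt"}
      ${etcRule "pki/tls/certs/ca-bundle.crt"}

      ${etcRule { path = "ssl/trust"; trail = "/"; }}
      ${etcRule { path = "ssl/trust"; trail = "/*"; }}
      ${etcRule { path = "ssl/trust/anchors"; trail = "/"; }}
      ${etcRule { path = "ssl/trust/anchors"; trail = "/**"; }}
      ${etcRule { path = "pki/trust"; trail = "/"; }}
      ${etcRule { path = "pki/trust"; trail = "/*"; }}
      ${etcRule { path = "pki/trust/anchors"; trail = "/"; }}
      ${etcRule { path = "pki/trust/anchors"; trail = "/**"; }}

      # security.acme NixOS module
      /var/lib/acme/*/cert.pem r,
      /var/lib/acme/*/chain.pem r,
      /var/lib/acme/*/fullchain.pem r,
    '';

    # Grants read access to every ACME private key: include it only in the
    # profiles of services that terminate TLS themselves.
    "abstractions/ssl_keys" = ''
      # security.acme NixOS module
      /var/lib/acme/*/full.pem r,
      /var/lib/acme/*/key.pem r,
    '';

    "abstractions/vulkan" = ''
      #include ${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/vulkan
      ${etcRule { path = "vulkan/icd.d"; trail = "/"; }}
      ${etcRule { path = "vulkan/icd.d"; trail = "/*.json"; }}
    '';

    "abstractions/winbind" = ''
      #include ${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/winbind
      ${etcRule { path = "samba"; trail = "/smb.conf"; }}
      ${etcRule { path = "samba"; trail = "/dhcp.conf"; }}
    '';

    "abstractions/X" = ''
      #include ${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/X
      ${etcRule { path = "X11/cursors"; trail = "/"; }}
      ${etcRule { path = "X11/cursors"; trail = "/**"; }}
    '';
  };
}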