]> Git — Sourcephile - sourcephile-nix.git/blob - nixos/modules/security/apparmor-suid.nix
nix: use nixpkgs/patches/ instead of nixos/modules/
[sourcephile-nix.git] / nixos / modules / security / apparmor-suid.nix
1 { config, lib, pkgs, ... }:
2 let
3 cfg = config.security.apparmor;
4 in
5 with lib;
6 {
7 imports = [
8 (mkRenamedOptionModule [ "security" "virtualization" "flushL1DataCache" ] [ "security" "virtualisation" "flushL1DataCache" ])
9 ];
10
11 options.security.apparmor.confineSUIDApplications = mkOption {
12 type = types.bool;
13 default = true;
14 description = ''
15 Install AppArmor profiles for commonly-used SUID application
16 to mitigate potential privilege escalation attacks due to bugs
17 in such applications.
18
19 Currently available profiles: ping
20 '';
21 };
22
23 config = mkIf (cfg.confineSUIDApplications) {
24 security.apparmor.policies."bin/ping".profile = ''
25 #include <tunables/global>
26 /run/wrappers/wrappers.*/ping {
27 #include <abstractions/base>
28 #include <abstractions/consoles>
29 #include <abstractions/nameservice>
30
31 capability net_raw,
32 capability setuid,
33 network inet raw,
34
35 ${getLib pkgs.stdenv.cc.cc}/lib/*.so* mr,
36 ${getLib pkgs.stdenv.cc.libc}/lib/*.so* mr,
37 ${getLib pkgs.stdenv.cc.libc}/lib/gconv/gconv-modules r,
38 ${getLib pkgs.glibcLocales}/lib/locale/locale-archive r,
39 ${getLib pkgs.attr.out}/lib/libattr.so* mr,
40 ${getLib pkgs.libcap.lib}/lib/libcap.so* mr,
41 ${getLib pkgs.libcap_ng}/lib/libcap-ng.so* mr,
42 ${getLib pkgs.libidn2}/lib/libidn2.so* mr,
43 ${getLib pkgs.libunistring}/lib/libunistring.so* mr,
44 ${getLib pkgs.nettle}/lib/libnettle.so* mr,
45
46 #@{PROC}/@{pid}/environ r,
47 /run/wrappers/wrappers.*/ping.real r,
48 ${pkgs.iputils}/bin/ping mixr,
49
50 #/etc/modules.conf r,
51
52 ## Site-specific additions and overrides. See local/README for details.
53 ##include <local/bin.ping>
54 }
55 '';
56 };
57
58 }