# NixOS module excerpt: defines security.apparmor.confineSUIDApplications and,
# when it is enabled, registers an AppArmor profile for the `ping` wrapper.
# NOTE(review): the embedded line numbers jump (1, 3, 8, 11, ...), so parts of
# the module are not shown here, including the option's type/default and
# profile lines 30-34, 45 and 49-51. Confirm against the full file.
1 { config, lib, pkgs, ... }:
3 cfg = config.security.apparmor;
# Renames the option path spelled "virtualization" to "virtualisation" so
# existing configurations using the old spelling keep evaluating.
8 (mkRenamedOptionModule [ "security" "virtualization" "flushL1DataCache" ] [ "security" "virtualisation" "flushL1DataCache" ])
# Switch that gates the profile below (see the mkIf on cfg.confineSUIDApplications).
11 options.security.apparmor.confineSUIDApplications = mkOption {
15 Install AppArmor profiles for commonly-used SUID application
16 to mitigate potential privilege escalation attacks due to bugs
19 Currently available profiles: ping
# Nothing below is generated unless the option is enabled.
23 config = mkIf (cfg.confineSUIDApplications) {
# Profile text for ping. Points worth checking when auditing it:
#  - It attaches to /run/wrappers/wrappers.*/ping, i.e. the wrapper path, and
#    grants read on the matching ping.real.
#  - Library access is `mr` (read + executable mmap) on globs under the named
#    store paths only, not on a general library directory.
#  - ${pkgs.iputils}/bin/ping is `mixr`: `ix` makes the executed binary inherit
#    this profile instead of switching to another profile or running unconfined.
#  - The @{PROC}/@{pid}/environ read and the local/bin.ping include are both
#    commented out, so neither applies.
# NOTE(review): capability and network rules are not visible in this excerpt
# (lines 30-34 are missing) - verify they grant only what ping needs.
24 security.apparmor.policies."bin/ping".profile = ''
25 #include <tunables/global>
26 /run/wrappers/wrappers.*/ping {
27 #include <abstractions/base>
28 #include <abstractions/consoles>
29 #include <abstractions/nameservice>
35 ${getLib pkgs.stdenv.cc.cc}/lib/*.so* mr,
36 ${getLib pkgs.stdenv.cc.libc}/lib/*.so* mr,
37 ${getLib pkgs.stdenv.cc.libc}/lib/gconv/gconv-modules r,
38 ${getLib pkgs.glibcLocales}/lib/locale/locale-archive r,
39 ${getLib pkgs.attr.out}/lib/libattr.so* mr,
40 ${getLib pkgs.libcap.lib}/lib/libcap.so* mr,
41 ${getLib pkgs.libcap_ng}/lib/libcap-ng.so* mr,
42 ${getLib pkgs.libidn2}/lib/libidn2.so* mr,
43 ${getLib pkgs.libunistring}/lib/libunistring.so* mr,
44 ${getLib pkgs.nettle}/lib/libnettle.so* mr,
46 #@{PROC}/@{pid}/environ r,
47 /run/wrappers/wrappers.*/ping.real r,
48 ${pkgs.iputils}/bin/ping mixr,
52 ## Site-specific additions and overrides. See local/README for details.
53 ##include <local/bin.ping>