1 diff --git a/nixos/doc/manual/release-notes/rl-2009.xml b/nixos/doc/manual/release-notes/rl-2009.xml
2 index 2225619d481..d5c1a5cb614 100644
3 --- a/nixos/doc/manual/release-notes/rl-2009.xml
4 +++ b/nixos/doc/manual/release-notes/rl-2009.xml
5 @@ -680,6 +680,37 @@ systemd.services.nginx.serviceConfig.ReadWritePaths = [ "/var/www" ];
6 was removed, as udev gained native support to handle FIDO security tokens.
11 + The <literal>services.transmission</literal> module
12 + was enhanced with the new options:
13 + <xref linkend="opt-services.transmission.credentialsFile"/>,
14 + <xref linkend="opt-services.transmission.openFirewall"/>,
15 + and <xref linkend="opt-services.transmission.performanceNetParameters"/>.
18 + <literal>transmission-daemon</literal> is now started with additional systemd sandbox/hardening options for better security.
19 + Please <link xlink:href="https://github.com/NixOS/nixpkgs/issues">report</link>
20 + any use case where this is not working well.
21 + In particular, the <literal>RootDirectory</literal> option newly set
22 + forbids uploading or downloading a torrent outside of the default directory
23 + configured at <link linkend="opt-services.transmission.settings">settings.download-dir</link>.
24 + If you really need Transmission to access other directories,
25 + you must include those directories into the <literal>BindPaths</literal> of the service:
27 +systemd.services.transmission.serviceConfig.BindPaths = [ "/path/to/alternative/download-dir" ];
31 + Also, connection to the RPC (Remote Procedure Call) of <literal>transmission-daemon</literal>
32 + is now only available on the local network interface by default.
35 +services.transmission.settings.rpc-bind-address = "0.0.0.0";
37 + to get the previous behavior of listening on all network interfaces.
42 With this release <literal>systemd-networkd</literal> (when enabled through <xref linkend="opt-networking.useNetworkd"/>)
43 diff --git a/nixos/modules/config/fonts/fontconfig.nix b/nixos/modules/config/fonts/fontconfig.nix
44 index 52d284f739b..3670487200d 100644
45 --- a/nixos/modules/config/fonts/fontconfig.nix
46 +++ b/nixos/modules/config/fonts/fontconfig.nix
47 @@ -485,6 +485,38 @@ in
49 environment.systemPackages = [ pkgs.fontconfig ];
50 environment.etc.fonts.source = "${fontconfigEtc}/etc/fonts/";
51 + security.apparmor.includes."abstractions/fonts" = ''
53 + r ${supportFontsConf},
54 + r ${latestPkg.out}/etc/fonts/fonts.conf,
56 + # fontconfig default config files
57 + r ${supportPkg.out}/etc/fonts/conf.d/*.conf,
58 + r ${latestPkg.out}/etc/fonts/conf.d/*.conf,
60 + # 00-nixos-cache.conf
61 + r ${cacheConfSupport},
62 + r ${cacheConfLatest},
64 + # 10-nixos-rendering.conf
67 + # local.conf (indirect priority 51)
68 + ${optionalString (cfg.localConf != "") ''
72 + # 52-nixos-default-fonts.conf
73 + r ${defaultFontsConf},
75 + # 53-no-bitmaps.conf
78 + ${optionalString (!cfg.allowType1) ''
79 + # 53-nixos-reject-type1.conf
84 (mkIf (cfg.enable && !cfg.penultimate.enable) {
85 fonts.fontconfig.confPackages = [ confPkg ];
86 diff --git a/nixos/modules/security/apparmor-suid.nix b/nixos/modules/security/apparmor-suid.nix
87 index 6c479e070e2..e6d9467f296 100644
88 --- a/nixos/modules/security/apparmor-suid.nix
89 +++ b/nixos/modules/security/apparmor-suid.nix
90 @@ -21,9 +21,9 @@ with lib;
93 config = mkIf (cfg.confineSUIDApplications) {
94 - security.apparmor.profiles = [ (pkgs.writeText "ping" ''
95 + security.apparmor.policies."bin/ping".profile = ''
96 #include <tunables/global>
97 - /run/wrappers/bin/ping {
98 + /run/wrappers/wrappers.*/ping {
99 #include <abstractions/base>
100 #include <abstractions/consoles>
101 #include <abstractions/nameservice>
102 @@ -32,10 +32,19 @@ with lib;
106 - ${pkgs.stdenv.cc.libc.out}/lib/*.so mr,
107 - ${pkgs.libcap.lib}/lib/libcap.so* mr,
108 - ${pkgs.attr.out}/lib/libattr.so* mr,
109 + ${getLib pkgs.stdenv.cc.cc}/lib/*.so* mr,
110 + ${getLib pkgs.stdenv.cc.libc}/lib/*.so* mr,
111 + ${getLib pkgs.stdenv.cc.libc}/lib/gconv/gconv-modules r,
112 + ${getLib pkgs.glibcLocales}/lib/locale/locale-archive r,
113 + ${getLib pkgs.attr.out}/lib/libattr.so* mr,
114 + ${getLib pkgs.libcap.lib}/lib/libcap.so* mr,
115 + ${getLib pkgs.libcap_ng}/lib/libcap-ng.so* mr,
116 + ${getLib pkgs.libidn2}/lib/libidn2.so* mr,
117 + ${getLib pkgs.libunistring}/lib/libunistring.so* mr,
118 + ${getLib pkgs.nettle}/lib/libnettle.so* mr,
120 + #@{PROC}/@{pid}/environ r,
121 + /run/wrappers/wrappers.*/ping.real r,
122 ${pkgs.iputils}/bin/ping mixr,
124 #/etc/modules.conf r,
125 @@ -43,7 +52,7 @@ with lib;
126 ## Site-specific additions and overrides. See local/README for details.
127 ##include <local/bin.ping>
134 diff --git a/nixos/modules/security/apparmor.nix b/nixos/modules/security/apparmor.nix
135 index cfc65b347bc..f9abb18afd2 100644
136 --- a/nixos/modules/security/apparmor.nix
137 +++ b/nixos/modules/security/apparmor.nix
139 { config, lib, pkgs, ... }:
142 - inherit (lib) mkIf mkOption types concatMapStrings;
143 + inherit (builtins) head match readFile;
144 + inherit (lib) types;
145 + inherit (config.environment) etc;
146 cfg = config.security.apparmor;
147 + mkDisableOption = name: lib.mkEnableOption name // {
155 - security.apparmor = {
156 - enable = mkOption {
159 - description = "Enable the AppArmor Mandatory Access Control system.";
161 - profiles = mkOption {
162 - type = types.listOf types.path;
164 - description = "List of files containing AppArmor profiles.";
166 - packages = mkOption {
167 - type = types.listOf types.package;
169 - description = "List of packages to be added to apparmor's include path";
174 + (lib.mkRemovedOptionModule [ "security" "apparmor" "profiles" ] "Please use the new option: `security.apparmor.policies'.")
175 + apparmor/profiles.nix
178 + security.apparmor = {
179 + enable = lib.mkEnableOption "the AppArmor Mandatory Access Control system";
180 + policies = lib.mkOption {
184 + type = types.attrsOf (types.submodule ({ name, config, ... }: {
186 + enable = mkDisableOption "loading of the profile into the kernel";
187 + enforce = mkDisableOption "enforcing of the policy or only complain in the logs";
188 + profile = lib.mkOption {
189 + description = "The policy of the profile.";
190 + type = types.lines;
191 + apply = pkgs.writeText name;
197 + includes = lib.mkOption {
198 + type = types.attrsOf types.lines;
201 + List of paths to be added to AppArmor's searched paths
202 + when resolving absolute #include directives.
204 + apply = lib.mapAttrs pkgs.writeText;
206 + packages = lib.mkOption {
207 + type = types.listOf types.package;
209 + description = "List of packages to be added to AppArmor's include path";
211 + enableCache = lib.mkEnableOption ''caching of AppArmor policies
212 + in <literal>/var/cache/apparmor/</literal>.
213 + Beware that AppArmor policies almost always contain Nix store paths,
214 + and thus produce at each change of these paths
215 + a new cached version accumulating in the cache.
217 + killUnconfinedConfinables = mkDisableOption ''killing of processes
218 + which have an AppArmor profile enabled
219 + (in <link linkend="opt-security.apparmor.policies">policies</link>)
220 + but are not confined (because AppArmor can only confine new processes).
225 - config = mkIf cfg.enable {
226 - environment.systemPackages = [ pkgs.apparmor-utils ];
227 + config = lib.mkIf cfg.enable {
228 + environment.systemPackages = [ pkgs.apparmor-utils ];
229 + environment.etc."apparmor.d".source = pkgs.linkFarm "apparmor.d" (
230 + lib.mapAttrsToList (name: p: {inherit name; path=p.profile;}) cfg.policies ++
231 + lib.mapAttrsToList (name: path: {inherit name path;}) cfg.includes
233 + environment.etc."apparmor/parser.conf".text = ''
234 + ${if cfg.enableCache then "write-cache" else "skip-cache"}
235 + cache-loc /var/cache/apparmor
236 + Include /etc/apparmor.d
238 + lib.concatMapStrings (p: "Include ${p}/etc/apparmor.d\n") cfg.packages;
239 + environment.etc."apparmor/logprof.conf".text = ''
241 + profiledir = /etc/apparmor.d
242 + inactive_profiledir = ${pkgs.apparmor-profiles}/share/apparmor/extra-profiles
243 + logfiles = /var/log/audit/audit.log /var/log/syslog /var/log/messages
245 - boot.kernelParams = [ "apparmor=1" "security=apparmor" ];
246 + parser = ${pkgs.apparmor-parser}/bin/apparmor_parser
247 + ldd = ${pkgs.glibc.bin}/bin/ldd
248 + logger = ${pkgs.utillinux}/bin/logger
250 - systemd.services.apparmor = let
251 - paths = concatMapStrings (s: " -I ${s}/etc/apparmor.d")
252 - ([ pkgs.apparmor-profiles ] ++ cfg.packages);
254 - after = [ "local-fs.target" ];
255 - before = [ "sysinit.target" ];
256 - wantedBy = [ "multi-user.target" ];
258 - DefaultDependencies = "no";
262 - RemainAfterExit = "yes";
263 - ExecStart = map (p:
264 - ''${pkgs.apparmor-parser}/bin/apparmor_parser -rKv ${paths} "${p}"''
267 - ''${pkgs.apparmor-parser}/bin/apparmor_parser -Rv "${p}"''
269 - ExecReload = map (p:
270 - ''${pkgs.apparmor-parser}/bin/apparmor_parser --reload ${paths} "${p}"''
275 + # customize how file ownership permissions are presented
277 + # 1 - default of what ever mode the log reported
278 + # 2 - force the new permissions to be user
279 + # 3 - force all perms on the rule to be user
280 + default_owner_prompt = 1
282 + # custom directory locations to look for #includes
284 + # each name should be a valid directory containing possible #include
285 + # candidate files under the profile dir which by default is /etc/apparmor.d.
287 + # So an entry of my-includes will allow /etc/apparmor.d/my-includes to
288 + # be used by the yast UI and profiling tools as a source of #include
293 + ${pkgs.runtimeShell} = icnu
294 + ${pkgs.bashInteractive}/bin/sh = icnu
295 + ${pkgs.bashInteractive}/bin/bash = icnu
296 + '' + head (match "^.*\\[qualifiers](.*)" # Drop the original [settings] section.
297 + (readFile "${pkgs.apparmor-utils}/etc/apparmor/logprof.conf"));
299 + boot.kernelParams = [ "apparmor=1" "security=apparmor" ];
301 + systemd.services.apparmor = {
304 + "systemd-journald-audit.socket"
306 + before = [ "sysinit.target" ];
307 + wantedBy = [ "multi-user.target" ];
308 + restartTriggers = [
309 + etc."apparmor/parser.conf".source
310 + etc."apparmor.d".source
313 + Description="Load AppArmor policies";
314 + DefaultDependencies = "no";
315 + ConditionSecurity = "apparmor";
317 + # Reloading instead of restarting enables to load new AppArmor profiles
318 + # without necessarily restarting all services which have Requires=apparmor.service
320 + # - Adding or replacing into the kernel profiles enabled in cfg.policies
321 + # (because AppArmor can do that without stopping the processes already confined).
322 + # - Removing from the kernel any profile whose name is not
323 + # one of the names within the content of the profiles in cfg.policies.
324 + # - Killing the processes which are unconfined but now have a profile loaded
325 + # (because AppArmor can only confine new processes).
326 + reloadIfChanged = true;
327 + # Avoid searchs in /usr/share/locale/
328 + environment.LANG="C";
329 + serviceConfig = let
330 + enabledPolicies = lib.attrValues (lib.filterAttrs (n: p: p.enable) cfg.policies);
331 + removeDisabledProfiles = pkgs.writeShellScript "apparmor-remove" ''
334 + enabledProfiles=$(mktemp)
335 + loadedProfiles=$(mktemp)
336 + trap "rm -f $enabledProfiles $loadedProfiles" EXIT
338 + ${pkgs.apparmor-parser}/bin/apparmor_parser --names /dev/null ${
339 + lib.concatMapStrings (p: "\\\n "+p.profile) enabledPolicies} |
340 + sort -u >"$enabledProfiles"
342 + sed -e "s/ (\(enforce\|complain\))$//" /sys/kernel/security/apparmor/profiles |
343 + sort -u >"$loadedProfiles"
345 + comm -23 "$loadedProfiles" "$enabledProfiles" |
346 + while IFS=$'\n\r' read -r profile
347 + do printf %s "$profile" >/sys/kernel/security/apparmor/.remove
350 + killUnconfinedConfinables = pkgs.writeShellScript "apparmor-kill" ''
352 + ${pkgs.apparmor-utils}/bin/aa-status --json |
353 + ${pkgs.jq}/bin/jq --raw-output '.processes | .[] | .[] | select (.status == "unconfined") | .pid' |
354 + xargs --verbose --no-run-if-empty --delimiter='\n' \
357 + commonOpts = p: "--verbose --show-cache ${lib.optionalString (!p.enforce) "--complain "}${p.profile}";
360 + RemainAfterExit = "yes";
361 + ExecStartPre = "${pkgs.apparmor-utils}/bin/aa-teardown";
362 + ExecStart = map (p: "${pkgs.apparmor-parser}/bin/apparmor_parser --add ${commonOpts p}") enabledPolicies;
363 + ExecStartPost = lib.optional cfg.killUnconfinedConfinables killUnconfinedConfinables;
365 + map (p: "${pkgs.apparmor-parser}/bin/apparmor_parser --replace ${commonOpts p}") enabledPolicies ++
366 + [ removeDisabledProfiles ] ++
367 + lib.optional cfg.killUnconfinedConfinables killUnconfinedConfinables;
368 + ExecStop = "${pkgs.apparmor-utils}/bin/aa-teardown";
369 + CacheDirectory = [ "apparmor" ];
370 + CacheDirectoryMode = "0700";
375 + meta.maintainers = with lib.maintainers; [ julm ];
377 diff --git a/nixos/modules/security/apparmor/profiles.nix b/nixos/modules/security/apparmor/profiles.nix
379 index 00000000000..7e33e630798
381 +++ b/nixos/modules/security/apparmor/profiles.nix
383 +{ config, lib, pkgs, ... }:
385 + inherit (builtins) attrNames hasAttr isAttrs;
386 + inherit (lib) getLib;
387 + inherit (config.environment) etc;
389 + let go = {path ? null, mode ? "r", trail ? ""}:
390 + lib.optionalString (hasAttr path etc)
391 + "${mode} ${config.environment.etc."${path}".source}${trail},";
394 + else go {path=arg;};
397 +config.security.apparmor.packages = [ pkgs.apparmor-profiles ];
398 +# FIXME: most of the etcRule calls below have been
399 +# written systematically by converting from apparmor-profiles's profiles
400 +# without testing nor deep understanding of their uses,
401 +# and thus may need more rules or can have less rules;
402 +# this remains to me determined case by case,
403 +# some may even be completely useless.
404 +config.security.apparmor.includes = {
405 + # This one is included by <tunables/global>
406 + # which is usualy included before any profile.
407 + "abstractions/tunables/alias" = ''
408 + alias /bin -> /run/current-system/sw/bin,
409 + # Unfortunately /etc is mainly built using symlinks,
410 + # thus aliasing does not work.
411 + #alias /etc -> /run/current-system/etc,
412 + alias /lib/modules -> /run/current-system/kernel/lib/modules,
413 + alias /sbin -> /run/current-system/sw/sbin,
414 + alias /usr -> /run/current-system/sw,
416 + "abstractions/audio" = ''
417 + #include ${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/audio
418 + ${etcRule "asound.conf"}
419 + ${etcRule "esound/esd.conf"}
420 + ${etcRule "libao.conf"}
421 + ${etcRule {path="pulse"; trail="/";}}
422 + ${etcRule {path="pulse"; trail="/**";}}
423 + ${etcRule {path="sound"; trail="/";}}
424 + ${etcRule {path="sound"; trail="/**";}}
425 + ${etcRule {path="alsa/conf.d"; trail="/";}}
426 + ${etcRule {path="alsa/conf.d"; trail="/*";}}
427 + ${etcRule "openal/alsoft.conf"}
428 + ${etcRule "wildmidi/wildmidi.conf"}
430 + # FIXME: security.pam configures more .so than allowed here,
431 + # but has many tests to decide what .so to use,
432 + # so it would be simpler to let security.pam add those .so
433 + # to the present security.apparmor.includes."abstractions/authentication"
434 + "abstractions/authentication" = ''
435 + #include ${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/authentication
436 + ${etcRule "nologin"}
437 + ${lib.concatMapStringsSep "\n"
438 + (name: "r ${etc."pam.d/${name}".source},")
439 + (attrNames config.security.pam.services)}
440 + mr ${getLib pkgs.pam}/lib/security/pam_filter/*,
441 + mr ${getLib pkgs.pam}/lib/security/pam_*.so,
442 + r ${getLib pkgs.pam}/lib/security/,
443 + ${etcRule "securetty"}
444 + ${etcRule {path="security"; trail="/*";}}
445 + ${etcRule "shadow"}
446 + ${etcRule "gshadow"}
447 + ${etcRule "pwdb.conf"}
448 + ${etcRule "default/passwd"}
449 + ${etcRule "login.defs"}
451 + "abstractions/base" = ''
452 + #include ${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/base
453 + r ${pkgs.stdenv.cc.libc}/share/locale/**,
454 + r ${pkgs.stdenv.cc.libc}/share/locale.alias,
455 + ${etcRule "localtime"}
456 + r /etc/ld-nix.so.preload,
457 + ${etcRule "ld-nix.so.preload"}
458 + ${lib.concatMapStrings (p: lib.optionalString (p != "") "mr ${p},\n")
459 + (lib.splitString "\n" etc."ld-nix.so.preload".text)
460 + # TODO: avoid this line splitting by nixifying ld-nix.so.preload as a list or attrset,
461 + # and make services.config.malloc use it.
463 + r ${pkgs.tzdata}/share/zoneinfo/**,
464 + r ${pkgs.stdenv.cc.libc}/share/i18n/**,
466 + "abstractions/bash" = ''
467 + #include ${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/bash
468 + # system-wide bash configuration
469 + ${etcRule "profile.dos"}
470 + ${etcRule "profile"}
471 + ${etcRule "profile.d"}
472 + ${etcRule {path="profile.d"; trail="/*";}}
473 + ${etcRule "bashrc"}
474 + ${etcRule "bash.bashrc"}
475 + ${etcRule "bash.bashrc.local"}
476 + ${etcRule "bash_completion"}
477 + ${etcRule "bash_completion.d"}
478 + ${etcRule {path="bash_completion.d"; trail="/*";}}
479 + # bash relies on system-wide readline configuration
480 + ${etcRule "inputrc"}
481 + # bash inspects filesystems at startup
482 + # and /etc/mtab is linked to /proc/mounts
485 + # run out of /etc/bash.bashrc
486 + ${etcRule "DIR_COLORS"}
488 + "abstractions/cups-client" = ''
489 + #include ${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/cpus-client
490 + ${etcRule "cups/cups-client.conf"}
492 + "abstractions/consoles" = ''
493 + #include ${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/consoles
495 + "abstractions/dbus-session-strict" = ''
496 + #include ${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/dbus-session-strict
497 + ${etcRule "machine-id"}
499 + "abstractions/dconf" = ''
500 + #include ${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/dconf
501 + ${etcRule {path="dconf"; trail="/**";}}
503 + "abstractions/dri-common" = ''
504 + #include ${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/dri-common
507 + # The config.fonts.fontconfig NixOS module adds many files to /etc/fonts/
508 + # by symlinking them but without exporting them outside of its NixOS module,
509 + # those are therefore added there to this "abstractions/fonts".
510 + "abstractions/fonts" = ''
511 + #include ${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/fonts
512 + ${etcRule {path="fonts"; trail="/**";}}
514 + "abstractions/gnome" = ''
515 + #include ${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/gnome
516 + ${etcRule {path="gnome"; trail="/gtkrc*";}}
517 + ${etcRule {path="gtk"; trail="/*";}}
518 + ${etcRule {path="gtk-2.0"; trail="/*";}}
519 + ${etcRule {path="gtk-3.0"; trail="/*";}}
520 + ${etcRule "orbitrc"}
521 + #include <abstractions/fonts>
522 + ${etcRule {path="pango"; trail="/*";}}
523 + ${etcRule {path="/etc/gnome-vfs-2.0"; trail="/modules/";}}
524 + ${etcRule {path="/etc/gnome-vfs-2.0"; trail="/modules/*";}}
525 + ${etcRule "papersize"}
526 + ${etcRule {path="cups"; trail="/lpoptions";}}
527 + ${etcRule {path="gnome"; trail="/defaults.list";}}
528 + ${etcRule {path="xdg"; trail="/{,*-}mimeapps.list";}}
529 + ${etcRule "xdg/mimeapps.list"}
531 + "abstractions/kde" = ''
532 + #include ${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/kde
533 + ${etcRule {path="qt3"; trail="/kstylerc";}}
534 + ${etcRule {path="qt3"; trail="/qt_plugins_3.3rc";}}
535 + ${etcRule {path="qt3"; trail="/qtrc";}}
537 + ${etcRule {path="kde3"; trail="/*";}}
538 + ${etcRule "kde4rc"}
539 + ${etcRule {path="xdg"; trail="/kdeglobals";}}
540 + ${etcRule {path="xdg"; trail="/Trolltech.conf";}}
542 + "abstractions/kerberosclient" = ''
543 + #include ${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/kerberosclient
544 + ${etcRule {path="krb5.keytab"; mode="rk";}}
545 + ${etcRule "krb5.conf"}
546 + ${etcRule "krb5.conf.d"}
547 + ${etcRule {path="krb5.conf.d"; trail="/*";}}
549 + # config files found via strings on libs
550 + ${etcRule "krb.conf"}
551 + ${etcRule "krb.realms"}
552 + ${etcRule "srvtab"}
554 + "abstractions/ldapclient" = ''
555 + #include ${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/ldapclient
556 + ${etcRule "ldap.conf"}
557 + ${etcRule "ldap.secret"}
558 + ${etcRule {path="openldap"; trail="/*";}}
559 + ${etcRule {path="openldap"; trail="/cacerts/*";}}
560 + ${etcRule {path="sasl2"; trail="/*";}}
562 + "abstractions/likewise" = ''
563 + #include ${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/likewise
565 + "abstractions/mdns" = ''
566 + #include ${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/mdns
567 + ${etcRule "nss_mdns.conf"}
569 + "abstractions/nameservice" = ''
570 + #include ${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/nameservice
572 + # Many programs wish to perform nameservice-like operations, such as
573 + # looking up users by name or id, groups by name or id, hosts by name
574 + # or IP, etc. These operations may be performed through files, dns,
575 + # NIS, NIS+, LDAP, hesiod, wins, etc. Allow them all here.
577 + ${etcRule "host.conf"}
579 + ${etcRule "nsswitch.conf"}
580 + ${etcRule "gai.conf"}
581 + ${etcRule "passwd"}
582 + ${etcRule "protocols"}
584 + # libtirpc (used for NIS/YP login) needs this
585 + ${etcRule "netconfig"}
587 + ${etcRule "resolv.conf"}
589 + ${etcRule {path="samba"; trail="/lmhosts";}}
590 + ${etcRule "services"}
592 + ${etcRule "default/nss"}
594 + # libnl-3-200 via libnss-gw-name
595 + ${etcRule {path="libnl"; trail="/classid";}}
596 + ${etcRule {path="libnl-3"; trail="/classid";}}
598 + mr ${getLib pkgs.nss}/lib/libnss_*.so*,
599 + mr ${getLib pkgs.nss}/lib64/libnss_*.so*,
601 + "abstractions/nis" = ''
602 + #include ${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/nis
604 + "abstractions/nvidia" = ''
605 + #include ${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/nvidia
606 + ${etcRule "vdpau_wrapper.cfg"}
608 + "abstractions/opencl-common" = ''
609 + #include ${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/opencl-common
610 + ${etcRule {path="OpenCL"; trail="/**";}}
612 + "abstractions/opencl-mesa" = ''
613 + #include ${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/opencl-mesa
614 + ${etcRule "default/drirc"}
616 + "abstractions/openssl" = ''
617 + #include ${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/openssl
618 + ${etcRule {path="ssl"; trail="/openssl.cnf";}}
620 + "abstractions/p11-kit" = ''
621 + #include ${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/p11-kit
622 + ${etcRule {path="pkcs11"; trail="/";}}
623 + ${etcRule {path="pkcs11"; trail="/pkcs11.conf";}}
624 + ${etcRule {path="pkcs11"; trail="/modules/";}}
625 + ${etcRule {path="pkcs11"; trail="/modules/*";}}
627 + "abstractions/perl" = ''
628 + #include ${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/perl
629 + ${etcRule {path="perl"; trail="/**";}}
631 + "abstractions/php" = ''
632 + #include ${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/php
633 + ${etcRule {path="php"; trail="/**/";}}
634 + ${etcRule {path="php5"; trail="/**/";}}
635 + ${etcRule {path="php7"; trail="/**/";}}
636 + ${etcRule {path="php"; trail="/**.ini";}}
637 + ${etcRule {path="php5"; trail="/**.ini";}}
638 + ${etcRule {path="php7"; trail="/**.ini";}}
640 + "abstractions/postfix-common" = ''
641 + #include ${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/postfix-common
642 + ${etcRule "mailname"}
643 + ${etcRule {path="postfix"; trail="/*.cf";}}
644 + ${etcRule "postfix/main.cf"}
645 + ${etcRule "postfix/master.cf"}
647 + "abstractions/python" = ''
648 + #include ${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/python
649 + ${etcRule {path="python2.4"; trail="/**";}}
650 + ${etcRule {path="python2.5"; trail="/**";}}
651 + ${etcRule {path="python2.6"; trail="/**";}}
652 + ${etcRule {path="python2.7"; trail="/**";}}
653 + ${etcRule {path="python3.0"; trail="/**";}}
654 + ${etcRule {path="python3.1"; trail="/**";}}
655 + ${etcRule {path="python3.2"; trail="/**";}}
656 + ${etcRule {path="python3.3"; trail="/**";}}
657 + ${etcRule {path="python3.4"; trail="/**";}}
658 + ${etcRule {path="python3.5"; trail="/**";}}
659 + ${etcRule {path="python3.6"; trail="/**";}}
660 + ${etcRule {path="python3.7"; trail="/**";}}
661 + ${etcRule {path="python3.8"; trail="/**";}}
662 + ${etcRule {path="python3.9"; trail="/**";}}
664 + "abstractions/qt5" = ''
665 + #include ${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/qt5
666 + ${etcRule {path="xdg"; trail="/QtProject/qtlogging.ini";}}
667 + ${etcRule {path="xdg/QtProject"; trail="/qtlogging.ini";}}
668 + ${etcRule "xdg/QtProject/qtlogging.ini"}
670 + "abstractions/samba" = ''
671 + #include ${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/samba
672 + ${etcRule {path="samba"; trail="/*";}}
674 + "abstractions/ssl_certs" = ''
675 + #include ${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/ssl_certs
676 + ${etcRule "ssl/certs/ca-certificates.crt"}
677 + ${etcRule "ssl/certs/ca-bundle.crt"}
678 + ${etcRule "pki/tls/certs/ca-bundle.crt"}
680 + ${etcRule {path="ssl/trust"; trail="/";}}
681 + ${etcRule {path="ssl/trust"; trail="/*";}}
682 + ${etcRule {path="ssl/trust/anchors"; trail="/";}}
683 + ${etcRule {path="ssl/trust/anchors"; trail="/**";}}
684 + ${etcRule {path="pki/trust"; trail="/";}}
685 + ${etcRule {path="pki/trust"; trail="/*";}}
686 + ${etcRule {path="pki/trust/anchors"; trail="/";}}
687 + ${etcRule {path="pki/trust/anchors"; trail="/**";}}
689 + # security.acme NixOS module
690 + r /var/lib/acme/*/cert.pem,
691 + r /var/lib/acme/*/chain.pem,
692 + r /var/lib/acme/*/fullchain.pem,
694 + "abstractions/ssl_keys" = ''
695 + # security.acme NixOS module
696 + r /var/lib/acme/*/full.pem,
697 + r /var/lib/acme/*/key.pem,
699 + "abstractions/vulkan" = ''
700 + #include ${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/vulkan
701 + ${etcRule {path="vulkan/icd.d"; trail="/";}}
702 + ${etcRule {path="vulkan/icd.d"; trail="/*.json";}}
704 + "abstractions/winbind" = ''
705 + #include ${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/winbind
706 + ${etcRule {path="samba"; trail="/smb.conf";}}
707 + ${etcRule {path="samba"; trail="/dhcp.conf";}}
709 + "abstractions/X" = ''
710 + #include ${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/X
711 + ${etcRule {path="X11/cursors"; trail="/";}}
712 + ${etcRule {path="X11/cursors"; trail="/**";}}
716 diff --git a/nixos/modules/security/pam.nix b/nixos/modules/security/pam.nix
717 index 565c15dec24..66219d37c7d 100644
718 --- a/nixos/modules/security/pam.nix
719 +++ b/nixos/modules/security/pam.nix
720 @@ -836,6 +836,57 @@ in
721 runuser-l = { rootOK = true; unixAuth = false; };
724 + security.apparmor.includes."abstractions/pam" = let
725 + isEnabled = test: fold or false (map test (attrValues config.security.pam.services));
727 + ${optionalString use_ldap
728 + "mr ${pam_ldap}/lib/security/pam_ldap.so,"}
729 + ${optionalString config.services.sssd.enable
730 + "mr ${pkgs.sssd}/lib/security/pam_sss.so,"}
731 + ${optionalString config.krb5.enable ''
732 + mr ${pam_krb5}/lib/security/pam_krb5.so,
733 + mr ${pam_ccreds}/lib/security/pam_ccreds.so,
735 + ${optionalString (isEnabled (cfg: cfg.googleOsLoginAccountVerification)) ''
736 + mr ${pkgs.google-compute-engine-oslogin}/lib/pam_oslogin_login.so,
737 + mr ${pkgs.google-compute-engine-oslogin}/lib/pam_oslogin_admin.so,
739 + ${optionalString (isEnabled (cfg: cfg.googleOsLoginAuthentication))
740 + "mr ${pkgs.google-compute-engine-oslogin}/lib/pam_oslogin_login.so,"}
741 + ${optionalString (config.security.pam.enableSSHAgentAuth && isEnabled (cfg: cfg.sshAgentAuth))
742 + "mr ${pkgs.pam_ssh_agent_auth}/libexec/pam_ssh_agent_auth.so,"}
743 + ${optionalString (isEnabled (cfg: cfg.fprintAuth))
744 + "mr ${pkgs.fprintd}/lib/security/pam_fprintd.so,"}
745 + ${optionalString (isEnabled (cfg: cfg.u2fAuth))
746 + "mr ${pkgs.pam_u2f}/lib/security/pam_u2f.so,"}
747 + ${optionalString (isEnabled (cfg: cfg.usbAuth))
748 + "mr ${pkgs.pam_usb}/lib/security/pam_usb.so,"}
749 + ${optionalString (isEnabled (cfg: cfg.oathAuth))
750 + "mr ${pkgs.oathToolkit}/lib/security/pam_oath.so,"}
751 + ${optionalString (isEnabled (cfg: cfg.yubicoAuth))
752 + "mr ${pkgs.yubico-pam}/lib/security/pam_yubico.so,"}
753 + ${optionalString (isEnabled (cfg: cfg.duoSecurity.enable))
754 + "mr ${pkgs.duo-unix}/lib/security/pam_duo.so,"}
755 + ${optionalString (isEnabled (cfg: cfg.otpwAuth))
756 + "mr ${pkgs.otpw}/lib/security/pam_otpw.so,"}
757 + ${optionalString config.security.pam.enableEcryptfs
758 + "mr ${pkgs.ecryptfs}/lib/security/pam_ecryptfs.so,"}
759 + ${optionalString (isEnabled (cfg: cfg.pamMount))
760 + "mr ${pkgs.pam_mount}/lib/security/pam_mount.so,"}
761 + ${optionalString config.services.samba.syncPasswordsByPam
762 + "mr ${pkgs.samba}/lib/security/pam_smbpass.so,"}
763 + ${optionalString (isEnabled (cfg: cfg.enableGnomeKeyring))
764 + "mr ${pkgs.gnome3.gnome-keyring}/lib/security/pam_gnome_keyring.so,"}
765 + ${optionalString (isEnabled (cfg: cfg.startSession))
766 + "mr ${pkgs.systemd}/lib/security/pam_systemd.so,"}
767 + ${optionalString (isEnabled (cfg: cfg.enableAppArmor) && config.security.apparmor.enable)
768 + "mr ${pkgs.apparmor-pam}/lib/security/pam_apparmor.so,"}
769 + ${optionalString (isEnabled (cfg: cfg.enableKwallet))
770 + "mr ${pkgs.plasma5.kwallet-pam}/lib/security/pam_kwallet5.so,"}
771 + ${optionalString config.virtualisation.lxc.lxcfs.enable
772 + "mr ${pkgs.lxc}/lib/security/pam_cgfs.so"}
778 diff --git a/nixos/modules/services/torrent/transmission.nix b/nixos/modules/services/torrent/transmission.nix
779 index 1bfcf2de82f..f589c31ad75 100644
780 --- a/nixos/modules/services/torrent/transmission.nix
781 +++ b/nixos/modules/services/torrent/transmission.nix
783 -{ config, lib, pkgs, ... }:
784 +{ config, lib, pkgs, options, ... }:
789 cfg = config.services.transmission;
790 + inherit (config.environment) etc;
791 apparmor = config.security.apparmor.enable;
793 - homeDir = cfg.home;
794 - downloadDirPermissions = cfg.downloadDirPermissions;
795 - downloadDir = "${homeDir}/Downloads";
796 - incompleteDir = "${homeDir}/.incomplete";
798 - settingsDir = "${homeDir}/config";
799 - settingsFile = pkgs.writeText "settings.json" (builtins.toJSON fullSettings);
801 - # for users in group "transmission" to have access to torrents
802 - fullSettings = { umask = 2; download-dir = downloadDir; incomplete-dir = incompleteDir; } // cfg.settings;
804 - preStart = pkgs.writeScript "transmission-pre-start" ''
805 - #!${pkgs.runtimeShell}
807 - cp -f ${settingsFile} ${settingsDir}/settings.json
809 + rootDir = "/run/transmission";
810 + homeDir = "/var/lib/transmission";
811 + settingsDir = ".config/transmission-daemon";
812 + downloadsDir = "Downloads";
813 + incompleteDir = ".incomplete";
814 + # TODO: switch to configGen.json once RFC0042 is implemented
815 + settingsFile = pkgs.writeText "settings.json" (builtins.toJSON cfg.settings);
819 services.transmission = {
820 - enable = mkOption {
824 - Whether or not to enable the headless Transmission BitTorrent daemon.
825 + enable = mkEnableOption ''the headless Transmission BitTorrent daemon.
827 - Transmission daemon can be controlled via the RPC interface using
828 - transmission-remote or the WebUI (http://localhost:9091/ by default).
829 + Transmission daemon can be controlled via the RPC interface using
830 + transmission-remote, the WebUI (http://127.0.0.1:9091/ by default),
831 + or other clients like stig or tremc.
833 - Torrents are downloaded to ${downloadDir} by default and are
834 - accessible to users in the "transmission" group.
837 + Torrents are downloaded to ${homeDir}/${downloadsDir} by default and are
838 + accessible to users in the "transmission" group'';
840 - settings = mkOption {
841 + settings = mkOption rec {
842 + # TODO: switch to types.config.json as prescribed by RFC0042 once it's implemented
844 + apply = recursiveUpdate default;
847 - download-dir = downloadDir;
848 - incomplete-dir = incompleteDir;
849 + download-dir = "${cfg.home}/${downloadsDir}";
850 + incomplete-dir = "${cfg.home}/${incompleteDir}";
851 incomplete-dir-enabled = true;
854 + peer-port-random-high = 65535;
855 + peer-port-random-low = 49152;
856 + peer-port-random-on-start = false;
857 + rpc-bind-address = "127.0.0.1";
859 + script-torrent-done-enabled = false;
860 + script-torrent-done-filename = "";
861 + umask = 2; # 0o002 in decimal as expected by Transmission
862 + utp-enabled = true;
866 @@ -56,11 +55,12 @@ in
867 rpc-whitelist = "127.0.0.1,192.168.*.*";
870 - Attribute set whos fields overwrites fields in settings.json (each
871 - time the service starts). String values must be quoted, integer and
872 + Attribute set whose fields overwrites fields in
873 + <literal>.config/transmission-daemon/settings.json</literal>
874 + (each time the service starts). String values must be quoted, integer and
875 boolean values must not.
877 - See https://github.com/transmission/transmission/wiki/Editing-Configuration-Files
878 + See <link xlink:href="https://github.com/transmission/transmission/wiki/Editing-Configuration-Files">Transmission's Wiki</link>
882 @@ -70,22 +70,32 @@ in
886 - The permissions to set for download-dir and incomplete-dir.
887 - They will be applied on every service start.
888 + The permissions set by <literal>systemd.activationScripts.transmission-daemon</literal>
889 + on the directories <link linkend="opt-services.transmission.settings">settings.download-dir</link>
890 + and <link linkend="opt-services.transmission.settings">settings.incomplete-dir</link>.
891 + Note that you may also want to change
892 + <link linkend="opt-services.transmission.settings">settings.umask</link>.
899 - description = "TCP port number to run the RPC/web interface.";
902 + TCP port number to run the RPC/web interface.
904 + If instead you want to change the peer port,
905 + use <link linkend="opt-services.transmission.settings">settings.peer-port</link>
906 + or <link linkend="opt-services.transmission.settings">settings.peer-port-random-on-start</link>.
912 - default = "/var/lib/transmission";
915 - The directory where transmission will create files.
916 + The directory where Transmission will create <literal>${settingsDir}</literal>.
917 + as well as <literal>${downloadsDir}/</literal> unless <link linkend="opt-services.transmission.settings">settings.download-dir</link> is changed,
918 + and <literal>${incompleteDir}/</literal> unless <link linkend="opt-services.transmission.settings">settings.incomplete-dir</link> is changed.
922 @@ -100,32 +110,173 @@ in
923 default = "transmission";
924 description = "Group account under which Transmission runs.";
927 + credentialsFile = mkOption {
930 + Path to a JSON file to be merged with the settings.
931 + Useful to merge a file which is better kept out of the Nix store
932 + because it contains sensible data like <link linkend="opt-services.transmission.settings">settings.rpc-password</link>.
934 + default = "/dev/null";
935 + example = "/var/lib/secrets/transmission/settings.json";
938 + openFirewall = mkEnableOption "opening of the peer port(s) in the firewall";
940 + performanceNetParameters = mkEnableOption ''tweaking of kernel parameters
941 + to open many more connections at the same time.
943 + Note that you may also want to increase
944 + <link linkend="opt-services.transmission.settings">settings.peer-limit-global</link>.
945 + And be aware that these settings are quite aggressive
946 + and might not suite your regular desktop use.
947 + For instance, SSH sessions may time out more easily'';
951 config = mkIf cfg.enable {
952 - systemd.tmpfiles.rules = [
953 - "d '${homeDir}' 0770 '${cfg.user}' '${cfg.group}' - -"
954 - "d '${settingsDir}' 0700 '${cfg.user}' '${cfg.group}' - -"
955 - "d '${fullSettings.download-dir}' '${downloadDirPermissions}' '${cfg.user}' '${cfg.group}' - -"
956 - "d '${fullSettings.incomplete-dir}' '${downloadDirPermissions}' '${cfg.user}' '${cfg.group}' - -"
957 + # Note that using systemd.tmpfiles would not work here
958 + # because it would fail when creating a directory
959 + # with a different owner than its parent directory, by saying:
960 + # Detected unsafe path transition /home/foo → /home/foo/Downloads during canonicalization of /home/foo/Downloads
961 + # when /home/foo is not owned by cfg.user.
962 + # Note also that using an ExecStartPre= wouldn't work either
963 + # because BindPaths= needs these directories before.
964 + system.activationScripts.transmission-daemon = ''
965 + install -D -d -m 700 '${cfg.home}/${settingsDir}'
966 + chown -R '${cfg.user}:${cfg.group}' ${cfg.home}/${settingsDir}
967 + install -D -d -m '${cfg.downloadDirPermissions}' -o '${cfg.user}' -g '${cfg.group}' '${cfg.settings.download-dir}'
968 + '' + optionalString cfg.settings.incomplete-dir-enabled ''
969 + install -D -d -m '${cfg.downloadDirPermissions}' -o '${cfg.user}' -g '${cfg.group}' '${cfg.settings.incomplete-dir}'
973 + { assertion = builtins.match "^/.*" cfg.home != null;
974 + message = "`services.transmission.home' must be an absolute path.";
976 + { assertion = types.path.check cfg.settings.download-dir;
977 + message = "`services.transmission.settings.download-dir' must be an absolute path.";
979 + { assertion = types.path.check cfg.settings.incomplete-dir;
980 + message = "`services.transmission.settings.incomplete-dir' must be an absolute path.";
982 + { assertion = cfg.settings.script-torrent-done-filename == "" || types.path.check cfg.settings.script-torrent-done-filename;
983 + message = "`services.transmission.settings.script-torrent-done-filename' must be an absolute path.";
985 + { assertion = types.port.check cfg.settings.rpc-port;
986 + message = "${toString cfg.settings.rpc-port} is not a valid port number for `services.transmission.settings.rpc-port`.";
988 + # In case both port and settings.rpc-port are explicitely defined: they must be the same.
989 + { assertion = !options.services.transmission.port.isDefined || cfg.port == cfg.settings.rpc-port;
990 + message = "`services.transmission.port' is not equal to `services.transmission.settings.rpc-port'";
994 + services.transmission.settings =
995 + optionalAttrs options.services.transmission.port.isDefined { rpc-port = cfg.port; };
997 systemd.services.transmission = {
998 description = "Transmission BitTorrent Service";
999 after = [ "network.target" ] ++ optional apparmor "apparmor.service";
1000 - requires = mkIf apparmor [ "apparmor.service" ];
1001 + requires = optional apparmor "apparmor.service";
1002 wantedBy = [ "multi-user.target" ];
1003 + environment.CURL_CA_BUNDLE = etc."ssl/certs/ca-certificates.crt".source;
1005 - # 1) Only the "transmission" user and group have access to torrents.
1006 - # 2) Optionally update/force specific fields into the configuration file.
1007 - serviceConfig.ExecStartPre = preStart;
1008 - serviceConfig.ExecStart = "${pkgs.transmission}/bin/transmission-daemon -f --port ${toString config.services.transmission.port} --config-dir ${settingsDir}";
1009 - serviceConfig.ExecReload = "${pkgs.coreutils}/bin/kill -HUP $MAINPID";
1010 - serviceConfig.User = cfg.user;
1011 - serviceConfig.Group = cfg.group;
1012 - # NOTE: transmission has an internal umask that also must be set (in settings.json)
1013 - serviceConfig.UMask = "0002";
1015 + # Use "+" because credentialsFile may not be accessible to User= or Group=.
1016 + ExecStartPre = "+" + pkgs.writeShellScript "transmission-prestart" ''
1017 + set -eu${lib.optionalString (cfg.settings.message-level >= 3) "x"}
1018 + ${pkgs.jq}/bin/jq --slurp add ${settingsFile} '${cfg.credentialsFile}' |
1019 + install -D -m 600 -o '${cfg.user}' -g '${cfg.group}' /dev/stdin \
1020 + '${cfg.home}/${settingsDir}/settings.json'
1022 + ExecStart="${pkgs.transmission}/bin/transmission-daemon -f";
1023 + ExecReload = "${pkgs.coreutils}/bin/kill -HUP $MAINPID";
1025 + Group = cfg.group;
1026 + # Create rootDir in the host's mount namespace.
1027 + RuntimeDirectory = [(baseNameOf rootDir)];
1028 + RuntimeDirectoryMode = "755";
1029 + # Avoid mounting rootDir in the own rootDir of ExecStart='s mount namespace.
1030 + InaccessiblePaths = ["-+${rootDir}"];
1031 + # This is for BindPaths= and BindReadOnlyPaths=
1032 + # to allow traversal of directories they create in RootDirectory=.
1034 + # Using a RootDirectory= allows to use the same paths download-dir/incomplete-dir
1035 + # (which appear in user's interfaces) without requiring cfg.user
1036 + # to have access to their parent directories,
1037 + # by using BindPaths=/BindReadOnlyPaths=.
1038 + # Note that TemporaryFileSystem= could have been used instead
1039 + # but not without adding some BindPaths=/BindReadOnlyPaths=
1040 + # that would only be needed for ExecStartPre=,
1041 + # because RootDirectoryStartOnly=true would not help.
1042 + RootDirectory = rootDir;
1043 + RootDirectoryStartOnly = true;
1044 + MountAPIVFS = true;
1046 + [ "${cfg.home}/${settingsDir}"
1047 + cfg.settings.download-dir
1049 + optional cfg.settings.incomplete-dir-enabled
1050 + cfg.settings.incomplete-dir;
1051 + BindReadOnlyPaths = [
1052 + # No confinement done of /nix/store here like in systemd-confinement.nix,
1053 + # an AppArmor profile is provided to get a confinement based upon paths and rights.
1056 + "-/etc/ld-nix.so.preload"
1059 + optional (cfg.settings.script-torrent-done-enabled &&
1060 + cfg.settings.script-torrent-done-filename != "")
1061 + cfg.settings.script-torrent-done-filename;
1062 + # The following options are only for optimizing:
1063 + # systemd-analyze security transmission
1064 + AmbientCapabilities = "";
1065 + CapabilityBoundingSet = "";
1066 + # ProtectClock= adds DeviceAllow=char-rtc r
1068 + LockPersonality = true;
1069 + MemoryDenyWriteExecute = true;
1070 + NoNewPrivileges = true;
1071 + PrivateDevices = true;
1072 + PrivateMounts = true;
1073 + PrivateNetwork = false;
1074 + PrivateTmp = true;
1075 + PrivateUsers = true;
1076 + ProtectClock = true;
1077 + ProtectControlGroups = true;
1078 + # ProtectHome=true would not allow BindPaths= to work accross /home,
1079 + # and ProtectHome=tmpfs would break statfs(),
1080 + # preventing transmission-daemon to report the available free space.
1081 + # However, RootDirectory= is used, so this is not a security concern
1082 + # since there would be nothing in /home but any BindPaths= wanted by the user.
1083 + ProtectHome = "read-only";
1084 + ProtectHostname = true;
1085 + ProtectKernelLogs = true;
1086 + ProtectKernelModules = true;
1087 + ProtectKernelTunables = true;
1088 + ProtectSystem = "strict";
1090 + # AF_UNIX may become usable one day:
1091 + # https://github.com/transmission/transmission/issues/441
1092 + RestrictAddressFamilies = [ "AF_UNIX" "AF_INET" "AF_INET6" ];
1093 + RestrictNamespaces = true;
1094 + RestrictRealtime = true;
1095 + RestrictSUIDSGID = true;
1096 + SystemCallFilter = [
1098 + # Groups in @system-service which do not contain a syscall
1099 + # listed by perf -e 'syscalls:sys_enter_*' transmission-daemon -f
1100 + # in tests, and seem likely not necessary for transmission-daemon.
1101 + "~@aio" "~@chown" "~@keyring" "~@memlock" "~@resources" "~@setuid" "~@timer"
1102 + # In the @privileged group, but reached when querying infos through RPC (eg. with stig).
1105 + SystemCallArchitectures = "native";
1106 + SystemCallErrorNumber = "EPERM";
1110 # It's useful to have transmission in path, e.g. for remote control
1111 @@ -133,70 +284,137 @@ in
1113 users.users = optionalAttrs (cfg.user == "transmission") ({
1115 - name = "transmission";
1117 uid = config.ids.uids.transmission;
1118 description = "Transmission BitTorrent user";
1120 - createHome = true;
1125 users.groups = optionalAttrs (cfg.group == "transmission") ({
1127 - name = "transmission";
1128 gid = config.ids.gids.transmission;
1132 - # AppArmor profile
1133 - security.apparmor.profiles = mkIf apparmor [
1134 - (pkgs.writeText "apparmor-transmission-daemon" ''
1135 - #include <tunables/global>
1136 + networking.firewall = mkIf cfg.openFirewall (
1137 + if cfg.settings.peer-port-random-on-start
1139 + { allowedTCPPortRanges =
1140 + [ { from = cfg.settings.peer-port-random-low;
1141 + to = cfg.settings.peer-port-random-high;
1144 + allowedUDPPortRanges =
1145 + [ { from = cfg.settings.peer-port-random-low;
1146 + to = cfg.settings.peer-port-random-high;
1151 + { allowedTCPPorts = [ cfg.settings.peer-port ];
1152 + allowedUDPPorts = [ cfg.settings.peer-port ];
1156 + boot.kernel.sysctl = mkMerge [
1157 + # Transmission uses a single UDP socket in order to implement multiple uTP sockets,
1158 + # and thus expects large kernel buffers for the UDP socket,
1159 + # https://trac.transmissionbt.com/browser/trunk/libtransmission/tr-udp.c?rev=11956.
1160 + # at least up to the values hardcoded here:
1161 + (mkIf cfg.settings.utp-enabled {
1162 + "net.core.rmem_max" = mkDefault "4194304"; # 4MB
1163 + "net.core.wmem_max" = mkDefault "1048576"; # 1MB
1165 + (mkIf cfg.performanceNetParameters {
1166 + # Increase the number of available source (local) TCP and UDP ports to 49151.
1167 + # Usual default is 32768 60999, ie. 28231 ports.
1168 + # Find out your current usage with: ss -s
1169 + "net.ipv4.ip_local_port_range" = "16384 65535";
1170 + # Timeout faster generic TCP states.
1171 + # Usual default is 600.
1172 + # Find out your current usage with: watch -n 1 netstat -nptuo
1173 + "net.netfilter.nf_conntrack_generic_timeout" = 60;
1174 + # Timeout faster established but inactive connections.
1175 + # Usual default is 432000.
1176 + "net.netfilter.nf_conntrack_tcp_timeout_established" = 600;
1177 + # Clear immediately TCP states after timeout.
1178 + # Usual default is 120.
1179 + "net.netfilter.nf_conntrack_tcp_timeout_time_wait" = 1;
1180 + # Increase the number of trackable connections.
1181 + # Usual default is 262144.
1182 + # Find out your current usage with: conntrack -C
1183 + "net.netfilter.nf_conntrack_max" = 1048576;
1187 + security.apparmor.policies."bin/transmission-daemon".profile = ''
1188 + include <tunables/global>
1190 ${pkgs.transmission}/bin/transmission-daemon {
1191 - #include <abstractions/base>
1192 - #include <abstractions/nameservice>
1193 + include <abstractions/base>
1194 + include <abstractions/nameservice>
1196 - ${getLib pkgs.glibc}/lib/*.so mr,
1197 - ${getLib pkgs.libevent}/lib/libevent*.so* mr,
1198 - ${getLib pkgs.curl}/lib/libcurl*.so* mr,
1199 - ${getLib pkgs.openssl}/lib/libssl*.so* mr,
1200 - ${getLib pkgs.openssl}/lib/libcrypto*.so* mr,
1201 - ${getLib pkgs.zlib}/lib/libz*.so* mr,
1202 - ${getLib pkgs.libssh2}/lib/libssh2*.so* mr,
1203 - ${getLib pkgs.systemd}/lib/libsystemd*.so* mr,
1204 - ${getLib pkgs.xz}/lib/liblzma*.so* mr,
1205 - ${getLib pkgs.libgcrypt}/lib/libgcrypt*.so* mr,
1206 - ${getLib pkgs.libgpgerror}/lib/libgpg-error*.so* mr,
1207 - ${getLib pkgs.nghttp2}/lib/libnghttp2*.so* mr,
1208 - ${getLib pkgs.c-ares}/lib/libcares*.so* mr,
1209 - ${getLib pkgs.libcap}/lib/libcap*.so* mr,
1210 - ${getLib pkgs.attr}/lib/libattr*.so* mr,
1211 - ${getLib pkgs.lz4}/lib/liblz4*.so* mr,
1212 - ${getLib pkgs.libkrb5}/lib/lib*.so* mr,
1213 - ${getLib pkgs.keyutils}/lib/libkeyutils*.so* mr,
1214 - ${getLib pkgs.utillinuxMinimal.out}/lib/libblkid.so.* mr,
1215 - ${getLib pkgs.utillinuxMinimal.out}/lib/libmount.so.* mr,
1216 - ${getLib pkgs.utillinuxMinimal.out}/lib/libuuid.so.* mr,
1217 - ${getLib pkgs.gcc.cc.lib}/lib/libstdc++.so.* mr,
1218 - ${getLib pkgs.gcc.cc.lib}/lib/libgcc_s.so.* mr,
1219 + mr ${getLib pkgs.stdenv.cc.cc}/lib/*.so*,
1220 + mr ${getLib pkgs.stdenv.cc.libc}/lib/*.so*,
1221 + mr ${getLib pkgs.attr}/lib/libattr*.so*,
1222 + mr ${getLib pkgs.c-ares}/lib/libcares*.so*,
1223 + mr ${getLib pkgs.curl}/lib/libcurl*.so*,
1224 + mr ${getLib pkgs.keyutils}/lib/libkeyutils*.so*,
1225 + mr ${getLib pkgs.libcap}/lib/libcap*.so*,
1226 + mr ${getLib pkgs.libevent}/lib/libevent*.so*,
1227 + mr ${getLib pkgs.libgcrypt}/lib/libgcrypt*.so*,
1228 + mr ${getLib pkgs.libgpgerror}/lib/libgpg-error*.so*,
1229 + mr ${getLib pkgs.libkrb5}/lib/lib*.so*,
1230 + mr ${getLib pkgs.libssh2}/lib/libssh2*.so*,
1231 + mr ${getLib pkgs.lz4}/lib/liblz4*.so*,
1232 + mr ${getLib pkgs.nghttp2}/lib/libnghttp2*.so*,
1233 + mr ${getLib pkgs.openssl}/lib/libcrypto*.so*,
1234 + mr ${getLib pkgs.openssl}/lib/libssl*.so*,
1235 + mr ${getLib pkgs.systemd}/lib/libsystemd*.so*,
1236 + mr ${getLib pkgs.utillinuxMinimal.out}/lib/libblkid.so*,
1237 + mr ${getLib pkgs.utillinuxMinimal.out}/lib/libmount.so*,
1238 + mr ${getLib pkgs.utillinuxMinimal.out}/lib/libuuid.so*,
1239 + mr ${getLib pkgs.xz}/lib/liblzma*.so*,
1240 + mr ${getLib pkgs.zlib}/lib/libz*.so*,
1242 - @{PROC}/sys/kernel/random/uuid r,
1243 - @{PROC}/sys/vm/overcommit_memory r,
1244 + r @{PROC}/sys/kernel/random/uuid,
1245 + r @{PROC}/sys/vm/overcommit_memory,
1246 + # @{pid} is not a kernel variable yet but a regexp
1247 + #r @{PROC}/@{pid}/environ,
1248 + r @{PROC}/@{pid}/mounts,
1249 + rwk /tmp/tr_session_id_*,
1251 - ${pkgs.openssl.out}/etc/** r,
1252 - ${pkgs.transmission}/share/transmission/** r,
1253 + r ${pkgs.openssl.out}/etc/**,
1254 + r ${config.systemd.services.transmission.environment.CURL_CA_BUNDLE},
1255 + r ${pkgs.transmission}/share/transmission/**,
1257 - owner ${settingsDir}/** rw,
1259 - ${fullSettings.download-dir}/** rw,
1260 - ${optionalString fullSettings.incomplete-dir-enabled ''
1261 - ${fullSettings.incomplete-dir}/** rw,
1262 + owner rw ${cfg.home}/${settingsDir}/**,
1263 + rw ${cfg.settings.download-dir}/**,
1264 + ${optionalString cfg.settings.incomplete-dir-enabled ''
1265 + rw ${cfg.settings.incomplete-dir}/**,
1268 + rw ${cfg.settings.download-dir}/**,
1269 + ${optionalString cfg.settings.incomplete-dir-enabled ''
1270 + rw ${cfg.settings.incomplete-dir}/**,
1274 + ${optionalString (cfg.settings.script-torrent-done-enabled &&
1275 + cfg.settings.script-torrent-done-filename != "") ''
1276 + # Stack transmission_directories profile on top of
1277 + # any existing profile for script-torrent-done-filename
1278 + # FIXME: to be tested as I'm not sure it works well with NoNewPrivileges=
1279 + # https://gitlab.com/apparmor/apparmor/-/wikis/AppArmorStacking#seccomp-and-no_new_privs
1280 + px ${cfg.settings.script-torrent-done-filename} -> &@{dirs},
1283 + # FIXME: enable customizing using https://github.com/NixOS/nixpkgs/pull/93457
1284 + # include <local/transmission-daemon>
1291 + meta.maintainers = with lib.maintainers; [ julm ];
1293 diff --git a/nixos/modules/virtualisation/lxc.nix b/nixos/modules/virtualisation/lxc.nix
1294 index f484d5ee59a..a2f4a9867c6 100644
1295 --- a/nixos/modules/virtualisation/lxc.nix
1296 +++ b/nixos/modules/virtualisation/lxc.nix
1297 @@ -74,9 +74,13 @@ in
1298 systemd.tmpfiles.rules = [ "d /var/lib/lxc/rootfs 0755 root root -" ];
1300 security.apparmor.packages = [ pkgs.lxc ];
1301 - security.apparmor.profiles = [
1302 - "${pkgs.lxc}/etc/apparmor.d/lxc-containers"
1303 - "${pkgs.lxc}/etc/apparmor.d/usr.bin.lxc-start"
1305 + security.apparmor.policies = {
1306 + "bin/lxc-start".profile = ''
1307 + #include ${pkgs.lxc}/etc/apparmor.d/usr.bin.lxc-start
1309 + "lxc-containers".profile = ''
1310 + #include ${pkgs.lxc}/etc/apparmor.d/lxc-containers
1315 diff --git a/nixos/modules/virtualisation/lxd.nix b/nixos/modules/virtualisation/lxd.nix
1316 index 3958fc2c1d7..84c8e88f8b4 100644
1317 --- a/nixos/modules/virtualisation/lxd.nix
1318 +++ b/nixos/modules/virtualisation/lxd.nix
1319 @@ -93,11 +93,15 @@ in
1321 security.apparmor = {
1324 - "${cfg.lxcPackage}/etc/apparmor.d/usr.bin.lxc-start"
1325 - "${cfg.lxcPackage}/etc/apparmor.d/lxc-containers"
1327 packages = [ cfg.lxcPackage ];
1329 + "bin/lxc-start".profile = ''
1330 + #include ${cfg.lxcPackage}/etc/apparmor.d/usr.bin.lxc-start
1332 + "lxc-containers".profile = ''
1333 + #include ${cfg.lxcPackage}/etc/apparmor.d/lxc-containers
1338 systemd.services.lxd = {
1339 diff --git a/nixos/tests/bittorrent.nix b/nixos/tests/bittorrent.nix
1340 index 0a97d5556a2..c195b60cd56 100644
1341 --- a/nixos/tests/bittorrent.nix
1342 +++ b/nixos/tests/bittorrent.nix
1343 @@ -19,6 +19,7 @@ let
1344 externalClient2Address = "80.100.100.2";
1345 externalTrackerAddress = "80.100.100.3";
1347 + download-dir = "/var/lib/transmission/Downloads";
1348 transmissionConfig = { ... }: {
1349 environment.systemPackages = [ pkgs.transmission ];
1350 services.transmission = {
1351 @@ -26,6 +27,7 @@ let
1353 dht-enabled = false;
1355 + inherit download-dir;
1359 @@ -117,12 +119,12 @@ in
1360 router.wait_for_unit("miniupnpd")
1362 # Create the torrent.
1363 - tracker.succeed("mkdir /tmp/data")
1364 + tracker.succeed("mkdir ${download-dir}/data")
1366 - "cp ${file} /tmp/data/test.tar.bz2"
1367 + "cp ${file} ${download-dir}/data/test.tar.bz2"
1370 - "transmission-create /tmp/data/test.tar.bz2 --private --tracker http://${externalTrackerAddress}:6969/announce --outfile /tmp/test.torrent"
1371 + "transmission-create ${download-dir}/data/test.tar.bz2 --private --tracker http://${externalTrackerAddress}:6969/announce --outfile /tmp/test.torrent"
1373 tracker.succeed("chmod 644 /tmp/test.torrent")
1375 @@ -133,18 +135,16 @@ in
1377 # Start the initial seeder.
1379 - "transmission-remote --add /tmp/test.torrent --no-portmap --no-dht --download-dir /tmp/data"
1380 + "transmission-remote --add /tmp/test.torrent --no-portmap --no-dht --download-dir ${download-dir}/data"
1383 # Now we should be able to download from the client behind the NAT.
1384 tracker.wait_for_unit("httpd")
1385 client1.wait_for_unit("network-online.target")
1386 + client1.succeed("transmission-remote --add http://${externalTrackerAddress}/test.torrent >&2 &")
1387 + client1.wait_for_file("${download-dir}/test.tar.bz2")
1389 - "transmission-remote --add http://${externalTrackerAddress}/test.torrent --download-dir /tmp >&2 &"
1391 - client1.wait_for_file("/tmp/test.tar.bz2")
1393 - "cmp /tmp/test.tar.bz2 ${file}"
1394 + "cmp ${download-dir}/test.tar.bz2 ${file}"
1397 # Bring down the initial seeder.
1398 @@ -154,11 +154,11 @@ in
1399 # the first client created a NAT hole in the router.
1400 client2.wait_for_unit("network-online.target")
1402 - "transmission-remote --add http://${externalTrackerAddress}/test.torrent --no-portmap --no-dht --download-dir /tmp >&2 &"
1403 + "transmission-remote --add http://${externalTrackerAddress}/test.torrent --no-portmap --no-dht >&2 &"
1405 - client2.wait_for_file("/tmp/test.tar.bz2")
1406 + client2.wait_for_file("${download-dir}/test.tar.bz2")
1408 - "cmp /tmp/test.tar.bz2 ${file}"
1409 + "cmp ${download-dir}/test.tar.bz2 ${file}"
1413 diff --git a/pkgs/os-specific/linux/apparmor/default.nix b/pkgs/os-specific/linux/apparmor/default.nix
1414 index 807ab4fa44b..fa7cded9aed 100644
1415 --- a/pkgs/os-specific/linux/apparmor/default.nix
1416 +++ b/pkgs/os-specific/linux/apparmor/default.nix
1428 @@ -38,6 +42,22 @@ let
1429 sha256 = "0xw028iqp69j9mxv0kbwraplgkj5i5djdlgf0anpkc5cdbsf96r9";
1432 + aa-teardown = writeShellScript "aa-teardown" ''
1433 + SECURITYFS=/sys/kernel/security
1434 + SFS_MOUNTPOINT="$SECURITYFS/apparmor"
1435 + ${gnused}/bin/sed -e "s/ (\(enforce\|complain\))$//" "$SFS_MOUNTPOINT/profiles" | \
1436 + LC_COLLATE=C ${coreutils}/bin/sort | ${gnugrep}/bin/grep -v // | {
1437 + while read -r profile ; do
1438 + printf "%s" "$profile" > "$SFS_MOUNTPOINT/.remove"
1440 + if [ "$rc" -ne 0 ] ; then
1444 + exit "''${retval:-0}"
1449 patch -p1 < ${gnumake43Patch}
1450 chmod a+x ./common/list_capabilities.sh ./common/list_af_names.sh
1451 @@ -145,6 +165,8 @@ let
1452 # aa-notify checks its name and does not work named ".aa-notify-wrapped"
1453 mv $out/bin/aa-notify $out/bin/aa-notify-wrapped
1454 makeWrapper ${perl}/bin/perl $out/bin/aa-notify --set PERL5LIB ${libapparmor}/${perl.libPrefix} --add-flags $out/bin/aa-notify-wrapped
1456 + ln -s ${aa-teardown} $out/bin/aa-teardown