1 { config, lib, pkgs, ... }:
2 let
3   inherit (builtins) attrNames hasAttr isAttrs;
4   inherit (lib) getLib;
5   inherit (config.environment) etc;
6   # Utility to generate an AppArmor rule
7   # only when the given path exists in config.environment.etc
8   etcRule = arg:
9     let go = { path ? null, mode ? "r", trail ? "" }:
10       lib.optionalString (hasAttr path etc)
11         "${mode} ${config.environment.etc.${path}.source}${trail},";
12     in if isAttrs arg
13     then go arg
14     else go { path = arg; };
# FIXME: most of the etcRule calls below were
# written systematically by converting apparmor-profiles's profiles
# without testing or a deep understanding of their uses,
# and thus may need more rules or fewer;
# this remains to be determined case by case,
# and some may even be completely useless.
23 config.security.apparmor.includes = {
  # This one is included by <tunables/global>
  # which is usually included before any profile.
  # Each AppArmor alias rule maps an FHS prefix used by upstream profiles
  # onto the /run/current-system location NixOS provides instead.
  "abstractions/tunables/alias" = ''
    alias /bin -> /run/current-system/sw/bin,
    alias /lib/modules -> /run/current-system/kernel/lib/modules,
    alias /sbin -> /run/current-system/sw/sbin,
    alias /usr -> /run/current-system/sw,
  '';
  # Upstream audio abstraction plus read access to the NixOS-managed
  # sources of the audio configuration under /etc.  Entries with a
  # trailing "/" cover the directory itself; "/**" or "/*" its contents.
  "abstractions/audio" = ''
    include "${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/audio"
    '' + lib.concatMapStringsSep "\n" etcRule [
      "asound.conf"
      "esound/esd.conf"
      "libao.conf"
      { path = "pulse";  trail = "/"; }
      { path = "pulse";  trail = "/**"; }
      { path = "sound";  trail = "/"; }
      { path = "sound";  trail = "/**"; }
      { path = "alsa/conf.d";  trail = "/"; }
      { path = "alsa/conf.d";  trail = "/*"; }
      "openal/alsoft.conf"
      "wildmidi/wildmidi.conf"
    ];
  # Upstream authentication abstraction, the NixOS-generated PAM include
  # and the credential databases.  NOTE(review): /etc/shadow and
  # /etc/gshadow are presumably written at activation rather than declared
  # in environment.etc, in which case the "shadow"/"gshadow" entries emit
  # no rule here -- confirm before relying on this for PAM-using profiles.
  "abstractions/authentication" = ''
    include "${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/authentication"
    # Defined in security.pam
    include <abstractions/pam>
    '' + lib.concatMapStringsSep "\n" etcRule [
      "nologin"
      "securetty"
      { path = "security";  trail = "/*"; }
      "shadow"
      "gshadow"
      "pwdb.conf"
      "default/passwd"
      "login.defs"
    ];
  # Upstream base abstraction plus read access to glibc's locale data, the
  # locale archive, the source of /etc/localtime (when declared) and
  # tzdata's zoneinfo, all of which live in the Nix store rather than under
  # the usual FHS paths.
  "abstractions/base" = ''
    include "${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/base"
    r ${pkgs.stdenv.cc.libc}/share/locale/**,
    r ${pkgs.stdenv.cc.libc}/share/locale.alias,
    r ${config.i18n.glibcLocales}/lib/locale/locale-archive,
    ${etcRule "localtime"}
    r ${pkgs.tzdata}/share/zoneinfo/**,
    r ${pkgs.stdenv.cc.libc}/share/i18n/**,
  '';
  # Upstream bash abstraction plus the NixOS sources of the system-wide
  # shell start-up, completion, readline and dircolors configuration.
  "abstractions/bash" = ''
    include "${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/bash"
    # bash inspects filesystems at startup
    # and /etc/mtab is linked to /proc/mounts
    r @{PROC}/mounts,
    # system-wide bash configuration
    '' + lib.concatMapStringsSep "\n" etcRule [
      "profile.dos"
      "profile"
      "profile.d"
      { path = "profile.d";  trail = "/*"; }
      "bashrc"
      "bash.bashrc"
      "bash.bashrc.local"
      "bash_completion"
      "bash_completion.d"
      { path = "bash_completion.d";  trail = "/*"; }
      # bash relies on system-wide readline configuration
      "inputrc"
      # run out of /etc/bash.bashrc
      "DIR_COLORS"
    ];
  # Upstream consoles abstraction only; no NixOS-specific paths are added.
  "abstractions/consoles" = ''
     include "${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/consoles"
  '';
  # Upstream cups-client abstraction plus the source of
  # /etc/cups/cups-client.conf, when declared.
  "abstractions/cups-client" = ''
    include "${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/cups-client"
    ${etcRule "cups/cups-client.conf"}
  '';
  # Upstream abstraction plus the source of /etc/machine-id, when it is
  # declared through environment.etc.
  "abstractions/dbus-session-strict" = ''
    include "${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/dbus-session-strict"
    ${etcRule "machine-id"}
  '';
  # Upstream dconf abstraction plus everything below /etc/dconf.
  "abstractions/dconf" = ''
    include "${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/dconf"
    ${etcRule { path = "dconf";  trail = "/**"; }}
  '';
  # Upstream dri-common abstraction plus the source of /etc/drirc.
  "abstractions/dri-common" = ''
    include "${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/dri-common"
    ${etcRule "drirc"}
  '';
  # The config.fonts.fontconfig NixOS module adds many files to /etc/fonts/
  # by symlinking them but without exporting them outside of its NixOS module,
  # so they are granted here, recursively, as part of "abstractions/fonts".
  "abstractions/fonts" = ''
    include "${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/fonts"
    ${etcRule { path = "fonts";  trail = "/**"; }}
  '';
120   "abstractions/gnome" = ''
121     include "${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/gnome"
122     include <abstractions/fonts>
123     '' + lib.concatMapStringsSep "\n" etcRule [
124       { path = "gnome";  trail = "/gtkrc*"; }
125       { path = "gtk";  trail = "/*"; }
126       { path = "gtk-2.0";  trail = "/*"; }
127       { path = "gtk-3.0";  trail = "/*"; }
128       "orbitrc"
129       { path = "pango";  trail = "/*"; }
130       { path = "/etc/gnome-vfs-2.0";  trail = "/modules/"; }
131       { path = "/etc/gnome-vfs-2.0";  trail = "/modules/*"; }
132       "papersize"
133       { path = "cups";  trail = "/lpoptions"; }
134       { path = "gnome";  trail = "/defaults.list"; }
135       { path = "xdg";  trail = "/{,*-}mimeapps.list"; }
136       "xdg/mimeapps.list"
137     ];
  # Upstream kde abstraction plus Qt3, KDE3/KDE4 and XDG-level KDE/Qt
  # configuration sources.
  "abstractions/kde" = ''
    include "${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/kde"
    '' + lib.concatMapStringsSep "\n" etcRule [
      { path = "qt3";  trail = "/kstylerc"; }
      { path = "qt3";  trail = "/qt_plugins_3.3rc"; }
      { path = "qt3";  trail = "/qtrc"; }
      "kderc"
      { path = "kde3";  trail = "/*"; }
      "kde4rc"
      { path = "xdg";  trail = "/kdeglobals"; }
      { path = "xdg";  trail = "/Trolltech.conf"; }
    ];
  # Upstream kerberosclient abstraction plus Kerberos client configuration.
  # The keytab entry is the only one with an explicit mode ("rk": read plus
  # file locking); everything else gets the default read-only rule.
  "abstractions/kerberosclient" = ''
    include "${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/kerberosclient"
    '' + lib.concatMapStringsSep "\n" etcRule [
    { path = "krb5.keytab"; mode="rk"; }
    "krb5.conf"
    "krb5.conf.d"
    { path = "krb5.conf.d";  trail = "/*"; }
    # config files found via strings on libs
    "krb.conf"
    "krb.realms"
    "srvtab"
    ];
  # Upstream ldapclient abstraction plus LDAP/SASL client configuration,
  # including ldap.secret and the OpenLDAP CA certificate directory.
  "abstractions/ldapclient" = ''
    include "${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/ldapclient"
    '' + lib.concatMapStringsSep "\n" etcRule [
      "ldap.conf"
      "ldap.secret"
      { path = "openldap";  trail = "/*"; }
      { path = "openldap";  trail = "/cacerts/*"; }
      { path = "sasl2";  trail = "/*"; }
    ];
  # Upstream likewise abstraction only; no NixOS-specific paths are added.
  "abstractions/likewise" = ''
    include "${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/likewise"
  '';
  # Upstream mdns abstraction plus the source of /etc/nss_mdns.conf.
  "abstractions/mdns" = ''
    include "${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/mdns"
    ${etcRule "nss_mdns.conf"}
  '';
  # Upstream nameservice abstraction plus NSS module libraries and the
  # NixOS sources of the usual user/group/host/service databases.
  # NOTE(review): pkgs.nss is Mozilla NSS (libnss3.so and friends), whereas
  # glibc's name-service modules are named libnss_*.so.2 and ship with the
  # glibc output, and NixOS's extra modules (system.nssModules) are exposed
  # under /run/current-system/sw/lib -- confirm the two "mr" globs below
  # match the files the resolver actually loads.
  "abstractions/nameservice" = ''
    include "${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/nameservice"
    # Many programs wish to perform nameservice-like operations, such as
    # looking up users by name or id, groups by name or id, hosts by name
    # or IP, etc. These operations may be performed through files, dns,
    # NIS, NIS+, LDAP, hesiod, wins, etc. Allow them all here.
    mr ${getLib pkgs.nss}/lib/libnss_*.so*,
    mr ${getLib pkgs.nss}/lib64/libnss_*.so*,
    '' + lib.concatMapStringsSep "\n" etcRule [
      "group"
      "host.conf"
      "hosts"
      "nsswitch.conf"
      "gai.conf"
      "passwd"
      "protocols"
      # libtirpc (used for NIS/YP login) needs this
      "netconfig"
      "resolv.conf"
      { path = "samba";  trail = "/lmhosts"; }
      "services"
      "default/nss"
      # libnl-3-200 via libnss-gw-name
      { path = "libnl";  trail = "/classid"; }
      { path = "libnl-3";  trail = "/classid"; }
    ];
  # Upstream nis abstraction only; no NixOS-specific paths are added.
  "abstractions/nis" = ''
    include "${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/nis"
  '';
  # Upstream nss-systemd abstraction only; no NixOS-specific paths are added.
  "abstractions/nss-systemd" = ''
    include "${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/nss-systemd"
  '';
  # Upstream nvidia abstraction plus the source of /etc/vdpau_wrapper.cfg.
  "abstractions/nvidia" = ''
    include "${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/nvidia"
    ${etcRule "vdpau_wrapper.cfg"}
  '';
  # Upstream opencl-common abstraction plus everything below /etc/OpenCL.
  "abstractions/opencl-common" = ''
    include "${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/opencl-common"
    ${etcRule { path = "OpenCL";  trail = "/**"; }}
  '';
  # Upstream opencl-mesa abstraction plus the source of /etc/default/drirc.
  "abstractions/opencl-mesa" = ''
    include "${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/opencl-mesa"
    ${etcRule "default/drirc"}
  '';
  # Upstream openssl abstraction plus the source of /etc/ssl/openssl.cnf.
  "abstractions/openssl" = ''
    include "${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/openssl"
    ${etcRule { path = "ssl";  trail = "/openssl.cnf"; }}
  '';
  # Upstream p11-kit abstraction plus the /etc/pkcs11 directory, its
  # pkcs11.conf, and the modules directory together with its entries.
  "abstractions/p11-kit" = ''
    include "${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/p11-kit"
    '' + lib.concatMapStringsSep "\n" etcRule [
      { path = "pkcs11";  trail = "/"; }
      { path = "pkcs11";  trail = "/pkcs11.conf"; }
      { path = "pkcs11";  trail = "/modules/"; }
      { path = "pkcs11";  trail = "/modules/*"; }
    ];
  # Upstream perl abstraction plus everything below /etc/perl.
  "abstractions/perl" = ''
    include "${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/perl"
    ${etcRule { path = "perl";  trail = "/**"; }}
  '';
  # Upstream php abstraction plus the php/php5/php7 configuration trees:
  # the directories recursively, and every .ini file below them.
  "abstractions/php" = ''
    include "${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/php"
    '' + lib.concatMapStringsSep "\n" etcRule [
      { path = "php";  trail = "/**/"; }
      { path = "php5";  trail = "/**/"; }
      { path = "php7";  trail = "/**/"; }
      { path = "php";  trail = "/**.ini"; }
      { path = "php5";  trail = "/**.ini"; }
      { path = "php7";  trail = "/**.ini"; }
    ];
  # Upstream postfix-common abstraction plus /etc/mailname and the Postfix
  # *.cf files.  main.cf and master.cf are listed both via the "postfix"
  # directory entry and by full path, so either way of declaring them in
  # environment.etc yields a rule.
  "abstractions/postfix-common" = ''
    include "${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/postfix-common"
    '' + lib.concatMapStringsSep "\n" etcRule [
      "mailname"
      { path = "postfix";  trail = "/*.cf"; }
      "postfix/main.cf"
      "postfix/master.cf"
    ];
  # Upstream python abstraction only; no NixOS-specific paths are added.
  "abstractions/python" = ''
    include "${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/python"
  '';
  # Upstream qt5 abstraction plus Qt's logging configuration; the three
  # entries name the same file through the different environment.etc
  # attributes it can be declared under.
  "abstractions/qt5" = ''
    include "${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/qt5"
    '' + lib.concatMapStringsSep "\n" etcRule [
      { path = "xdg";  trail = "/QtProject/qtlogging.ini"; }
      { path = "xdg/QtProject";  trail = "/qtlogging.ini"; }
      "xdg/QtProject/qtlogging.ini"
    ];
  # Upstream samba abstraction plus the direct contents of /etc/samba.
  "abstractions/samba" = ''
    include "${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/samba"
    ${etcRule { path = "samba";  trail = "/*"; }}
  '';
  # Upstream ssl_certs abstraction plus public certificate material only:
  # ACME-issued certificates and chains, and the CA bundle and trust-anchor
  # locations, wherever environment.etc declares them.  Private keys are
  # kept out of this abstraction (see "abstractions/ssl_keys").
  "abstractions/ssl_certs" = ''
    include "${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/ssl_certs"
    # For the NixOS module: security.acme
    r /var/lib/acme/*/cert.pem,
    r /var/lib/acme/*/chain.pem,
    r /var/lib/acme/*/fullchain.pem,
    r /etc/pki/tls/certs/,
    '' + lib.concatMapStringsSep "\n" etcRule [
      "ssl/certs/ca-certificates.crt"
      "ssl/certs/ca-bundle.crt"
      "pki/tls/certs/ca-bundle.crt"
      { path = "ssl/trust";  trail = "/"; }
      { path = "ssl/trust";  trail = "/*"; }
      { path = "ssl/trust/anchors";  trail = "/"; }
      { path = "ssl/trust/anchors";  trail = "/**"; }
      { path = "pki/trust";  trail = "/"; }
      { path = "pki/trust";  trail = "/*"; }
      { path = "pki/trust/anchors";  trail = "/"; }
      { path = "pki/trust/anchors";  trail = "/**"; }
    ];
  # Read access to the private key material written by the security.acme
  # module (key.pem, plus full.pem, which the acme module builds as key
  # plus full chain).  Unlike the other abstractions nothing from
  # pkgs.apparmor-profiles is included; pull this only into profiles of
  # services that actually terminate TLS with those keys.
  "abstractions/ssl_keys" = ''
    # security.acme NixOS module
    r /var/lib/acme/*/full.pem,
    r /var/lib/acme/*/key.pem,
  '';
  # Upstream vulkan abstraction plus the /etc/vulkan/icd.d directory and
  # its JSON ICD manifests.
  "abstractions/vulkan" = ''
    include "${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/vulkan"
    ${etcRule { path = "vulkan/icd.d";  trail = "/"; }}
    ${etcRule { path = "vulkan/icd.d";  trail = "/*.json"; }}
  '';
  # Upstream winbind abstraction plus the sources of /etc/samba/smb.conf
  # and /etc/samba/dhcp.conf.
  "abstractions/winbind" = ''
    include "${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/winbind"
    ${etcRule { path = "samba";  trail = "/smb.conf"; }}
    ${etcRule { path = "samba";  trail = "/dhcp.conf"; }}
  '';
  # Upstream X abstraction plus the /etc/X11/cursors directory and
  # everything below it.
  "abstractions/X" = ''
    include "${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/X"
    ${etcRule { path = "X11/cursors";  trail = "/"; }}
    ${etcRule { path = "X11/cursors";  trail = "/**"; }}
  '';