1 { config, lib, pkgs, ... }:
3 inherit (builtins) attrNames hasAttr isAttrs;
5 inherit (config.environment) etc;
6 # Utility to generate an AppArmor rule
7 # only when the given path exists in config.environment.etc
9 let go = { path ? null, mode ? "r", trail ? "" }:
10 lib.optionalString (hasAttr path etc)
11 "${mode} ${config.environment.etc.${path}.source}${trail},";
14 else go { path = arg; };
17 # FIXME: most of the etcRule calls below have been
18 # written systematically by converting from apparmor-profiles's profiles
19 # without testing or a deep understanding of their uses,
20 # and thus may need more rules or fewer rules;
21 # this remains to be determined case by case,
22 # some may even be completely useless.
23 config.security.apparmor.includes = {
24 # This one is included by <tunables/global>
25 # which is usually included before any profile.
26 "abstractions/tunables/alias" = ''
27 alias /bin -> /run/current-system/sw/bin,
28 alias /lib/modules -> /run/current-system/kernel/lib/modules,
29 alias /sbin -> /run/current-system/sw/sbin,
30 alias /usr -> /run/current-system/sw,
32 "abstractions/audio" = ''
33 include "${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/audio"
34 '' + lib.concatMapStringsSep "\n" etcRule [
38 { path = "pulse"; trail = "/"; }
39 { path = "pulse"; trail = "/**"; }
40 { path = "sound"; trail = "/"; }
41 { path = "sound"; trail = "/**"; }
42 { path = "alsa/conf.d"; trail = "/"; }
43 { path = "alsa/conf.d"; trail = "/*"; }
45 "wildmidi/wildmidi.conf"
47 "abstractions/authentication" = ''
48 include "${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/authentication"
49 # Defined in security.pam
50 include <abstractions/pam>
51 '' + lib.concatMapStringsSep "\n" etcRule [
54 { path = "security"; trail = "/*"; }
61 "abstractions/base" = ''
62 include "${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/base"
63 r ${pkgs.stdenv.cc.libc}/share/locale/**,
64 r ${pkgs.stdenv.cc.libc}/share/locale.alias,
65 ${lib.optionalString (pkgs.glibcLocales != null) "r ${pkgs.glibcLocales}/lib/locale/locale-archive,"}
66 ${etcRule "localtime"}
67 r ${pkgs.tzdata}/share/zoneinfo/**,
68 r ${pkgs.stdenv.cc.libc}/share/i18n/**,
70 "abstractions/bash" = ''
71 include "${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/bash"
73 # bash inspects filesystems at startup
74 # and /etc/mtab is linked to /proc/mounts
77 # system-wide bash configuration
78 '' + lib.concatMapStringsSep "\n" etcRule [
82 { path = "profile.d"; trail = "/*"; }
88 { path = "bash_completion.d"; trail = "/*"; }
89 # bash relies on system-wide readline configuration
91 # run out of /etc/bash.bashrc
94 "abstractions/consoles" = ''
95 include "${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/consoles"
97 "abstractions/cups-client" = ''
98 include "${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/cups-client"
99 ${etcRule "cups/cups-client.conf"}
101 "abstractions/dbus-session-strict" = ''
102 include "${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/dbus-session-strict"
103 ${etcRule "machine-id"}
105 "abstractions/dconf" = ''
106 include "${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/dconf"
107 ${etcRule { path = "dconf"; trail = "/**"; }}
109 "abstractions/dri-common" = ''
110 include "${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/dri-common"
113 # The config.fonts.fontconfig NixOS module adds many files to /etc/fonts/
114 # by symlinking them but without exporting them outside of its NixOS module,
115 # those are therefore added here, to this "abstractions/fonts".
116 "abstractions/fonts" = ''
117 include "${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/fonts"
118 ${etcRule { path = "fonts"; trail = "/**"; }}
120 "abstractions/gnome" = ''
121 include "${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/gnome"
122 include <abstractions/fonts>
123 '' + lib.concatMapStringsSep "\n" etcRule [
124 { path = "gnome"; trail = "/gtkrc*"; }
125 { path = "gtk"; trail = "/*"; }
126 { path = "gtk-2.0"; trail = "/*"; }
127 { path = "gtk-3.0"; trail = "/*"; }
129 { path = "pango"; trail = "/*"; }
130 { path = "/etc/gnome-vfs-2.0"; trail = "/modules/"; }
131 { path = "/etc/gnome-vfs-2.0"; trail = "/modules/*"; }
133 { path = "cups"; trail = "/lpoptions"; }
134 { path = "gnome"; trail = "/defaults.list"; }
135 { path = "xdg"; trail = "/{,*-}mimeapps.list"; }
138 "abstractions/kde" = ''
139 include "${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/kde"
140 '' + lib.concatMapStringsSep "\n" etcRule [
141 { path = "qt3"; trail = "/kstylerc"; }
142 { path = "qt3"; trail = "/qt_plugins_3.3rc"; }
143 { path = "qt3"; trail = "/qtrc"; }
145 { path = "kde3"; trail = "/*"; }
147 { path = "xdg"; trail = "/kdeglobals"; }
148 { path = "xdg"; trail = "/Trolltech.conf"; }
150 "abstractions/kerberosclient" = ''
151 include "${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/kerberosclient"
152 '' + lib.concatMapStringsSep "\n" etcRule [
153 { path = "krb5.keytab"; mode="rk"; }
156 { path = "krb5.conf.d"; trail = "/*"; }
158 # config files found via strings on libs
163 "abstractions/ldapclient" = ''
164 include "${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/ldapclient"
165 '' + lib.concatMapStringsSep "\n" etcRule [
168 { path = "openldap"; trail = "/*"; }
169 { path = "openldap"; trail = "/cacerts/*"; }
170 { path = "sasl2"; trail = "/*"; }
172 "abstractions/likewise" = ''
173 include "${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/likewise"
175 "abstractions/mdns" = ''
176 include "${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/mdns"
177 ${etcRule "nss_mdns.conf"}
179 "abstractions/nameservice" = ''
180 include "${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/nameservice"
182 # Many programs wish to perform nameservice-like operations, such as
183 # looking up users by name or id, groups by name or id, hosts by name
184 # or IP, etc. These operations may be performed through files, dns,
185 # NIS, NIS+, LDAP, hesiod, wins, etc. Allow them all here.
186 mr ${getLib pkgs.nss}/lib/libnss_*.so*,
187 mr ${getLib pkgs.nss}/lib64/libnss_*.so*,
188 '' + lib.concatMapStringsSep "\n" etcRule [
197 # libtirpc (used for NIS/YP login) needs this
202 { path = "samba"; trail = "/lmhosts"; }
207 # libnl-3-200 via libnss-gw-name
208 { path = "libnl"; trail = "/classid"; }
209 { path = "libnl-3"; trail = "/classid"; }
211 "abstractions/nis" = ''
212 include "${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/nis"
214 "abstractions/nvidia" = ''
215 include "${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/nvidia"
216 ${etcRule "vdpau_wrapper.cfg"}
218 "abstractions/opencl-common" = ''
219 include "${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/opencl-common"
220 ${etcRule { path = "OpenCL"; trail = "/**"; }}
222 "abstractions/opencl-mesa" = ''
223 include "${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/opencl-mesa"
224 ${etcRule "default/drirc"}
226 "abstractions/openssl" = ''
227 include "${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/openssl"
228 ${etcRule { path = "ssl"; trail = "/openssl.cnf"; }}
230 "abstractions/p11-kit" = ''
231 include "${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/p11-kit"
232 '' + lib.concatMapStringsSep "\n" etcRule [
233 { path = "pkcs11"; trail = "/"; }
234 { path = "pkcs11"; trail = "/pkcs11.conf"; }
235 { path = "pkcs11"; trail = "/modules/"; }
236 { path = "pkcs11"; trail = "/modules/*"; }
238 "abstractions/perl" = ''
239 include "${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/perl"
240 ${etcRule { path = "perl"; trail = "/**"; }}
242 "abstractions/php" = ''
243 include "${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/php"
244 '' + lib.concatMapStringsSep "\n" etcRule [
245 { path = "php"; trail = "/**/"; }
246 { path = "php5"; trail = "/**/"; }
247 { path = "php7"; trail = "/**/"; }
248 { path = "php"; trail = "/**.ini"; }
249 { path = "php5"; trail = "/**.ini"; }
250 { path = "php7"; trail = "/**.ini"; }
252 "abstractions/postfix-common" = ''
253 include "${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/postfix-common"
254 '' + lib.concatMapStringsSep "\n" etcRule [
256 { path = "postfix"; trail = "/*.cf"; }
260 "abstractions/python" = ''
261 include "${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/python"
263 "abstractions/qt5" = ''
264 include "${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/qt5"
265 '' + lib.concatMapStringsSep "\n" etcRule [
266 { path = "xdg"; trail = "/QtProject/qtlogging.ini"; }
267 { path = "xdg/QtProject"; trail = "/qtlogging.ini"; }
268 "xdg/QtProject/qtlogging.ini"
270 "abstractions/samba" = ''
271 include "${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/samba"
272 ${etcRule { path = "samba"; trail = "/*"; }}
274 "abstractions/ssl_certs" = ''
275 include "${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/ssl_certs"
277 # For the NixOS module: security.acme
278 r /var/lib/acme/*/cert.pem,
279 r /var/lib/acme/*/chain.pem,
280 r /var/lib/acme/*/fullchain.pem,
282 '' + lib.concatMapStringsSep "\n" etcRule [
283 "ssl/certs/ca-certificates.crt"
284 "ssl/certs/ca-bundle.crt"
285 "pki/tls/certs/ca-bundle.crt"
287 { path = "ssl/trust"; trail = "/"; }
288 { path = "ssl/trust"; trail = "/*"; }
289 { path = "ssl/trust/anchors"; trail = "/"; }
290 { path = "ssl/trust/anchors"; trail = "/**"; }
291 { path = "pki/trust"; trail = "/"; }
292 { path = "pki/trust"; trail = "/*"; }
293 { path = "pki/trust/anchors"; trail = "/"; }
294 { path = "pki/trust/anchors"; trail = "/**"; }
296 "abstractions/ssl_keys" = ''
297 # security.acme NixOS module
298 r /var/lib/acme/*/full.pem,
299 r /var/lib/acme/*/key.pem,
301 "abstractions/vulkan" = ''
302 include "${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/vulkan"
303 ${etcRule { path = "vulkan/icd.d"; trail = "/"; }}
304 ${etcRule { path = "vulkan/icd.d"; trail = "/*.json"; }}
306 "abstractions/winbind" = ''
307 include "${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/winbind"
308 ${etcRule { path = "samba"; trail = "/smb.conf"; }}
309 ${etcRule { path = "samba"; trail = "/dhcp.conf"; }}
311 "abstractions/X" = ''
312 include "${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/X"
313 ${etcRule { path = "X11/cursors"; trail = "/"; }}
314 ${etcRule { path = "X11/cursors"; trail = "/**"; }}