nixos: add AppArmor PAM support
Enables attaching AppArmor profiles at the user/group level. This is not intended to be used directly, but as part of a role-based access control scheme. For now, profile attachment is 'session optional', but should be changed to 'required' once a more comprehensive solution is in place.
This commit is contained in:
parent
6ad8fab785
commit
2e0933787b
2 changed files with 12 additions and 8 deletions
|
@ -37,13 +37,5 @@ in
|
||||||
) cfg.profiles;
|
) cfg.profiles;
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
|
||||||
security.pam.services.apparmor.text = ''
|
|
||||||
## AppArmor changes hats according to `order`: first try user, then
|
|
||||||
## group, and finally fall back to a hat called "DEFAULT"
|
|
||||||
##
|
|
||||||
## For now, enable debugging as this is an experimental feature.
|
|
||||||
session optional ${pkgs.apparmor-pam}/lib/security/pam_apparmor.so order=user,group,default debug
|
|
||||||
'';
|
|
||||||
};
|
};
|
||||||
}
|
}
|
||||||
|
|
|
@ -192,6 +192,16 @@ let
|
||||||
description = "Whether to log authentication failures in <filename>/var/log/faillog</filename>.";
|
description = "Whether to log authentication failures in <filename>/var/log/faillog</filename>.";
|
||||||
};
|
};
|
||||||
|
|
||||||
|
enableAppArmor = mkOption {
|
||||||
|
default = false;
|
||||||
|
type = types.bool;
|
||||||
|
description = ''
|
||||||
|
Enable support for attaching AppArmor profiles at the
|
||||||
|
user/group level, e.g., as part of a role based access
|
||||||
|
control scheme.
|
||||||
|
'';
|
||||||
|
};
|
||||||
|
|
||||||
text = mkOption {
|
text = mkOption {
|
||||||
type = types.nullOr types.lines;
|
type = types.nullOr types.lines;
|
||||||
description = "Contents of the PAM service file.";
|
description = "Contents of the PAM service file.";
|
||||||
|
@ -294,6 +304,8 @@ let
|
||||||
"session optional ${pkgs.pam}/lib/security/pam_motd.so motd=${motd}"}
|
"session optional ${pkgs.pam}/lib/security/pam_motd.so motd=${motd}"}
|
||||||
${optionalString cfg.pamMount
|
${optionalString cfg.pamMount
|
||||||
"session optional ${pkgs.pam_mount}/lib/security/pam_mount.so"}
|
"session optional ${pkgs.pam_mount}/lib/security/pam_mount.so"}
|
||||||
|
${optionalString (cfg.enableAppArmor && config.security.apparmor.enable)
|
||||||
|
"session optional ${pkgs.apparmor-pam}/lib/security/pam_apparmor.so order=user,group,default debug"}
|
||||||
'';
|
'';
|
||||||
};
|
};
|
||||||
|
|
||||||
|
|
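Review bot: The new `pam_apparmor.so` line in the third hunk hard-codes `debug`, and the only justification for it (`## For now, enable debugging as this is an experimental feature.`) lives in the per-service file the first hunk deletes, so the rationale for logging every hat change does not survive the move. Keep it next to the line as a Nix comment, e.g. `# Hats are tried in the order user, group, then "DEFAULT"; debug stays on while this is experimental.`, or gate `debug` on a separate flag so it can be turned off without editing the module. Because the line is gated on `config.security.apparmor.enable`, the `enableAppArmor` option added in the second hunk silently does nothing when AppArmor itself is disabled; stating that dependency in the option's description (or adding an assertion) would avoid a false sense of confinement. With `session optional`, a failed hat switch still leaves the session unconfined, as the commit description acknowledges, which is worth repeating in the description text. The enclosing `let` binding that builds the service file text starts outside the hunk.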