From 44fde723be696020dc4c78d5deae3501b6cb088f Mon Sep 17 00:00:00 2001
From: Robert Obryk <robryk@gmail.com>
Date: Fri, 25 Aug 2023 21:52:40 +0200
Subject: [PATCH] nixos/security/wrappers: generate a separate and more
 complete apparmor policy fragment for each wrapper

This change includes some stuff (e.g. reading of the `.real` file,
execution of the wrapper's target) that belongs to the apparmor policy
of the wrapper. This necessitates making them distinct for each wrapper.
The main reason for this change is as a preparation for making each
wrapper be a distinct binary.
---
 nixos/modules/security/wrappers/default.nix | 9 ++++++---
 nixos/modules/tasks/network-interfaces.nix  | 6 ++----
 2 files changed, 8 insertions(+), 7 deletions(-)

diff --git a/nixos/modules/security/wrappers/default.nix b/nixos/modules/security/wrappers/default.nix
index 12255d8392fe..2f886cef3a7e 100644
--- a/nixos/modules/security/wrappers/default.nix
+++ b/nixos/modules/security/wrappers/default.nix
@@ -248,11 +248,14 @@ in
       export PATH="${wrapperDir}:$PATH"
     '';
 
-    security.apparmor.includes."nixos/security.wrappers" = ''
-      include "${pkgs.apparmorRulesFromClosure { name="security.wrappers"; } [
+    security.apparmor.includes = lib.mapAttrs' (wrapName: wrap: lib.nameValuePair
+     "nixos/security.wrappers/${wrapName}" ''
+      include "${pkgs.apparmorRulesFromClosure { name="security.wrappers.${wrapName}"; } [
         securityWrapper
       ]}"
-    '';
+      mrpx ${wrap.source},
+      r /run/wrappers/wrappers.*/${wrapName}.real,
+    '') wrappers;
 
     ###### wrappers activation script
     system.activationScripts.wrappers =
diff --git a/nixos/modules/tasks/network-interfaces.nix b/nixos/modules/tasks/network-interfaces.nix
index eb1c7512d920..0d4033ca9430 100644
--- a/nixos/modules/tasks/network-interfaces.nix
+++ b/nixos/modules/tasks/network-interfaces.nix
@@ -1396,14 +1396,12 @@ in
     security.apparmor.policies."bin.ping".profile = lib.mkIf config.security.apparmor.policies."bin.ping".enable (lib.mkAfter ''
       /run/wrappers/bin/ping {
         include <abstractions/base>
-        include <nixos/security.wrappers>
+        include <nixos/security.wrappers/ping>
         rpx /run/wrappers/wrappers.*/ping,
       }
       /run/wrappers/wrappers.*/ping {
         include <abstractions/base>
-        include <nixos/security.wrappers>
-        r /run/wrappers/wrappers.*/ping.real,
-        mrpx ${config.security.wrappers.ping.source},
+        include <nixos/security.wrappers/ping>
         capability net_raw,
         capability setpcap,
       }