kernel: enable AppArmor by default

AppArmor only requires a few patches to the 3.2 and 3.4 kernels in order to work properly (with the minor catch grsecurity -stable includes the 3.2 patches.) This adds them to the kernel builds by default, removes features.apparmor (since it's always true) and makes it the default MAC system. Signed-off-by: Austin Seipp <aseipp@pobox.com>
2025-07-13 21:50:33 +03:00 · 2014-05-07 17:59:29 -05:00 · 2014-05-07 17:59:29 -05:00 · 92abc4c610
commit 92abc4c610
parent 3efdeef6a3
13 changed files with 2868 additions and 54 deletions
--- a/nixos/modules/security/apparmor.nix
+++ b/nixos/modules/security/apparmor.nix
@ -23,13 +23,6 @@ in
  };

  config = mkIf cfg.enable {
-    assertions =
-      [ { assertion = config.boot.kernelPackages.kernel.features ? apparmor
-                   && config.boot.kernelPackages.kernel.features.apparmor;
-          message = "Your selected kernel does not have AppArmor support";
-        }
-      ];
-
    environment.systemPackages = [ pkgs.apparmor ];
    systemd.services.apparmor = {
      wantedBy = [ "local-fs.target" ];
--- a/nixos/modules/security/grsecurity.nix
+++ b/nixos/modules/security/grsecurity.nix
@ -73,8 +73,6 @@ let
        restrictLinks = optionalString cfg.testing
          "GRKERNSEC_LINK n";
    in ''
-      SECURITY_APPARMOR y
-      DEFAULT_SECURITY_APPARMOR y
      GRKERNSEC y
      ${grsecMainConfig}

@ -434,7 +432,7 @@ in
        chmod -R 0600 /etc/grsec
      '';

-    # Enable apparmor support, gradm udev rules, and utilities
+    # Enable AppArmor, gradm udev rules, and utilities
    security.apparmor.enable   = true;
    boot.kernelPackages        = grsecPackage;
    services.udev.packages     = [ pkgs.gradm ];