dnscrypt-proxy service: update AppArmor profile

This patch fixes the AppArmor profile path clause and adds (currently ignored) network rules. The AppArmor profile used to be defined for the path sbin/dnscrypt-proxy, but the real path is bin/dnscrypt-proxy (due to sbin now being a symlink to bin), which permitted the service to run unconfined. Adding the network rules has no effect other than improving correctness, as the version of AppArmor in the NixOS kernel fails to enforce network rules.
2025-07-13 13:40:28 +03:00 · 2015-01-09 13:57:04 +01:00 · 2015-01-09 13:57:04 +01:00 · 97bac259d0
commit 97bac259d0
parent b6f8d1f6d5
1 changed files with 7 additions and 2 deletions
--- a/nixos/modules/services/networking/dnscrypt-proxy.nix
+++ b/nixos/modules/services/networking/dnscrypt-proxy.nix
@ -88,7 +88,12 @@ in
    security.apparmor.profiles = mkIf apparmorEnabled [
      (pkgs.writeText "apparmor-dnscrypt-proxy" ''

-        ${dnscrypt-proxy}/sbin/dnscrypt-proxy {
+        ${dnscrypt-proxy}/bin/dnscrypt-proxy {
+          network inet stream,
+          network inet6 stream,
+          network inet dgram,
+          network inet6 dgram,
+
          capability ipc_lock,
          capability net_bind_service,
          capability net_admin,
@ -126,7 +131,7 @@ in
      wantedBy = [ "multi-user.target" ];
      serviceConfig = {
        Type = "forking";
-        ExecStart = "${dnscrypt-proxy}/sbin/dnscrypt-proxy ${toString daemonArgs}";
+        ExecStart = "${dnscrypt-proxy}/bin/dnscrypt-proxy ${toString daemonArgs}";
      };
    };