nixos/security: init lsm option (#395855)

nixos/modules/module-list.nix

@@ -367,6 +367,7 @@
   ./security/auditd.nix
   ./security/ca.nix
   ./security/chromium-suid-sandbox.nix
+  ./security/default.nix
   ./security/dhparams.nix
   ./security/doas.nix
   ./security/duosec.nix

nixos/modules/security/apparmor.nix

@@ -200,10 +200,8 @@ in
           sed '1,/\[qualifiers\]/d' $footer >> $out
         '';
 
-    boot.kernelParams = [
-      "apparmor=1"
-      "security=apparmor"
-    ];
+    boot.kernelParams = [ "apparmor=1" ];
+    security.lsm = [ "apparmor" ];
 
     systemd.services.apparmor = {
       after = [

nixos/modules/security/default.nix

@@ -0,0 +1,28 @@
+{ config, lib, ... }:
+let
+  cfg = config.security;
+in
+{
+  options = {
+    security.lsm = lib.mkOption {
+      type = lib.types.uniq (lib.types.listOf lib.types.str);
+      default = [ ];
+      description = ''
+        A list of the LSMs to initialize in order.
+      '';
+    };
+  };
+
+  config = lib.mkIf (lib.lists.length cfg.lsm > 0) {
+    assertions = [
+      {
+        assertion = builtins.length (lib.filter (lib.hasPrefix "security=") config.boot.kernelParams) == 0;
+        message = "security parameter in boot.kernelParams cannot be used when security.lsm is used";
+      }
+    ];
+
+    boot.kernelParams = [
+      "lsm=${lib.concatStringsSep "," cfg.lsm}"
+    ];
+  };
+}