From 2e0933787bff6772a698a3e8e8f3c93cb2bb7370 Mon Sep 17 00:00:00 2001
From: Joachim Fasting
Date: Sat, 18 Apr 2015 23:15:35 +0200
Subject: [PATCH] nixos: add AppArmor PAM support

Enables attaching AppArmor profiles at the user/group level. This is not intended to be used directly, but as part of a role-based access control scheme. For now, profile attachment is 'session optional', but should be changed to 'required' once a more comprehensive solution is in place.
---
 nixos/modules/security/apparmor.nix | 8 --------
 nixos/modules/security/pam.nix | 12 ++++++++++++
 2 files changed, 12 insertions(+), 8 deletions(-)

diff --git a/nixos/modules/security/apparmor.nix b/nixos/modules/security/apparmor.nix
index 4fef62cbffd7..202639f98701 100644
--- a/nixos/modules/security/apparmor.nix
+++ b/nixos/modules/security/apparmor.nix
@@ -37,13 +37,5 @@ in
 ) cfg.profiles;
 };
 };
-
- security.pam.services.apparmor.text = ''
- ## AppArmor changes hats according to `order`: first try user, then
- ## group, and finally fall back to a hat called "DEFAULT"
- ##
- ## For now, enable debugging as this is an experimental feature.
- session optional ${pkgs.apparmor-pam}/lib/security/pam_apparmor.so order=user,group,default debug
- '';
 };
 }
diff --git a/nixos/modules/security/pam.nix b/nixos/modules/security/pam.nix
index 02520fb88cdd..15533fbdc3d5 100644
--- a/nixos/modules/security/pam.nix
+++ b/nixos/modules/security/pam.nix
@@ -192,6 +192,16 @@ let
 description = "Whether to log authentication failures in /var/log/faillog.";
 };
 
+ enableAppArmor = mkOption {
+ default = false;
+ type = types.bool;
+ description = ''
+ Enable support for attaching AppArmor profiles at the
+ user/group level, e.g., as part of a role based access
+ control scheme.
+ '';
+ };
+
 text = mkOption {
 type = types.nullOr types.lines;
 description = "Contents of the PAM service file.";
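Review bot: The `enableAppArmor` description in the added `mkOption` does not say that the option only takes effect when `security.apparmor.enable` is also true, which is how the emitting line later in this file gates it (`cfg.enableAppArmor && config.security.apparmor.enable`). Setting it on a service without AppArmor enabled then yields no PAM entry and no diagnostic, which is easy to misread as profiles being attached. I would add to the description `Has no effect unless security.apparmor.enable is also set.`, or, stricter, an `assertions` entry in the module's config that reports the mismatch at evaluation time.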
@@ -294,6 +304,8 @@ let
 "session optional ${pkgs.pam}/lib/security/pam_motd.so motd=${motd}"}
 ${optionalString cfg.pamMount
 "session optional ${pkgs.pam_mount}/lib/security/pam_mount.so"}
+ ${optionalString (cfg.enableAppArmor && config.security.apparmor.enable)
+ "session optional ${pkgs.apparmor-pam}/lib/security/pam_apparmor.so order=user,group,default debug"}
 '';
 };
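Review bot: The pam_apparmor line is re-added here without the explanation the deleted apparmor.nix block carried, so pam.nix no longer says what `order=user,group,default` does (try a hat for the user, then the group, then one named "DEFAULT", per the removed comment) or that `debug` was meant as a temporary setting; `debug` is now hard-coded in the generic module. I would keep that explanation as `#` comment lines inside the optionalString argument, where they land in the generated PAM service file as the removed `##` lines did, and note there that the entry is `session optional`, so a failed hat change does not fail the session (the commit message says `required` is intended later). The `text` string this is interpolated into begins before the hunk.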