Apparmor profiles from closure
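# NixOS module: confine pbServe with an AppArmor profile generated from its
# runtime closure. `config` and `pkgs` are used in the body, so they must be
# bound in the module argument set; `{ ... }:` alone leaves them undefined.
# Assumes pkgs.mkApparmorProfile is provided by an overlay/callPackage — confirm.
{ config, pkgs, ... }: {
  security.apparmor.enable = true;
  security.apparmor.profiles = [
    (pkgs.mkApparmorProfile rec {
      subject = pkgs.pbServe;
      # Everything the binary may read/mmap/execute: its own closure plus tzdata.
      runtimeDeps = [ subject pkgs.tzdata ];
      append = [
        # NOTE(review): `**` placed directly after the home path also matches any
        # sibling path sharing that prefix; "${…home}/** r" would limit the read
        # grant to the home tree itself — confirm which is intended.
        "${config.users.users.static.home}** r"
      ];
      # Emitted as "set rlimit as <= <bytes>" inside the profile.
      # Assumes pkgs.lib.units.megabyte resolves in this nixpkgs — confirm.
      rlimit.as = 100 * pkgs.lib.units.megabyte;
    })
  ];
}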
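# mkApparmorProfile: write an AppArmor profile for `subject` whose file grants
# are derived from the Nix store closure of `runtimeDeps`.
#
# Arguments:
#   subject        - derivation whose bin/* executables the profile attaches to
#   name           - output file name (default "<subject.name>.profile")
#   runtimeDeps    - derivations whose closure may be read/mmapped/executed
#   enforce        - false emits flags=(complain): violations are logged, not denied
#   rlimit         - attrset of rlimit name -> value, emitted as "set rlimit k <= v"
#   signalReceive  - true adds "signal (receive)", i.e. signals from any peer are allowed
#   prepend/append - extra raw rule strings placed before/after the generated ones
#
# Returns the profile text as a store file (writeText). `stdenvNoCC` is unused.
{ stdenvNoCC, lib, writeText, closureInfo }: with lib;
{ subject,
  name ? "${subject.name}.profile",
  runtimeDeps ? [ subject ],
  enforce ? true,
  rlimit ? {},
  signalReceive ? true,
  prepend ? [],
  append ? [] }:
let
  flags = if enforce then "" else "flags=(complain)";

  # Store paths in the closure of `paths`, read from closureInfo's store-paths
  # file (one path per line). Empty entries are dropped: splitString on an empty
  # file yields [ "" ], which would otherwise produce a path-less "** mkrix" rule.
  closurePaths = paths:
    let
      closure = closureInfo { rootPaths = paths; };
      text = lib.fileContents "${closure}/store-paths";
    in filter (p: p != "") (splitString "\n" text);

  rules = [
    prepend
    "@{PROC}/@{pid}/** r"
    "@{PROC}/sys/vm/overcommit_memory r"
    "/sys/kernel/mm/transparent_hugepage/enabled r"
    (optional signalReceive "signal (receive)")
    (mapAttrsToList
      (k: v: "set rlimit ${k} <= ${toString v}")
      rlimit)
    # m = mmap exec, k = lock, r = read, ix = execute under this same profile.
    # Store paths are hash-prefixed, so "<path>**" does not match unrelated siblings.
    (map (p: "${p}** mkrix") (closurePaths runtimeDeps))
    append
  ];

  lines = [
    "include <tunables/global>"
    "${lib.getBin subject}/bin/* ${flags} {"
    (map (r: " ${r},") (flatten rules))
    "}"
  ];
in writeText name (concatStringsSep "\n" (flatten lines))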