From f824dad19aa3605d0178a3121bfcba9bda8a4ddb Mon Sep 17 00:00:00 2001
From: Joachim Fasting
Date: Sun, 28 Apr 2019 14:22:19 +0200
Subject: [PATCH 1/2] nixos/apparmor: order before sysinit.target

Otherwise, profiles may be loaded way too late in the init process.
---
 nixos/modules/security/apparmor.nix | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/nixos/modules/security/apparmor.nix b/nixos/modules/security/apparmor.nix
index d323a158a4df..fdff85774a2f 100644
--- a/nixos/modules/security/apparmor.nix
+++ b/nixos/modules/security/apparmor.nix
@@ -33,7 +33,12 @@ in
       paths = concatMapStrings (s: " -I ${s}/etc/apparmor.d")
         ([ pkgs.apparmor-profiles ] ++ cfg.packages);
     in {
-      wantedBy = [ "local-fs.target" ];
+      after = [ "local-fs.target" ];
+      before = [ "sysinit.target" ];
+      wantedBy = [ "multi-user.target" ];
+      unitConfig = {
+        DefaultDependencies = "no";
+      };
       serviceConfig = {
         Type = "oneshot";
         RemainAfterExit = "yes";

From aa24c4e95b54acb8bcd526ee04afb5492808457c Mon Sep 17 00:00:00 2001
From: Joachim Fasting
Date: Sun, 28 Apr 2019 15:12:37 +0200
Subject: [PATCH 2/2] nixos/apparmor: allow reloading profiles without losing confinement

Define ExecReload, otherwise reload implies stop followed by start,
which leaves existing processes in unconfined state [1].

[1]: https://gitlab.com/apparmor/apparmor/wikis/AppArmorInSystemd
---
 nixos/modules/security/apparmor.nix | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/nixos/modules/security/apparmor.nix b/nixos/modules/security/apparmor.nix
index fdff85774a2f..4512a7a80f6d 100644
--- a/nixos/modules/security/apparmor.nix
+++ b/nixos/modules/security/apparmor.nix
@@ -48,6 +48,9 @@ in
         ExecStop = map (p:
           ''${pkgs.apparmor-parser}/bin/apparmor_parser -Rv "${p}"''
         ) cfg.profiles;
+        ExecReload = map (p:
+          ''${pkgs.apparmor-parser}/bin/apparmor_parser --reload ${paths} "${p}"''
+        ) cfg.profiles;
       };
     };
   };
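Review bot: Setting `DefaultDependencies = "no"` on this unit also removes the implicit `Conflicts=shutdown.target`/`Before=shutdown.target`, so as far as I can tell the service is no longer stopped at shutdown and `ExecStop`'s `apparmor_parser -R` will not unload profiles while other services are still running; that is the safer outcome, but nothing in the hunk says it is intended. I would add above `unitConfig`: `# DefaultDependencies=no so profiles can be loaded before sysinit.target; this also means the unit is not stopped at shutdown, so confinement stays in place to the end.` Separately, the unit is now pulled in only via `wantedBy = [ "multi-user.target" ]`, so a boot that ends in a target that does not reach it (rescue.target, for instance) would order this service after local-fs.target but never start it, leaving no profiles loaded — if early confinement is the goal, wanting it from `sysinit.target` may be the matching pull-in, which I would confirm against the intended targets. The enclosing `systemd.services.apparmor` definition begins before the hunk.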
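Review bot: The new `ExecReload` entry carries no comment explaining why `--reload` is required instead of letting systemd stop and start the unit, and that reasoning is the whole point of the change and easy to regress; I would add above it: `# --reload replaces each profile in place, so processes already confined by it keep their confinement; a stop/start cycle (-R then load) would leave them unconfined in between.` Two smaller points: `ExecStop` passes `-v` while this command does not, so the parser output differs between the two paths, and because systemd runs the `map`-generated `ExecReload` commands in order and stops at the first non-zero exit (no `-` prefix), one profile that fails to parse leaves the remaining profiles at their old version while earlier ones were already replaced — the reload is then reported failed, which is acceptable, but worth mentioning in the same comment. The enclosing `serviceConfig` set, including `ExecStart`, begins before the hunk.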