Merge pull request #7344 from joachifm/apparmor-pam

nixos: add AppArmor PAM support
This commit is contained in:
Jaka Hudoklin 2015-08-29 18:59:53 +02:00
commit c7bb64cb97
2 changed files with 12 additions and 8 deletions


@ -37,13 +37,5 @@ in
) cfg.profiles; ) cfg.profiles;
}; };
}; };
security.pam.services.apparmor.text = ''
## AppArmor changes hats according to `order`: first try user, then
## group, and finally fall back to a hat called "DEFAULT"
##
## For now, enable debugging as this is an experimental feature.
session optional ${pkgs.apparmor-pam}/lib/security/pam_apparmor.so order=user,group,default debug
'';
}; };
} }


@ -192,6 +192,16 @@ let
description = "Whether to log authentication failures in <filename>/var/log/faillog</filename>."; description = "Whether to log authentication failures in <filename>/var/log/faillog</filename>.";
}; };
enableAppArmor = mkOption {
default = false;
type = types.bool;
description = ''
Enable support for attaching AppArmor profiles at the
user/group level, e.g., as part of a role based access
control scheme.
'';
};
text = mkOption { text = mkOption {
type = types.nullOr types.lines; type = types.nullOr types.lines;
description = "Contents of the PAM service file."; description = "Contents of the PAM service file.";
@ -294,6 +304,8 @@ let
"session optional ${pkgs.pam}/lib/security/pam_motd.so motd=${motd}"} "session optional ${pkgs.pam}/lib/security/pam_motd.so motd=${motd}"}
${optionalString cfg.pamMount ${optionalString cfg.pamMount
"session optional ${pkgs.pam_mount}/lib/security/pam_mount.so"} "session optional ${pkgs.pam_mount}/lib/security/pam_mount.so"}
${optionalString (cfg.enableAppArmor && config.security.apparmor.enable)
"session optional ${pkgs.apparmor-pam}/lib/security/pam_apparmor.so order=user,group,default debug"}
''; '';
}; };
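Review bot: The `debug` flag on the pam_apparmor.so line at the end of the second hunk is carried over from the deleted per-service file without the comment that justified it there ("For now, enable debugging as this is an experimental feature"), so the new line now turns on pam_apparmor debug logging for every PAM service unconditionally and with no rationale in the code. Keep the justification next to the new line, e.g. `# debug: kept while pam_apparmor support is experimental; drop once stable`, and consider making it configurable rather than hard-coded. The guard `cfg.enableAppArmor && config.security.apparmor.enable` also silently drops the hat-switching line when AppArmor itself is disabled, which is easy to miss for someone who only set `enableAppArmor = true` and expects confinement; the option description should state the dependency, e.g. append `Requires <option>security.apparmor.enable</option>; has no effect otherwise.`, or an assertion should reject the inconsistent combination. The hat lookup order (`order=user,group,default`) explained by the deleted `##` comments is likewise now undocumented and would fit in the same description. The enclosing `let` attribute set starts outside the hunk.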