nixos/murmur: add apparmor policy

This commit is contained in:
Philipp Bartsch 2023-07-09 01:01:03 +02:00
parent ced170c030
commit 30ad9053ab
2 changed files with 36 additions and 0 deletions


@ -355,5 +355,37 @@ in
'';
destination = "/share/dbus-1/system.d/murmur.conf";
})];
security.apparmor.policies."bin.mumble-server".profile = ''
include <tunables/global>
${cfg.package}/bin/{mumble-server,.mumble-server-wrapped} {
include <abstractions/base>
include <abstractions/nameservice>
include <abstractions/ssl_certs>
include "${pkgs.apparmorRulesFromClosure { name = "mumble-server"; } cfg.package}"
pix ${cfg.package}/bin/.mumble-server-wrapped,
r ${config.environment.etc."os-release".source},
r ${config.environment.etc."lsb-release".source},
owner rwk /var/lib/murmur/murmur.sqlite,
owner rw /var/lib/murmur/murmur.sqlite-journal,
owner r /var/lib/murmur/,
r /run/murmur/murmurd.pid,
r /run/murmur/murmurd.ini,
r ${configFile},
'' + optionalString (cfg.logFile != null) ''
rw ${cfg.logFile},
'' + optionalString (cfg.sslCert != "") ''
r ${cfg.sslCert},
'' + optionalString (cfg.sslKey != "") ''
r ${cfg.sslKey},
'' + optionalString (cfg.sslCa != "") ''
r ${cfg.sslCa},
'' + optionalString (cfg.dbus != null) ''
dbus bus=${cfg.dbus}
'' + ''
}
'';
};
}
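Review bot: The `dbus bus=${cfg.dbus}` rule near the end of the profile carries no access qualifiers, so it grants every D-Bus operation (send, receive, bind) on that bus rather than just what the daemon needs to expose its own service; restricting it with explicit `send`/`receive`/`bind` permissions and the bus name the daemon owns would keep the policy least-privilege, e.g. `dbus (send, receive, bind) bus=${cfg.dbus} name=<murmur-dbus-name>,` with the name taken from the service's D-Bus configuration. The `r /run/murmur/murmurd.pid,` rule is read-only; if the daemon itself writes that pid file (rather than systemd managing it) this would surface as a denial, so it is worth confirming against the unit's `Type`/`PIDFile` settings, which are outside this hunk. Likewise, `owner rw /var/lib/murmur/murmur.sqlite-journal,` covers only rollback-journal mode; if the database is ever opened in WAL mode, `-wal` and `-shm` siblings would be needed, which could be expressed as `owner rw /var/lib/murmur/murmur.sqlite-{journal,wal,shm},`. The enclosing `config` attribute set starts before this hunk.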


@ -20,6 +20,7 @@ in
nodes = {
server = { config, ... }: {
security.apparmor.enable = true;
services.murmur.enable = true;
services.murmur.registerName = "NixOS tests";
services.murmur.password = "$MURMURD_PASSWORD";
@ -81,5 +82,8 @@ in
server.sleep(5) # wait to get screenshot
client1.screenshot("screen1")
client2.screenshot("screen2")
# check if apparmor denied anything
server.fail('journalctl -b --no-pager --grep "^audit: .*apparmor=\\"DENIED\\""')
'';
})
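Review bot: The new assertion on the `server.fail('journalctl ...')` line only proves that no `DENIED` audit line was logged; it does not establish that the profile was actually loaded and is enforcing, so a profile that failed to parse, or one loaded in complain mode (which logs `ALLOWED` instead), passes the test unchanged. A preceding check such as `server.succeed("grep -q 'mumble-server.*(enforce)' /sys/kernel/security/apparmor/profiles")` (the exact profile name to match should be confirmed from the loaded profile list) would make the test meaningful. Note also that `server.fail` succeeds on any non-zero exit from journalctl, including unrelated errors, so asserting that the command's output contains no `apparmor="DENIED"` match is a more precise formulation. The test script's enclosing `testScript` string begins before this hunk.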