nixos/murmur: add apparmor policy

2023-07-09 01:01:03 +02:00 · 2023-07-09 01:01:03 +02:00 · 30ad9053ab
commit 30ad9053ab
parent ced170c030
2 changed files with 36 additions and 0 deletions
--- a/nixos/modules/services/networking/murmur.nix
+++ b/nixos/modules/services/networking/murmur.nix
@ -355,5 +355,37 @@ in
      '';
      destination = "/share/dbus-1/system.d/murmur.conf";
    })];
+
+    security.apparmor.policies."bin.mumble-server".profile = ''
+      include <tunables/global>
+
+      ${cfg.package}/bin/{mumble-server,.mumble-server-wrapped} {
+        include <abstractions/base>
+        include <abstractions/nameservice>
+        include <abstractions/ssl_certs>
+        include "${pkgs.apparmorRulesFromClosure { name = "mumble-server"; } cfg.package}"
+        pix ${cfg.package}/bin/.mumble-server-wrapped,
+
+        r ${config.environment.etc."os-release".source},
+        r ${config.environment.etc."lsb-release".source},
+        owner rwk /var/lib/murmur/murmur.sqlite,
+        owner rw /var/lib/murmur/murmur.sqlite-journal,
+        owner r /var/lib/murmur/,
+        r /run/murmur/murmurd.pid,
+        r /run/murmur/murmurd.ini,
+        r ${configFile},
+      '' + optionalString (cfg.logFile != null) ''
+        rw ${cfg.logFile},
+      '' + optionalString (cfg.sslCert != "") ''
+        r ${cfg.sslCert},
+      '' + optionalString (cfg.sslKey != "") ''
+        r ${cfg.sslKey},
+      '' + optionalString (cfg.sslCa != "") ''
+        r ${cfg.sslCa},
+      '' + optionalString (cfg.dbus != null) ''
+        dbus bus=${cfg.dbus}
+      '' + ''
+      }
+    '';
  };
 }
--- a/nixos/tests/mumble.nix
+++ b/nixos/tests/mumble.nix
@ -20,6 +20,7 @@ in

  nodes = {
    server = { config, ... }: {
+      security.apparmor.enable = true;
      services.murmur.enable = true;
      services.murmur.registerName = "NixOS tests";
      services.murmur.password = "$MURMURD_PASSWORD";
@ -81,5 +82,8 @@ in
    server.sleep(5)  # wait to get screenshot
    client1.screenshot("screen1")
    client2.screenshot("screen2")
+
+    # check if apparmor denied anything
+    server.fail('journalctl -b --no-pager --grep "^audit: .*apparmor=\\"DENIED\\""')
  '';
 })