BoomMicrophone/nixpkgs-suyu
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity

nixos/miniflux: add apparmor policy

Browse source 
This change also extends the test to ensure that normal operations
aren't denied.
This commit is contained in:
Philipp Bartsch 2023-07-08 02:18:34 +02:00
parent 1256178263
commit ced170c030
2 changed files with 18 additions and 0 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

12
nixos/modules/services/web-apps/miniflux.nix
View file

@ -130,5 +130,17 @@ in
environment = cfg.config; environment = cfg.config;
}; };
environment.systemPackages = [ cfg.package ]; environment.systemPackages = [ cfg.package ];
security.apparmor.policies."bin.miniflux".profile = ''
include <tunables/global>
${cfg.package}/bin/miniflux {
include <abstractions/base>
include <abstractions/nameservice>
include <abstractions/ssl_certs>
include "${pkgs.apparmorRulesFromClosure { name = "miniflux"; } cfg.package}"
r ${cfg.package}/bin/miniflux,
r @{sys}/kernel/mm/transparent_hugepage/hpage_pmd_size,
}
'';
}; };
} }

6
nixos/tests/miniflux.nix
View file

@ -25,6 +25,7 @@ in
default = default =
{ ... }: { ... }:
{ {
security.apparmor.enable = true;
services.miniflux = { services.miniflux = {
enable = true; enable = true;
inherit adminCredentialsFile; inherit adminCredentialsFile;
@ -34,6 +35,7 @@ in
withoutSudo = withoutSudo =
{ ... }: { ... }:
{ {
security.apparmor.enable = true;
services.miniflux = { services.miniflux = {
enable = true; enable = true;
inherit adminCredentialsFile; inherit adminCredentialsFile;
@ -44,6 +46,7 @@ in
customized = customized =
{ ... }: { ... }:
{ {
security.apparmor.enable = true;
services.miniflux = { services.miniflux = {
enable = true; enable = true;
config = { config = {
@ -63,6 +66,7 @@ in
default.succeed( default.succeed(
"curl 'http://localhost:${toString defaultPort}/v1/me' -u '${defaultUsername}:${defaultPassword}' -H Content-Type:application/json | grep '\"is_admin\":true'" "curl 'http://localhost:${toString defaultPort}/v1/me' -u '${defaultUsername}:${defaultPassword}' -H Content-Type:application/json | grep '\"is_admin\":true'"
) )
default.fail('journalctl -b --no-pager --grep "^audit: .*apparmor=\\"DENIED\\""')
withoutSudo.wait_for_unit("miniflux.service") withoutSudo.wait_for_unit("miniflux.service")
withoutSudo.wait_for_open_port(${toString defaultPort}) withoutSudo.wait_for_open_port(${toString defaultPort})
@ -70,6 +74,7 @@ in
withoutSudo.succeed( withoutSudo.succeed(
"curl 'http://localhost:${toString defaultPort}/v1/me' -u '${defaultUsername}:${defaultPassword}' -H Content-Type:application/json | grep '\"is_admin\":true'" "curl 'http://localhost:${toString defaultPort}/v1/me' -u '${defaultUsername}:${defaultPassword}' -H Content-Type:application/json | grep '\"is_admin\":true'"
) )
withoutSudo.fail('journalctl -b --no-pager --grep "^audit: .*apparmor=\\"DENIED\\""')
customized.wait_for_unit("miniflux.service") customized.wait_for_unit("miniflux.service")
customized.wait_for_open_port(${toString port}) customized.wait_for_open_port(${toString port})
@ -77,5 +82,6 @@ in
customized.succeed( customized.succeed(
"curl 'http://localhost:${toString port}/v1/me' -u '${username}:${password}' -H Content-Type:application/json | grep '\"is_admin\":true'" "curl 'http://localhost:${toString port}/v1/me' -u '${username}:${password}' -H Content-Type:application/json | grep '\"is_admin\":true'"
) )
customized.fail('journalctl -b --no-pager --grep "^audit: .*apparmor=\\"DENIED\\""')
''; '';
}) })