nixos/apparmor: disable killUnconfinedConfinables by default
This commit is contained in:
parent
76887d750b
commit
b42a0e205d
|
@ -869,10 +869,9 @@ environment.systemPackages = [
|
||||||
to provide a way to disable a profile
|
to provide a way to disable a profile
|
||||||
and to select whether to confine in enforce mode (default)
|
and to select whether to confine in enforce mode (default)
|
||||||
or in complain mode (see <literal>journalctl -b --grep apparmor</literal>).
|
or in complain mode (see <literal>journalctl -b --grep apparmor</literal>).
|
||||||
Before enabling this module, either directly
|
Security-minded users may also want to enable <xref linkend="opt-security.apparmor.killUnconfinedConfinables"/>,
|
||||||
or by importing <literal><nixpkgs/nixos/modules/profiles/hardened.nix></literal>,
|
at the cost of having some of their processes killed
|
||||||
please be sure to read the documentation of <link linkend="opt-security.apparmor.enable">security.apparmor.enable</link>,
|
when updating to a NixOS version introducing new AppArmor profiles.
|
||||||
and especially the part about <xref linkend="opt-security.apparmor.killUnconfinedConfinables"/>.
|
|
||||||
</para>
|
</para>
|
||||||
</listitem>
|
</listitem>
|
||||||
<listitem>
|
<listitem>
|
||||||
|
|
|
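Review bot: the rewritten release note drops the sentence telling users who import <literal><nixpkgs/nixos/modules/profiles/hardened.nix></literal> to read the AppArmor documentation, yet the hardened profile in this same commit sets `security.apparmor.killUnconfinedConfinables = mkDefault true;`, so those users still get the process-killing behaviour without being told about it here. Suggest keeping a short sentence next to the new `Security-minded users may also want to enable <xref linkend="opt-security.apparmor.killUnconfinedConfinables"/>,` text, e.g. "The hardened profile enables this option by default." Also, `when updating to a NixOS version introducing new AppArmor profiles.` is narrower than what the option description says: any rebuild that adds a profile in `security.apparmor.policies` for an executable with running processes triggers the kills, not only a NixOS version update.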
@ -36,6 +36,7 @@ with lib;
|
||||||
security.virtualisation.flushL1DataCache = mkDefault "always";
|
security.virtualisation.flushL1DataCache = mkDefault "always";
|
||||||
|
|
||||||
security.apparmor.enable = mkDefault true;
|
security.apparmor.enable = mkDefault true;
|
||||||
|
security.apparmor.killUnconfinedConfinables = mkDefault true;
|
||||||
|
|
||||||
boot.kernelParams = [
|
boot.kernelParams = [
|
||||||
# Slab/slub sanity checks, redzoning, and poisoning
|
# Slab/slub sanity checks, redzoning, and poisoning
|
||||||
|
|
|
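Review bot: with the option now defaulting to false (mkEnableOption in this commit), this added line is what preserves the previous behaviour for hardened.nix users, and `mkDefault` correctly leaves them able to override it. It deserves a comment line above it, since a rebuild can now SIGTERM running processes whose executable gains a profile, e.g. `# Can terminate running processes when a profile for their executable is introduced; set to false to leave them running unconfined.` The other settings in this file are commented (see `# Slab/slub sanity checks, redzoning, and poisoning`), so this keeps the file's convention.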
@ -30,16 +30,17 @@ in
|
||||||
If you're enabling this module on a running system,
|
If you're enabling this module on a running system,
|
||||||
note that a reboot will be required to activate AppArmor in the kernel.
|
note that a reboot will be required to activate AppArmor in the kernel.
|
||||||
|
|
||||||
Also, beware that enabling this module will by default
|
Also, beware that enabling this module privileges stability over security
|
||||||
try to kill unconfined but confinable running processes,
|
by not trying to kill unconfined but newly confinable running processes by default,
|
||||||
in order to obtain a confinement matching what is declared in the NixOS configuration.
|
though it would be needed because AppArmor can only confine new
|
||||||
This will happen when upgrading to a NixOS revision
|
or already confined processes of an executable.
|
||||||
introducing an AppArmor profile for the executable of a running process.
|
This killing would for instance be necessary when upgrading to a NixOS revision
|
||||||
This is because enabling an AppArmor profile for an executable
|
introducing for the first time an AppArmor profile for the executable
|
||||||
can only confine new or already confined processes of that executable,
|
of a running process.
|
||||||
but leaves already running processes unconfined.
|
|
||||||
Set <link linkend="opt-security.apparmor.killUnconfinedConfinables">killUnconfinedConfinables</link>
|
Enable <xref linkend="opt-security.apparmor.killUnconfinedConfinables"/>
|
||||||
to <literal>false</literal> if you prefer to leave those processes running'';
|
if you want this service to do such killing
|
||||||
|
by sending a <literal>SIGTERM</literal> to those running processes'';
|
||||||
policies = mkOption {
|
policies = mkOption {
|
||||||
description = ''
|
description = ''
|
||||||
AppArmor policies.
|
AppArmor policies.
|
||||||
|
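Review bot: the new wording of the enable description reads awkwardly: `privileges stability over security` should be `favours stability over security`, and `though it would be needed because AppArmor can only confine new` followed by `or already confined processes of an executable.` leaves the reader guessing what "it" refers to. Suggest: "by not killing, by default, running processes that are unconfined but have become confinable. Such killing is needed because AppArmor can only confine new or already confined processes of an executable; processes started before their profile was loaded stay unconfined until restarted." The closing `by sending a <literal>SIGTERM</literal> to those running processes''` should also end with a full stop, as the surrounding sentences do.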
@ -78,10 +79,14 @@ in
|
||||||
Beware that AppArmor policies almost always contain Nix store paths,
|
Beware that AppArmor policies almost always contain Nix store paths,
|
||||||
and thus produce at each change of these paths
|
and thus produce at each change of these paths
|
||||||
a new cached version accumulating in the cache'';
|
a new cached version accumulating in the cache'';
|
||||||
killUnconfinedConfinables = mkDisableOption ''
|
killUnconfinedConfinables = mkEnableOption ''
|
||||||
killing of processes which have an AppArmor profile enabled
|
killing of processes which have an AppArmor profile enabled
|
||||||
(in <link linkend="opt-security.apparmor.policies">policies</link>)
|
(in <xref linkend="opt-security.apparmor.policies"/>)
|
||||||
but are not confined (because AppArmor can only confine new processes).
|
but are not confined (because AppArmor can only confine new processes).
|
||||||
|
|
||||||
|
This is only sending a gracious <literal>SIGTERM</literal> signal to the processes,
|
||||||
|
not a <literal>SIGKILL</literal>.
|
||||||
|
|
||||||
Beware that due to a current limitation of AppArmor,
|
Beware that due to a current limitation of AppArmor,
|
||||||
only profiles with exact paths (and no name) can enable such kills'';
|
only profiles with exact paths (and no name) can enable such kills'';
|
||||||
};
|
};
|
||||||
|
|
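Review bot: `gracious <literal>SIGTERM</literal> signal` should be `graceful`, and the description should spell out the consequence: a process that catches or ignores SIGTERM keeps running unconfined, so enabling this option does not guarantee that the running state matches the declared policies. Suggest adding "Processes that ignore SIGTERM remain running unconfined." after `not a <literal>SIGKILL</literal>.` Switching from mkDisableOption to mkEnableOption flips the default from true to false, which is the intended behaviour change of this commit, but existing configurations that relied on the old default silently lose the kills; the release-notes hunk in this commit should state the old default explicitly so upgraders notice.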