apparmor: add apparmor_parser config file

If the config does not exist, then apparmor_parser will throw a warning. To avoid that and make the parser configurable, we now add a new option to it. Signed-off-by: Sascha Grunert <sgrunert@suse.com>
author: Sascha Grunert <sgrunert@suse.com> 2020-08-22 22:59:26 +0200
committer: Sascha Grunert <sgrunert@suse.com> 2020-08-22 22:59:26 +0200
commit: 2259fbdf4b703ca823ff390f63a39d6b80163e56 (patch)
tree: e54e17ea035c22eafb9d7dfb839bb34fe1c2ae95 /nixos/modules/security/apparmor.nix
parent: 6a7b11055c6ceb2b224cd99a33fcd93b4ed66749 (diff)
1 files changed, 6 insertions, 0 deletions
diff --git a/nixos/modules/security/apparmor.nix b/nixos/modules/security/apparmor.nix
index cfc65b347bc69..2ee10454fd26b 100644
--- a/nixos/modules/security/apparmor.nix
+++ b/nixos/modules/security/apparmor.nix
@@ -23,11 +23,17 @@ in
          default = [];
          description = "List of packages to be added to apparmor's include path";
        };
+       parserConfig = mkOption {
+         type = types.str;
+         default = "";
+         description = "AppArmor parser configuration file content";
+       };
      };
    };
 
    config = mkIf cfg.enable {
      environment.systemPackages = [ pkgs.apparmor-utils ];
+     environment.etc."apparmor/parser.conf".text = cfg.parserConfig;
 
      boot.kernelParams = [ "apparmor=1" "security=apparmor" ];
author	Sascha Grunert <sgrunert@suse.com>	2020-08-22 22:59:26 +0200
committer	Sascha Grunert <sgrunert@suse.com>	2020-08-22 22:59:26 +0200
commit	2259fbdf4b703ca823ff390f63a39d6b80163e56 (patch)
tree	e54e17ea035c22eafb9d7dfb839bb34fe1c2ae95 /nixos/modules/security/apparmor.nix
parent	6a7b11055c6ceb2b224cd99a33fcd93b4ed66749 (diff)