Fresh AppArmor is available for further development. The end result should be fully automatic confinement configuration for all services configured using nixos options without extraConfig and such, a feature which would be unique to NixOS.
Currently, AppArmor ships with a single profile which confines ping. If you comment out a line or two of the profile, ping will fail and AppArmor will complain to dmesg.

What needs to be done:

* Fix the systemd unit. Arch Linux ships apparmor as wantedBy = ["basic.target"], but it doesn't exist in NixOS.
* Test and possibly fix profile loading/unloading on nixos-rebuild switch.
* Check if any of the abstractions that AppArmor ships need NixOS-specific customization.
* Create profiles for common SUID binaries, since they are often used in privilege escalation attacks.
* Create profiles for common proprietary nasties like Skype and Steam, because we can't trust them.
* Create a profile for Firefox with an option to have a dedicated upload/download dir. Bonus points for packaging a confined Tor Browser (a fork of Firefox).
* Create profiles for network-facing services, especially web servers, since these often host webapps which tend to be full of holes.

To enable AppArmor, add security.apparmor.enable = true to your config and use the linux_3_2_apparmor kernel (or build another version in a similar way). Have fun!

_______________________________________________
nix-dev mailing list
nix-dev@lists.science.uu.nl
http://lists.science.uu.nl/mailman/listinfo/nix-dev
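As an added example (not code from this post or from NixOS), a small Python parser for the AppArmor DENIED lines that dmesg shows once a trimmed ping profile blocks something; it turns each denial into the profile rule that would restore it, so you can see exactly what the profile lost before deciding whether to put the rule back. The dmesg lines and the /run/current-system/sw/bin/ping profile path are constructed for this example.

```python
import re
from collections import defaultdict

# Constructed sample dmesg output (not real output from the NixOS ping profile):
# a trimmed ping profile denying a file read, a capability and a raw socket,
# followed by a STATUS line that is not a denial.
SAMPLE_DMESG = """\
[  102.311] audit: type=1400 audit(1356000000.123:45): apparmor="DENIED" operation="open" profile="/run/current-system/sw/bin/ping" name="/etc/modules.conf" pid=1234 comm="ping" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
[  102.312] audit: type=1400 audit(1356000000.124:46): apparmor="DENIED" operation="capable" profile="/run/current-system/sw/bin/ping" pid=1234 comm="ping" capability=13 capname="net_raw"
[  102.313] audit: type=1400 audit(1356000000.125:47): apparmor="DENIED" operation="create" profile="/run/current-system/sw/bin/ping" pid=1234 comm="ping" family="inet" sock_type="raw" protocol=1 requested_mask="create" denied_mask="create"
[  102.314] audit: type=1400 audit(1356000000.126:48): apparmor="STATUS" operation="profile_load" name="/run/current-system/sw/bin/ping" pid=900 comm="apparmor_parser"
"""

# key="quoted value" or key=bareword, as the kernel audit format writes them
KV_RE = re.compile(r'(\w+)=("([^"]*)"|(\S+))')


def parse_apparmor_events(text):
    """Return one dict of key/value fields per apparmor= line in a dmesg dump."""
    events = []
    for line in text.splitlines():
        if 'apparmor=' not in line:
            continue
        fields = {m.group(1): m.group(3) if m.group(3) is not None else m.group(4)
                  for m in KV_RE.finditer(line)}
        events.append(fields)
    return events


def suggest_rules(events):
    """Map each DENIED event to the profile rule that would permit it, grouped by profile.
    Review every suggested rule by hand: a denial is only a bug if the access is legitimate."""
    rules = defaultdict(set)
    for ev in events:
        if ev.get('apparmor') != 'DENIED':
            continue
        prof = ev['profile']
        if ev['operation'] == 'capable':
            rules[prof].add(f"capability {ev['capname']},")
        elif 'family' in ev:  # socket denials carry family/sock_type instead of a path
            rules[prof].add(f"network {ev['family']} {ev['sock_type']},")
        elif 'name' in ev:  # file access denials carry the path and the denied mask
            rules[prof].add(f"{ev['name']} {ev['denied_mask']},")
    return {p: sorted(r) for p, r in rules.items()}


if __name__ == '__main__':
    for profile, profile_rules in suggest_rules(parse_apparmor_events(SAMPLE_DMESG)).items():
        print(profile)
        for rule in profile_rules:
            print('  ' + rule)
```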