M Makefile.am => Makefile.am +1 -0
@@ 748,6 748,7 @@ nodist_selinux_policy_DATA = etc/guix-daemon.cil
# AppArmor profiles.
nodist_apparmor_profile_DATA = \
+ etc/apparmor.d/guix \
etc/apparmor.d/guix-daemon
nodist_apparmor_profile_tunables_DATA = \
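Review bot: The new `etc/apparmor.d/guix` entry is placed under `nodist_apparmor_profile_DATA`, yet the file added in this commit is checked in verbatim with no configure substitutions, so listing it as `nodist_` means it will not be included in `make dist` tarballs; if there is no generated `etc/apparmor.d/guix.in` counterpart, it presumably belongs in a `dist_apparmor_profile_DATA` variable instead (the `guix-daemon` sibling on the next line may have the same question). The profile also depends on `tunables/guix` being installed alongside it, which the `nodist_apparmor_profile_tunables_DATA` list starting on the last line of the hunk appears to cover, but that list continues outside the hunk. A one-line comment such as `# The guix profile only grants userns; it is otherwise unconfined.` next to the entry would help future readers understand why a profile is installed for a binary that is not meant to be confined.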
A etc/apparmor.d/guix => etc/apparmor.d/guix +12 -0
@@ 0,0 1,12 @@
+abi <abi/4.0>,
+
+include <tunables/global>
+include <tunables/guix>
+
+# There’s no point in confining the guix executable, since it can run
+# any user code and so everything is expected. We just need to
+# explicitely enable userns for systems with the
+# kernel.apparmor_restrict_unprivileged_userns sysctl.
+profile guix @{guix_storedir}/{*-guix-command,*-guix-*/bin/guix} flags=(unconfined) {
+ userns,
+}<
\ No newline at end of file
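Review bot: The comment above the `profile` line should state the consequence of `flags=(unconfined)` rather than only the motivation: with that flag the profile attaches to the listed paths but, as far as I understand AppArmor 4.0 semantics, none of its rules are enforced except the `userns` grant, so any file, network or capability rule added later would be silently ignored, and child processes spawned by `guix` stay unconfined as well; something like `# flags=(unconfined): only the userns rule takes effect; do not add mediation rules here.` makes that explicit. The same comment has a typo, `explicitely` should be `explicitly`. The attachment path `@{guix_storedir}/{*-guix-command,*-guix-*/bin/guix}` depends on `@{guix_storedir}` being defined in the included `tunables/guix`; I cannot see that file here, so confirm it is installed and loaded before this profile. Finally, the file ends without a trailing newline, which the diff flags on its last line; adding one avoids noisy diffs on the next edit.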