etc: Add AppArmor profile for the guix command.

* etc/apparmor.d/guix: New file.
* Makefile.am (nodist_apparmor_profile_DATA): Add it.

Change-Id: I3d61238203d7663ce582717f8e4eac4c6f679928
Signed-off-by: Rutherther <rutherther@ditigal.xyz>
This commit is contained in:
Noé Lopez 2025-12-15 01:03:36 +01:00 committed by Rutherther
parent 587fd2dad4
commit 60782c20d4
No known key found for this signature in database
GPG key ID: 0322798269E471C3
2 changed files with 13 additions and 0 deletions


@ -748,6 +748,7 @@ nodist_selinux_policy_DATA = etc/guix-daemon.cil
# AppArmor profiles.
nodist_apparmor_profile_DATA = \
etc/apparmor.d/guix \
etc/apparmor.d/guix-daemon
nodist_apparmor_profile_tunables_DATA = \

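--- a/etc/apparmor.d/guix
+++ b/etc/apparmor.d/guix
@@ -0,0 +1,12 @@
+abi <abi/4.0>,
+include <tunables/global>
+include <tunables/guix>
+# Theres no point in confining the guix executable, since it can run
+# any user code and so everything is expected. We just need to
+# explicitely enable userns for systems with the
+# kernel.apparmor_restrict_unprivileged_userns sysctl.
+profile guix @{guix_storedir}/{*-guix-command,*-guix-*/bin/guix} flags=(unconfined) {
+userns,
+}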
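Review bot: The attachment glob on the `profile` line, `@{guix_storedir}/{*-guix-command,*-guix-*/bin/guix}`, selects by store-item name rather than by a specific package, so any store item named `*-guix-*` that carries a `bin/guix` attaches to this unconfined profile and receives the `userns` grant; since store items are presumably buildable by any user of the daemon, this amounts to re-enabling unprivileged user namespaces for whoever can reach such a path, not only for the installed guix package. That may well be the intent (the comment already argues confinement of guix is pointless), but the comment should state the scope explicitly so a later edit does not narrow or widen it by accident, e.g. `# The glob matches any store item named *-guix-* with a bin/guix, not only the guix package; that is intended.` The comment lines also have two typos: `Theres` should be `There's` and `explicitely` should be `explicitly`. Both `abi <abi/4.0>` and the `userns` rule need a parser that understands the 4.0 ABI, which is worth mentioning next to the sysctl reference so the requirement is visible to packagers on older AppArmor releases.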