| author | Michael Raskin <7c6f434c@mail.ru> | 2020-09-27 13:07:38 +0000 |
|---|---|---|
| committer | GitHub <noreply@github.com> | 2020-09-27 13:07:38 +0000 |
| commit | 31a4e2e28bf29fc5ab1f70d28b5dbc2205a638a0 (patch) | |
| tree | 5fd228150808cdc3915afe3a58690c0425f8000a /nixos/doc | |
| parent | 862e6fe2c6b3f4f8aff53a9606eaafaaf3490d3d (diff) | |
| parent | fb6d63f3fdd95a5468d43a0693c8ca7c1894363f (diff) | |
Merge pull request #93457 from ju1m/apparmor
apparmor: fix and improve the service
Diffstat (limited to 'nixos/doc')
| -rw-r--r-- | nixos/doc/manual/release-notes/rl-2009.xml | 18 |
|---|---|---|

1 file changed, 18 insertions, 0 deletions
diff --git a/nixos/doc/manual/release-notes/rl-2009.xml b/nixos/doc/manual/release-notes/rl-2009.xml index 511276bcaab3..0679a64651fb 100644 --- a/nixos/doc/manual/release-notes/rl-2009.xml +++ b/nixos/doc/manual/release-notes/rl-2009.xml @@ -981,6 +981,24 @@ services.transmission.settings.rpc-bind-address = "0.0.0.0"; </listitem> <listitem> <para> + The <literal>security.apparmor</literal> module, + for the <link xlink:href="https://gitlab.com/apparmor/apparmor/-/wikis/Documentation">AppArmor</link> + Mandatory Access Control system, + has been substantialy improved along with related tools, + so that module maintainers can now more easily write AppArmor profiles for NixOS. + The most notable change on the user-side is the new option <xref linkend="opt-security.apparmor.policies"/>, + replacing the previous <literal>profiles</literal> option + to provide a way to disable a profile + and to select whether to confine in enforce mode (default) + or in complain mode (see <literal>journalctl -b --grep apparmor</literal>). + Before enabling this module, either directly + or by importing <literal><nixpkgs/nixos/modules/profiles/hardened.nix></literal>, + please be sure to read the documentation of <link linkend="opt-security.apparmor.enable">security.apparmor.enable</link>, + and especially the part about <xref linkend="opt-security.apparmor.killUnconfinedConfinables"/>. + </para> + </listitem> + <listitem> + <para> With this release <literal>systemd-networkd</literal> (when enabled through <xref linkend="opt-networking.useNetworkd"/>) has it's netlink socket created through a <literal>systemd.socket</literal> unit. This gives us control over socket buffer sizes and other parameters. For larger setups where networkd has to create a lot of (virtual) |
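Review bot: the added release-note paragraph has a typo, "substantialy improved" should read "substantially improved", and "on the user-side" should be "on the user side"; both are in the new `<para>` for `security.apparmor` in this hunk. Two smaller points on the same paragraph: the path shown as `<literal><nixpkgs/nixos/modules/profiles/hardened.nix></literal>` is rendered here with raw angle brackets, so please confirm the DocBook source writes them as `&lt;nixpkgs/nixos/modules/profiles/hardened.nix&gt;`, otherwise the XML will not parse; and since the note tells users to read the `security.apparmor.killUnconfinedConfinables` documentation before enabling the module, it would help to state in one clause what that option does (it is the part most likely to surprise someone who imports `hardened.nix` without reading further), rather than only pointing at it.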