nixos/apparmor: allow reloading profiles without losing confinement

Define ExecReload, otherwise reload implies stop followed by start, which leaves existing processes in unconfined state [1]. [1]: https://gitlab.com/apparmor/apparmor/wikis/AppArmorInSystemd
author: Joachim Fasting <joachifm@fastmail.fm> 2019-04-28 15:12:37 +0200
committer: Joachim Fasting <joachifm@fastmail.fm> 2019-04-28 17:38:12 +0200
commit: aa24c4e95b54acb8bcd526ee04afb5492808457c (patch)
tree: 46e634b3edc748f15835042430367fc063a8ce37 /nixos/modules/security
parent: f824dad19aa3605d0178a3121bfcba9bda8a4ddb (diff)
1 files changed, 3 insertions, 0 deletions
diff --git a/nixos/modules/security/apparmor.nix b/nixos/modules/security/apparmor.nix
index fdff85774a2f..4512a7a80f6d 100644
--- a/nixos/modules/security/apparmor.nix
+++ b/nixos/modules/security/apparmor.nix
@@ -48,6 +48,9 @@ in
          ExecStop = map (p:
            ''${pkgs.apparmor-parser}/bin/apparmor_parser -Rv "${p}"''
          ) cfg.profiles;
+         ExecReload = map (p:
+           ''${pkgs.apparmor-parser}/bin/apparmor_parser --reload ${paths} "${p}"''
+         ) cfg.profiles;
        };
      };
    };
author	Joachim Fasting <joachifm@fastmail.fm>	2019-04-28 15:12:37 +0200
committer	Joachim Fasting <joachifm@fastmail.fm>	2019-04-28 17:38:12 +0200
commit	aa24c4e95b54acb8bcd526ee04afb5492808457c (patch)
tree	46e634b3edc748f15835042430367fc063a8ce37 /nixos/modules/security
parent	f824dad19aa3605d0178a3121bfcba9bda8a4ddb (diff)