| author | Joachim Fasting <joachifm@fastmail.fm> | 2019-04-28 15:12:37 +0200 |
|---|---|---|
| committer | Joachim Fasting <joachifm@fastmail.fm> | 2019-04-28 17:38:12 +0200 |
| commit | aa24c4e95b54acb8bcd526ee04afb5492808457c | |
| tree | 46e634b3edc748f15835042430367fc063a8ce37 /nixos/modules | |
| parent | f824dad19aa3605d0178a3121bfcba9bda8a4ddb | |
nixos/apparmor: allow reloading profiles without losing confinement
Define ExecReload, otherwise reload implies stop followed by start, which
leaves existing processes in unconfined state [1].
[1]: https://gitlab.com/apparmor/apparmor/wikis/AppArmorInSystemd
Diffstat (limited to 'nixos/modules')
-rw-r--r-- | nixos/modules/security/apparmor.nix | 3 |
1 file changed, 3 insertions, 0 deletions
diff --git a/nixos/modules/security/apparmor.nix b/nixos/modules/security/apparmor.nix index fdff85774a2f..4512a7a80f6d 100644 --- a/nixos/modules/security/apparmor.nix +++ b/nixos/modules/security/apparmor.nix @@ -48,6 +48,9 @@ in ExecStop = map (p: ''${pkgs.apparmor-parser}/bin/apparmor_parser -Rv "${p}"'' ) cfg.profiles; + ExecReload = map (p: + ''${pkgs.apparmor-parser}/bin/apparmor_parser --reload ${paths} "${p}"'' + ) cfg.profiles; }; }; }; |
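Review bot: the new ExecReload has no counterpart to ExecStop's `-R`, so a profile dropped from `cfg.profiles` stays loaded in the kernel after `systemctl reload apparmor`; only the stop/start cycle this commit is trying to avoid actually unloads it. Worth stating in the commit message or in the option description that reload covers added and changed profiles but not removed ones, so nobody relies on a reload to revoke a profile. Minor: ExecStop passes `-v` but ExecReload does not; `apparmor_parser -rv ${paths} "${p}"` keeps the journal output consistent between the two (`-r`/`--replace` is the same operation as `--reload`).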
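The failure mode the commit message describes, existing processes left unconfined after the apparmor unit is stopped and started, can be checked directly from `/proc/<pid>/attr/current`, which holds each process's current AppArmor label. The script below is an added example and is not code from nixpkgs or from this commit: it snapshots every process's label before and after `systemctl reload apparmor` and lists the processes whose label went from a profile to `unconfined`. The snapshot line format, the `--check` flag and the file names are this script's own assumptions; the sample lines referred to in the usage note are constructed.

```shell
#!/bin/sh
# Added example (not part of nixpkgs or this commit): detect processes that lost
# AppArmor confinement across a reload of the apparmor unit.
set -eu

# snapshot: one "<pid> <label>" line per process, where <label> is the kernel's
# /proc/<pid>/attr/current text, e.g. "/usr/sbin/ntpd (enforce)" or "unconfined".
# Assumed format of this script only; the kernel just provides the label.
snapshot() {
  for p in /proc/[0-9]*; do
    [ -r "$p/attr/current" ] || continue
    printf '%s %s\n' "${p#/proc/}" "$(cat "$p/attr/current" 2>/dev/null || echo '?')"
  done
}

# lost_confinement BEFORE AFTER: compare two snapshot files and print
# "<pid> <old label>" for every pid that was confined before and is
# "unconfined" after. Labels may contain spaces, so everything after the
# first field is taken as the label. Exit status is 0 either way; the
# printed lines are the verdict.
lost_confinement() {
  awk '
    FILENAME == ARGV[1] { before[$1] = substr($0, length($1) + 2); next }
    {
      pid = $1; after = substr($0, length($1) + 2)
      if ((pid in before) && before[pid] != "unconfined" && after == "unconfined")
        print pid, before[pid]
    }
  ' "$1" "$2"
}

# Usage (root is needed to read attr/current of other users' processes):
#   ./aa-reload-check.sh --check
# Snapshots, reloads the unit, snapshots again and exits 1 if any process
# lost its profile. Without --check only the functions are defined, so the
# file can also be sourced.
if [ "${1:-}" = "--check" ]; then
  tmp=$(mktemp -d)
  trap 'rm -rf "$tmp"' EXIT
  snapshot > "$tmp/before"
  systemctl reload apparmor
  snapshot > "$tmp/after"
  lost=$(lost_confinement "$tmp/before" "$tmp/after")
  if [ -n "$lost" ]; then
    printf 'processes that lost confinement:\n%s\n' "$lost"
    exit 1
  fi
  echo "all previously confined processes are still confined"
fi
```

Run it once against a system where the unit is restarted instead of reloaded (for example before this commit) and once after: in the first case every process that was running under a profile shows up in the output, in the second the list is empty. A process that merely changed from one profile to another, or from `complain` to `enforce`, is deliberately not reported, since it is still confined.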