From aa24c4e95b54acb8bcd526ee04afb5492808457c Mon Sep 17 00:00:00 2001
From: Joachim Fasting
Date: Sun, 28 Apr 2019 15:12:37 +0200
Subject: nixos/apparmor: allow reloading profiles without losing confinement

Define ExecReload, otherwise reload implies stop followed by start, which leaves existing processes in unconfined state [1].

[1]: https://gitlab.com/apparmor/apparmor/wikis/AppArmorInSystemd
---
 nixos/modules/security/apparmor.nix | 3 +++
 1 file changed, 3 insertions(+)

(limited to 'nixos/modules/security')

diff --git a/nixos/modules/security/apparmor.nix b/nixos/modules/security/apparmor.nix
index fdff85774a2f..4512a7a80f6d 100644
--- a/nixos/modules/security/apparmor.nix
+++ b/nixos/modules/security/apparmor.nix
@@ -48,6 +48,9 @@ in
 ExecStop = map (p:
 ''${pkgs.apparmor-parser}/bin/apparmor_parser -Rv "${p}"''
 ) cfg.profiles;
+ ExecReload = map (p:
+ ''${pkgs.apparmor-parser}/bin/apparmor_parser --reload ${paths} "${p}"''
+ ) cfg.profiles;
 };
 };
 };
--
cgit v1.2.3
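Review bot: `--reload` on the new ExecReload command line is, as far as I recall, an undocumented alias of `-r`/`--replace` in apparmor_parser, while the neighbouring ExecStop line uses the documented short flags with `-v`; for consistency and so that a failed reload is visible in the journal I would write `''${pkgs.apparmor-parser}/bin/apparmor_parser -rv ${paths} "${p}"''`. ExecReload runs one command per profile and I believe systemd stops at the first failing command, so one profile that fails to parse leaves the later profiles un-reloaded; that is still safe for confinement because the previously loaded profile stays in the kernel, but it deserves a comment such as `# -r replaces each loaded profile in place, so confined processes never run unconfined during a reload`. `${paths}` is defined outside the hunk and presumably carries the include-directory arguments the ExecStart command also uses; the serviceConfig attribute set that these lines belong to begins before the hunk.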