etc: Add AppArmor profile for the guix command.

* etc/apparmor.d/guix: New file. * Makefile.am (nodist_apparmor_profile_DATA): Add it. Change-Id: I3d61238203d7663ce582717f8e4eac4c6f679928 Signed-off-by: Rutherther <rutherther@ditigal.xyz>
2026-04-06 21:20:33 +02:00 · 2025-12-15 01:03:36 +01:00
parent 587fd2dad4
commit 60782c20d4
2 changed files with 13 additions and 0 deletions
--- a/etc/apparmor.d/guix
+++ b/etc/apparmor.d/guix
@@ -0,0 +1,12 @@
+abi <abi/4.0>,
+
+include <tunables/global>
+include <tunables/guix>
+
+# There’s no point in confining the guix executable, since it can run
+# any user code and so everything is expected.  We just need to
+# explicitely enable userns for systems with the
+# kernel.apparmor_restrict_unprivileged_userns sysctl.
+profile guix @{guix_storedir}/{*-guix-command,*-guix-*/bin/guix} flags=(unconfined) {
+  userns,
+}