Merge branch 'feat/lsm-option' into expidus

RossComputerGuy · RossComputerGuy · commit 09e351ed7fa7 · 2025-04-07T22:05:24.000-07:00
diff --git a/nixos/modules/module-list.nix b/nixos/modules/module-list.nix
@@ -367,6 +367,7 @@
   ./security/auditd.nix
   ./security/ca.nix
   ./security/chromium-suid-sandbox.nix
+  ./security/default.nix
   ./security/dhparams.nix
   ./security/doas.nix
   ./security/duosec.nix
diff --git a/nixos/modules/security/apparmor.nix b/nixos/modules/security/apparmor.nix
@@ -200,10 +200,7 @@ in
           sed '1,/\[qualifiers\]/d' $footer >> $out
         '';
 
-    boot.kernelParams = [
-      "apparmor=1"
-      "security=apparmor"
-    ];
+    security.lsm = [ "apparmor" ];
 
     systemd.services.apparmor = {
       after = [
diff --git a/nixos/modules/security/default.nix b/nixos/modules/security/default.nix
@@ -0,0 +1,21 @@
+{ config, lib, ... }:
+let
+  cfg = config.security;
+in
+{
+  options = {
+    security.lsm = lib.mkOption {
+      type = lib.types.listOf lib.types.str;
+      default = [ ];
+      description = ''
+        A list of the LSMs to initialize.
+      '';
+    };
+  };
+
+  config = lib.mkIf (lib.lists.length cfg.lsm > 0) {
+    boot.kernelParams = [
+      "lsm=${lib.concatStringsSep "," cfg.lsm}"
+    ];
+  };
+}
