AppArmor profiles for SUID binaries. At this moment only for ping.

modules/module-list.nix

@@ -47,6 +47,7 @@
   ./programs/wvdial.nix
   ./rename.nix
   ./security/apparmor.nix
+  ./security/apparmor-suid.nix
   ./security/ca.nix
   ./security/pam.nix
   ./security/pam_usb.nix

modules/security/apparmor-suid.nix

@@ -0,0 +1,42 @@
+{pkgs, config, ...}:
+let
+  cfg = config.security.apparmor;
+in
+with pkgs.lib;
+{
+
+  options.security.apparmor.confineSUIDApplications = mkOption {
+    default = true;
+    description = ''
+      Install AppArmor profiles for commonly-used SUID application
+      to mitigate potential privilege escalation attacks due to bugs
+      in such applications.
+
+      Currently available profiles: ping
+    '';
+  };
+
+  config = mkIf (cfg.confineSUIDApplications) {
+    security.apparmor.profiles = [ (pkgs.writeText "ping" ''
+      #include <tunables/global>
+      /var/setuid-wrappers/ping {
+	#include <abstractions/base>
+	#include <abstractions/consoles>
+	#include <abstractions/nameservice>
+
+	capability net_raw,
+	capability setuid,
+	network inet raw,
+
+	${pkgs.glibc}/lib/*.so mr,
+	/var/setuid-wrappers/ping.real mixr,
+	${pkgs.iputils}/sbin/ping mixr,
+	#/etc/modules.conf r,
+
+	## Site-specific additions and overrides. See local/README for details.
+	##include <local/bin.ping>
+      }
+    '') ];
+  };
+
+}