commit 05d334cfe265f021b16c41375e3e5a4c4a07fc74 · pyrox.dev/nixpkgs

+1 -1

maintainers/maintainer-list.nix

···

       4937
       4937
        
           name = "Julien Dehos";

     

       4938
       4938
        
         };

     

       4939
       4939
        
         julm = {

     

       4940
       4940
       -
           email = "julm+nix@sourcephile.fr";

     

       4940
       4940
       +
           email = "julm+nixpkgs@sourcephile.fr";

     

       4941
       4941
        
           github = "ju1m";

     

       4942
       4942
        
           githubId = 21160136;

     

       4943
       4943
        
           name = "Julien Moutinho";

+18

nixos/doc/manual/release-notes/rl-2009.xml

···

       1515
       1515
        
          </listitem>

     

       1516
       1516
        
          <listitem>

     

       1517
       1517
        
           <para>

     

       1518
       1518
       +
            The <literal>security.apparmor</literal> module,

     

       1519
       1519
       +
            for the <link xlink:href="https://gitlab.com/apparmor/apparmor/-/wikis/Documentation">AppArmor</link>

     

       1520
       1520
       +
            Mandatory Access Control system,

     

       1521
       1521
       +
            has been substantialy improved along with related tools,

     

       1522
       1522
       +
            so that module maintainers can now more easily write AppArmor profiles for NixOS.

     

       1523
       1523
       +
            The most notable change on the user-side is the new option <xref linkend="opt-security.apparmor.policies"/>,

     

       1524
       1524
       +
            replacing the previous <literal>profiles</literal> option

     

       1525
       1525
       +
            to provide a way to disable a profile

     

       1526
       1526
       +
            and to select whether to confine in enforce mode (default)

     

       1527
       1527
       +
            or in complain mode (see <literal>journalctl -b --grep apparmor</literal>).

     

       1528
       1528
       +
            Before enabling this module, either directly

     

       1529
       1529
       +
            or by importing <literal>&lt;nixpkgs/nixos/modules/profiles/hardened.nix&gt;</literal>,

     

       1530
       1530
       +
            please be sure to read the documentation of <link linkend="opt-security.apparmor.enable">security.apparmor.enable</link>,

     

       1531
       1531
       +
            and especially the part about <xref linkend="opt-security.apparmor.killUnconfinedConfinables"/>.

     

       1532
       1532
       +
           </para>

     

       1533
       1533
       +
          </listitem>

     

       1534
       1534
       +
          <listitem>

     

       1535
       1535
       +
           <para>

     

       1518
       1536
        
            With this release <literal>systemd-networkd</literal> (when enabled through <xref linkend="opt-networking.useNetworkd"/>)

     

       1519
       1537
        
            has it's netlink socket created through a <literal>systemd.socket</literal> unit. This gives us control over

     

       1520
       1538
        
            socket buffer sizes and other parameters. For larger setups where networkd has to create a lot of (virtual)

+34

nixos/modules/config/fonts/fontconfig.nix

···

       448
       448
        
           (mkIf cfg.enable {

     

       449
       449
        
             environment.systemPackages    = [ pkgs.fontconfig ];

     

       450
       450
        
             environment.etc.fonts.source  = "${fontconfigEtc}/etc/fonts/";

     

       451
       451
       +
             security.apparmor.includes."abstractions/fonts" = ''

     

       452
       452
       +
               # fonts.conf

     

       453
       453
       +
               r ${pkg.out}/etc/fonts/fonts.conf,

     

       454
       454
       +
       

     

       455
       455
       +
               # fontconfig default config files

     

       456
       456
       +
               r ${pkg.out}/etc/fonts/conf.d/*.conf,

     

       457
       457
       +
       

     

       458
       458
       +
               # 00-nixos-cache.conf

     

       459
       459
       +
               r ${cacheConf},

     

       460
       460
       +
       

     

       461
       461
       +
               # 10-nixos-rendering.conf

     

       462
       462
       +
               r ${renderConf},

     

       463
       463
       +
       

     

       464
       464
       +
               # 50-user.conf

     

       465
       465
       +
               ${optionalString cfg.includeUserConf ''

     

       466
       466
       +
               r ${pkg.out}/etc/fonts/conf.d.bak/50-user.conf,

     

       467
       467
       +
               ''}

     

       468
       468
       +
       

     

       469
       469
       +
               # local.conf (indirect priority 51)

     

       470
       470
       +
               ${optionalString (cfg.localConf != "") ''

     

       471
       471
       +
               r ${localConf},

     

       472
       472
       +
               ''}

     

       473
       473
       +
       

     

       474
       474
       +
               # 52-nixos-default-fonts.conf

     

       475
       475
       +
               r ${defaultFontsConf},

     

       476
       476
       +
       

     

       477
       477
       +
               # 53-no-bitmaps.conf

     

       478
       478
       +
               r ${rejectBitmaps},

     

       479
       479
       +
       

     

       480
       480
       +
               ${optionalString (!cfg.allowType1) ''

     

       481
       481
       +
               # 53-nixos-reject-type1.conf

     

       482
       482
       +
               r ${rejectType1},

     

       483
       483
       +
               ''}

     

       484
       484
       +
             '';

     

       451
       485
        
           })

     

       452
       486
        
           (mkIf cfg.enable {

     

       453
       487
        
             fonts.fontconfig.confPackages = [ confPkg ];

nixos/modules/config/malloc.nix

···

       87
       87
        
           environment.etc."ld-nix.so.preload".text = ''

     

       88
       88
        
             ${providerLibPath}

     

       89
       89
        
           '';

     

       90
       90
       +
           security.apparmor.includes = {

     

       91
       91
       +
             "abstractions/base" = ''

     

       92
       92
       +
               r /etc/ld-nix.so.preload,

     

       93
       93
       +
               r ${config.environment.etc."ld-nix.so.preload".source},

     

       94
       94
       +
               mr ${providerLibPath},

     

       95
       95
       +
             '';

     

       96
       96
       +
           };

     

       90
       97
        
         };

     

       91
       98
        
       }

-1

nixos/modules/module-list.nix

···

       205
       205
        
         ./rename.nix

     

       206
       206
        
         ./security/acme.nix

     

       207
       207
        
         ./security/apparmor.nix

     

       208
       208
       -
         ./security/apparmor-suid.nix

     

       209
       208
        
         ./security/audit.nix

     

       210
       209
        
         ./security/auditd.nix

     

       211
       210
        
         ./security/ca.nix

-49

nixos/modules/security/apparmor-suid.nix

···

       1
       1
       -
       { config, lib, pkgs, ... }:

     

       2
       2
       -
       let

     

       3
       3
       -
         cfg = config.security.apparmor;

     

       4
       4
       -
       in

     

       5
       5
       -
       with lib;

     

       6
       6
       -
       {

     

       7
       7
       -
         imports = [

     

       8
       8
       -
           (mkRenamedOptionModule [ "security" "virtualization" "flushL1DataCache" ] [ "security" "virtualisation" "flushL1DataCache" ])

     

       9
       9
       -
         ];

     

       10
       10
       -
       

     

       11
       11
       -
         options.security.apparmor.confineSUIDApplications = mkOption {

     

       12
       12
       -
           type = types.bool;

     

       13
       13
       -
           default = true;

     

       14
       14
       -
           description = ''

     

       15
       15
       -
             Install AppArmor profiles for commonly-used SUID application

     

       16
       16
       -
             to mitigate potential privilege escalation attacks due to bugs

     

       17
       17
       -
             in such applications.

     

       18
       18
       -
       

     

       19
       19
       -
             Currently available profiles: ping

     

       20
       20
       -
           '';

     

       21
       21
       -
         };

     

       22
       22
       -
       

     

       23
       23
       -
         config = mkIf (cfg.confineSUIDApplications) {

     

       24
       24
       -
           security.apparmor.profiles = [ (pkgs.writeText "ping" ''

     

       25
       25
       -
             #include <tunables/global>

     

       26
       26
       -
             /run/wrappers/bin/ping {

     

       27
       27
       -
               #include <abstractions/base>

     

       28
       28
       -
               #include <abstractions/consoles>

     

       29
       29
       -
               #include <abstractions/nameservice>

     

       30
       30
       -
       

     

       31
       31
       -
               capability net_raw,

     

       32
       32
       -
               capability setuid,

     

       33
       33
       -
               network inet raw,

     

       34
       34
       -
       

     

       35
       35
       -
               ${pkgs.stdenv.cc.libc.out}/lib/*.so mr,

     

       36
       36
       -
               ${pkgs.libcap.lib}/lib/libcap.so* mr,

     

       37
       37
       -
               ${pkgs.attr.out}/lib/libattr.so* mr,

     

       38
       38
       -
       

     

       39
       39
       -
               ${pkgs.iputils}/bin/ping mixr,

     

       40
       40
       -
       

     

       41
       41
       -
               #/etc/modules.conf r,

     

       42
       42
       -
       

     

       43
       43
       -
               ## Site-specific additions and overrides. See local/README for details.

     

       44
       44
       -
               ##include <local/bin.ping>

     

       45
       45
       -
             }

     

       46
       46
       -
           '') ];

     

       47
       47
       -
         };

     

       48
       48
       -
       

     

       49
       49
       -
       }

+187 -48

nixos/modules/security/apparmor.nix

···

       1
       1
        
       { config, lib, pkgs, ... }:

     

       2
       2
        
       

     

       3
       3
        
       let

     

       4
       4
       -
         inherit (lib) mkIf mkOption types concatMapStrings;

     

       4
       4
       +
         inherit (builtins) attrNames head map match readFile;

     

       5
       5
       +
         inherit (lib) types;

     

       6
       6
       +
         inherit (config.environment) etc;

     

       5
       7
        
         cfg = config.security.apparmor;

     

       8
       8
       +
         mkDisableOption = name: lib.mkEnableOption name // {

     

       9
       9
       +
           default = true;

     

       10
       10
       +
           example = false;

     

       11
       11
       +
         };

     

       12
       12
       +
         enabledPolicies = lib.filterAttrs (n: p: p.enable) cfg.policies;

     

       6
       13
        
       in

     

       7
       14
        
       

     

       8
       15
        
       {

     

       9
       9
       -
          options = {

     

       10
       10
       -
            security.apparmor = {

     

       11
       11
       -
              enable = mkOption {

     

       12
       12
       -
                type = types.bool;

     

       13
       13
       -
                default = false;

     

       14
       14
       -
                description = "Enable the AppArmor Mandatory Access Control system.";

     

       15
       15
       -
              };

     

       16
       16
       -
              profiles = mkOption {

     

       17
       17
       -
                type = types.listOf types.path;

     

       18
       18
       -
                default = [];

     

       19
       19
       -
                description = "List of files containing AppArmor profiles.";

     

       20
       20
       -
              };

     

       21
       21
       -
              packages = mkOption {

     

       22
       22
       -
                type = types.listOf types.package;

     

       23
       23
       -
                default = [];

     

       24
       24
       -
                description = "List of packages to be added to apparmor's include path";

     

       25
       25
       -
              };

     

       26
       26
       -
            };

     

       27
       27
       -
          };

     

       16
       16
       +
         imports = [

     

       17
       17
       +
           (lib.mkRenamedOptionModule [ "security" "virtualization" "flushL1DataCache" ] [ "security" "virtualisation" "flushL1DataCache" ])

     

       18
       18
       +
           (lib.mkRemovedOptionModule [ "security" "apparmor" "confineSUIDApplications" ] "Please use the new options: `security.apparmor.policies.<policy>.enable'.")

     

       19
       19
       +
           (lib.mkRemovedOptionModule [ "security" "apparmor" "profiles" ] "Please use the new option: `security.apparmor.policies'.")

     

       20
       20
       +
           apparmor/includes.nix

     

       21
       21
       +
           apparmor/profiles.nix

     

       22
       22
       +
         ];

     

       23
       23
       +
       

     

       24
       24
       +
         options = {

     

       25
       25
       +
           security.apparmor = {

     

       26
       26
       +
             enable = lib.mkEnableOption ''the AppArmor Mandatory Access Control system.

     

       27
       27
       +
       

     

       28
       28
       +
               If you're enabling this module on a running system,

     

       29
       29
       +
               note that a reboot will be required to activate AppArmor in the kernel.

     

       30
       30
       +
       

     

       31
       31
       +
               Also, beware that enabling this module will by default

     

       32
       32
       +
               try to kill unconfined but confinable running processes,

     

       33
       33
       +
               in order to obtain a confinement matching what is declared in the NixOS configuration.

     

       34
       34
       +
               This will happen when upgrading to a NixOS revision

     

       35
       35
       +
               introducing an AppArmor profile for the executable of a running process.

     

       36
       36
       +
               This is because enabling an AppArmor profile for an executable

     

       37
       37
       +
               can only confine new or already confined processes of that executable,

     

       38
       38
       +
               but leaves already running processes unconfined.

     

       39
       39
       +
               Set <link linkend="opt-security.apparmor.killUnconfinedConfinables">killUnconfinedConfinables</link>

     

       40
       40
       +
               to <literal>false</literal> if you prefer to leave those processes running'';

     

       41
       41
       +
             policies = lib.mkOption {

     

       42
       42
       +
               description = ''

     

       43
       43
       +
                 AppArmor policies.

     

       44
       44
       +
               '';

     

       45
       45
       +
               type = types.attrsOf (types.submodule ({ name, config, ... }: {

     

       46
       46
       +
                 options = {

     

       47
       47
       +
                   enable = mkDisableOption "loading of the profile into the kernel";

     

       48
       48
       +
                   enforce = mkDisableOption "enforcing of the policy or only complain in the logs";

     

       49
       49
       +
                   profile = lib.mkOption {

     

       50
       50
       +
                     description = "The policy of the profile.";

     

       51
       51
       +
                     type = types.lines;

     

       52
       52
       +
                     apply = pkgs.writeText name;

     

       53
       53
       +
                   };

     

       54
       54
       +
                 };

     

       55
       55
       +
               }));

     

       56
       56
       +
               default = {};

     

       57
       57
       +
             };

     

       58
       58
       +
             includes = lib.mkOption {

     

       59
       59
       +
               type = types.attrsOf types.lines;

     

       60
       60
       +
               default = {};

     

       61
       61
       +
               description = ''

     

       62
       62
       +
                 List of paths to be added to AppArmor's searched paths

     

       63
       63
       +
                 when resolving <literal>include</literal> directives.

     

       64
       64
       +
               '';

     

       65
       65
       +
               apply = lib.mapAttrs pkgs.writeText;

     

       66
       66
       +
             };

     

       67
       67
       +
             packages = lib.mkOption {

     

       68
       68
       +
               type = types.listOf types.package;

     

       69
       69
       +
               default = [];

     

       70
       70
       +
               description = "List of packages to be added to AppArmor's include path";

     

       71
       71
       +
             };

     

       72
       72
       +
             enableCache = lib.mkEnableOption ''caching of AppArmor policies

     

       73
       73
       +
               in <literal>/var/cache/apparmor/</literal>.

     

       74
       74
       +
       

     

       75
       75
       +
               Beware that AppArmor policies almost always contain Nix store paths,

     

       76
       76
       +
               and thus produce at each change of these paths

     

       77
       77
       +
               a new cached version accumulating in the cache'';

     

       78
       78
       +
             killUnconfinedConfinables = mkDisableOption ''killing of processes

     

       79
       79
       +
               which have an AppArmor profile enabled

     

       80
       80
       +
               (in <link linkend="opt-security.apparmor.policies">policies</link>)

     

       81
       81
       +
               but are not confined (because AppArmor can only confine new processes).

     

       82
       82
       +
               Beware that due to a current limitation of AppArmor,

     

       83
       83
       +
               only profiles with exact paths (and no name) can enable such kills'';

     

       84
       84
       +
           };

     

       85
       85
       +
         };

     

       86
       86
       +
       

     

       87
       87
       +
         config = lib.mkIf cfg.enable {

     

       88
       88
       +
           assertions = map (policy:

     

       89
       89
       +
             { assertion = match ".*/.*" policy == null;

     

       90
       90
       +
               message = "`security.apparmor.policies.\"${policy}\"' must not contain a slash.";

     

       91
       91
       +
               # Because, for instance, aa-remove-unknown uses profiles_names_list() in rc.apparmor.functions

     

       92
       92
       +
               # which does not recurse into sub-directories.

     

       93
       93
       +
             }

     

       94
       94
       +
           ) (attrNames cfg.policies);

     

       95
       95
       +
       

     

       96
       96
       +
           environment.systemPackages = [ pkgs.apparmor-utils ];

     

       97
       97
       +
           environment.etc."apparmor.d".source = pkgs.linkFarm "apparmor.d" (

     

       98
       98
       +
             # It's important to put only enabledPolicies here and not all cfg.policies

     

       99
       99
       +
             # because aa-remove-unknown reads profiles from all /etc/apparmor.d/*

     

       100
       100
       +
             lib.mapAttrsToList (name: p: {inherit name; path=p.profile;}) enabledPolicies ++

     

       101
       101
       +
             lib.mapAttrsToList (name: path: {inherit name path;}) cfg.includes

     

       102
       102
       +
           );

     

       103
       103
       +
           environment.etc."apparmor/parser.conf".text = ''

     

       104
       104
       +
             ${if cfg.enableCache then "write-cache" else "skip-cache"}

     

       105
       105
       +
             cache-loc /var/cache/apparmor

     

       106
       106
       +
             Include /etc/apparmor.d

     

       107
       107
       +
           '' +

     

       108
       108
       +
           lib.concatMapStrings (p: "Include ${p}/etc/apparmor.d\n") cfg.packages;

     

       109
       109
       +
           # For aa-logprof

     

       110
       110
       +
           environment.etc."apparmor/apparmor.conf".text = ''

     

       111
       111
       +
           '';

     

       112
       112
       +
           # For aa-logprof

     

       113
       113
       +
           environment.etc."apparmor/severity.db".source = pkgs.apparmor-utils + "/etc/apparmor/severity.db";

     

       114
       114
       +
           environment.etc."apparmor/logprof.conf".text = ''

     

       115
       115
       +
             [settings]

     

       116
       116
       +
               # /etc/apparmor.d/ is read-only on NixOS

     

       117
       117
       +
               profiledir = /var/cache/apparmor/logprof

     

       118
       118
       +
               inactive_profiledir = /etc/apparmor.d/disable

     

       119
       119
       +
               # Use: journalctl -b --since today --grep audit: | aa-logprof

     

       120
       120
       +
               logfiles = /dev/stdin

     

       121
       121
       +
       

     

       122
       122
       +
               parser = ${pkgs.apparmor-parser}/bin/apparmor_parser

     

       123
       123
       +
               ldd = ${pkgs.glibc.bin}/bin/ldd

     

       124
       124
       +
               logger = ${pkgs.utillinux}/bin/logger

     

       125
       125
       +
       

     

       126
       126
       +
               # customize how file ownership permissions are presented

     

       127
       127
       +
               # 0 - off

     

       128
       128
       +
               # 1 - default of what ever mode the log reported

     

       129
       129
       +
               # 2 - force the new permissions to be user

     

       130
       130
       +
               # 3 - force all perms on the rule to be user

     

       131
       131
       +
               default_owner_prompt = 1

     

       132
       132
       +
       

     

       133
       133
       +
               custom_includes = /etc/apparmor.d ${lib.concatMapStringsSep " " (p: "${p}/etc/apparmor.d") cfg.packages}

     

       134
       134
       +
       

     

       135
       135
       +
             [qualifiers]

     

       136
       136
       +
               ${pkgs.runtimeShell} = icnu

     

       137
       137
       +
               ${pkgs.bashInteractive}/bin/sh = icnu

     

       138
       138
       +
               ${pkgs.bashInteractive}/bin/bash = icnu

     

       139
       139
       +
           '' + head (match "^.*\\[qualifiers](.*)" # Drop the original [settings] section.

     

       140
       140
       +
                            (readFile "${pkgs.apparmor-utils}/etc/apparmor/logprof.conf"));

     

       28
       141
        
       

     

       29
       29
       -
          config = mkIf cfg.enable {

     

       30
       30
       -
            environment.systemPackages = [ pkgs.apparmor-utils ];

     

       142
       142
       +
           boot.kernelParams = [ "apparmor=1" "security=apparmor" ];

     

       31
       143
        
       

     

       32
       32
       -
            boot.kernelParams = [ "apparmor=1" "security=apparmor" ];

     

       144
       144
       +
           systemd.services.apparmor = {

     

       145
       145
       +
             after = [

     

       146
       146
       +
               "local-fs.target"

     

       147
       147
       +
               "systemd-journald-audit.socket"

     

       148
       148
       +
             ];

     

       149
       149
       +
             before = [ "sysinit.target" ];

     

       150
       150
       +
             wantedBy = [ "multi-user.target" ];

     

       151
       151
       +
             unitConfig = {

     

       152
       152
       +
               Description="Load AppArmor policies";

     

       153
       153
       +
               DefaultDependencies = "no";

     

       154
       154
       +
               ConditionSecurity = "apparmor";

     

       155
       155
       +
             };

     

       156
       156
       +
             # Reloading instead of restarting enables to load new AppArmor profiles

     

       157
       157
       +
             # without necessarily restarting all services which have Requires=apparmor.service

     

       158
       158
       +
             reloadIfChanged = true;

     

       159
       159
       +
             restartTriggers = [

     

       160
       160
       +
               etc."apparmor/parser.conf".source

     

       161
       161
       +
               etc."apparmor.d".source

     

       162
       162
       +
             ];

     

       163
       163
       +
             serviceConfig = let

     

       164
       164
       +
               killUnconfinedConfinables = pkgs.writeShellScript "apparmor-kill" ''

     

       165
       165
       +
                 set -eu

     

       166
       166
       +
                 ${pkgs.apparmor-utils}/bin/aa-status --json |

     

       167
       167
       +
                 ${pkgs.jq}/bin/jq --raw-output '.processes | .[] | .[] | select (.status == "unconfined") | .pid' |

     

       168
       168
       +
                 xargs --verbose --no-run-if-empty --delimiter='\n' \

     

       169
       169
       +
                 kill

     

       170
       170
       +
               '';

     

       171
       171
       +
               commonOpts = p: "--verbose --show-cache ${lib.optionalString (!p.enforce) "--complain "}${p.profile}";

     

       172
       172
       +
               in {

     

       173
       173
       +
               Type = "oneshot";

     

       174
       174
       +
               RemainAfterExit = "yes";

     

       175
       175
       +
               ExecStartPre = "${pkgs.apparmor-utils}/bin/aa-teardown";

     

       176
       176
       +
               ExecStart = lib.mapAttrsToList (n: p: "${pkgs.apparmor-parser}/bin/apparmor_parser --add ${commonOpts p}") enabledPolicies;

     

       177
       177
       +
               ExecStartPost = lib.optional cfg.killUnconfinedConfinables killUnconfinedConfinables;

     

       178
       178
       +
               ExecReload =

     

       179
       179
       +
                 # Add or replace into the kernel profiles in enabledPolicies

     

       180
       180
       +
                 # (because AppArmor can do that without stopping the processes already confined).

     

       181
       181
       +
                 lib.mapAttrsToList (n: p: "${pkgs.apparmor-parser}/bin/apparmor_parser --replace ${commonOpts p}") enabledPolicies ++

     

       182
       182
       +
                 # Remove from the kernel any profile whose name is not

     

       183
       183
       +
                 # one of the names within the content of the profiles in enabledPolicies

     

       184
       184
       +
                 # (indirectly read from /etc/apparmor.d/*, without recursing into sub-directory).

     

       185
       185
       +
                 # Note that this does not remove profiles dynamically generated by libvirt.

     

       186
       186
       +
                 [ "${pkgs.apparmor-utils}/bin/aa-remove-unknown" ] ++

     

       187
       187
       +
                 # Optionaly kill the processes which are unconfined but now have a profile loaded

     

       188
       188
       +
                 # (because AppArmor can only start to confine new processes).

     

       189
       189
       +
                 lib.optional cfg.killUnconfinedConfinables killUnconfinedConfinables;

     

       190
       190
       +
               ExecStop = "${pkgs.apparmor-utils}/bin/aa-teardown";

     

       191
       191
       +
               CacheDirectory = [ "apparmor" "apparmor/logprof" ];

     

       192
       192
       +
               CacheDirectoryMode = "0700";

     

       193
       193
       +
             };

     

       194
       194
       +
           };

     

       195
       195
       +
         };

     

       33
       196
        
       

     

       34
       34
       -
            systemd.services.apparmor = let

     

       35
       35
       -
              paths = concatMapStrings (s: " -I ${s}/etc/apparmor.d")

     

       36
       36
       -
                ([ pkgs.apparmor-profiles ] ++ cfg.packages);

     

       37
       37
       -
            in {

     

       38
       38
       -
              after = [ "local-fs.target" ];

     

       39
       39
       -
              before = [ "sysinit.target" ];

     

       40
       40
       -
              wantedBy = [ "multi-user.target" ];

     

       41
       41
       -
              unitConfig = {

     

       42
       42
       -
                DefaultDependencies = "no";

     

       43
       43
       -
              };

     

       44
       44
       -
              serviceConfig = {

     

       45
       45
       -
                Type = "oneshot";

     

       46
       46
       -
                RemainAfterExit = "yes";

     

       47
       47
       -
                ExecStart = map (p:

     

       48
       48
       -
                  ''${pkgs.apparmor-parser}/bin/apparmor_parser -rKv ${paths} "${p}"''

     

       49
       49
       -
                ) cfg.profiles;

     

       50
       50
       -
                ExecStop = map (p:

     

       51
       51
       -
                  ''${pkgs.apparmor-parser}/bin/apparmor_parser -Rv "${p}"''

     

       52
       52
       -
                ) cfg.profiles;

     

       53
       53
       -
                ExecReload = map (p:

     

       54
       54
       -
                  ''${pkgs.apparmor-parser}/bin/apparmor_parser --reload ${paths} "${p}"''

     

       55
       55
       -
                ) cfg.profiles;

     

       56
       56
       -
              };

     

       57
       57
       -
            };

     

       58
       58
       -
          };

     

       197
       197
       +
         meta.maintainers = with lib.maintainers; [ julm ];

     

       59
       198
        
       }

+301

nixos/modules/security/apparmor/includes.nix

···

       1
       1
       +
       { config, lib, pkgs, ... }:

     

       2
       2
       +
       let

     

       3
       3
       +
         inherit (builtins) attrNames hasAttr isAttrs;

     

       4
       4
       +
         inherit (lib) getLib;

     

       5
       5
       +
         inherit (config.environment) etc;

     

       6
       6
       +
         etcRule = arg:

     

       7
       7
       +
           let go = {path ? null, mode ? "r", trail ? ""}:

     

       8
       8
       +
             lib.optionalString (hasAttr path etc)

     

       9
       9
       +
               "${mode} ${config.environment.etc.${path}.source}${trail},";

     

       10
       10
       +
           in if isAttrs arg

     

       11
       11
       +
           then go arg

     

       12
       12
       +
           else go {path=arg;};

     

       13
       13
       +
       in

     

       14
       14
       +
       {

     

       15
       15
       +
       # FIXME: most of the etcRule calls below have been

     

       16
       16
       +
       # written systematically by converting from apparmor-profiles's profiles

     

       17
       17
       +
       # without testing nor deep understanding of their uses,

     

       18
       18
       +
       # and thus may need more rules or can have less rules;

     

       19
       19
       +
       # this remains to be determined case by case,

     

       20
       20
       +
       # some may even be completely useless.

     

       21
       21
       +
       config.security.apparmor.includes = {

     

       22
       22
       +
         # This one is included by <tunables/global>

     

       23
       23
       +
         # which is usualy included before any profile.

     

       24
       24
       +
         "abstractions/tunables/alias" = ''

     

       25
       25
       +
           alias /bin -> /run/current-system/sw/bin,

     

       26
       26
       +
           alias /lib/modules -> /run/current-system/kernel/lib/modules,

     

       27
       27
       +
           alias /sbin -> /run/current-system/sw/sbin,

     

       28
       28
       +
           alias /usr -> /run/current-system/sw,

     

       29
       29
       +
         '';

     

       30
       30
       +
         "abstractions/audio" = ''

     

       31
       31
       +
           include "${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/audio"

     

       32
       32
       +
           ${etcRule "asound.conf"}

     

       33
       33
       +
           ${etcRule "esound/esd.conf"}

     

       34
       34
       +
           ${etcRule "libao.conf"}

     

       35
       35
       +
           ${etcRule {path="pulse"; trail="/";}}

     

       36
       36
       +
           ${etcRule {path="pulse"; trail="/**";}}

     

       37
       37
       +
           ${etcRule {path="sound"; trail="/";}}

     

       38
       38
       +
           ${etcRule {path="sound"; trail="/**";}}

     

       39
       39
       +
           ${etcRule {path="alsa/conf.d"; trail="/";}}

     

       40
       40
       +
           ${etcRule {path="alsa/conf.d"; trail="/*";}}

     

       41
       41
       +
           ${etcRule "openal/alsoft.conf"}

     

       42
       42
       +
           ${etcRule "wildmidi/wildmidi.conf"}

     

       43
       43
       +
         '';

     

       44
       44
       +
         "abstractions/authentication" = ''

     

       45
       45
       +
           include "${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/authentication"

     

       46
       46
       +
           # Defined in security.pam

     

       47
       47
       +
           include <abstractions/pam>

     

       48
       48
       +
           ${etcRule "nologin"}

     

       49
       49
       +
           ${etcRule "securetty"}

     

       50
       50
       +
           ${etcRule {path="security"; trail="/*";}}

     

       51
       51
       +
           ${etcRule "shadow"}

     

       52
       52
       +
           ${etcRule "gshadow"}

     

       53
       53
       +
           ${etcRule "pwdb.conf"}

     

       54
       54
       +
           ${etcRule "default/passwd"}

     

       55
       55
       +
           ${etcRule "login.defs"}

     

       56
       56
       +
         '';

     

       57
       57
       +
         "abstractions/base" = ''

     

       58
       58
       +
            include "${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/base"

     

       59
       59
       +
            r ${pkgs.stdenv.cc.libc}/share/locale/**,

     

       60
       60
       +
            r ${pkgs.stdenv.cc.libc}/share/locale.alias,

     

       61
       61
       +
            ${lib.optionalString (pkgs.glibcLocales != null) "r ${pkgs.glibcLocales}/lib/locale/locale-archive,"}

     

       62
       62
       +
            ${etcRule "localtime"}

     

       63
       63
       +
            r ${pkgs.tzdata}/share/zoneinfo/**,

     

       64
       64
       +
            r ${pkgs.stdenv.cc.libc}/share/i18n/**,

     

       65
       65
       +
         '';

     

       66
       66
       +
         "abstractions/bash" = ''

     

       67
       67
       +
           include "${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/bash"

     

       68
       68
       +
           # system-wide bash configuration

     

       69
       69
       +
           ${etcRule "profile.dos"}

     

       70
       70
       +
           ${etcRule "profile"}

     

       71
       71
       +
           ${etcRule "profile.d"}

     

       72
       72
       +
           ${etcRule {path="profile.d"; trail="/*";}}

     

       73
       73
       +
           ${etcRule "bashrc"}

     

       74
       74
       +
           ${etcRule "bash.bashrc"}

     

       75
       75
       +
           ${etcRule "bash.bashrc.local"}

     

       76
       76
       +
           ${etcRule "bash_completion"}

     

       77
       77
       +
           ${etcRule "bash_completion.d"}

     

       78
       78
       +
           ${etcRule {path="bash_completion.d"; trail="/*";}}

     

       79
       79
       +
           # bash relies on system-wide readline configuration

     

       80
       80
       +
           ${etcRule "inputrc"}

     

       81
       81
       +
           # bash inspects filesystems at startup

     

       82
       82
       +
           # and /etc/mtab is linked to /proc/mounts

     

       83
       83
       +
           @{PROC}/mounts

     

       84
       84
       +
       

     

       85
       85
       +
           # run out of /etc/bash.bashrc

     

       86
       86
       +
           ${etcRule "DIR_COLORS"}

     

       87
       87
       +
         '';

     

       88
       88
       +
         "abstractions/cups-client" = ''

     

       89
       89
       +
           include "${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/cpus-client"

     

       90
       90
       +
           ${etcRule "cups/cups-client.conf"}

     

       91
       91
       +
         '';

     

       92
       92
       +
         "abstractions/consoles" = ''

     

       93
       93
       +
            include "${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/consoles"

     

       94
       94
       +
         '';

     

       95
       95
       +
         "abstractions/dbus-session-strict" = ''

     

       96
       96
       +
           include "${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/dbus-session-strict"

     

       97
       97
       +
           ${etcRule "machine-id"}

     

       98
       98
       +
         '';

     

       99
       99
       +
         "abstractions/dconf" = ''

     

       100
       100
       +
           include "${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/dconf"

     

       101
       101
       +
           ${etcRule {path="dconf"; trail="/**";}}

     

       102
       102
       +
         '';

     

       103
       103
       +
         "abstractions/dri-common" = ''

     

       104
       104
       +
           include "${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/dri-common"

     

       105
       105
       +
           ${etcRule "drirc"}

     

       106
       106
       +
         '';

     

       107
       107
       +
         # The config.fonts.fontconfig NixOS module adds many files to /etc/fonts/

     

       108
       108
       +
         # by symlinking them but without exporting them outside of its NixOS module,

     

       109
       109
       +
         # those are therefore added there to this "abstractions/fonts".

     

       110
       110
       +
         "abstractions/fonts" = ''

     

       111
       111
       +
           include "${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/fonts"

     

       112
       112
       +
           ${etcRule {path="fonts"; trail="/**";}}

     

       113
       113
       +
         '';

     

       114
       114
       +
         "abstractions/gnome" = ''

     

       115
       115
       +
           include "${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/gnome"

     

       116
       116
       +
           ${etcRule {path="gnome"; trail="/gtkrc*";}}

     

       117
       117
       +
           ${etcRule {path="gtk"; trail="/*";}}

     

       118
       118
       +
           ${etcRule {path="gtk-2.0"; trail="/*";}}

     

       119
       119
       +
           ${etcRule {path="gtk-3.0"; trail="/*";}}

     

       120
       120
       +
           ${etcRule "orbitrc"}

     

       121
       121
       +
           include <abstractions/fonts>

     

       122
       122
       +
           ${etcRule {path="pango"; trail="/*";}}

     

       123
       123
       +
           ${etcRule {path="/etc/gnome-vfs-2.0"; trail="/modules/";}}

     

       124
       124
       +
           ${etcRule {path="/etc/gnome-vfs-2.0"; trail="/modules/*";}}

     

       125
       125
       +
           ${etcRule "papersize"}

     

       126
       126
       +
           ${etcRule {path="cups"; trail="/lpoptions";}}

     

       127
       127
       +
           ${etcRule {path="gnome"; trail="/defaults.list";}}

     

       128
       128
       +
           ${etcRule {path="xdg"; trail="/{,*-}mimeapps.list";}}

     

       129
       129
       +
           ${etcRule "xdg/mimeapps.list"}

     

       130
       130
       +
         '';

     

       131
       131
       +
         "abstractions/kde" = ''

     

       132
       132
       +
           include "${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/kde"

     

       133
       133
       +
           ${etcRule {path="qt3"; trail="/kstylerc";}}

     

       134
       134
       +
           ${etcRule {path="qt3"; trail="/qt_plugins_3.3rc";}}

     

       135
       135
       +
           ${etcRule {path="qt3"; trail="/qtrc";}}

     

       136
       136
       +
           ${etcRule "kderc"}

     

       137
       137
       +
           ${etcRule {path="kde3"; trail="/*";}}

     

       138
       138
       +
           ${etcRule "kde4rc"}

     

       139
       139
       +
           ${etcRule {path="xdg"; trail="/kdeglobals";}}

     

       140
       140
       +
           ${etcRule {path="xdg"; trail="/Trolltech.conf";}}

     

       141
       141
       +
         '';

     

       142
       142
       +
         "abstractions/kerberosclient" = ''

     

       143
       143
       +
           include "${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/kerberosclient"

     

       144
       144
       +
           ${etcRule {path="krb5.keytab"; mode="rk";}}

     

       145
       145
       +
           ${etcRule "krb5.conf"}

     

       146
       146
       +
           ${etcRule "krb5.conf.d"}

     

       147
       147
       +
           ${etcRule {path="krb5.conf.d"; trail="/*";}}

     

       148
       148
       +
       

     

       149
       149
       +
           # config files found via strings on libs

     

       150
       150
       +
           ${etcRule "krb.conf"}

     

       151
       151
       +
           ${etcRule "krb.realms"}

     

       152
       152
       +
           ${etcRule "srvtab"}

     

       153
       153
       +
         '';

     

       154
       154
       +
         "abstractions/ldapclient" = ''

     

       155
       155
       +
           include "${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/ldapclient"

     

       156
       156
       +
           ${etcRule "ldap.conf"}

     

       157
       157
       +
           ${etcRule "ldap.secret"}

     

       158
       158
       +
           ${etcRule {path="openldap"; trail="/*";}}

     

       159
       159
       +
           ${etcRule {path="openldap"; trail="/cacerts/*";}}

     

       160
       160
       +
           ${etcRule {path="sasl2"; trail="/*";}}

     

       161
       161
       +
         '';

     

       162
       162
       +
         "abstractions/likewise" = ''

     

       163
       163
       +
           include "${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/likewise"

     

       164
       164
       +
         '';

     

       165
       165
       +
         "abstractions/mdns" = ''

     

       166
       166
       +
           include "${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/mdns"

     

       167
       167
       +
            ${etcRule "nss_mdns.conf"}

     

       168
       168
       +
         '';

     

       169
       169
       +
         "abstractions/nameservice" = ''

     

       170
       170
       +
           include "${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/nameservice"

     

       171
       171
       +
       

     

       172
       172
       +
           # Many programs wish to perform nameservice-like operations, such as

     

       173
       173
       +
           # looking up users by name or id, groups by name or id, hosts by name

     

       174
       174
       +
           # or IP, etc. These operations may be performed through files, dns,

     

       175
       175
       +
           # NIS, NIS+, LDAP, hesiod, wins, etc. Allow them all here.

     

       176
       176
       +
           ${etcRule "group"}

     

       177
       177
       +
           ${etcRule "host.conf"}

     

       178
       178
       +
           ${etcRule "hosts"}

     

       179
       179
       +
           ${etcRule "nsswitch.conf"}

     

       180
       180
       +
           ${etcRule "gai.conf"}

     

       181
       181
       +
           ${etcRule "passwd"}

     

       182
       182
       +
           ${etcRule "protocols"}

     

       183
       183
       +
       

     

       184
       184
       +
           # libtirpc (used for NIS/YP login) needs this

     

       185
       185
       +
           ${etcRule "netconfig"}

     

       186
       186
       +
       

     

       187
       187
       +
           ${etcRule "resolv.conf"}

     

       188
       188
       +
       

     

       189
       189
       +
           ${etcRule {path="samba"; trail="/lmhosts";}}

     

       190
       190
       +
           ${etcRule "services"}

     

       191
       191
       +
       

     

       192
       192
       +
           ${etcRule "default/nss"}

     

       193
       193
       +
       

     

       194
       194
       +
           # libnl-3-200 via libnss-gw-name

     

       195
       195
       +
           ${etcRule {path="libnl"; trail="/classid";}}

     

       196
       196
       +
           ${etcRule {path="libnl-3"; trail="/classid";}}

     

       197
       197
       +
       

     

       198
       198
       +
           mr ${getLib pkgs.nss}/lib/libnss_*.so*,

     

       199
       199
       +
           mr ${getLib pkgs.nss}/lib64/libnss_*.so*,

     

       200
       200
       +
         '';

     

       201
       201
       +
         "abstractions/nis" = ''

     

       202
       202
       +
           include "${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/nis"

     

       203
       203
       +
         '';

     

       204
       204
       +
         "abstractions/nvidia" = ''

     

       205
       205
       +
           include "${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/nvidia"

     

       206
       206
       +
           ${etcRule "vdpau_wrapper.cfg"}

     

       207
       207
       +
         '';

     

       208
       208
       +
         "abstractions/opencl-common" = ''

     

       209
       209
       +
           include "${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/opencl-common"

     

       210
       210
       +
           ${etcRule {path="OpenCL"; trail="/**";}}

     

       211
       211
       +
         '';

     

       212
       212
       +
         "abstractions/opencl-mesa" = ''

     

       213
       213
       +
           include "${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/opencl-mesa"

     

       214
       214
       +
           ${etcRule "default/drirc"}

     

       215
       215
       +
         '';

     

       216
       216
       +
         "abstractions/openssl" = ''

     

       217
       217
       +
           include "${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/openssl"

     

       218
       218
       +
           ${etcRule {path="ssl"; trail="/openssl.cnf";}}

     

       219
       219
       +
         '';

     

       220
       220
       +
         "abstractions/p11-kit" = ''

     

       221
       221
       +
           include "${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/p11-kit"

     

       222
       222
       +
           ${etcRule {path="pkcs11"; trail="/";}}

     

       223
       223
       +
           ${etcRule {path="pkcs11"; trail="/pkcs11.conf";}}

     

       224
       224
       +
           ${etcRule {path="pkcs11"; trail="/modules/";}}

     

       225
       225
       +
           ${etcRule {path="pkcs11"; trail="/modules/*";}}

     

       226
       226
       +
         '';

     

       227
       227
       +
         "abstractions/perl" = ''

     

       228
       228
       +
           include "${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/perl"

     

       229
       229
       +
           ${etcRule {path="perl"; trail="/**";}}

     

       230
       230
       +
         '';

     

       231
       231
       +
         "abstractions/php" = ''

     

       232
       232
       +
           include "${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/php"

     

       233
       233
       +
           ${etcRule {path="php"; trail="/**/";}}

     

       234
       234
       +
           ${etcRule {path="php5"; trail="/**/";}}

     

       235
       235
       +
           ${etcRule {path="php7"; trail="/**/";}}

     

       236
       236
       +
           ${etcRule {path="php"; trail="/**.ini";}}

     

       237
       237
       +
           ${etcRule {path="php5"; trail="/**.ini";}}

     

       238
       238
       +
           ${etcRule {path="php7"; trail="/**.ini";}}

     

       239
       239
       +
         '';

     

       240
       240
       +
         "abstractions/postfix-common" = ''

     

       241
       241
       +
           include "${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/postfix-common"

     

       242
       242
       +
           ${etcRule "mailname"}

     

       243
       243
       +
           ${etcRule {path="postfix"; trail="/*.cf";}}

     

       244
       244
       +
           ${etcRule "postfix/main.cf"}

     

       245
       245
       +
           ${etcRule "postfix/master.cf"}

     

       246
       246
       +
         '';

     

       247
       247
       +
         "abstractions/python" = ''

     

       248
       248
       +
           include "${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/python"

     

       249
       249
       +
         '';

     

       250
       250
       +
         "abstractions/qt5" = ''

     

       251
       251
       +
           include "${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/qt5"

     

       252
       252
       +
           ${etcRule {path="xdg"; trail="/QtProject/qtlogging.ini";}}

     

       253
       253
       +
           ${etcRule {path="xdg/QtProject"; trail="/qtlogging.ini";}}

     

       254
       254
       +
           ${etcRule "xdg/QtProject/qtlogging.ini"}

     

       255
       255
       +
         '';

     

       256
       256
       +
         "abstractions/samba" = ''

     

       257
       257
       +
           include "${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/samba"

     

       258
       258
       +
           ${etcRule {path="samba"; trail="/*";}}

     

       259
       259
       +
         '';

     

       260
       260
       +
         "abstractions/ssl_certs" = ''

     

       261
       261
       +
           include "${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/ssl_certs"

     

       262
       262
       +
           ${etcRule "ssl/certs/ca-certificates.crt"}

     

       263
       263
       +
           ${etcRule "ssl/certs/ca-bundle.crt"}

     

       264
       264
       +
           ${etcRule "pki/tls/certs/ca-bundle.crt"}

     

       265
       265
       +
       

     

       266
       266
       +
           ${etcRule {path="ssl/trust"; trail="/";}}

     

       267
       267
       +
           ${etcRule {path="ssl/trust"; trail="/*";}}

     

       268
       268
       +
           ${etcRule {path="ssl/trust/anchors"; trail="/";}}

     

       269
       269
       +
           ${etcRule {path="ssl/trust/anchors"; trail="/**";}}

     

       270
       270
       +
           ${etcRule {path="pki/trust"; trail="/";}}

     

       271
       271
       +
           ${etcRule {path="pki/trust"; trail="/*";}}

     

       272
       272
       +
           ${etcRule {path="pki/trust/anchors"; trail="/";}}

     

       273
       273
       +
           ${etcRule {path="pki/trust/anchors"; trail="/**";}}

     

       274
       274
       +
       

     

       275
       275
       +
           # security.acme NixOS module

     

       276
       276
       +
           r /var/lib/acme/*/cert.pem,

     

       277
       277
       +
           r /var/lib/acme/*/chain.pem,

     

       278
       278
       +
           r /var/lib/acme/*/fullchain.pem,

     

       279
       279
       +
         '';

     

       280
       280
       +
         "abstractions/ssl_keys" = ''

     

       281
       281
       +
           # security.acme NixOS module

     

       282
       282
       +
           r /var/lib/acme/*/full.pem,

     

       283
       283
       +
           r /var/lib/acme/*/key.pem,

     

       284
       284
       +
         '';

     

       285
       285
       +
         "abstractions/vulkan" = ''

     

       286
       286
       +
           include "${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/vulkan"

     

       287
       287
       +
           ${etcRule {path="vulkan/icd.d"; trail="/";}}

     

       288
       288
       +
           ${etcRule {path="vulkan/icd.d"; trail="/*.json";}}

     

       289
       289
       +
         '';

     

       290
       290
       +
         "abstractions/winbind" = ''

     

       291
       291
       +
           include "${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/winbind"

     

       292
       292
       +
           ${etcRule {path="samba"; trail="/smb.conf";}}

     

       293
       293
       +
           ${etcRule {path="samba"; trail="/dhcp.conf";}}

     

       294
       294
       +
         '';

     

       295
       295
       +
         "abstractions/X" = ''

     

       296
       296
       +
           include "${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/X"

     

       297
       297
       +
           ${etcRule {path="X11/cursors"; trail="/";}}

     

       298
       298
       +
           ${etcRule {path="X11/cursors"; trail="/**";}}

     

       299
       299
       +
         '';

     

       300
       300
       +
       };

     

       301
       301
       +
       }

+11

nixos/modules/security/apparmor/profiles.nix

···

       1
       1
       +
       { config, lib, pkgs, ... }:

     

       2
       2
       +
       let apparmor = config.security.apparmor; in

     

       3
       3
       +
       {

     

       4
       4
       +
       config.security.apparmor.packages = [ pkgs.apparmor-profiles ];

     

       5
       5
       +
       config.security.apparmor.policies."bin.ping".profile = lib.mkIf apparmor.policies."bin.ping".enable ''

     

       6
       6
       +
         include "${pkgs.iputils.apparmor}/bin.ping"

     

       7
       7
       +
         include "${pkgs.inetutils.apparmor}/bin.ping"

     

       8
       8
       +
         # Note that including those two profiles in the same profile

     

       9
       9
       +
         # would not work if the second one were to re-include <tunables/global>.

     

       10
       10
       +
       '';

     

       11
       11
       +
       }

+55

nixos/modules/security/pam.nix

···

       895
       895
        
               runuser-l = { rootOK = true; unixAuth = false; };

     

       896
       896
        
             };

     

       897
       897
        
       

     

       898
       898
       +
           security.apparmor.includes."abstractions/pam" = let

     

       899
       899
       +
             isEnabled = test: fold or false (map test (attrValues config.security.pam.services));

     

       900
       900
       +
             in ''

     

       901
       901
       +
             ${lib.concatMapStringsSep "\n"

     

       902
       902
       +
                (name: "r ${config.environment.etc."pam.d/${name}".source},")

     

       903
       903
       +
                (attrNames config.security.pam.services)}

     

       904
       904
       +
             mr ${getLib pkgs.pam}/lib/security/pam_filter/*,

     

       905
       905
       +
             mr ${getLib pkgs.pam}/lib/security/pam_*.so,

     

       906
       906
       +
             r ${getLib pkgs.pam}/lib/security/,

     

       907
       907
       +
             ${optionalString use_ldap

     

       908
       908
       +
               "mr ${pam_ldap}/lib/security/pam_ldap.so,"}

     

       909
       909
       +
             ${optionalString config.services.sssd.enable

     

       910
       910
       +
               "mr ${pkgs.sssd}/lib/security/pam_sss.so,"}

     

       911
       911
       +
             ${optionalString config.krb5.enable ''

     

       912
       912
       +
               mr ${pam_krb5}/lib/security/pam_krb5.so,

     

       913
       913
       +
               mr ${pam_ccreds}/lib/security/pam_ccreds.so,

     

       914
       914
       +
             ''}

     

       915
       915
       +
             ${optionalString (isEnabled (cfg: cfg.googleOsLoginAccountVerification)) ''

     

       916
       916
       +
               mr ${pkgs.google-compute-engine-oslogin}/lib/pam_oslogin_login.so,

     

       917
       917
       +
               mr ${pkgs.google-compute-engine-oslogin}/lib/pam_oslogin_admin.so,

     

       918
       918
       +
             ''}

     

       919
       919
       +
             ${optionalString (isEnabled (cfg: cfg.googleOsLoginAuthentication))

     

       920
       920
       +
               "mr ${pkgs.google-compute-engine-oslogin}/lib/pam_oslogin_login.so,"}

     

       921
       921
       +
             ${optionalString (config.security.pam.enableSSHAgentAuth && isEnabled (cfg: cfg.sshAgentAuth))

     

       922
       922
       +
               "mr ${pkgs.pam_ssh_agent_auth}/libexec/pam_ssh_agent_auth.so,"}

     

       923
       923
       +
             ${optionalString (isEnabled (cfg: cfg.fprintAuth))

     

       924
       924
       +
               "mr ${pkgs.fprintd}/lib/security/pam_fprintd.so,"}

     

       925
       925
       +
             ${optionalString (isEnabled (cfg: cfg.u2fAuth))

     

       926
       926
       +
               "mr ${pkgs.pam_u2f}/lib/security/pam_u2f.so,"}

     

       927
       927
       +
             ${optionalString (isEnabled (cfg: cfg.usbAuth))

     

       928
       928
       +
               "mr ${pkgs.pam_usb}/lib/security/pam_usb.so,"}

     

       929
       929
       +
             ${optionalString (isEnabled (cfg: cfg.oathAuth))

     

       930
       930
       +
               "mr ${pkgs.oathToolkit}/lib/security/pam_oath.so,"}

     

       931
       931
       +
             ${optionalString (isEnabled (cfg: cfg.yubicoAuth))

     

       932
       932
       +
               "mr ${pkgs.yubico-pam}/lib/security/pam_yubico.so,"}

     

       933
       933
       +
             ${optionalString (isEnabled (cfg: cfg.duoSecurity.enable))

     

       934
       934
       +
               "mr ${pkgs.duo-unix}/lib/security/pam_duo.so,"}

     

       935
       935
       +
             ${optionalString (isEnabled (cfg: cfg.otpwAuth))

     

       936
       936
       +
               "mr ${pkgs.otpw}/lib/security/pam_otpw.so,"}

     

       937
       937
       +
             ${optionalString config.security.pam.enableEcryptfs

     

       938
       938
       +
               "mr ${pkgs.ecryptfs}/lib/security/pam_ecryptfs.so,"}

     

       939
       939
       +
             ${optionalString (isEnabled (cfg: cfg.pamMount))

     

       940
       940
       +
               "mr ${pkgs.pam_mount}/lib/security/pam_mount.so,"}

     

       941
       941
       +
             ${optionalString (isEnabled (cfg: cfg.enableGnomeKeyring))

     

       942
       942
       +
               "mr ${pkgs.gnome3.gnome-keyring}/lib/security/pam_gnome_keyring.so,"}

     

       943
       943
       +
             ${optionalString (isEnabled (cfg: cfg.startSession))

     

       944
       944
       +
               "mr ${pkgs.systemd}/lib/security/pam_systemd.so,"}

     

       945
       945
       +
             ${optionalString (isEnabled (cfg: cfg.enableAppArmor) && config.security.apparmor.enable)

     

       946
       946
       +
               "mr ${pkgs.apparmor-pam}/lib/security/pam_apparmor.so,"}

     

       947
       947
       +
             ${optionalString (isEnabled (cfg: cfg.enableKwallet))

     

       948
       948
       +
               "mr ${pkgs.plasma5.kwallet-pam}/lib/security/pam_kwallet5.so,"}

     

       949
       949
       +
             ${optionalString config.virtualisation.lxc.lxcfs.enable

     

       950
       950
       +
               "mr ${pkgs.lxc}/lib/security/pam_cgfs.so"}

     

       951
       951
       +
           '';

     

       952
       952
       +
       

     

       898
       953
        
         };

     

       899
       954
        
       

     

       900
       955
        
       }

nixos/modules/security/wrappers/default.nix

···

       171
       171
        
             export PATH="${wrapperDir}:$PATH"

     

       172
       172
        
           '';

     

       173
       173
        
       

     

       174
       174
       +
           security.apparmor.includes."nixos/security.wrappers" = ''

     

       175
       175
       +
             include "${pkgs.apparmorRulesFromClosure { name="security.wrappers"; } [

     

       176
       176
       +
               securityWrapper

     

       177
       177
       +
               pkgs.stdenv.cc.cc

     

       178
       178
       +
               pkgs.stdenv.cc.libc

     

       179
       179
       +
             ]}"

     

       180
       180
       +
           '';

     

       181
       181
       +
       

     

       174
       182
        
           ###### setcap activation script

     

       175
       183
        
           system.activationScripts.wrappers =

     

       176
       184
        
             lib.stringAfter [ "specialfs" "users" ]

+12 -51

nixos/modules/services/torrent/transmission.nix

···

       5
       5
        
       let

     

       6
       6
        
         cfg = config.services.transmission;

     

       7
       7
        
         inherit (config.environment) etc;

     

       8
       8
       -
         apparmor = config.security.apparmor.enable;

     

       8
       8
       +
         apparmor = config.security.apparmor;

     

       9
       9
        
         rootDir = "/run/transmission";

     

       10
       10
        
         homeDir = "/var/lib/transmission";

     

       11
       11
        
         settingsDir = ".config/transmission-daemon";

     
···

       184
       184
        
       

     

       185
       185
        
           systemd.services.transmission = {

     

       186
       186
        
             description = "Transmission BitTorrent Service";

     

       187
       187
       -
             after = [ "network.target" ] ++ optional apparmor "apparmor.service";

     

       188
       188
       -
             requires = optional apparmor "apparmor.service";

     

       187
       187
       +
             after = [ "network.target" ] ++ optional apparmor.enable "apparmor.service";

     

       188
       188
       +
             requires = optional apparmor.enable "apparmor.service";

     

       189
       189
        
             wantedBy = [ "multi-user.target" ];

     

       190
       190
        
             environment.CURL_CA_BUNDLE = etc."ssl/certs/ca-certificates.crt".source;

     

       191
       191
        
       

     
···

       358
       358
        
             })

     

       359
       359
        
           ];

     

       360
       360
        
       

     

       361
       361
       -
           security.apparmor.profiles = mkIf apparmor [

     

       362
       362
       -
             (pkgs.writeText "apparmor-transmission-daemon" ''

     

       361
       361
       +
           security.apparmor.policies."bin.transmission-daemon".profile = ''

     

       363
       362
        
               include <tunables/global>

     

       364
       364
       -
       

     

       365
       363
        
               ${pkgs.transmission}/bin/transmission-daemon {

     

       366
       364
        
                 include <abstractions/base>

     

       367
       365
        
                 include <abstractions/nameservice>

     

       368
       368
       -
       

     

       369
       369
       -
                 # NOTE: https://github.com/NixOS/nixpkgs/pull/93457

     

       370
       370
       -
                 # will remove the need for these by fixing <abstractions/base>

     

       371
       371
       -
                 r ${etc."hosts".source},

     

       372
       372
       -
                 r /etc/ld-nix.so.preload,

     

       373
       373
       -
                 ${lib.optionalString (builtins.hasAttr "ld-nix.so.preload" etc) ''

     

       374
       374
       -
                   r ${etc."ld-nix.so.preload".source},

     

       375
       375
       -
                   ${concatMapStrings (p: optionalString (p != "") ("mr ${p},\n"))

     

       376
       376
       -
                     (splitString "\n" config.environment.etc."ld-nix.so.preload".text)}

     

       377
       377
       -
                 ''}

     

       378
       378
       -
                 r ${etc."ssl/certs/ca-certificates.crt".source},

     

       379
       379
       -
                 r ${pkgs.tzdata}/share/zoneinfo/**,

     

       380
       380
       -
                 r ${pkgs.stdenv.cc.libc}/share/i18n/**,

     

       381
       381
       -
                 r ${pkgs.stdenv.cc.libc}/share/locale/**,

     

       382
       382
       -
       

     

       383
       383
       -
                 mr ${getLib pkgs.stdenv.cc.cc}/lib/*.so*,

     

       384
       384
       -
                 mr ${getLib pkgs.stdenv.cc.libc}/lib/*.so*,

     

       385
       385
       -
                 mr ${getLib pkgs.attr}/lib/libattr*.so*,

     

       386
       386
       -
                 mr ${getLib pkgs.c-ares}/lib/libcares*.so*,

     

       387
       387
       -
                 mr ${getLib pkgs.curl}/lib/libcurl*.so*,

     

       388
       388
       -
                 mr ${getLib pkgs.keyutils}/lib/libkeyutils*.so*,

     

       389
       389
       -
                 mr ${getLib pkgs.libcap}/lib/libcap*.so*,

     

       390
       390
       -
                 mr ${getLib pkgs.libevent}/lib/libevent*.so*,

     

       391
       391
       -
                 mr ${getLib pkgs.libgcrypt}/lib/libgcrypt*.so*,

     

       392
       392
       -
                 mr ${getLib pkgs.libgpgerror}/lib/libgpg-error*.so*,

     

       393
       393
       -
                 mr ${getLib pkgs.libkrb5}/lib/lib*.so*,

     

       394
       394
       -
                 mr ${getLib pkgs.libssh2}/lib/libssh2*.so*,

     

       395
       395
       -
                 mr ${getLib pkgs.lz4}/lib/liblz4*.so*,

     

       396
       396
       -
                 mr ${getLib pkgs.nghttp2}/lib/libnghttp2*.so*,

     

       397
       397
       -
                 mr ${getLib pkgs.openssl}/lib/libcrypto*.so*,

     

       398
       398
       -
                 mr ${getLib pkgs.openssl}/lib/libssl*.so*,

     

       399
       399
       -
                 mr ${getLib pkgs.systemd}/lib/libsystemd*.so*,

     

       400
       400
       -
                 mr ${getLib pkgs.util-linuxMinimal.out}/lib/libblkid.so*,

     

       401
       401
       -
                 mr ${getLib pkgs.util-linuxMinimal.out}/lib/libmount.so*,

     

       402
       402
       -
                 mr ${getLib pkgs.util-linuxMinimal.out}/lib/libuuid.so*,

     

       403
       403
       -
                 mr ${getLib pkgs.xz}/lib/liblzma*.so*,

     

       404
       404
       -
                 mr ${getLib pkgs.zlib}/lib/libz*.so*,

     

       366
       366
       +
                 include <abstractions/ssl_certs>

     

       367
       367
       +
                 include "${pkgs.apparmorRulesFromClosure

     

       368
       368
       +
                   { name = "transmission-daemon"; }

     

       369
       369
       +
                   [ pkgs.transmission ]}"

     

       370
       370
       +
                 include <local/bin.transmission-daemon>

     

       405
       371
        
       

     

       406
       372
        
                 r @{PROC}/sys/kernel/random/uuid,

     

       407
       373
        
                 r @{PROC}/sys/vm/overcommit_memory,

     

       408
       408
       -
                 # @{pid} is not a kernel variable yet but a regexp

     

       409
       409
       -
                 #r @{PROC}/@{pid}/environ,

     

       374
       374
       +
                 r @{PROC}/@{pid}/environ,

     

       410
       375
        
                 r @{PROC}/@{pid}/mounts,

     

       411
       376
        
                 rwk /tmp/tr_session_id_*,

     

       412
       377
        
                 r /run/systemd/resolve/stub-resolv.conf,

     

       413
       378
        
       

     

       414
       379
        
                 r ${pkgs.openssl.out}/etc/**,

     

       415
       380
        
                 r ${config.systemd.services.transmission.environment.CURL_CA_BUNDLE},

     

       416
       416
       -
                 r ${pkgs.transmission}/share/transmission/**,

     

       417
       381
        
       

     

       418
       382
        
                 owner rw ${cfg.home}/${settingsDir}/**,

     

       419
       383
        
                 rw ${cfg.settings.download-dir}/**,

     
···

       441
       405
        
                   # https://gitlab.com/apparmor/apparmor/-/wikis/AppArmorStacking#seccomp-and-no_new_privs

     

       442
       406
        
                   px ${cfg.settings.script-torrent-done-filename} -> &@{dirs},

     

       443
       407
        
                 ''}

     

       444
       444
       -
       

     

       445
       445
       -
                 # FIXME: enable customizing using https://github.com/NixOS/nixpkgs/pull/93457

     

       446
       446
       -
                 # include <local/transmission-daemon>

     

       447
       408
        
               }

     

       448
       448
       -
             '')

     

       449
       449
       -
           ];

     

       409
       409
       +
           '';

     

       410
       410
       +
           security.apparmor.includes."local/bin.transmission-daemon" = "";

     

       450
       411
        
         };

     

       451
       412
        
       

     

       452
       413
        
         meta.maintainers = with lib.maintainers; [ julm ];

+15

nixos/modules/tasks/network-interfaces.nix

···

       1111
       1111
        
           } else {

     

       1112
       1112
        
             ping.source = "${pkgs.iputils.out}/bin/ping";

     

       1113
       1113
        
           };

     

       1114
       1114
       +
           security.apparmor.policies."bin.ping".profile = lib.mkIf config.security.apparmor.policies."bin.ping".enable (lib.mkAfter ''

     

       1115
       1115
       +
             /run/wrappers/bin/ping {

     

       1116
       1116
       +
               include <abstractions/base>

     

       1117
       1117
       +
               include <nixos/security.wrappers>

     

       1118
       1118
       +
               rpx /run/wrappers/wrappers.*/ping,

     

       1119
       1119
       +
             }

     

       1120
       1120
       +
             /run/wrappers/wrappers.*/ping {

     

       1121
       1121
       +
               include <abstractions/base>

     

       1122
       1122
       +
               include <nixos/security.wrappers>

     

       1123
       1123
       +
               r /run/wrappers/wrappers.*/ping.real,

     

       1124
       1124
       +
               mrpx ${config.security.wrappers.ping.source},

     

       1125
       1125
       +
               capability net_raw,

     

       1126
       1126
       +
               capability setpcap,

     

       1127
       1127
       +
             }

     

       1128
       1128
       +
           '');

     

       1114
       1129
        
       

     

       1115
       1130
        
           # Set the host and domain names in the activation script.  Don't

     

       1116
       1131
        
           # clear it if it's not configured in the NixOS configuration,

+8 -4

nixos/modules/virtualisation/lxc.nix

···

       74
       74
        
           systemd.tmpfiles.rules = [ "d /var/lib/lxc/rootfs 0755 root root -" ];

     

       75
       75
        
       

     

       76
       76
        
           security.apparmor.packages = [ pkgs.lxc ];

     

       77
       77
       -
           security.apparmor.profiles = [

     

       78
       78
       -
             "${pkgs.lxc}/etc/apparmor.d/lxc-containers"

     

       79
       79
       -
             "${pkgs.lxc}/etc/apparmor.d/usr.bin.lxc-start"

     

       80
       80
       -
           ];

     

       77
       77
       +
           security.apparmor.policies = {

     

       78
       78
       +
             "bin.lxc-start".profile = ''

     

       79
       79
       +
               include ${pkgs.lxc}/etc/apparmor.d/usr.bin.lxc-start

     

       80
       80
       +
             '';

     

       81
       81
       +
             "lxc-containers".profile = ''

     

       82
       82
       +
               include ${pkgs.lxc}/etc/apparmor.d/lxc-containers

     

       83
       83
       +
             '';

     

       84
       84
       +
           };

     

       81
       85
        
         };

     

       82
       86
        
       }

+11 -5

nixos/modules/virtualisation/lxd.nix

···

       97
       97
        
           # does a bunch of unrelated things.

     

       98
       98
        
           systemd.tmpfiles.rules = [ "d /var/lib/lxc/rootfs 0755 root root -" ];

     

       99
       99
        
       

     

       100
       100
       -
           security.apparmor.packages = [ cfg.lxcPackage ];

     

       101
       101
       -
           security.apparmor.profiles = [

     

       102
       102
       -
             "${cfg.lxcPackage}/etc/apparmor.d/lxc-containers"

     

       103
       103
       -
             "${cfg.lxcPackage}/etc/apparmor.d/usr.bin.lxc-start"

     

       104
       104
       -
           ];

     

       100
       100
       +
           security.apparmor = {

     

       101
       101
       +
             packages = [ cfg.lxcPackage ];

     

       102
       102
       +
             policies = {

     

       103
       103
       +
               "bin.lxc-start".profile = ''

     

       104
       104
       +
                 include ${cfg.lxcPackage}/etc/apparmor.d/usr.bin.lxc-start

     

       105
       105
       +
               '';

     

       106
       106
       +
               "lxc-containers".profile = ''

     

       107
       107
       +
                 include ${cfg.lxcPackage}/etc/apparmor.d/lxc-containers

     

       108
       108
       +
               '';

     

       109
       109
       +
             };

     

       110
       110
       +
           };

     

       105
       111
        
       

     

       106
       112
        
           # TODO: remove once LXD gets proper support for cgroupsv2

     

       107
       113
        
           # (currently most of the e.g. CPU accounting stuff doesn't work)

+61 -3

pkgs/os-specific/linux/apparmor/default.nix

···

       10
       10
        
       , pam

     

       11
       11
        
       , libnotify

     

       12
       12
        
       , buildPackages

     

       13
       13
       +
       , coreutils

     

       14
       14
       +
       , gnugrep

     

       15
       15
       +
       , gnused

     

       16
       16
       +
       , kmod

     

       17
       17
       +
       , writeShellScript

     

       18
       18
       +
       , closureInfo

     

       19
       19
       +
       , runCommand

     

       13
       20
        
       }:

     

       14
       21
        
       

     

       15
       22
        
       let

     
···

       29
       36
        
           url = "https://launchpad.net/apparmor/${apparmor-series}/${apparmor-version}/+download/apparmor-${apparmor-version}.tar.gz";

     

       30
       37
        
           sha256 = "13xshy7905d9q9n8d8i0jmdi9m36wr525g4wlsp8k21n7yvvh9j4";

     

       31
       38
        
         };

     

       39
       39
       +
       

     

       40
       40
       +
         aa-teardown = writeShellScript "aa-teardown" ''

     

       41
       41
       +
           PATH="${lib.makeBinPath [coreutils gnused gnugrep]}:$PATH"

     

       42
       42
       +
           . ${apparmor-parser}/lib/apparmor/rc.apparmor.functions

     

       43
       43
       +
           remove_profiles

     

       44
       44
       +
         '';

     

       32
       45
        
       

     

       33
       46
        
         prePatchCommon = ''

     

       34
       47
        
           chmod a+x ./common/list_capabilities.sh ./common/list_af_names.sh

     
···

       121
       134
        
             libapparmor.python

     

       122
       135
        
           ];

     

       123
       136
        
       

     

       124
       124
       -
           prePatch = prePatchCommon + ''

     

       137
       137
       +
           prePatch = prePatchCommon +

     

       138
       138
       +
             # Do not build vim file

     

       139
       139
       +
             lib.optionalString stdenv.hostPlatform.isMusl ''

     

       140
       140
       +
               sed -i ./utils/Makefile -e "/\<vim\>/d"

     

       141
       141
       +
             '' + ''

     

       125
       142
        
             substituteInPlace ./utils/apparmor/easyprof.py --replace "/sbin/apparmor_parser" "${apparmor-parser}/bin/apparmor_parser"

     

       126
       143
        
             substituteInPlace ./utils/apparmor/aa.py --replace "/sbin/apparmor_parser" "${apparmor-parser}/bin/apparmor_parser"

     

       127
       144
        
             substituteInPlace ./utils/logprof.conf --replace "/sbin/apparmor_parser" "${apparmor-parser}/bin/apparmor_parser"

     
···

       132
       149
        
           installFlags = [ "DESTDIR=$(out)" "BINDIR=$(out)/bin" "VIM_INSTALL_PATH=$(out)/share" "PYPREFIX=" ];

     

       133
       150
        
       

     

       134
       151
        
           postInstall = ''

     

       152
       152
       +
             sed -i $out/bin/aa-unconfined -e "/my_env\['PATH'\]/d"

     

       135
       153
        
             for prog in aa-audit aa-autodep aa-cleanprof aa-complain aa-disable aa-enforce aa-genprof aa-logprof aa-mergeprof aa-status aa-unconfined ; do

     

       136
       154
        
               wrapProgram $out/bin/$prog --prefix PYTHONPATH : "$out/lib/${python.libPrefix}/site-packages:$PYTHONPATH"

     

       137
       155
        
             done

     
···

       139
       157
        
             substituteInPlace $out/bin/aa-notify \

     

       140
       158
        
               --replace /usr/bin/notify-send ${libnotify}/bin/notify-send \

     

       141
       159
        
               --replace /usr/bin/perl "${perl}/bin/perl -I ${libapparmor}/${perl.libPrefix}"

     

       160
       160
       +
       

     

       161
       161
       +
             substituteInPlace $out/bin/aa-remove-unknown \

     

       162
       162
       +
              --replace "/usr/bin/aa-status" "$out/bin/aa-status" \

     

       163
       163
       +
              --replace "/sbin/modprobe" "${kmod}/bin/modprobe" \

     

       164
       164
       +
              --replace "/lib/apparmor/rc.apparmor.functions" "${apparmor-parser}/lib/apparmor/rc.apparmor.functions"

     

       165
       165
       +
             wrapProgram $out/bin/aa-remove-unknown \

     

       166
       166
       +
              --prefix PATH : ${lib.makeBinPath [gawk]}

     

       167
       167
       +
       

     

       168
       168
       +
             ln -s ${aa-teardown} $out/bin/aa-teardown

     

       142
       169
        
           '';

     

       143
       170
        
       

     

       144
       171
        
           inherit doCheck;

     
···

       187
       214
        
             substituteInPlace ./parser/Makefile --replace "/usr/include/linux/capability.h" "${linuxHeaders}/include/linux/capability.h"

     

       188
       215
        
             ## techdoc.pdf still doesn't build ...

     

       189
       216
        
             substituteInPlace ./parser/Makefile --replace "manpages htmlmanpages pdf" "manpages htmlmanpages"

     

       217
       217
       +
             substituteInPlace parser/rc.apparmor.functions \

     

       218
       218
       +
              --replace "/sbin/apparmor_parser" "$out/bin/apparmor_parser"

     

       219
       219
       +
             sed -i parser/rc.apparmor.functions -e '2i . ${./fix-rc.apparmor.functions.sh}'

     

       190
       220
        
           '';

     

       191
       221
        
           inherit patches;

     

       192
       222
        
           postPatch = "cd ./parser";

     
···

       248
       278
        
           meta = apparmor-meta "kernel patches";

     

       249
       279
        
         };

     

       250
       280
        
       

     

       281
       281
       +
         # Generate generic AppArmor rules in a file,

     

       282
       282
       +
         # from the closure of given rootPaths.

     

       283
       283
       +
         # To be included in an AppArmor profile like so:

     

       284
       284
       +
         # include "$(apparmorRulesFromClosure {} [pkgs.hello]}"

     

       285
       285
       +
         apparmorRulesFromClosure =

     

       286
       286
       +
           { # The store path of the derivation is given in $path

     

       287
       287
       +
             additionalRules ? []

     

       288
       288
       +
             # TODO: factorize here some other common paths

     

       289
       289
       +
             # that may emerge from use cases.

     

       290
       290
       +
           , baseRules ? [

     

       291
       291
       +
               "r $path"

     

       292
       292
       +
               "r $path/etc/**"

     

       293
       293
       +
               "r $path/share/**"

     

       294
       294
       +
               # Note that not all libraries are prefixed with "lib",

     

       295
       295
       +
               # eg. glibc-2.30/lib/ld-2.30.so

     

       296
       296
       +
               "mr $path/lib/**.so*"

     

       297
       297
       +
               # eg. glibc-2.30/lib/gconv/gconv-modules

     

       298
       298
       +
               "r $path/lib/**"

     

       299
       299
       +
             ]

     

       300
       300
       +
           , name ? ""

     

       301
       301
       +
           }: rootPaths: runCommand

     

       302
       302
       +
             ( "apparmor-closure-rules"

     

       303
       303
       +
             + lib.optionalString (name != "") "-${name}") {} ''

     

       304
       304
       +
           touch $out

     

       305
       305
       +
           while read -r path

     

       306
       306
       +
           do printf >>$out "%s,\n" ${lib.concatMapStringsSep " " (x: "\"${x}\"") (baseRules ++ additionalRules)}

     

       307
       307
       +
           done <${closureInfo {inherit rootPaths;}}/store-paths

     

       308
       308
       +
         '';

     

       251
       309
        
       in

     

       252
       252
       -
       

     

       253
       310
        
       {

     

       254
       311
        
         inherit

     

       255
       312
        
           libapparmor

     
···

       258
       315
        
           apparmor-parser

     

       259
       316
        
           apparmor-pam

     

       260
       317
        
           apparmor-profiles

     

       261
       261
       -
           apparmor-kernel-patches;

     

       318
       318
       +
           apparmor-kernel-patches

     

       319
       319
       +
           apparmorRulesFromClosure;

     

       262
       320
        
       }

+32

pkgs/os-specific/linux/apparmor/fix-rc.apparmor.functions.sh

···

       1
       1
       +
       aa_action() {

     

       2
       2
       +
         STRING=$1

     

       3
       3
       +
         shift

     

       4
       4
       +
         $*

     

       5
       5
       +
         rc=$?

     

       6
       6
       +
         if [ $rc -eq 0 ] ; then

     

       7
       7
       +
           aa_log_success_msg $"$STRING "

     

       8
       8
       +
         else

     

       9
       9
       +
           aa_log_failure_msg $"$STRING "

     

       10
       10
       +
         fi

     

       11
       11
       +
         return $rc

     

       12
       12
       +
       }

     

       13
       13
       +
       

     

       14
       14
       +
       aa_log_success_msg() {

     

       15
       15
       +
          [ -n "$1" ] && echo -n $1

     

       16
       16
       +
          echo ": done."

     

       17
       17
       +
       }

     

       18
       18
       +
       

     

       19
       19
       +
       aa_log_warning_msg() {

     

       20
       20
       +
          [ -n "$1" ] && echo -n $1

     

       21
       21
       +
          echo ": Warning."

     

       22
       22
       +
       }

     

       23
       23
       +
       

     

       24
       24
       +
       aa_log_failure_msg() {

     

       25
       25
       +
          [ -n "$1" ] && echo -n $1

     

       26
       26
       +
          echo ": Failed."

     

       27
       27
       +
       }

     

       28
       28
       +
       

     

       29
       29
       +
       aa_log_skipped_msg() {

     

       30
       30
       +
          [ -n "$1" ] && echo -n $1

     

       31
       31
       +
          echo ": Skipped."

     

       32
       32
       +
       }

+22

pkgs/os-specific/linux/iputils/default.nix

···

       1
       1
        
       { lib, stdenv, fetchFromGitHub

     

       2
       2
        
       , meson, ninja, pkg-config, gettext, libxslt, docbook_xsl_ns

     

       3
       3
        
       , libcap, libidn2

     

       4
       4
       +
       , apparmorRulesFromClosure

     

       4
       5
        
       }:

     

       5
       6
        
       

     

       6
       7
        
       let

     
···

       19
       20
        
           rev = version;

     

       20
       21
        
           sha256 = "08j2hfgnfh31vv9rn1ml7090j2lsvm9wdpdz13rz60rmyzrx9dq3";

     

       21
       22
        
         };

     

       23
       23
       +
       

     

       24
       24
       +
         outputs = ["out" "apparmor"];

     

       22
       25
        
       

     

       23
       26
        
         mesonFlags = [

     

       24
       27
        
           "-DBUILD_RARPD=true"

     
···

       34
       37
        
         nativeBuildInputs = [ meson ninja pkg-config gettext libxslt.bin docbook_xsl_ns ];

     

       35
       38
        
         buildInputs = [ libcap ]

     

       36
       39
        
           ++ lib.optional (!stdenv.hostPlatform.isMusl) libidn2;

     

       40
       40
       +
         postInstall = ''

     

       41
       41
       +
           install -D -m 644 /dev/stdin $apparmor/bin.ping <<EOF

     

       42
       42
       +
           include <tunables/global>

     

       43
       43
       +
           $out/bin/ping {

     

       44
       44
       +
             include <abstractions/base>

     

       45
       45
       +
             include <abstractions/consoles>

     

       46
       46
       +
             include <abstractions/nameservice>

     

       47
       47
       +
             include "${apparmorRulesFromClosure { name = "ping"; }

     

       48
       48
       +
              ([libcap] ++ lib.optional (!stdenv.hostPlatform.isMusl) libidn2)}"

     

       49
       49
       +
             include <local/bin.ping>

     

       50
       50
       +
             capability net_raw,

     

       51
       51
       +
             network inet raw,

     

       52
       52
       +
             network inet6 raw,

     

       53
       53
       +
             mr $out/bin/ping,

     

       54
       54
       +
             r $out/share/locale/**,

     

       55
       55
       +
             r @{PROC}/@{pid}/environ,

     

       56
       56
       +
           }

     

       57
       57
       +
           EOF

     

       58
       58
       +
         '';

     

       37
       59
        
       

     

       38
       60
        
         meta = with lib; {

     

       39
       61
        
           description = "A set of small useful utilities for Linux networking";

+21 -1

pkgs/tools/networking/inetutils/default.nix

···

       1
       1
       -
       { stdenv, lib, fetchurl, ncurses, perl, help2man }:

     

       1
       1
       +
       { stdenv, lib, fetchurl, ncurses, perl, help2man

     

       2
       2
       +
       , apparmorRulesFromClosure

     

       3
       3
       +
       }:

     

       2
       4
        
       

     

       3
       5
        
       stdenv.mkDerivation rec {

     

       4
       6
        
         name = "inetutils-1.9.4";

     
···

       7
       9
        
           url = "mirror://gnu/inetutils/${name}.tar.gz";

     

       8
       10
        
           sha256 = "05n65k4ixl85dc6rxc51b1b732gnmm8xnqi424dy9f1nz7ppb3xy";

     

       9
       11
        
         };

     

       12
       12
       +
       

     

       13
       13
       +
         outputs = ["out" "apparmor"];

     

       10
       14
        
       

     

       11
       15
        
         patches = [

     

       12
       16
        
           ./whois-Update-Canadian-TLD-server.patch

     
···

       40
       44
        
         doCheck = false;

     

       41
       45
        
       

     

       42
       46
        
         installFlags = [ "SUIDMODE=" ];

     

       47
       47
       +
       

     

       48
       48
       +
         postInstall = ''

     

       49
       49
       +
           install -D -m 644 /dev/stdin $apparmor/bin.ping <<EOF

     

       50
       50
       +
           $out/bin/ping {

     

       51
       51
       +
             include <abstractions/base>

     

       52
       52
       +
             include <abstractions/consoles>

     

       53
       53
       +
             include <abstractions/nameservice>

     

       54
       54
       +
             include "${apparmorRulesFromClosure { name = "ping"; } [stdenv.cc.libc]}"

     

       55
       55
       +
             include <local/bin.ping>

     

       56
       56
       +
             capability net_raw,

     

       57
       57
       +
             network inet raw,

     

       58
       58
       +
             network inet6 raw,

     

       59
       59
       +
             mr $out/bin/ping,

     

       60
       60
       +
           }

     

       61
       61
       +
           EOF

     

       62
       62
       +
         '';

     

       43
       63
        
       

     

       44
       64
        
         meta = with lib; {

     

       45
       65
        
           description = "Collection of common network programs";

+1 -1

pkgs/top-level/all-packages.nix

···

       19482
       19482
        
       

     

       19483
       19483
        
         inherit (callPackages ../os-specific/linux/apparmor { python = python3; })

     

       19484
       19484
        
           libapparmor apparmor-utils apparmor-bin-utils apparmor-parser apparmor-pam

     

       19485
       19485
       -
           apparmor-profiles apparmor-kernel-patches;

     

       19485
       19485
       +
           apparmor-profiles apparmor-kernel-patches apparmorRulesFromClosure;

     

       19486
       19486
        
       

     

       19487
       19487
        
         aseq2json = callPackage ../os-specific/linux/aseq2json {};

     

       19488
       19488