pyrox.dev / nixpkgs
lol
fork atom

nixos/apparmor: disable killUnconfinedConfinables by default

Julien Moutinho b42a0e20 76887d75

options
unified split
Changed files
+21 -16
nixos
doc
manual
release-notes
rl-2105.xml
modules
profiles
hardened.nix
security
apparmor.nix
+3 -4
nixos/doc/manual/release-notes/rl-2105.xml 
···

       
869

       
869

       
 

       
     to provide a way to disable a profile


     

       
870

       
870

       
 

       
     and to select whether to confine in enforce mode (default)


     

       
871

       
871

       
 

       
     or in complain mode (see <literal>journalctl -b --grep apparmor</literal>).


     

       
872

       

       
-

       
     Before enabling this module, either directly


     

       
873

       

       
-

       
     or by importing <literal>&lt;nixpkgs/nixos/modules/profiles/hardened.nix&gt;</literal>,


     

       
874

       

       
-

       
     please be sure to read the documentation of <link linkend="opt-security.apparmor.enable">security.apparmor.enable</link>,


     

       
875

       

       
-

       
     and especially the part about <xref linkend="opt-security.apparmor.killUnconfinedConfinables"/>.


     

       

       
872

       
+

       
     Security-minded users may also want to enable <xref linkend="opt-security.apparmor.killUnconfinedConfinables"/>,


     

       

       
873

       
+

       
     at the cost of having some of their processes killed


     

       

       
874

       
+

       
     when updating to a NixOS version introducing new AppArmor profiles.


     

       
876

       
875

       
 

       
    </para>


     

       
877

       
876

       
 

       
   </listitem>


     

       
878

       
877

       
 

       
   <listitem>
+1
nixos/modules/profiles/hardened.nix 
···

       
36

       
36

       
 

       
  security.virtualisation.flushL1DataCache = mkDefault "always";


     

       
37

       
37

       
 

       



     

       
38

       
38

       
 

       
  security.apparmor.enable = mkDefault true;


     

       

       
39

       
+

       
  security.apparmor.killUnconfinedConfinables = mkDefault true;


     

       
39

       
40

       
 

       



     

       
40

       
41

       
 

       
  boot.kernelParams = [


     

       
41

       
42

       
 

       
    # Slab/slub sanity checks, redzoning, and poisoning
+17 -12
nixos/modules/security/apparmor.nix 
···

       
30

       
30

       
 

       
        If you're enabling this module on a running system,


     

       
31

       
31

       
 

       
        note that a reboot will be required to activate AppArmor in the kernel.


     

       
32

       
32

       
 

       



     

       
33

       

       
-

       
        Also, beware that enabling this module will by default


     

       
34

       

       
-

       
        try to kill unconfined but confinable running processes,


     

       
35

       

       
-

       
        in order to obtain a confinement matching what is declared in the NixOS configuration.


     

       
36

       

       
-

       
        This will happen when upgrading to a NixOS revision


     

       
37

       

       
-

       
        introducing an AppArmor profile for the executable of a running process.


     

       
38

       

       
-

       
        This is because enabling an AppArmor profile for an executable


     

       
39

       

       
-

       
        can only confine new or already confined processes of that executable,


     

       
40

       

       
-

       
        but leaves already running processes unconfined.


     

       
41

       

       
-

       
        Set <link linkend="opt-security.apparmor.killUnconfinedConfinables">killUnconfinedConfinables</link>


     

       
42

       

       
-

       
        to <literal>false</literal> if you prefer to leave those processes running'';


     

       

       
33

       
+

       
        Also, beware that enabling this module privileges stability over security


     

       

       
34

       
+

       
        by not trying to kill unconfined but newly confinable running processes by default,


     

       

       
35

       
+

       
        though it would be needed because AppArmor can only confine new


     

       

       
36

       
+

       
        or already confined processes of an executable.


     

       

       
37

       
+

       
        This killing would for instance be necessary when upgrading to a NixOS revision


     

       

       
38

       
+

       
        introducing for the first time an AppArmor profile for the executable


     

       

       
39

       
+

       
        of a running process.


     

       

       
40

       
+

       



     

       

       
41

       
+

       
        Enable <xref linkend="opt-security.apparmor.killUnconfinedConfinables"/>


     

       

       
42

       
+

       
        if you want this service to do such killing


     

       

       
43

       
+

       
        by sending a <literal>SIGTERM</literal> to those running processes'';


     

       
43

       
44

       
 

       
      policies = mkOption {


     

       
44

       
45

       
 

       
        description = ''


     

       
45

       
46

       
 

       
          AppArmor policies.


     
···

       
78

       
79

       
 

       
        Beware that AppArmor policies almost always contain Nix store paths,


     

       
79

       
80

       
 

       
        and thus produce at each change of these paths


     

       
80

       
81

       
 

       
        a new cached version accumulating in the cache'';


     

       
81

       

       
-

       
      killUnconfinedConfinables = mkDisableOption ''


     

       

       
82

       
+

       
      killUnconfinedConfinables = mkEnableOption ''


     

       
82

       
83

       
 

       
        killing of processes which have an AppArmor profile enabled


     

       
83

       

       
-

       
        (in <link linkend="opt-security.apparmor.policies">policies</link>)


     

       

       
84

       
+

       
        (in <xref linkend="opt-security.apparmor.policies"/>)


     

       
84

       
85

       
 

       
        but are not confined (because AppArmor can only confine new processes).


     

       

       
86

       
+

       



     

       

       
87

       
+

       
        This is only sending a gracious <literal>SIGTERM</literal> signal to the processes,


     

       

       
88

       
+

       
        not a <literal>SIGKILL</literal>.


     

       

       
89

       
+

       



     

       
85

       
90

       
 

       
        Beware that due to a current limitation of AppArmor,


     

       
86

       
91

       
 

       
        only profiles with exact paths (and no name) can enable such kills'';


     

       
87

       
92

       
 

       
    };