+1 -1

maintainers/maintainer-list.nix

··· 4937 4937 name = "Julien Dehos"; 4938 4938 }; 4939 4939 julm = { 4940 4940 - email = "julm+nix@sourcephile.fr"; 4940 4940 + email = "julm+nixpkgs@sourcephile.fr"; 4941 4941 github = "ju1m"; 4942 4942 githubId = 21160136; 4943 4943 name = "Julien Moutinho";

+18

nixos/doc/manual/release-notes/rl-2009.xml

··· 1515 1515 </listitem> 1516 1516 <listitem> 1517 1517 <para> 1518 1518 + The <literal>security.apparmor</literal> module, 1519 1519 + for the <link xlink:href="https://gitlab.com/apparmor/apparmor/-/wikis/Documentation">AppArmor</link> 1520 1520 + Mandatory Access Control system, 1521 1521 + has been substantialy improved along with related tools, 1522 1522 + so that module maintainers can now more easily write AppArmor profiles for NixOS. 1523 1523 + The most notable change on the user-side is the new option <xref linkend="opt-security.apparmor.policies"/>, 1524 1524 + replacing the previous <literal>profiles</literal> option 1525 1525 + to provide a way to disable a profile 1526 1526 + and to select whether to confine in enforce mode (default) 1527 1527 + or in complain mode (see <literal>journalctl -b --grep apparmor</literal>). 1528 1528 + Before enabling this module, either directly 1529 1529 + or by importing <literal>&lt;nixpkgs/nixos/modules/profiles/hardened.nix&gt;</literal>, 1530 1530 + please be sure to read the documentation of <link linkend="opt-security.apparmor.enable">security.apparmor.enable</link>, 1531 1531 + and especially the part about <xref linkend="opt-security.apparmor.killUnconfinedConfinables"/>. 1532 1532 + </para> 1533 1533 + </listitem> 1534 1534 + <listitem> 1535 1535 + <para> 1518 1536 With this release <literal>systemd-networkd</literal> (when enabled through <xref linkend="opt-networking.useNetworkd"/>) 1519 1537 has it's netlink socket created through a <literal>systemd.socket</literal> unit. This gives us control over 1520 1538 socket buffer sizes and other parameters. For larger setups where networkd has to create a lot of (virtual)

+34

nixos/modules/config/fonts/fontconfig.nix

··· 448 448 (mkIf cfg.enable { 449 449 environment.systemPackages = [ pkgs.fontconfig ]; 450 450 environment.etc.fonts.source = "${fontconfigEtc}/etc/fonts/"; 451 451 + security.apparmor.includes."abstractions/fonts" = '' 452 452 + # fonts.conf 453 453 + r ${pkg.out}/etc/fonts/fonts.conf, 454 454 + 455 455 + # fontconfig default config files 456 456 + r ${pkg.out}/etc/fonts/conf.d/*.conf, 457 457 + 458 458 + # 00-nixos-cache.conf 459 459 + r ${cacheConf}, 460 460 + 461 461 + # 10-nixos-rendering.conf 462 462 + r ${renderConf}, 463 463 + 464 464 + # 50-user.conf 465 465 + ${optionalString cfg.includeUserConf '' 466 466 + r ${pkg.out}/etc/fonts/conf.d.bak/50-user.conf, 467 467 + ''} 468 468 + 469 469 + # local.conf (indirect priority 51) 470 470 + ${optionalString (cfg.localConf != "") '' 471 471 + r ${localConf}, 472 472 + ''} 473 473 + 474 474 + # 52-nixos-default-fonts.conf 475 475 + r ${defaultFontsConf}, 476 476 + 477 477 + # 53-no-bitmaps.conf 478 478 + r ${rejectBitmaps}, 479 479 + 480 480 + ${optionalString (!cfg.allowType1) '' 481 481 + # 53-nixos-reject-type1.conf 482 482 + r ${rejectType1}, 483 483 + ''} 484 484 + ''; 451 485 }) 452 486 (mkIf cfg.enable { 453 487 fonts.fontconfig.confPackages = [ confPkg ];

+7

nixos/modules/config/malloc.nix

··· 87 87 environment.etc."ld-nix.so.preload".text = '' 88 88 ${providerLibPath} 89 89 ''; 90 90 + security.apparmor.includes = { 91 91 + "abstractions/base" = '' 92 92 + r /etc/ld-nix.so.preload, 93 93 + r ${config.environment.etc."ld-nix.so.preload".source}, 94 94 + mr ${providerLibPath}, 95 95 + ''; 96 96 + }; 90 97 }; 91 98 }

-1

nixos/modules/module-list.nix

··· 205 205 ./rename.nix 206 206 ./security/acme.nix 207 207 ./security/apparmor.nix 208 208 - ./security/apparmor-suid.nix 209 208 ./security/audit.nix 210 209 ./security/auditd.nix 211 210 ./security/ca.nix

-49

nixos/modules/security/apparmor-suid.nix

··· 1 1 - { config, lib, pkgs, ... }: 2 2 - let 3 3 - cfg = config.security.apparmor; 4 4 - in 5 5 - with lib; 6 6 - { 7 7 - imports = [ 8 8 - (mkRenamedOptionModule [ "security" "virtualization" "flushL1DataCache" ] [ "security" "virtualisation" "flushL1DataCache" ]) 9 9 - ]; 10 10 - 11 11 - options.security.apparmor.confineSUIDApplications = mkOption { 12 12 - type = types.bool; 13 13 - default = true; 14 14 - description = '' 15 15 - Install AppArmor profiles for commonly-used SUID application 16 16 - to mitigate potential privilege escalation attacks due to bugs 17 17 - in such applications. 18 18 - 19 19 - Currently available profiles: ping 20 20 - ''; 21 21 - }; 22 22 - 23 23 - config = mkIf (cfg.confineSUIDApplications) { 24 24 - security.apparmor.profiles = [ (pkgs.writeText "ping" '' 25 25 - #include <tunables/global> 26 26 - /run/wrappers/bin/ping { 27 27 - #include <abstractions/base> 28 28 - #include <abstractions/consoles> 29 29 - #include <abstractions/nameservice> 30 30 - 31 31 - capability net_raw, 32 32 - capability setuid, 33 33 - network inet raw, 34 34 - 35 35 - ${pkgs.stdenv.cc.libc.out}/lib/*.so mr, 36 36 - ${pkgs.libcap.lib}/lib/libcap.so* mr, 37 37 - ${pkgs.attr.out}/lib/libattr.so* mr, 38 38 - 39 39 - ${pkgs.iputils}/bin/ping mixr, 40 40 - 41 41 - #/etc/modules.conf r, 42 42 - 43 43 - ## Site-specific additions and overrides. See local/README for details. 44 44 - ##include <local/bin.ping> 45 45 - } 46 46 - '') ]; 47 47 - }; 48 48 - 49 49 - }

+187 -48

nixos/modules/security/apparmor.nix

··· 1 1 { config, lib, pkgs, ... }: 2 2 3 3 let 4 4 - inherit (lib) mkIf mkOption types concatMapStrings; 4 4 + inherit (builtins) attrNames head map match readFile; 5 5 + inherit (lib) types; 6 6 + inherit (config.environment) etc; 5 7 cfg = config.security.apparmor; 8 8 + mkDisableOption = name: lib.mkEnableOption name // { 9 9 + default = true; 10 10 + example = false; 11 11 + }; 12 12 + enabledPolicies = lib.filterAttrs (n: p: p.enable) cfg.policies; 6 13 in 7 14 8 15 { 9 9 - options = { 10 10 - security.apparmor = { 11 11 - enable = mkOption { 12 12 - type = types.bool; 13 13 - default = false; 14 14 - description = "Enable the AppArmor Mandatory Access Control system."; 15 15 - }; 16 16 - profiles = mkOption { 17 17 - type = types.listOf types.path; 18 18 - default = []; 19 19 - description = "List of files containing AppArmor profiles."; 20 20 - }; 21 21 - packages = mkOption { 22 22 - type = types.listOf types.package; 23 23 - default = []; 24 24 - description = "List of packages to be added to apparmor's include path"; 25 25 - }; 26 26 - }; 27 27 - }; 16 16 + imports = [ 17 17 + (lib.mkRenamedOptionModule [ "security" "virtualization" "flushL1DataCache" ] [ "security" "virtualisation" "flushL1DataCache" ]) 18 18 + (lib.mkRemovedOptionModule [ "security" "apparmor" "confineSUIDApplications" ] "Please use the new options: `security.apparmor.policies.<policy>.enable'.") 19 19 + (lib.mkRemovedOptionModule [ "security" "apparmor" "profiles" ] "Please use the new option: `security.apparmor.policies'.") 20 20 + apparmor/includes.nix 21 21 + apparmor/profiles.nix 22 22 + ]; 23 23 + 24 24 + options = { 25 25 + security.apparmor = { 26 26 + enable = lib.mkEnableOption ''the AppArmor Mandatory Access Control system. 27 27 + 28 28 + If you're enabling this module on a running system, 29 29 + note that a reboot will be required to activate AppArmor in the kernel. 30 30 + 31 31 + Also, beware that enabling this module will by default 32 32 + try to kill unconfined but confinable running processes, 33 33 + in order to obtain a confinement matching what is declared in the NixOS configuration. 34 34 + This will happen when upgrading to a NixOS revision 35 35 + introducing an AppArmor profile for the executable of a running process. 36 36 + This is because enabling an AppArmor profile for an executable 37 37 + can only confine new or already confined processes of that executable, 38 38 + but leaves already running processes unconfined. 39 39 + Set <link linkend="opt-security.apparmor.killUnconfinedConfinables">killUnconfinedConfinables</link> 40 40 + to <literal>false</literal> if you prefer to leave those processes running''; 41 41 + policies = lib.mkOption { 42 42 + description = '' 43 43 + AppArmor policies. 44 44 + ''; 45 45 + type = types.attrsOf (types.submodule ({ name, config, ... }: { 46 46 + options = { 47 47 + enable = mkDisableOption "loading of the profile into the kernel"; 48 48 + enforce = mkDisableOption "enforcing of the policy or only complain in the logs"; 49 49 + profile = lib.mkOption { 50 50 + description = "The policy of the profile."; 51 51 + type = types.lines; 52 52 + apply = pkgs.writeText name; 53 53 + }; 54 54 + }; 55 55 + })); 56 56 + default = {}; 57 57 + }; 58 58 + includes = lib.mkOption { 59 59 + type = types.attrsOf types.lines; 60 60 + default = {}; 61 61 + description = '' 62 62 + List of paths to be added to AppArmor's searched paths 63 63 + when resolving <literal>include</literal> directives. 64 64 + ''; 65 65 + apply = lib.mapAttrs pkgs.writeText; 66 66 + }; 67 67 + packages = lib.mkOption { 68 68 + type = types.listOf types.package; 69 69 + default = []; 70 70 + description = "List of packages to be added to AppArmor's include path"; 71 71 + }; 72 72 + enableCache = lib.mkEnableOption ''caching of AppArmor policies 73 73 + in <literal>/var/cache/apparmor/</literal>. 74 74 + 75 75 + Beware that AppArmor policies almost always contain Nix store paths, 76 76 + and thus produce at each change of these paths 77 77 + a new cached version accumulating in the cache''; 78 78 + killUnconfinedConfinables = mkDisableOption ''killing of processes 79 79 + which have an AppArmor profile enabled 80 80 + (in <link linkend="opt-security.apparmor.policies">policies</link>) 81 81 + but are not confined (because AppArmor can only confine new processes). 82 82 + Beware that due to a current limitation of AppArmor, 83 83 + only profiles with exact paths (and no name) can enable such kills''; 84 84 + }; 85 85 + }; 86 86 + 87 87 + config = lib.mkIf cfg.enable { 88 88 + assertions = map (policy: 89 89 + { assertion = match ".*/.*" policy == null; 90 90 + message = "`security.apparmor.policies.\"${policy}\"' must not contain a slash."; 91 91 + # Because, for instance, aa-remove-unknown uses profiles_names_list() in rc.apparmor.functions 92 92 + # which does not recurse into sub-directories. 93 93 + } 94 94 + ) (attrNames cfg.policies); 95 95 + 96 96 + environment.systemPackages = [ pkgs.apparmor-utils ]; 97 97 + environment.etc."apparmor.d".source = pkgs.linkFarm "apparmor.d" ( 98 98 + # It's important to put only enabledPolicies here and not all cfg.policies 99 99 + # because aa-remove-unknown reads profiles from all /etc/apparmor.d/* 100 100 + lib.mapAttrsToList (name: p: {inherit name; path=p.profile;}) enabledPolicies ++ 101 101 + lib.mapAttrsToList (name: path: {inherit name path;}) cfg.includes 102 102 + ); 103 103 + environment.etc."apparmor/parser.conf".text = '' 104 104 + ${if cfg.enableCache then "write-cache" else "skip-cache"} 105 105 + cache-loc /var/cache/apparmor 106 106 + Include /etc/apparmor.d 107 107 + '' + 108 108 + lib.concatMapStrings (p: "Include ${p}/etc/apparmor.d\n") cfg.packages; 109 109 + # For aa-logprof 110 110 + environment.etc."apparmor/apparmor.conf".text = '' 111 111 + ''; 112 112 + # For aa-logprof 113 113 + environment.etc."apparmor/severity.db".source = pkgs.apparmor-utils + "/etc/apparmor/severity.db"; 114 114 + environment.etc."apparmor/logprof.conf".text = '' 115 115 + [settings] 116 116 + # /etc/apparmor.d/ is read-only on NixOS 117 117 + profiledir = /var/cache/apparmor/logprof 118 118 + inactive_profiledir = /etc/apparmor.d/disable 119 119 + # Use: journalctl -b --since today --grep audit: | aa-logprof 120 120 + logfiles = /dev/stdin 121 121 + 122 122 + parser = ${pkgs.apparmor-parser}/bin/apparmor_parser 123 123 + ldd = ${pkgs.glibc.bin}/bin/ldd 124 124 + logger = ${pkgs.utillinux}/bin/logger 125 125 + 126 126 + # customize how file ownership permissions are presented 127 127 + # 0 - off 128 128 + # 1 - default of what ever mode the log reported 129 129 + # 2 - force the new permissions to be user 130 130 + # 3 - force all perms on the rule to be user 131 131 + default_owner_prompt = 1 132 132 + 133 133 + custom_includes = /etc/apparmor.d ${lib.concatMapStringsSep " " (p: "${p}/etc/apparmor.d") cfg.packages} 134 134 + 135 135 + [qualifiers] 136 136 + ${pkgs.runtimeShell} = icnu 137 137 + ${pkgs.bashInteractive}/bin/sh = icnu 138 138 + ${pkgs.bashInteractive}/bin/bash = icnu 139 139 + '' + head (match "^.*\\[qualifiers](.*)" # Drop the original [settings] section. 140 140 + (readFile "${pkgs.apparmor-utils}/etc/apparmor/logprof.conf")); 28 141 29 29 - config = mkIf cfg.enable { 30 30 - environment.systemPackages = [ pkgs.apparmor-utils ]; 142 142 + boot.kernelParams = [ "apparmor=1" "security=apparmor" ]; 31 143 32 32 - boot.kernelParams = [ "apparmor=1" "security=apparmor" ]; 144 144 + systemd.services.apparmor = { 145 145 + after = [ 146 146 + "local-fs.target" 147 147 + "systemd-journald-audit.socket" 148 148 + ]; 149 149 + before = [ "sysinit.target" ]; 150 150 + wantedBy = [ "multi-user.target" ]; 151 151 + unitConfig = { 152 152 + Description="Load AppArmor policies"; 153 153 + DefaultDependencies = "no"; 154 154 + ConditionSecurity = "apparmor"; 155 155 + }; 156 156 + # Reloading instead of restarting enables to load new AppArmor profiles 157 157 + # without necessarily restarting all services which have Requires=apparmor.service 158 158 + reloadIfChanged = true; 159 159 + restartTriggers = [ 160 160 + etc."apparmor/parser.conf".source 161 161 + etc."apparmor.d".source 162 162 + ]; 163 163 + serviceConfig = let 164 164 + killUnconfinedConfinables = pkgs.writeShellScript "apparmor-kill" '' 165 165 + set -eu 166 166 + ${pkgs.apparmor-utils}/bin/aa-status --json | 167 167 + ${pkgs.jq}/bin/jq --raw-output '.processes | .[] | .[] | select (.status == "unconfined") | .pid' | 168 168 + xargs --verbose --no-run-if-empty --delimiter='\n' \ 169 169 + kill 170 170 + ''; 171 171 + commonOpts = p: "--verbose --show-cache ${lib.optionalString (!p.enforce) "--complain "}${p.profile}"; 172 172 + in { 173 173 + Type = "oneshot"; 174 174 + RemainAfterExit = "yes"; 175 175 + ExecStartPre = "${pkgs.apparmor-utils}/bin/aa-teardown"; 176 176 + ExecStart = lib.mapAttrsToList (n: p: "${pkgs.apparmor-parser}/bin/apparmor_parser --add ${commonOpts p}") enabledPolicies; 177 177 + ExecStartPost = lib.optional cfg.killUnconfinedConfinables killUnconfinedConfinables; 178 178 + ExecReload = 179 179 + # Add or replace into the kernel profiles in enabledPolicies 180 180 + # (because AppArmor can do that without stopping the processes already confined). 181 181 + lib.mapAttrsToList (n: p: "${pkgs.apparmor-parser}/bin/apparmor_parser --replace ${commonOpts p}") enabledPolicies ++ 182 182 + # Remove from the kernel any profile whose name is not 183 183 + # one of the names within the content of the profiles in enabledPolicies 184 184 + # (indirectly read from /etc/apparmor.d/*, without recursing into sub-directory). 185 185 + # Note that this does not remove profiles dynamically generated by libvirt. 186 186 + [ "${pkgs.apparmor-utils}/bin/aa-remove-unknown" ] ++ 187 187 + # Optionaly kill the processes which are unconfined but now have a profile loaded 188 188 + # (because AppArmor can only start to confine new processes). 189 189 + lib.optional cfg.killUnconfinedConfinables killUnconfinedConfinables; 190 190 + ExecStop = "${pkgs.apparmor-utils}/bin/aa-teardown"; 191 191 + CacheDirectory = [ "apparmor" "apparmor/logprof" ]; 192 192 + CacheDirectoryMode = "0700"; 193 193 + }; 194 194 + }; 195 195 + }; 33 196 34 34 - systemd.services.apparmor = let 35 35 - paths = concatMapStrings (s: " -I ${s}/etc/apparmor.d") 36 36 - ([ pkgs.apparmor-profiles ] ++ cfg.packages); 37 37 - in { 38 38 - after = [ "local-fs.target" ]; 39 39 - before = [ "sysinit.target" ]; 40 40 - wantedBy = [ "multi-user.target" ]; 41 41 - unitConfig = { 42 42 - DefaultDependencies = "no"; 43 43 - }; 44 44 - serviceConfig = { 45 45 - Type = "oneshot"; 46 46 - RemainAfterExit = "yes"; 47 47 - ExecStart = map (p: 48 48 - ''${pkgs.apparmor-parser}/bin/apparmor_parser -rKv ${paths} "${p}"'' 49 49 - ) cfg.profiles; 50 50 - ExecStop = map (p: 51 51 - ''${pkgs.apparmor-parser}/bin/apparmor_parser -Rv "${p}"'' 52 52 - ) cfg.profiles; 53 53 - ExecReload = map (p: 54 54 - ''${pkgs.apparmor-parser}/bin/apparmor_parser --reload ${paths} "${p}"'' 55 55 - ) cfg.profiles; 56 56 - }; 57 57 - }; 58 58 - }; 197 197 + meta.maintainers = with lib.maintainers; [ julm ]; 59 198 }

+301

nixos/modules/security/apparmor/includes.nix

··· 1 1 + { config, lib, pkgs, ... }: 2 2 + let 3 3 + inherit (builtins) attrNames hasAttr isAttrs; 4 4 + inherit (lib) getLib; 5 5 + inherit (config.environment) etc; 6 6 + etcRule = arg: 7 7 + let go = {path ? null, mode ? "r", trail ? ""}: 8 8 + lib.optionalString (hasAttr path etc) 9 9 + "${mode} ${config.environment.etc.${path}.source}${trail},"; 10 10 + in if isAttrs arg 11 11 + then go arg 12 12 + else go {path=arg;}; 13 13 + in 14 14 + { 15 15 + # FIXME: most of the etcRule calls below have been 16 16 + # written systematically by converting from apparmor-profiles's profiles 17 17 + # without testing nor deep understanding of their uses, 18 18 + # and thus may need more rules or can have less rules; 19 19 + # this remains to be determined case by case, 20 20 + # some may even be completely useless. 21 21 + config.security.apparmor.includes = { 22 22 + # This one is included by <tunables/global> 23 23 + # which is usualy included before any profile. 24 24 + "abstractions/tunables/alias" = '' 25 25 + alias /bin -> /run/current-system/sw/bin, 26 26 + alias /lib/modules -> /run/current-system/kernel/lib/modules, 27 27 + alias /sbin -> /run/current-system/sw/sbin, 28 28 + alias /usr -> /run/current-system/sw, 29 29 + ''; 30 30 + "abstractions/audio" = '' 31 31 + include "${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/audio" 32 32 + ${etcRule "asound.conf"} 33 33 + ${etcRule "esound/esd.conf"} 34 34 + ${etcRule "libao.conf"} 35 35 + ${etcRule {path="pulse"; trail="/";}} 36 36 + ${etcRule {path="pulse"; trail="/**";}} 37 37 + ${etcRule {path="sound"; trail="/";}} 38 38 + ${etcRule {path="sound"; trail="/**";}} 39 39 + ${etcRule {path="alsa/conf.d"; trail="/";}} 40 40 + ${etcRule {path="alsa/conf.d"; trail="/*";}} 41 41 + ${etcRule "openal/alsoft.conf"} 42 42 + ${etcRule "wildmidi/wildmidi.conf"} 43 43 + ''; 44 44 + "abstractions/authentication" = '' 45 45 + include "${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/authentication" 46 46 + # Defined in security.pam 47 47 + include <abstractions/pam> 48 48 + ${etcRule "nologin"} 49 49 + ${etcRule "securetty"} 50 50 + ${etcRule {path="security"; trail="/*";}} 51 51 + ${etcRule "shadow"} 52 52 + ${etcRule "gshadow"} 53 53 + ${etcRule "pwdb.conf"} 54 54 + ${etcRule "default/passwd"} 55 55 + ${etcRule "login.defs"} 56 56 + ''; 57 57 + "abstractions/base" = '' 58 58 + include "${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/base" 59 59 + r ${pkgs.stdenv.cc.libc}/share/locale/**, 60 60 + r ${pkgs.stdenv.cc.libc}/share/locale.alias, 61 61 + ${lib.optionalString (pkgs.glibcLocales != null) "r ${pkgs.glibcLocales}/lib/locale/locale-archive,"} 62 62 + ${etcRule "localtime"} 63 63 + r ${pkgs.tzdata}/share/zoneinfo/**, 64 64 + r ${pkgs.stdenv.cc.libc}/share/i18n/**, 65 65 + ''; 66 66 + "abstractions/bash" = '' 67 67 + include "${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/bash" 68 68 + # system-wide bash configuration 69 69 + ${etcRule "profile.dos"} 70 70 + ${etcRule "profile"} 71 71 + ${etcRule "profile.d"} 72 72 + ${etcRule {path="profile.d"; trail="/*";}} 73 73 + ${etcRule "bashrc"} 74 74 + ${etcRule "bash.bashrc"} 75 75 + ${etcRule "bash.bashrc.local"} 76 76 + ${etcRule "bash_completion"} 77 77 + ${etcRule "bash_completion.d"} 78 78 + ${etcRule {path="bash_completion.d"; trail="/*";}} 79 79 + # bash relies on system-wide readline configuration 80 80 + ${etcRule "inputrc"} 81 81 + # bash inspects filesystems at startup 82 82 + # and /etc/mtab is linked to /proc/mounts 83 83 + @{PROC}/mounts 84 84 + 85 85 + # run out of /etc/bash.bashrc 86 86 + ${etcRule "DIR_COLORS"} 87 87 + ''; 88 88 + "abstractions/cups-client" = '' 89 89 + include "${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/cpus-client" 90 90 + ${etcRule "cups/cups-client.conf"} 91 91 + ''; 92 92 + "abstractions/consoles" = '' 93 93 + include "${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/consoles" 94 94 + ''; 95 95 + "abstractions/dbus-session-strict" = '' 96 96 + include "${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/dbus-session-strict" 97 97 + ${etcRule "machine-id"} 98 98 + ''; 99 99 + "abstractions/dconf" = '' 100 100 + include "${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/dconf" 101 101 + ${etcRule {path="dconf"; trail="/**";}} 102 102 + ''; 103 103 + "abstractions/dri-common" = '' 104 104 + include "${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/dri-common" 105 105 + ${etcRule "drirc"} 106 106 + ''; 107 107 + # The config.fonts.fontconfig NixOS module adds many files to /etc/fonts/ 108 108 + # by symlinking them but without exporting them outside of its NixOS module, 109 109 + # those are therefore added there to this "abstractions/fonts". 110 110 + "abstractions/fonts" = '' 111 111 + include "${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/fonts" 112 112 + ${etcRule {path="fonts"; trail="/**";}} 113 113 + ''; 114 114 + "abstractions/gnome" = '' 115 115 + include "${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/gnome" 116 116 + ${etcRule {path="gnome"; trail="/gtkrc*";}} 117 117 + ${etcRule {path="gtk"; trail="/*";}} 118 118 + ${etcRule {path="gtk-2.0"; trail="/*";}} 119 119 + ${etcRule {path="gtk-3.0"; trail="/*";}} 120 120 + ${etcRule "orbitrc"} 121 121 + include <abstractions/fonts> 122 122 + ${etcRule {path="pango"; trail="/*";}} 123 123 + ${etcRule {path="/etc/gnome-vfs-2.0"; trail="/modules/";}} 124 124 + ${etcRule {path="/etc/gnome-vfs-2.0"; trail="/modules/*";}} 125 125 + ${etcRule "papersize"} 126 126 + ${etcRule {path="cups"; trail="/lpoptions";}} 127 127 + ${etcRule {path="gnome"; trail="/defaults.list";}} 128 128 + ${etcRule {path="xdg"; trail="/{,*-}mimeapps.list";}} 129 129 + ${etcRule "xdg/mimeapps.list"} 130 130 + ''; 131 131 + "abstractions/kde" = '' 132 132 + include "${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/kde" 133 133 + ${etcRule {path="qt3"; trail="/kstylerc";}} 134 134 + ${etcRule {path="qt3"; trail="/qt_plugins_3.3rc";}} 135 135 + ${etcRule {path="qt3"; trail="/qtrc";}} 136 136 + ${etcRule "kderc"} 137 137 + ${etcRule {path="kde3"; trail="/*";}} 138 138 + ${etcRule "kde4rc"} 139 139 + ${etcRule {path="xdg"; trail="/kdeglobals";}} 140 140 + ${etcRule {path="xdg"; trail="/Trolltech.conf";}} 141 141 + ''; 142 142 + "abstractions/kerberosclient" = '' 143 143 + include "${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/kerberosclient" 144 144 + ${etcRule {path="krb5.keytab"; mode="rk";}} 145 145 + ${etcRule "krb5.conf"} 146 146 + ${etcRule "krb5.conf.d"} 147 147 + ${etcRule {path="krb5.conf.d"; trail="/*";}} 148 148 + 149 149 + # config files found via strings on libs 150 150 + ${etcRule "krb.conf"} 151 151 + ${etcRule "krb.realms"} 152 152 + ${etcRule "srvtab"} 153 153 + ''; 154 154 + "abstractions/ldapclient" = '' 155 155 + include "${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/ldapclient" 156 156 + ${etcRule "ldap.conf"} 157 157 + ${etcRule "ldap.secret"} 158 158 + ${etcRule {path="openldap"; trail="/*";}} 159 159 + ${etcRule {path="openldap"; trail="/cacerts/*";}} 160 160 + ${etcRule {path="sasl2"; trail="/*";}} 161 161 + ''; 162 162 + "abstractions/likewise" = '' 163 163 + include "${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/likewise" 164 164 + ''; 165 165 + "abstractions/mdns" = '' 166 166 + include "${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/mdns" 167 167 + ${etcRule "nss_mdns.conf"} 168 168 + ''; 169 169 + "abstractions/nameservice" = '' 170 170 + include "${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/nameservice" 171 171 + 172 172 + # Many programs wish to perform nameservice-like operations, such as 173 173 + # looking up users by name or id, groups by name or id, hosts by name 174 174 + # or IP, etc. These operations may be performed through files, dns, 175 175 + # NIS, NIS+, LDAP, hesiod, wins, etc. Allow them all here. 176 176 + ${etcRule "group"} 177 177 + ${etcRule "host.conf"} 178 178 + ${etcRule "hosts"} 179 179 + ${etcRule "nsswitch.conf"} 180 180 + ${etcRule "gai.conf"} 181 181 + ${etcRule "passwd"} 182 182 + ${etcRule "protocols"} 183 183 + 184 184 + # libtirpc (used for NIS/YP login) needs this 185 185 + ${etcRule "netconfig"} 186 186 + 187 187 + ${etcRule "resolv.conf"} 188 188 + 189 189 + ${etcRule {path="samba"; trail="/lmhosts";}} 190 190 + ${etcRule "services"} 191 191 + 192 192 + ${etcRule "default/nss"} 193 193 + 194 194 + # libnl-3-200 via libnss-gw-name 195 195 + ${etcRule {path="libnl"; trail="/classid";}} 196 196 + ${etcRule {path="libnl-3"; trail="/classid";}} 197 197 + 198 198 + mr ${getLib pkgs.nss}/lib/libnss_*.so*, 199 199 + mr ${getLib pkgs.nss}/lib64/libnss_*.so*, 200 200 + ''; 201 201 + "abstractions/nis" = '' 202 202 + include "${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/nis" 203 203 + ''; 204 204 + "abstractions/nvidia" = '' 205 205 + include "${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/nvidia" 206 206 + ${etcRule "vdpau_wrapper.cfg"} 207 207 + ''; 208 208 + "abstractions/opencl-common" = '' 209 209 + include "${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/opencl-common" 210 210 + ${etcRule {path="OpenCL"; trail="/**";}} 211 211 + ''; 212 212 + "abstractions/opencl-mesa" = '' 213 213 + include "${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/opencl-mesa" 214 214 + ${etcRule "default/drirc"} 215 215 + ''; 216 216 + "abstractions/openssl" = '' 217 217 + include "${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/openssl" 218 218 + ${etcRule {path="ssl"; trail="/openssl.cnf";}} 219 219 + ''; 220 220 + "abstractions/p11-kit" = '' 221 221 + include "${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/p11-kit" 222 222 + ${etcRule {path="pkcs11"; trail="/";}} 223 223 + ${etcRule {path="pkcs11"; trail="/pkcs11.conf";}} 224 224 + ${etcRule {path="pkcs11"; trail="/modules/";}} 225 225 + ${etcRule {path="pkcs11"; trail="/modules/*";}} 226 226 + ''; 227 227 + "abstractions/perl" = '' 228 228 + include "${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/perl" 229 229 + ${etcRule {path="perl"; trail="/**";}} 230 230 + ''; 231 231 + "abstractions/php" = '' 232 232 + include "${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/php" 233 233 + ${etcRule {path="php"; trail="/**/";}} 234 234 + ${etcRule {path="php5"; trail="/**/";}} 235 235 + ${etcRule {path="php7"; trail="/**/";}} 236 236 + ${etcRule {path="php"; trail="/**.ini";}} 237 237 + ${etcRule {path="php5"; trail="/**.ini";}} 238 238 + ${etcRule {path="php7"; trail="/**.ini";}} 239 239 + ''; 240 240 + "abstractions/postfix-common" = '' 241 241 + include "${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/postfix-common" 242 242 + ${etcRule "mailname"} 243 243 + ${etcRule {path="postfix"; trail="/*.cf";}} 244 244 + ${etcRule "postfix/main.cf"} 245 245 + ${etcRule "postfix/master.cf"} 246 246 + ''; 247 247 + "abstractions/python" = '' 248 248 + include "${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/python" 249 249 + ''; 250 250 + "abstractions/qt5" = '' 251 251 + include "${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/qt5" 252 252 + ${etcRule {path="xdg"; trail="/QtProject/qtlogging.ini";}} 253 253 + ${etcRule {path="xdg/QtProject"; trail="/qtlogging.ini";}} 254 254 + ${etcRule "xdg/QtProject/qtlogging.ini"} 255 255 + ''; 256 256 + "abstractions/samba" = '' 257 257 + include "${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/samba" 258 258 + ${etcRule {path="samba"; trail="/*";}} 259 259 + ''; 260 260 + "abstractions/ssl_certs" = '' 261 261 + include "${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/ssl_certs" 262 262 + ${etcRule "ssl/certs/ca-certificates.crt"} 263 263 + ${etcRule "ssl/certs/ca-bundle.crt"} 264 264 + ${etcRule "pki/tls/certs/ca-bundle.crt"} 265 265 + 266 266 + ${etcRule {path="ssl/trust"; trail="/";}} 267 267 + ${etcRule {path="ssl/trust"; trail="/*";}} 268 268 + ${etcRule {path="ssl/trust/anchors"; trail="/";}} 269 269 + ${etcRule {path="ssl/trust/anchors"; trail="/**";}} 270 270 + ${etcRule {path="pki/trust"; trail="/";}} 271 271 + ${etcRule {path="pki/trust"; trail="/*";}} 272 272 + ${etcRule {path="pki/trust/anchors"; trail="/";}} 273 273 + ${etcRule {path="pki/trust/anchors"; trail="/**";}} 274 274 + 275 275 + # security.acme NixOS module 276 276 + r /var/lib/acme/*/cert.pem, 277 277 + r /var/lib/acme/*/chain.pem, 278 278 + r /var/lib/acme/*/fullchain.pem, 279 279 + ''; 280 280 + "abstractions/ssl_keys" = '' 281 281 + # security.acme NixOS module 282 282 + r /var/lib/acme/*/full.pem, 283 283 + r /var/lib/acme/*/key.pem, 284 284 + ''; 285 285 + "abstractions/vulkan" = '' 286 286 + include "${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/vulkan" 287 287 + ${etcRule {path="vulkan/icd.d"; trail="/";}} 288 288 + ${etcRule {path="vulkan/icd.d"; trail="/*.json";}} 289 289 + ''; 290 290 + "abstractions/winbind" = '' 291 291 + include "${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/winbind" 292 292 + ${etcRule {path="samba"; trail="/smb.conf";}} 293 293 + ${etcRule {path="samba"; trail="/dhcp.conf";}} 294 294 + ''; 295 295 + "abstractions/X" = '' 296 296 + include "${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/X" 297 297 + ${etcRule {path="X11/cursors"; trail="/";}} 298 298 + ${etcRule {path="X11/cursors"; trail="/**";}} 299 299 + ''; 300 300 + }; 301 301 + }

+11

nixos/modules/security/apparmor/profiles.nix

··· 1 1 + { config, lib, pkgs, ... }: 2 2 + let apparmor = config.security.apparmor; in 3 3 + { 4 4 + config.security.apparmor.packages = [ pkgs.apparmor-profiles ]; 5 5 + config.security.apparmor.policies."bin.ping".profile = lib.mkIf apparmor.policies."bin.ping".enable '' 6 6 + include "${pkgs.iputils.apparmor}/bin.ping" 7 7 + include "${pkgs.inetutils.apparmor}/bin.ping" 8 8 + # Note that including those two profiles in the same profile 9 9 + # would not work if the second one were to re-include <tunables/global>. 10 10 + ''; 11 11 + }

+55

nixos/modules/security/pam.nix

··· 895 895 runuser-l = { rootOK = true; unixAuth = false; }; 896 896 }; 897 897 898 898 + security.apparmor.includes."abstractions/pam" = let 899 899 + isEnabled = test: fold or false (map test (attrValues config.security.pam.services)); 900 900 + in '' 901 901 + ${lib.concatMapStringsSep "\n" 902 902 + (name: "r ${config.environment.etc."pam.d/${name}".source},") 903 903 + (attrNames config.security.pam.services)} 904 904 + mr ${getLib pkgs.pam}/lib/security/pam_filter/*, 905 905 + mr ${getLib pkgs.pam}/lib/security/pam_*.so, 906 906 + r ${getLib pkgs.pam}/lib/security/, 907 907 + ${optionalString use_ldap 908 908 + "mr ${pam_ldap}/lib/security/pam_ldap.so,"} 909 909 + ${optionalString config.services.sssd.enable 910 910 + "mr ${pkgs.sssd}/lib/security/pam_sss.so,"} 911 911 + ${optionalString config.krb5.enable '' 912 912 + mr ${pam_krb5}/lib/security/pam_krb5.so, 913 913 + mr ${pam_ccreds}/lib/security/pam_ccreds.so, 914 914 + ''} 915 915 + ${optionalString (isEnabled (cfg: cfg.googleOsLoginAccountVerification)) '' 916 916 + mr ${pkgs.google-compute-engine-oslogin}/lib/pam_oslogin_login.so, 917 917 + mr ${pkgs.google-compute-engine-oslogin}/lib/pam_oslogin_admin.so, 918 918 + ''} 919 919 + ${optionalString (isEnabled (cfg: cfg.googleOsLoginAuthentication)) 920 920 + "mr ${pkgs.google-compute-engine-oslogin}/lib/pam_oslogin_login.so,"} 921 921 + ${optionalString (config.security.pam.enableSSHAgentAuth && isEnabled (cfg: cfg.sshAgentAuth)) 922 922 + "mr ${pkgs.pam_ssh_agent_auth}/libexec/pam_ssh_agent_auth.so,"} 923 923 + ${optionalString (isEnabled (cfg: cfg.fprintAuth)) 924 924 + "mr ${pkgs.fprintd}/lib/security/pam_fprintd.so,"} 925 925 + ${optionalString (isEnabled (cfg: cfg.u2fAuth)) 926 926 + "mr ${pkgs.pam_u2f}/lib/security/pam_u2f.so,"} 927 927 + ${optionalString (isEnabled (cfg: cfg.usbAuth)) 928 928 + "mr ${pkgs.pam_usb}/lib/security/pam_usb.so,"} 929 929 + ${optionalString (isEnabled (cfg: cfg.oathAuth)) 930 930 + "mr ${pkgs.oathToolkit}/lib/security/pam_oath.so,"} 931 931 + ${optionalString (isEnabled (cfg: cfg.yubicoAuth)) 932 932 + "mr ${pkgs.yubico-pam}/lib/security/pam_yubico.so,"} 933 933 + ${optionalString (isEnabled (cfg: cfg.duoSecurity.enable)) 934 934 + "mr ${pkgs.duo-unix}/lib/security/pam_duo.so,"} 935 935 + ${optionalString (isEnabled (cfg: cfg.otpwAuth)) 936 936 + "mr ${pkgs.otpw}/lib/security/pam_otpw.so,"} 937 937 + ${optionalString config.security.pam.enableEcryptfs 938 938 + "mr ${pkgs.ecryptfs}/lib/security/pam_ecryptfs.so,"} 939 939 + ${optionalString (isEnabled (cfg: cfg.pamMount)) 940 940 + "mr ${pkgs.pam_mount}/lib/security/pam_mount.so,"} 941 941 + ${optionalString (isEnabled (cfg: cfg.enableGnomeKeyring)) 942 942 + "mr ${pkgs.gnome3.gnome-keyring}/lib/security/pam_gnome_keyring.so,"} 943 943 + ${optionalString (isEnabled (cfg: cfg.startSession)) 944 944 + "mr ${pkgs.systemd}/lib/security/pam_systemd.so,"} 945 945 + ${optionalString (isEnabled (cfg: cfg.enableAppArmor) && config.security.apparmor.enable) 946 946 + "mr ${pkgs.apparmor-pam}/lib/security/pam_apparmor.so,"} 947 947 + ${optionalString (isEnabled (cfg: cfg.enableKwallet)) 948 948 + "mr ${pkgs.plasma5.kwallet-pam}/lib/security/pam_kwallet5.so,"} 949 949 + ${optionalString config.virtualisation.lxc.lxcfs.enable 950 950 + "mr ${pkgs.lxc}/lib/security/pam_cgfs.so"} 951 951 + ''; 952 952 + 898 953 }; 899 954 900 955 }

+8

nixos/modules/security/wrappers/default.nix

··· 171 171 export PATH="${wrapperDir}:$PATH" 172 172 ''; 173 173 174 174 + security.apparmor.includes."nixos/security.wrappers" = '' 175 175 + include "${pkgs.apparmorRulesFromClosure { name="security.wrappers"; } [ 176 176 + securityWrapper 177 177 + pkgs.stdenv.cc.cc 178 178 + pkgs.stdenv.cc.libc 179 179 + ]}" 180 180 + ''; 181 181 + 174 182 ###### setcap activation script 175 183 system.activationScripts.wrappers = 176 184 lib.stringAfter [ "specialfs" "users" ]

+12 -51

nixos/modules/services/torrent/transmission.nix

··· 5 5 let 6 6 cfg = config.services.transmission; 7 7 inherit (config.environment) etc; 8 8 - apparmor = config.security.apparmor.enable; 8 8 + apparmor = config.security.apparmor; 9 9 rootDir = "/run/transmission"; 10 10 homeDir = "/var/lib/transmission"; 11 11 settingsDir = ".config/transmission-daemon"; ··· 184 184 185 185 systemd.services.transmission = { 186 186 description = "Transmission BitTorrent Service"; 187 187 - after = [ "network.target" ] ++ optional apparmor "apparmor.service"; 188 188 - requires = optional apparmor "apparmor.service"; 187 187 + after = [ "network.target" ] ++ optional apparmor.enable "apparmor.service"; 188 188 + requires = optional apparmor.enable "apparmor.service"; 189 189 wantedBy = [ "multi-user.target" ]; 190 190 environment.CURL_CA_BUNDLE = etc."ssl/certs/ca-certificates.crt".source; 191 191 ··· 358 358 }) 359 359 ]; 360 360 361 361 - security.apparmor.profiles = mkIf apparmor [ 362 362 - (pkgs.writeText "apparmor-transmission-daemon" '' 361 361 + security.apparmor.policies."bin.transmission-daemon".profile = '' 363 362 include <tunables/global> 364 364 - 365 363 ${pkgs.transmission}/bin/transmission-daemon { 366 364 include <abstractions/base> 367 365 include <abstractions/nameservice> 368 368 - 369 369 - # NOTE: https://github.com/NixOS/nixpkgs/pull/93457 370 370 - # will remove the need for these by fixing <abstractions/base> 371 371 - r ${etc."hosts".source}, 372 372 - r /etc/ld-nix.so.preload, 373 373 - ${lib.optionalString (builtins.hasAttr "ld-nix.so.preload" etc) '' 374 374 - r ${etc."ld-nix.so.preload".source}, 375 375 - ${concatMapStrings (p: optionalString (p != "") ("mr ${p},\n")) 376 376 - (splitString "\n" config.environment.etc."ld-nix.so.preload".text)} 377 377 - ''} 378 378 - r ${etc."ssl/certs/ca-certificates.crt".source}, 379 379 - r ${pkgs.tzdata}/share/zoneinfo/**, 380 380 - r ${pkgs.stdenv.cc.libc}/share/i18n/**, 381 381 - r ${pkgs.stdenv.cc.libc}/share/locale/**, 382 382 - 383 383 - mr ${getLib pkgs.stdenv.cc.cc}/lib/*.so*, 384 384 - mr ${getLib pkgs.stdenv.cc.libc}/lib/*.so*, 385 385 - mr ${getLib pkgs.attr}/lib/libattr*.so*, 386 386 - mr ${getLib pkgs.c-ares}/lib/libcares*.so*, 387 387 - mr ${getLib pkgs.curl}/lib/libcurl*.so*, 388 388 - mr ${getLib pkgs.keyutils}/lib/libkeyutils*.so*, 389 389 - mr ${getLib pkgs.libcap}/lib/libcap*.so*, 390 390 - mr ${getLib pkgs.libevent}/lib/libevent*.so*, 391 391 - mr ${getLib pkgs.libgcrypt}/lib/libgcrypt*.so*, 392 392 - mr ${getLib pkgs.libgpgerror}/lib/libgpg-error*.so*, 393 393 - mr ${getLib pkgs.libkrb5}/lib/lib*.so*, 394 394 - mr ${getLib pkgs.libssh2}/lib/libssh2*.so*, 395 395 - mr ${getLib pkgs.lz4}/lib/liblz4*.so*, 396 396 - mr ${getLib pkgs.nghttp2}/lib/libnghttp2*.so*, 397 397 - mr ${getLib pkgs.openssl}/lib/libcrypto*.so*, 398 398 - mr ${getLib pkgs.openssl}/lib/libssl*.so*, 399 399 - mr ${getLib pkgs.systemd}/lib/libsystemd*.so*, 400 400 - mr ${getLib pkgs.util-linuxMinimal.out}/lib/libblkid.so*, 401 401 - mr ${getLib pkgs.util-linuxMinimal.out}/lib/libmount.so*, 402 402 - mr ${getLib pkgs.util-linuxMinimal.out}/lib/libuuid.so*, 403 403 - mr ${getLib pkgs.xz}/lib/liblzma*.so*, 404 404 - mr ${getLib pkgs.zlib}/lib/libz*.so*, 366 366 + include <abstractions/ssl_certs> 367 367 + include "${pkgs.apparmorRulesFromClosure 368 368 + { name = "transmission-daemon"; } 369 369 + [ pkgs.transmission ]}" 370 370 + include <local/bin.transmission-daemon> 405 371 406 372 r @{PROC}/sys/kernel/random/uuid, 407 373 r @{PROC}/sys/vm/overcommit_memory, 408 408 - # @{pid} is not a kernel variable yet but a regexp 409 409 - #r @{PROC}/@{pid}/environ, 374 374 + r @{PROC}/@{pid}/environ, 410 375 r @{PROC}/@{pid}/mounts, 411 376 rwk /tmp/tr_session_id_*, 412 377 r /run/systemd/resolve/stub-resolv.conf, 413 378 414 379 r ${pkgs.openssl.out}/etc/**, 415 380 r ${config.systemd.services.transmission.environment.CURL_CA_BUNDLE}, 416 416 - r ${pkgs.transmission}/share/transmission/**, 417 381 418 382 owner rw ${cfg.home}/${settingsDir}/**, 419 383 rw ${cfg.settings.download-dir}/**, ··· 441 405 # https://gitlab.com/apparmor/apparmor/-/wikis/AppArmorStacking#seccomp-and-no_new_privs 442 406 px ${cfg.settings.script-torrent-done-filename} -> &@{dirs}, 443 407 ''} 444 444 - 445 445 - # FIXME: enable customizing using https://github.com/NixOS/nixpkgs/pull/93457 446 446 - # include <local/transmission-daemon> 447 408 } 448 448 - '') 449 449 - ]; 409 409 + ''; 410 410 + security.apparmor.includes."local/bin.transmission-daemon" = ""; 450 411 }; 451 412 452 413 meta.maintainers = with lib.maintainers; [ julm ];

+15

nixos/modules/tasks/network-interfaces.nix

··· 1111 1111 } else { 1112 1112 ping.source = "${pkgs.iputils.out}/bin/ping"; 1113 1113 }; 1114 1114 + security.apparmor.policies."bin.ping".profile = lib.mkIf config.security.apparmor.policies."bin.ping".enable (lib.mkAfter '' 1115 1115 + /run/wrappers/bin/ping { 1116 1116 + include <abstractions/base> 1117 1117 + include <nixos/security.wrappers> 1118 1118 + rpx /run/wrappers/wrappers.*/ping, 1119 1119 + } 1120 1120 + /run/wrappers/wrappers.*/ping { 1121 1121 + include <abstractions/base> 1122 1122 + include <nixos/security.wrappers> 1123 1123 + r /run/wrappers/wrappers.*/ping.real, 1124 1124 + mrpx ${config.security.wrappers.ping.source}, 1125 1125 + capability net_raw, 1126 1126 + capability setpcap, 1127 1127 + } 1128 1128 + ''); 1114 1129 1115 1130 # Set the host and domain names in the activation script. Don't 1116 1131 # clear it if it's not configured in the NixOS configuration,

+8 -4

nixos/modules/virtualisation/lxc.nix

··· 74 74 systemd.tmpfiles.rules = [ "d /var/lib/lxc/rootfs 0755 root root -" ]; 75 75 76 76 security.apparmor.packages = [ pkgs.lxc ]; 77 77 - security.apparmor.profiles = [ 78 78 - "${pkgs.lxc}/etc/apparmor.d/lxc-containers" 79 79 - "${pkgs.lxc}/etc/apparmor.d/usr.bin.lxc-start" 80 80 - ]; 77 77 + security.apparmor.policies = { 78 78 + "bin.lxc-start".profile = '' 79 79 + include ${pkgs.lxc}/etc/apparmor.d/usr.bin.lxc-start 80 80 + ''; 81 81 + "lxc-containers".profile = '' 82 82 + include ${pkgs.lxc}/etc/apparmor.d/lxc-containers 83 83 + ''; 84 84 + }; 81 85 }; 82 86 }

+11 -5

nixos/modules/virtualisation/lxd.nix

··· 97 97 # does a bunch of unrelated things. 98 98 systemd.tmpfiles.rules = [ "d /var/lib/lxc/rootfs 0755 root root -" ]; 99 99 100 100 - security.apparmor.packages = [ cfg.lxcPackage ]; 101 101 - security.apparmor.profiles = [ 102 102 - "${cfg.lxcPackage}/etc/apparmor.d/lxc-containers" 103 103 - "${cfg.lxcPackage}/etc/apparmor.d/usr.bin.lxc-start" 104 104 - ]; 100 100 + security.apparmor = { 101 101 + packages = [ cfg.lxcPackage ]; 102 102 + policies = { 103 103 + "bin.lxc-start".profile = '' 104 104 + include ${cfg.lxcPackage}/etc/apparmor.d/usr.bin.lxc-start 105 105 + ''; 106 106 + "lxc-containers".profile = '' 107 107 + include ${cfg.lxcPackage}/etc/apparmor.d/lxc-containers 108 108 + ''; 109 109 + }; 110 110 + }; 105 111 106 112 # TODO: remove once LXD gets proper support for cgroupsv2 107 113 # (currently most of the e.g. CPU accounting stuff doesn't work)

+61 -3

pkgs/os-specific/linux/apparmor/default.nix

··· 10 10 , pam 11 11 , libnotify 12 12 , buildPackages 13 13 + , coreutils 14 14 + , gnugrep 15 15 + , gnused 16 16 + , kmod 17 17 + , writeShellScript 18 18 + , closureInfo 19 19 + , runCommand 13 20 }: 14 21 15 22 let ··· 29 36 url = "https://launchpad.net/apparmor/${apparmor-series}/${apparmor-version}/+download/apparmor-${apparmor-version}.tar.gz"; 30 37 sha256 = "13xshy7905d9q9n8d8i0jmdi9m36wr525g4wlsp8k21n7yvvh9j4"; 31 38 }; 39 39 + 40 40 + aa-teardown = writeShellScript "aa-teardown" '' 41 41 + PATH="${lib.makeBinPath [coreutils gnused gnugrep]}:$PATH" 42 42 + . ${apparmor-parser}/lib/apparmor/rc.apparmor.functions 43 43 + remove_profiles 44 44 + ''; 32 45 33 46 prePatchCommon = '' 34 47 chmod a+x ./common/list_capabilities.sh ./common/list_af_names.sh ··· 121 134 libapparmor.python 122 135 ]; 123 136 124 124 - prePatch = prePatchCommon + '' 137 137 + prePatch = prePatchCommon + 138 138 + # Do not build vim file 139 139 + lib.optionalString stdenv.hostPlatform.isMusl '' 140 140 + sed -i ./utils/Makefile -e "/\<vim\>/d" 141 141 + '' + '' 125 142 substituteInPlace ./utils/apparmor/easyprof.py --replace "/sbin/apparmor_parser" "${apparmor-parser}/bin/apparmor_parser" 126 143 substituteInPlace ./utils/apparmor/aa.py --replace "/sbin/apparmor_parser" "${apparmor-parser}/bin/apparmor_parser" 127 144 substituteInPlace ./utils/logprof.conf --replace "/sbin/apparmor_parser" "${apparmor-parser}/bin/apparmor_parser" ··· 132 149 installFlags = [ "DESTDIR=$(out)" "BINDIR=$(out)/bin" "VIM_INSTALL_PATH=$(out)/share" "PYPREFIX=" ]; 133 150 134 151 postInstall = '' 152 152 + sed -i $out/bin/aa-unconfined -e "/my_env\['PATH'\]/d" 135 153 for prog in aa-audit aa-autodep aa-cleanprof aa-complain aa-disable aa-enforce aa-genprof aa-logprof aa-mergeprof aa-status aa-unconfined ; do 136 154 wrapProgram $out/bin/$prog --prefix PYTHONPATH : "$out/lib/${python.libPrefix}/site-packages:$PYTHONPATH" 137 155 done ··· 139 157 substituteInPlace $out/bin/aa-notify \ 140 158 --replace /usr/bin/notify-send ${libnotify}/bin/notify-send \ 141 159 --replace /usr/bin/perl "${perl}/bin/perl -I ${libapparmor}/${perl.libPrefix}" 160 160 + 161 161 + substituteInPlace $out/bin/aa-remove-unknown \ 162 162 + --replace "/usr/bin/aa-status" "$out/bin/aa-status" \ 163 163 + --replace "/sbin/modprobe" "${kmod}/bin/modprobe" \ 164 164 + --replace "/lib/apparmor/rc.apparmor.functions" "${apparmor-parser}/lib/apparmor/rc.apparmor.functions" 165 165 + wrapProgram $out/bin/aa-remove-unknown \ 166 166 + --prefix PATH : ${lib.makeBinPath [gawk]} 167 167 + 168 168 + ln -s ${aa-teardown} $out/bin/aa-teardown 142 169 ''; 143 170 144 171 inherit doCheck; ··· 187 214 substituteInPlace ./parser/Makefile --replace "/usr/include/linux/capability.h" "${linuxHeaders}/include/linux/capability.h" 188 215 ## techdoc.pdf still doesn't build ... 189 216 substituteInPlace ./parser/Makefile --replace "manpages htmlmanpages pdf" "manpages htmlmanpages" 217 217 + substituteInPlace parser/rc.apparmor.functions \ 218 218 + --replace "/sbin/apparmor_parser" "$out/bin/apparmor_parser" 219 219 + sed -i parser/rc.apparmor.functions -e '2i . ${./fix-rc.apparmor.functions.sh}' 190 220 ''; 191 221 inherit patches; 192 222 postPatch = "cd ./parser"; ··· 248 278 meta = apparmor-meta "kernel patches"; 249 279 }; 250 280 281 281 + # Generate generic AppArmor rules in a file, 282 282 + # from the closure of given rootPaths. 283 283 + # To be included in an AppArmor profile like so: 284 284 + # include "$(apparmorRulesFromClosure {} [pkgs.hello]}" 285 285 + apparmorRulesFromClosure = 286 286 + { # The store path of the derivation is given in $path 287 287 + additionalRules ? [] 288 288 + # TODO: factorize here some other common paths 289 289 + # that may emerge from use cases. 290 290 + , baseRules ? [ 291 291 + "r $path" 292 292 + "r $path/etc/**" 293 293 + "r $path/share/**" 294 294 + # Note that not all libraries are prefixed with "lib", 295 295 + # eg. glibc-2.30/lib/ld-2.30.so 296 296 + "mr $path/lib/**.so*" 297 297 + # eg. glibc-2.30/lib/gconv/gconv-modules 298 298 + "r $path/lib/**" 299 299 + ] 300 300 + , name ? "" 301 301 + }: rootPaths: runCommand 302 302 + ( "apparmor-closure-rules" 303 303 + + lib.optionalString (name != "") "-${name}") {} '' 304 304 + touch $out 305 305 + while read -r path 306 306 + do printf >>$out "%s,\n" ${lib.concatMapStringsSep " " (x: "\"${x}\"") (baseRules ++ additionalRules)} 307 307 + done <${closureInfo {inherit rootPaths;}}/store-paths 308 308 + ''; 251 309 in 252 252 - 253 310 { 254 311 inherit 255 312 libapparmor ··· 258 315 apparmor-parser 259 316 apparmor-pam 260 317 apparmor-profiles 261 261 - apparmor-kernel-patches; 318 318 + apparmor-kernel-patches 319 319 + apparmorRulesFromClosure; 262 320 }

+32

pkgs/os-specific/linux/apparmor/fix-rc.apparmor.functions.sh

··· 1 1 + aa_action() { 2 2 + STRING=$1 3 3 + shift 4 4 + $* 5 5 + rc=$? 6 6 + if [ $rc -eq 0 ] ; then 7 7 + aa_log_success_msg $"$STRING " 8 8 + else 9 9 + aa_log_failure_msg $"$STRING " 10 10 + fi 11 11 + return $rc 12 12 + } 13 13 + 14 14 + aa_log_success_msg() { 15 15 + [ -n "$1" ] && echo -n $1 16 16 + echo ": done." 17 17 + } 18 18 + 19 19 + aa_log_warning_msg() { 20 20 + [ -n "$1" ] && echo -n $1 21 21 + echo ": Warning." 22 22 + } 23 23 + 24 24 + aa_log_failure_msg() { 25 25 + [ -n "$1" ] && echo -n $1 26 26 + echo ": Failed." 27 27 + } 28 28 + 29 29 + aa_log_skipped_msg() { 30 30 + [ -n "$1" ] && echo -n $1 31 31 + echo ": Skipped." 32 32 + }

+22

pkgs/os-specific/linux/iputils/default.nix

··· 1 1 { lib, stdenv, fetchFromGitHub 2 2 , meson, ninja, pkg-config, gettext, libxslt, docbook_xsl_ns 3 3 , libcap, libidn2 4 4 + , apparmorRulesFromClosure 4 5 }: 5 6 6 7 let ··· 19 20 rev = version; 20 21 sha256 = "08j2hfgnfh31vv9rn1ml7090j2lsvm9wdpdz13rz60rmyzrx9dq3"; 21 22 }; 23 23 + 24 24 + outputs = ["out" "apparmor"]; 22 25 23 26 mesonFlags = [ 24 27 "-DBUILD_RARPD=true" ··· 34 37 nativeBuildInputs = [ meson ninja pkg-config gettext libxslt.bin docbook_xsl_ns ]; 35 38 buildInputs = [ libcap ] 36 39 ++ lib.optional (!stdenv.hostPlatform.isMusl) libidn2; 40 40 + postInstall = '' 41 41 + install -D -m 644 /dev/stdin $apparmor/bin.ping <<EOF 42 42 + include <tunables/global> 43 43 + $out/bin/ping { 44 44 + include <abstractions/base> 45 45 + include <abstractions/consoles> 46 46 + include <abstractions/nameservice> 47 47 + include "${apparmorRulesFromClosure { name = "ping"; } 48 48 + ([libcap] ++ lib.optional (!stdenv.hostPlatform.isMusl) libidn2)}" 49 49 + include <local/bin.ping> 50 50 + capability net_raw, 51 51 + network inet raw, 52 52 + network inet6 raw, 53 53 + mr $out/bin/ping, 54 54 + r $out/share/locale/**, 55 55 + r @{PROC}/@{pid}/environ, 56 56 + } 57 57 + EOF 58 58 + ''; 37 59 38 60 meta = with lib; { 39 61 description = "A set of small useful utilities for Linux networking";

+21 -1

pkgs/tools/networking/inetutils/default.nix

··· 1 1 - { stdenv, lib, fetchurl, ncurses, perl, help2man }: 1 1 + { stdenv, lib, fetchurl, ncurses, perl, help2man 2 2 + , apparmorRulesFromClosure 3 3 + }: 2 4 3 5 stdenv.mkDerivation rec { 4 6 name = "inetutils-1.9.4"; ··· 7 9 url = "mirror://gnu/inetutils/${name}.tar.gz"; 8 10 sha256 = "05n65k4ixl85dc6rxc51b1b732gnmm8xnqi424dy9f1nz7ppb3xy"; 9 11 }; 12 12 + 13 13 + outputs = ["out" "apparmor"]; 10 14 11 15 patches = [ 12 16 ./whois-Update-Canadian-TLD-server.patch ··· 40 44 doCheck = false; 41 45 42 46 installFlags = [ "SUIDMODE=" ]; 47 47 + 48 48 + postInstall = '' 49 49 + install -D -m 644 /dev/stdin $apparmor/bin.ping <<EOF 50 50 + $out/bin/ping { 51 51 + include <abstractions/base> 52 52 + include <abstractions/consoles> 53 53 + include <abstractions/nameservice> 54 54 + include "${apparmorRulesFromClosure { name = "ping"; } [stdenv.cc.libc]}" 55 55 + include <local/bin.ping> 56 56 + capability net_raw, 57 57 + network inet raw, 58 58 + network inet6 raw, 59 59 + mr $out/bin/ping, 60 60 + } 61 61 + EOF 62 62 + ''; 43 63 44 64 meta = with lib; { 45 65 description = "Collection of common network programs";

+1 -1

pkgs/top-level/all-packages.nix

··· 19482 19482 19483 19483 inherit (callPackages ../os-specific/linux/apparmor { python = python3; }) 19484 19484 libapparmor apparmor-utils apparmor-bin-utils apparmor-parser apparmor-pam 19485 19485 - apparmor-profiles apparmor-kernel-patches; 19485 19485 + apparmor-profiles apparmor-kernel-patches apparmorRulesFromClosure; 19486 19486 19487 19487 aseq2json = callPackage ../os-specific/linux/aseq2json {}; 19488 19488