+10

maintainers/team-list.nix

reviewed

··· 68 68 ]; 69 69 }; 70 70 71 71 + apparmor = { 72 72 + scope = "AppArmor-related modules, userspace tool packages and profiles"; 73 73 + shortName = "apparmor"; 74 74 + members = [ 75 75 + julm 76 76 + thoughtpolice 77 77 + grimmauld 78 78 + ]; 79 79 + }; 80 80 + 71 81 bazel = { 72 82 members = [ 73 83 mboes

+2 -5

nixos/modules/security/apparmor.nix

reviewed

··· 172 172 logfiles = /dev/stdin 173 173 174 174 parser = ${pkgs.apparmor-parser}/bin/apparmor_parser 175 175 - ldd = ${pkgs.glibc.bin}/bin/ldd 175 175 + ldd = ${lib.getExe' pkgs.stdenv.cc.libc "ldd"} 176 176 logger = ${pkgs.util-linux}/bin/logger 177 177 178 178 # customize how file ownership permissions are presented ··· 275 275 }; 276 276 }; 277 277 278 278 - meta.maintainers = with lib.maintainers; [ 279 279 - julm 280 280 - grimmauld 281 281 - ]; 278 278 + meta.maintainers = lib.teams.apparmor.members; 282 279 }

+53

pkgs/by-name/ap/apparmor-bin-utils/package.nix

reviewed

··· 1 1 + { 2 2 + lib, 3 3 + stdenv, 4 4 + pkg-config, 5 5 + which, 6 6 + buildPackages, 7 7 + 8 8 + # apparmor deps 9 9 + libapparmor, 10 10 + 11 11 + # testing 12 12 + perl, 13 13 + }: 14 14 + stdenv.mkDerivation { 15 15 + pname = "apparmor-bin-utils"; 16 16 + inherit (libapparmor) 17 17 + version 18 18 + src 19 19 + ; 20 20 + 21 21 + sourceRoot = "${libapparmor.src.name}/binutils"; 22 22 + 23 23 + nativeBuildInputs = [ 24 24 + pkg-config 25 25 + libapparmor 26 26 + which 27 27 + ]; 28 28 + 29 29 + buildInputs = [ 30 30 + libapparmor 31 31 + ]; 32 32 + 33 33 + makeFlags = [ 34 34 + "LANGS=" 35 35 + "USE_SYSTEM=1" 36 36 + "POD2MAN=${lib.getExe' buildPackages.perl "pod2man"}" 37 37 + "POD2HTML=${lib.getExe' buildPackages.perl "pod2html"}" 38 38 + "MANDIR=share/man" 39 39 + ]; 40 40 + 41 41 + doCheck = true; 42 42 + checkInputs = [ perl ]; 43 43 + 44 44 + installFlags = [ 45 45 + "DESTDIR=$(out)" 46 46 + "BINDIR=$(out)/bin" 47 47 + "SBINDIR=$(out)/bin" 48 48 + ]; 49 49 + 50 50 + meta = libapparmor.meta // { 51 51 + description = "Mandatory access control system - binary user-land utilities"; 52 52 + }; 53 53 + }

+40

pkgs/by-name/ap/apparmor-pam/package.nix

reviewed

··· 1 1 + { 2 2 + stdenv, 3 3 + pkg-config, 4 4 + which, 5 5 + pam, 6 6 + 7 7 + # apparmor deps 8 8 + libapparmor, 9 9 + }: 10 10 + stdenv.mkDerivation { 11 11 + pname = "apparmor-pam"; 12 12 + inherit (libapparmor) 13 13 + version 14 14 + src 15 15 + ; 16 16 + 17 17 + postPatch = '' 18 18 + substituteInPlace Makefile \ 19 19 + --replace-fail "pkg-config" "$PKG_CONFIG" 20 20 + ''; 21 21 + 22 22 + nativeBuildInputs = [ 23 23 + pkg-config 24 24 + which 25 25 + ]; 26 26 + 27 27 + buildInputs = [ 28 28 + libapparmor 29 29 + pam 30 30 + ]; 31 31 + 32 32 + sourceRoot = "${libapparmor.src.name}/changehat/pam_apparmor"; 33 33 + 34 34 + makeFlags = [ "USE_SYSTEM=1" ]; 35 35 + installFlags = [ "DESTDIR=$(out)" ]; 36 36 + 37 37 + meta = libapparmor.meta // { 38 38 + description = "Mandatory access control system - PAM service"; 39 39 + }; 40 40 + }

+75

pkgs/by-name/ap/apparmor-parser/package.nix

reviewed

··· 1 1 + { 2 2 + lib, 3 3 + stdenv, 4 4 + which, 5 5 + flex, 6 6 + bison, 7 7 + linuxHeaders ? stdenv.cc.libc.linuxHeaders, 8 8 + buildPackages, 9 9 + 10 10 + # apparmor deps 11 11 + libapparmor, 12 12 + 13 13 + # testing 14 14 + perl, 15 15 + python3, 16 16 + bashInteractive, 17 17 + }: 18 18 + stdenv.mkDerivation (finalAttrs: { 19 19 + pname = "apparmor-parser"; 20 20 + inherit (libapparmor) version src; 21 21 + 22 22 + postPatch = '' 23 23 + patchShebangs . 24 24 + cd parser 25 25 + 26 26 + substituteInPlace Makefile \ 27 27 + --replace-fail "/usr/include/linux/capability.h" "${linuxHeaders}/include/linux/capability.h" 28 28 + substituteInPlace rc.apparmor.functions \ 29 29 + --replace-fail "/sbin/apparmor_parser" "$out/bin/apparmor_parser" # FIXME 30 30 + substituteInPlace rc.apparmor.functions \ 31 31 + --replace-fail "/usr/sbin/aa-status" '$(which aa-status)' 32 32 + sed -i rc.apparmor.functions -e '2i . ${./fix-rc.apparmor.functions.sh}' 33 33 + ''; 34 34 + 35 35 + nativeBuildInputs = [ 36 36 + bison 37 37 + flex 38 38 + which 39 39 + ]; 40 40 + 41 41 + buildInputs = [ libapparmor ]; 42 42 + 43 43 + makeFlags = [ 44 44 + "LANGS=" 45 45 + "USE_SYSTEM=1" 46 46 + "INCLUDEDIR=${libapparmor}/include" 47 47 + "AR=${stdenv.cc.bintools.targetPrefix}ar" 48 48 + "POD2MAN=${lib.getExe' buildPackages.perl "pod2man"}" 49 49 + "POD2HTML=${lib.getExe' buildPackages.perl "pod2html"}" 50 50 + "MANDIR=share/man" 51 51 + ] ++ lib.optional finalAttrs.doCheck "PROVE=${lib.getExe' perl "prove"}"; 52 52 + 53 53 + installFlags = [ 54 54 + "DESTDIR=$(out)" 55 55 + "DISTRO=unknown" 56 56 + ]; 57 57 + 58 58 + preCheck = "pushd ./tst"; 59 59 + 60 60 + checkTarget = "tests"; 61 61 + 62 62 + postCheck = "popd"; 63 63 + 64 64 + doCheck = stdenv.hostPlatform == stdenv.buildPlatform && !stdenv.hostPlatform.isMusl; 65 65 + checkInputs = [ 66 66 + bashInteractive 67 67 + perl 68 68 + python3 69 69 + ]; 70 70 + 71 71 + meta = libapparmor.meta // { 72 72 + description = "Mandatory access control system - core library"; 73 73 + mainProgram = "apparmor_parser"; 74 74 + }; 75 75 + })

+42

pkgs/by-name/ap/apparmor-profiles/package.nix

reviewed

··· 1 1 + { 2 2 + stdenv, 3 3 + which, 4 4 + callPackage, 5 5 + 6 6 + # apparmor deps 7 7 + libapparmor, 8 8 + apparmor-parser, 9 9 + apparmor-utils, 10 10 + }: 11 11 + stdenv.mkDerivation { 12 12 + pname = "apparmor-profiles"; 13 13 + inherit (libapparmor) version src; 14 14 + 15 15 + sourceRoot = "${libapparmor.src.name}/profiles"; 16 16 + 17 17 + nativeBuildInputs = [ which ]; 18 18 + 19 19 + installFlags = [ 20 20 + "DESTDIR=$(out)" 21 21 + "EXTRAS_DEST=$(out)/share/apparmor/extra-profiles" 22 22 + ]; 23 23 + 24 24 + checkTarget = "check"; 25 25 + 26 26 + checkInputs = [ 27 27 + apparmor-parser 28 28 + apparmor-utils 29 29 + ]; 30 30 + 31 31 + preCheck = '' 32 32 + export USE_SYSTEM=1 33 33 + export LOGPROF="aa-logprof --configdir ${callPackage ./test_config.nix { }} --no-check-mountpoint" 34 34 + ''; 35 35 + 36 36 + doCheck = true; 37 37 + 38 38 + meta = libapparmor.meta // { 39 39 + description = "Mandatory access control system - profiles"; 40 40 + mainProgram = "apparmor_parser"; 41 41 + }; 42 42 + }

+47

pkgs/by-name/ap/apparmor-profiles/test_config.nix

reviewed

··· 1 1 + { 2 2 + lib, 3 3 + runCommand, 4 4 + util-linux, 5 5 + stdenv, 6 6 + runtimeShell, 7 7 + bashInteractive, 8 8 + 9 9 + # apparmor deps 10 10 + libapparmor, 11 11 + apparmor-parser, 12 12 + }: 13 13 + (runCommand "logprof_conf" 14 14 + { 15 15 + header = '' 16 16 + [settings] 17 17 + # /etc/apparmor.d/ is read-only on NixOS 18 18 + profiledir = /var/cache/apparmor/logprof 19 19 + inactive_profiledir = /etc/apparmor.d/disable 20 20 + # Use: journalctl -b --since today --grep audit: | aa-logprof 21 21 + logfiles = /dev/stdin 22 22 + 23 23 + parser = ${lib.getExe apparmor-parser} 24 24 + ldd = ${lib.getExe' stdenv.cc.libc "ldd"} 25 25 + logger = ${util-linux}/bin/logger 26 26 + 27 27 + # customize how file ownership permissions are presented 28 28 + # 0 - off 29 29 + # 1 - default of what ever mode the log reported 30 30 + # 2 - force the new permissions to be user 31 31 + # 3 - force all perms on the rule to be user 32 32 + default_owner_prompt = 1 33 33 + 34 34 + [qualifiers] 35 35 + ${runtimeShell} = icnu 36 36 + ${bashInteractive}/bin/sh = icnu 37 37 + ${bashInteractive}/bin/bash = icnu 38 38 + ''; 39 39 + passAsFile = [ "header" ]; 40 40 + } 41 41 + '' 42 42 + mkdir $out 43 43 + cp $headerPath $out/logprof.conf 44 44 + ln -s ${libapparmor.src}/utils/severity.db $out/severity.db 45 45 + sed '1,/\[qualifiers\]/d' ${libapparmor.src}/utils/logprof.conf >> $out/logprof.conf 46 46 + '' 47 47 + )

+33

pkgs/by-name/ap/apparmor-teardown/package.nix

reviewed

··· 1 1 + { 2 2 + writeShellApplication, 3 3 + coreutils, 4 4 + gnused, 5 5 + gnugrep, 6 6 + which, 7 7 + 8 8 + # apparmor deps 9 9 + apparmor-parser, 10 10 + apparmor-bin-utils, 11 11 + libapparmor, 12 12 + }: 13 13 + writeShellApplication { 14 14 + name = "apparmor-teardown"; 15 15 + runtimeInputs = [ 16 16 + apparmor-parser 17 17 + apparmor-bin-utils 18 18 + coreutils 19 19 + gnused 20 20 + gnugrep 21 21 + which 22 22 + ]; 23 23 + 24 24 + text = '' 25 25 + set +e # the imported script tries to `read` an empty line 26 26 + # shellcheck source=/dev/null 27 27 + . ${apparmor-parser}/lib/apparmor/rc.apparmor.functions 28 28 + remove_profiles 29 29 + exit 0 30 30 + ''; 31 31 + 32 32 + inherit (libapparmor) meta; 33 33 + }

+86

pkgs/by-name/ap/apparmor-utils/package.nix

reviewed

··· 1 1 + { 2 2 + lib, 3 3 + makeWrapper, 4 4 + gawk, 5 5 + perl, 6 6 + bash, 7 7 + stdenv, 8 8 + which, 9 9 + linuxHeaders ? stdenv.cc.libc.linuxHeaders, 10 10 + python3Packages, 11 11 + bashNonInteractive, 12 12 + buildPackages, 13 13 + 14 14 + # apparmor deps 15 15 + libapparmor, 16 16 + apparmor-parser, 17 17 + apparmor-teardown, 18 18 + }: 19 19 + python3Packages.buildPythonApplication { 20 20 + pname = "apparmor-utils"; 21 21 + inherit (libapparmor) version src; 22 22 + 23 23 + postPatch = 24 24 + '' 25 25 + patchShebangs . 26 26 + cd utils 27 27 + 28 28 + substituteInPlace aa-remove-unknown \ 29 29 + --replace-fail "/lib/apparmor/rc.apparmor.functions" "${apparmor-parser}/lib/apparmor/rc.apparmor.functions" 30 30 + substituteInPlace Makefile \ 31 31 + --replace-fail "/usr/include/linux/capability.h" "${linuxHeaders}/include/linux/capability.h" 32 32 + sed -i -E 's/^(DESTDIR|BINDIR|PYPREFIX)=.*//g' Makefile 33 33 + sed -i aa-unconfined -e "/my_env\['PATH'\]/d" 34 34 + '' 35 35 + + (lib.optionalString stdenv.hostPlatform.isMusl '' 36 36 + sed -i Makefile -e "/\<vim\>/d" 37 37 + ''); 38 38 + 39 39 + format = "other"; 40 40 + strictDeps = true; 41 41 + 42 42 + doCheck = true; 43 43 + 44 44 + nativeBuildInputs = [ 45 45 + makeWrapper 46 46 + which 47 47 + bashNonInteractive 48 48 + python3Packages.setuptools 49 49 + ]; 50 50 + 51 51 + buildInputs = [ 52 52 + bash 53 53 + perl 54 54 + ]; 55 55 + 56 56 + pythonPath = [ 57 57 + python3Packages.notify2 58 58 + python3Packages.psutil 59 59 + libapparmor 60 60 + ]; 61 61 + 62 62 + makeFlags = [ 63 63 + "LANGS=" 64 64 + "POD2MAN=${lib.getExe' buildPackages.perl "pod2man"}" 65 65 + "POD2HTML=${lib.getExe' buildPackages.perl "pod2html"}" 66 66 + "MANDIR=share/man" 67 67 + ]; 68 68 + 69 69 + installFlags = [ 70 70 + "DESTDIR=$(out)" 71 71 + "BINDIR=$(out)/bin" 72 72 + "VIM_INSTALL_PATH=$(out)/share" 73 73 + "PYPREFIX=" 74 74 + ]; 75 75 + 76 76 + postInstall = '' 77 77 + wrapProgram $out/bin/aa-remove-unknown \ 78 78 + --prefix PATH : ${lib.makeBinPath [ gawk ]} 79 79 + 80 80 + ln -s ${lib.getExe apparmor-teardown} $out/bin/aa-teardown 81 81 + ''; 82 82 + 83 83 + meta = libapparmor.meta // { 84 84 + description = "Mandatory access control system - script user-land utilities"; 85 85 + }; 86 86 + }

+35

pkgs/by-name/li/libapparmor/apparmorRulesFromClosure.nix

reviewed

··· 1 1 + { 2 2 + runCommand, 3 3 + closureInfo, 4 4 + lib, 5 5 + }: 6 6 + { 7 7 + # The store path of the derivation is given in $path 8 8 + additionalRules ? [ ], 9 9 + # TODO: factorize here some other common paths 10 10 + # that may emerge from use cases. 11 11 + baseRules ? [ 12 12 + "r $path" 13 13 + "r $path/etc/**" 14 14 + "mr $path/share/**" 15 15 + # Note that not all libraries are prefixed with "lib", 16 16 + # eg. glibc-2.30/lib/ld-2.30.so 17 17 + "mr $path/lib/**.so*" 18 18 + "mr $path/lib64/**.so*" 19 19 + # eg. glibc-2.30/lib/gconv/gconv-modules 20 20 + "r $path/lib/**" 21 21 + "r $path/lib64/**" 22 22 + # Internal executables 23 23 + "ixr $path/libexec/**" 24 24 + ], 25 25 + name ? "", 26 26 + }: 27 27 + rootPaths: 28 28 + runCommand ("apparmor-closure-rules" + lib.optionalString (name != "") "-${name}") { } '' 29 29 + touch $out 30 30 + while read -r path 31 31 + do printf >>$out "%s,\n" ${ 32 32 + lib.concatMapStringsSep " " (x: "\"${x}\"") (baseRules ++ additionalRules) 33 33 + } 34 34 + done <${closureInfo { inherit rootPaths; }}/store-paths 35 35 + ''

+104

pkgs/by-name/li/libapparmor/package.nix

reviewed

··· 1 1 + { 2 2 + stdenv, 3 3 + lib, 4 4 + fetchFromGitLab, 5 5 + autoreconfHook, 6 6 + autoconf-archive, 7 7 + pkg-config, 8 8 + which, 9 9 + flex, 10 10 + bison, 11 11 + withPerl ? 12 12 + stdenv.hostPlatform == stdenv.buildPlatform && lib.meta.availableOn stdenv.hostPlatform perl, 13 13 + perl, 14 14 + withPython ? lib.meta.availableOn stdenv.hostPlatform python3Packages.python, 15 15 + python3Packages, 16 16 + swig, 17 17 + ncurses, 18 18 + libxcrypt, 19 19 + 20 20 + # test 21 21 + dejagnu, 22 22 + 23 23 + # passthru 24 24 + nix-update-script, 25 25 + nixosTests, 26 26 + callPackage, 27 27 + }: 28 28 + stdenv.mkDerivation (finalAttrs: { 29 29 + pname = "libapparmor"; 30 30 + version = "4.1.0"; 31 31 + 32 32 + src = fetchFromGitLab { 33 33 + owner = "apparmor"; 34 34 + repo = "apparmor"; 35 35 + tag = "v${finalAttrs.version}"; 36 36 + hash = "sha256-oj6mGw/gvoRGpJqw72Lk6LJuurg8efjiV1pvZYbXz6A="; 37 37 + }; 38 38 + sourceRoot = "${finalAttrs.src.name}/libraries/libapparmor"; 39 39 + 40 40 + postPatch = '' 41 41 + substituteInPlace swig/perl/Makefile.am \ 42 42 + --replace-fail install_vendor install_site 43 43 + ''; 44 44 + 45 45 + strictDeps = true; 46 46 + 47 47 + nativeBuildInputs = 48 48 + [ 49 49 + autoconf-archive 50 50 + autoreconfHook 51 51 + bison 52 52 + flex 53 53 + pkg-config 54 54 + swig 55 55 + ncurses 56 56 + which 57 57 + dejagnu 58 58 + ] 59 59 + ++ lib.optionals withPython [ 60 60 + python3Packages.setuptools 61 61 + ]; 62 62 + 63 63 + nativeCheckInputs = [ 64 64 + python3Packages.pythonImportsCheckHook 65 65 + perl 66 66 + ]; 67 67 + 68 68 + buildInputs = 69 69 + [ libxcrypt ] ++ (lib.optional withPerl perl) ++ (lib.optional withPython python3Packages.python); 70 70 + 71 71 + # required to build apparmor-parser 72 72 + dontDisableStatic = true; 73 73 + 74 74 + # https://gitlab.com/apparmor/apparmor/issues/1 75 75 + configureFlags = [ 76 76 + (lib.withFeature withPerl "perl") 77 77 + (lib.withFeature withPython "python") 78 78 + ]; 79 79 + 80 80 + doCheck = withPerl && withPython; 81 81 + 82 82 + checkInputs = [ dejagnu ]; 83 83 + 84 84 + pythonImportsCheck = [ 85 85 + "LibAppArmor" 86 86 + ]; 87 87 + 88 88 + passthru = { 89 89 + updateScript = nix-update-script { }; 90 90 + tests.nixos = nixosTests.apparmor; 91 91 + apparmorRulesFromClosure = callPackage ./apparmorRulesFromClosure.nix { }; 92 92 + }; 93 93 + 94 94 + meta = { 95 95 + homepage = "https://apparmor.net/"; 96 96 + description = "Mandatory access control system - core library"; 97 97 + license = with lib.licenses; [ 98 98 + gpl2Only 99 99 + lgpl21Only 100 100 + ]; 101 101 + maintainers = lib.teams.apparmor.members; 102 102 + platforms = lib.platforms.linux; 103 103 + }; 104 104 + })

-30

pkgs/os-specific/linux/apparmor/0001-aa-remove-unknown_empty-ruleset.patch

reviewed

··· 1 1 - commit 166afaf144d6473464975438353257359dd51708 2 2 - Author: Andreas Wiese <andreas.wiese@kernkonzept.com> 3 3 - Date: Thu Feb 1 11:35:02 2024 +0100 4 4 - 5 5 - aa-remove-unknown: fix readability check 6 6 - 7 7 - This check is intended for ensuring that the profiles file can actually 8 8 - be opened. The *actual* check is performed by the shell, not the read 9 9 - utility, which won't even be executed if the input redirection (and 10 10 - hence the test) fails. 11 11 - 12 12 - If the test succeeds, though, using `read` here might actually 13 13 - jeopardize the test result if there are no profiles loaded and the file 14 14 - is empty. 15 15 - 16 16 - This commit fixes that case by simply using `true` instead of `read`. 17 17 - 18 18 - diff --git a/utils/aa-remove-unknown b/utils/aa-remove-unknown 19 19 - index 0e00d6a0..3351feef 100755 20 20 - --- a/utils/aa-remove-unknown 21 21 - +++ b/utils/aa-remove-unknown 22 22 - @@ -63,7 +63,7 @@ fi 23 23 - # We have to do this check because error checking awk's getline() below is 24 24 - # tricky and, as is, results in an infinite loop when apparmorfs returns an 25 25 - # error from open(). 26 26 - -if ! IFS= read -r _ < "$PROFILES" ; then 27 27 - +if ! true < "$PROFILES" ; then 28 28 - echo "ERROR: Unable to read apparmorfs profiles file" 1>&2 29 29 - exit 1 30 30 - elif [ ! -w "$REMOVE" ] ; then

-435

pkgs/os-specific/linux/apparmor/default.nix

reviewed

··· 1 1 - { 2 2 - stdenv, 3 3 - lib, 4 4 - fetchFromGitLab, 5 5 - fetchpatch, 6 6 - makeWrapper, 7 7 - autoreconfHook, 8 8 - autoconf-archive, 9 9 - pkg-config, 10 10 - which, 11 11 - flex, 12 12 - bison, 13 13 - linuxHeaders ? stdenv.cc.libc.linuxHeaders, 14 14 - gawk, 15 15 - withPerl ? 16 16 - stdenv.hostPlatform == stdenv.buildPlatform && lib.meta.availableOn stdenv.hostPlatform perl, 17 17 - perl, 18 18 - withPython ? 19 19 - stdenv.hostPlatform == stdenv.buildPlatform && lib.meta.availableOn stdenv.hostPlatform python3, 20 20 - python3, 21 21 - swig, 22 22 - ncurses, 23 23 - pam, 24 24 - libnotify, 25 25 - buildPackages, 26 26 - coreutils, 27 27 - bash, 28 28 - gnugrep, 29 29 - gnused, 30 30 - kmod, 31 31 - writeShellScript, 32 32 - closureInfo, 33 33 - runCommand, 34 34 - libxcrypt, 35 35 - }: 36 36 - 37 37 - let 38 38 - apparmor-version = "4.0.3"; 39 39 - 40 40 - apparmor-meta = 41 41 - component: with lib; { 42 42 - homepage = "https://apparmor.net/"; 43 43 - description = "Mandatory access control system - ${component}"; 44 44 - license = with licenses; [ 45 45 - gpl2Only 46 46 - lgpl21Only 47 47 - ]; 48 48 - maintainers = with maintainers; [ 49 49 - julm 50 50 - thoughtpolice 51 51 - grimmauld 52 52 - ]; 53 53 - platforms = platforms.linux; 54 54 - }; 55 55 - 56 56 - apparmor-sources = fetchFromGitLab { 57 57 - owner = "apparmor"; 58 58 - repo = "apparmor"; 59 59 - rev = "v${apparmor-version}"; 60 60 - hash = "sha256-6RMttvlXepxUyqdZeDujjVGOwuXl/nXnjii4sA/ppc4="; 61 61 - }; 62 62 - 63 63 - aa-teardown = writeShellScript "aa-teardown" '' 64 64 - PATH="${ 65 65 - lib.makeBinPath [ 66 66 - coreutils 67 67 - gnused 68 68 - gnugrep 69 69 - ] 70 70 - }:$PATH" 71 71 - . ${apparmor-parser}/lib/apparmor/rc.apparmor.functions 72 72 - remove_profiles 73 73 - ''; 74 74 - 75 75 - prePatchCommon = '' 76 76 - chmod a+x ./common/list_capabilities.sh ./common/list_af_names.sh 77 77 - patchShebangs ./common/list_capabilities.sh ./common/list_af_names.sh 78 78 - substituteInPlace ./common/Make.rules \ 79 79 - --replace "/usr/bin/pod2man" "${buildPackages.perl}/bin/pod2man" \ 80 80 - --replace "/usr/bin/pod2html" "${buildPackages.perl}/bin/pod2html" \ 81 81 - --replace "/usr/share/man" "share/man" 82 82 - substituteInPlace ./utils/Makefile \ 83 83 - --replace "/usr/include/linux/capability.h" "${linuxHeaders}/include/linux/capability.h" 84 84 - ''; 85 85 - 86 86 - patches = 87 87 - [ 88 88 - ./0001-aa-remove-unknown_empty-ruleset.patch 89 89 - 90 90 - (fetchpatch { 91 91 - name = "basename.patch"; 92 92 - url = "https://gitlab.com/apparmor/apparmor/-/commit/7fb040bde69ebdfce48cf1a01c1a62fd4f8eef0a.patch"; 93 93 - hash = "sha256-RZ04nfcV8hTd2CO3mYcfOGCLke8+FhV7DPfmDqSSdWk="; 94 94 - }) 95 95 - ] 96 96 - ++ lib.optionals stdenv.hostPlatform.isMusl [ 97 97 - (fetchpatch { 98 98 - url = "https://git.alpinelinux.org/aports/plain/testing/apparmor/0003-Added-missing-typedef-definitions-on-parser.patch?id=74b8427cc21f04e32030d047ae92caa618105b53"; 99 99 - name = "0003-Added-missing-typedef-definitions-on-parser.patch"; 100 100 - sha256 = "0yyaqz8jlmn1bm37arggprqz0njb4lhjni2d9c8qfqj0kll0bam0"; 101 101 - }) 102 102 - ]; 103 103 - 104 104 - python = python3.withPackages (ps: with ps; [ setuptools ]); 105 105 - 106 106 - # Set to `true` after the next FIXME gets fixed or this gets some 107 107 - # common derivation infra. Too much copy-paste to fix one by one. 108 108 - doCheck = false; 109 109 - 110 110 - # FIXME: convert these to a single multiple-outputs package? 111 111 - 112 112 - libapparmor = stdenv.mkDerivation { 113 113 - pname = "libapparmor"; 114 114 - version = apparmor-version; 115 115 - 116 116 - src = apparmor-sources; 117 117 - 118 118 - # checking whether python bindings are enabled... yes 119 119 - # checking for python3... no 120 120 - # configure: error: python is required when enabling python bindings 121 121 - strictDeps = false; 122 122 - 123 123 - nativeBuildInputs = [ 124 124 - autoconf-archive 125 125 - autoreconfHook 126 126 - bison 127 127 - flex 128 128 - pkg-config 129 129 - swig 130 130 - ncurses 131 131 - which 132 132 - perl 133 133 - ] ++ lib.optional withPython python; 134 134 - 135 135 - buildInputs = [ libxcrypt ] ++ lib.optional withPerl perl ++ lib.optional withPython python; 136 136 - 137 137 - # required to build apparmor-parser 138 138 - dontDisableStatic = true; 139 139 - 140 140 - prePatch = 141 141 - prePatchCommon 142 142 - + '' 143 143 - substituteInPlace ./libraries/libapparmor/swig/perl/Makefile.am --replace install_vendor install_site 144 144 - ''; 145 145 - inherit patches; 146 146 - 147 147 - postPatch = '' 148 148 - cd ./libraries/libapparmor 149 149 - ''; 150 150 - 151 151 - # https://gitlab.com/apparmor/apparmor/issues/1 152 152 - configureFlags = [ 153 153 - (lib.withFeature withPerl "perl") 154 154 - (lib.withFeature withPython "python") 155 155 - ]; 156 156 - 157 157 - outputs = [ "out" ] ++ lib.optional withPython "python"; 158 158 - 159 159 - postInstall = lib.optionalString withPython '' 160 160 - mkdir -p $python/lib 161 161 - mv $out/lib/python* $python/lib/ 162 162 - ''; 163 163 - 164 164 - inherit doCheck; 165 165 - 166 166 - meta = apparmor-meta "library"; 167 167 - }; 168 168 - 169 169 - apparmor-utils = python.pkgs.buildPythonApplication { 170 170 - pname = "apparmor-utils"; 171 171 - version = apparmor-version; 172 172 - format = "other"; 173 173 - 174 174 - src = apparmor-sources; 175 175 - 176 176 - strictDeps = true; 177 177 - 178 178 - nativeBuildInputs = [ 179 179 - makeWrapper 180 180 - which 181 181 - python 182 182 - ]; 183 183 - 184 184 - buildInputs = [ 185 185 - bash 186 186 - perl 187 187 - python 188 188 - libapparmor 189 189 - (libapparmor.python or null) 190 190 - ]; 191 191 - 192 192 - propagatedBuildInputs = [ 193 193 - (libapparmor.python or null) 194 194 - 195 195 - # Used by aa-notify 196 196 - python.pkgs.notify2 197 197 - python.pkgs.psutil 198 198 - ]; 199 199 - 200 200 - prePatch = 201 201 - prePatchCommon 202 202 - + 203 203 - # Do not build vim file 204 204 - lib.optionalString stdenv.hostPlatform.isMusl '' 205 205 - sed -i ./utils/Makefile -e "/\<vim\>/d" 206 206 - '' 207 207 - + '' 208 208 - sed -i -E 's/^(DESTDIR|BINDIR|PYPREFIX)=.*//g' ./utils/Makefile 209 209 - 210 210 - sed -i utils/aa-unconfined -e "/my_env\['PATH'\]/d" 211 211 - 212 212 - substituteInPlace utils/aa-remove-unknown \ 213 213 - --replace "/lib/apparmor/rc.apparmor.functions" "${apparmor-parser}/lib/apparmor/rc.apparmor.functions" 214 214 - ''; 215 215 - inherit patches; 216 216 - postPatch = "cd ./utils"; 217 217 - makeFlags = [ "LANGS=" ]; 218 218 - installFlags = [ 219 219 - "DESTDIR=$(out)" 220 220 - "BINDIR=$(out)/bin" 221 221 - "VIM_INSTALL_PATH=$(out)/share" 222 222 - "PYPREFIX=" 223 223 - ]; 224 224 - 225 225 - postInstall = '' 226 226 - wrapProgram $out/bin/aa-remove-unknown \ 227 227 - --prefix PATH : ${lib.makeBinPath [ gawk ]} 228 228 - 229 229 - ln -s ${aa-teardown} $out/bin/aa-teardown 230 230 - ''; 231 231 - 232 232 - inherit doCheck; 233 233 - 234 234 - meta = apparmor-meta "user-land utilities" // { 235 235 - broken = !(withPython && withPerl); 236 236 - }; 237 237 - }; 238 238 - 239 239 - apparmor-bin-utils = stdenv.mkDerivation { 240 240 - pname = "apparmor-bin-utils"; 241 241 - version = apparmor-version; 242 242 - 243 243 - src = apparmor-sources; 244 244 - 245 245 - nativeBuildInputs = [ 246 246 - pkg-config 247 247 - libapparmor 248 248 - which 249 249 - ]; 250 250 - 251 251 - buildInputs = [ 252 252 - libapparmor 253 253 - ]; 254 254 - 255 255 - prePatch = prePatchCommon; 256 256 - postPatch = '' 257 257 - cd ./binutils 258 258 - ''; 259 259 - makeFlags = [ 260 260 - "LANGS=" 261 261 - "USE_SYSTEM=1" 262 262 - ]; 263 263 - installFlags = [ 264 264 - "DESTDIR=$(out)" 265 265 - "BINDIR=$(out)/bin" 266 266 - "SBINDIR=$(out)/bin" 267 267 - ]; 268 268 - 269 269 - inherit doCheck; 270 270 - 271 271 - meta = apparmor-meta "binary user-land utilities"; 272 272 - }; 273 273 - 274 274 - apparmor-parser = stdenv.mkDerivation { 275 275 - pname = "apparmor-parser"; 276 276 - version = apparmor-version; 277 277 - 278 278 - src = apparmor-sources; 279 279 - 280 280 - nativeBuildInputs = [ 281 281 - bison 282 282 - flex 283 283 - which 284 284 - ]; 285 285 - 286 286 - buildInputs = [ libapparmor ]; 287 287 - 288 288 - prePatch = 289 289 - prePatchCommon 290 290 - + '' 291 291 - ## techdoc.pdf still doesn't build ... 292 292 - substituteInPlace ./parser/Makefile \ 293 293 - --replace "/usr/bin/bison" "${bison}/bin/bison" \ 294 294 - --replace "/usr/bin/flex" "${flex}/bin/flex" \ 295 295 - --replace "/usr/include/linux/capability.h" "${linuxHeaders}/include/linux/capability.h" \ 296 296 - --replace "manpages htmlmanpages pdf" "manpages htmlmanpages" 297 297 - substituteInPlace parser/rc.apparmor.functions \ 298 298 - --replace "/sbin/apparmor_parser" "$out/bin/apparmor_parser" 299 299 - sed -i parser/rc.apparmor.functions -e '2i . ${./fix-rc.apparmor.functions.sh}' 300 300 - ''; 301 301 - inherit patches; 302 302 - postPatch = '' 303 303 - cd ./parser 304 304 - ''; 305 305 - makeFlags = [ 306 306 - "LANGS=" 307 307 - "USE_SYSTEM=1" 308 308 - "INCLUDEDIR=${libapparmor}/include" 309 309 - "AR=${stdenv.cc.bintools.targetPrefix}ar" 310 310 - ]; 311 311 - installFlags = [ 312 312 - "DESTDIR=$(out)" 313 313 - "DISTRO=unknown" 314 314 - ]; 315 315 - 316 316 - inherit doCheck; 317 317 - 318 318 - meta = apparmor-meta "rule parser"; 319 319 - }; 320 320 - 321 321 - apparmor-pam = stdenv.mkDerivation { 322 322 - pname = "apparmor-pam"; 323 323 - version = apparmor-version; 324 324 - 325 325 - src = apparmor-sources; 326 326 - 327 327 - nativeBuildInputs = [ 328 328 - pkg-config 329 329 - which 330 330 - ]; 331 331 - 332 332 - buildInputs = [ 333 333 - libapparmor 334 334 - pam 335 335 - ]; 336 336 - 337 337 - postPatch = '' 338 338 - cd ./changehat/pam_apparmor 339 339 - ''; 340 340 - makeFlags = [ "USE_SYSTEM=1" ]; 341 341 - installFlags = [ "DESTDIR=$(out)" ]; 342 342 - 343 343 - inherit doCheck; 344 344 - 345 345 - meta = apparmor-meta "PAM service"; 346 346 - }; 347 347 - 348 348 - apparmor-profiles = stdenv.mkDerivation { 349 349 - pname = "apparmor-profiles"; 350 350 - version = apparmor-version; 351 351 - 352 352 - src = apparmor-sources; 353 353 - 354 354 - nativeBuildInputs = [ which ]; 355 355 - 356 356 - postPatch = '' 357 357 - cd ./profiles 358 358 - ''; 359 359 - 360 360 - installFlags = [ 361 361 - "DESTDIR=$(out)" 362 362 - "EXTRAS_DEST=$(out)/share/apparmor/extra-profiles" 363 363 - ]; 364 364 - 365 365 - inherit doCheck; 366 366 - 367 367 - meta = apparmor-meta "profiles"; 368 368 - }; 369 369 - 370 370 - apparmor-kernel-patches = stdenv.mkDerivation { 371 371 - pname = "apparmor-kernel-patches"; 372 372 - version = apparmor-version; 373 373 - 374 374 - src = apparmor-sources; 375 375 - 376 376 - dontBuild = true; 377 377 - 378 378 - installPhase = '' 379 379 - mkdir "$out" 380 380 - cp -R ./kernel-patches/* "$out" 381 381 - ''; 382 382 - 383 383 - inherit doCheck; 384 384 - 385 385 - meta = apparmor-meta "kernel patches"; 386 386 - }; 387 387 - 388 388 - # Generate generic AppArmor rules in a file, from the closure of given 389 389 - # rootPaths. To be included in an AppArmor profile like so: 390 390 - # 391 391 - # include "${apparmorRulesFromClosure { } [ pkgs.hello ]}" 392 392 - apparmorRulesFromClosure = 393 393 - { 394 394 - # The store path of the derivation is given in $path 395 395 - additionalRules ? [ ], 396 396 - # TODO: factorize here some other common paths 397 397 - # that may emerge from use cases. 398 398 - baseRules ? [ 399 399 - "r $path" 400 400 - "r $path/etc/**" 401 401 - "mr $path/share/**" 402 402 - # Note that not all libraries are prefixed with "lib", 403 403 - # eg. glibc-2.30/lib/ld-2.30.so 404 404 - "mr $path/lib/**.so*" 405 405 - "mr $path/lib64/**.so*" 406 406 - # eg. glibc-2.30/lib/gconv/gconv-modules 407 407 - "r $path/lib/**" 408 408 - "r $path/lib64/**" 409 409 - # Internal executables 410 410 - "ixr $path/libexec/**" 411 411 - ], 412 412 - name ? "", 413 413 - }: 414 414 - rootPaths: 415 415 - runCommand ("apparmor-closure-rules" + lib.optionalString (name != "") "-${name}") { } '' 416 416 - touch $out 417 417 - while read -r path 418 418 - do printf >>$out "%s,\n" ${ 419 419 - lib.concatMapStringsSep " " (x: "\"${x}\"") (baseRules ++ additionalRules) 420 420 - } 421 421 - done <${closureInfo { inherit rootPaths; }}/store-paths 422 422 - ''; 423 423 - in 424 424 - { 425 425 - inherit 426 426 - libapparmor 427 427 - apparmor-utils 428 428 - apparmor-bin-utils 429 429 - apparmor-parser 430 430 - apparmor-pam 431 431 - apparmor-profiles 432 432 - apparmor-kernel-patches 433 433 - apparmorRulesFromClosure 434 434 - ; 435 435 - }

pkgs/os-specific/linux/apparmor/fix-rc.apparmor.functions.sh pkgs/by-name/ap/apparmor-parser/fix-rc.apparmor.functions.sh

reviewed

+1

pkgs/top-level/aliases.nix

reviewed

··· 290 290 apacheKafka_3_6 = throw "apacheKafka_2_8 through _3_6 have been removed from nixpkgs as outdated"; # Added 2024-11-27 291 291 antimicroX = throw "'antimicroX' has been renamed to/replaced by 'antimicrox'"; # Converted to throw 2024-10-17 292 292 apacheAnt = ant; # Added 2024-11-28 293 293 + apparmor-kernel-patches = throw "'apparmor-kernel-patches' has been removed as they were unmaintained, irrelevant and effectively broken"; # Added 2025-04-20 293 294 appimagekit = throw "'appimagekit' has been removed as it was broken in nixpkgs and archived upstream"; # Added 2025-04-19 294 295 apple-sdk_10_12 = throw "apple-sdk_10_12 was removed as Nixpkgs no longer supports macOS 10.12; see the 25.05 release notes"; # Added 2024-10-27 295 296 apple-sdk_10_13 = throw "apple-sdk_10_13 was removed as Nixpkgs no longer supports macOS 10.13; see the 25.05 release notes"; # Added 2024-10-27

+1 -10

pkgs/top-level/all-packages.nix

reviewed

··· 11657 11657 armTrustedFirmwareS905 11658 11658 ; 11659 11659 11660 11660 - inherit (callPackages ../os-specific/linux/apparmor { }) 11661 11661 - libapparmor 11662 11662 - apparmor-utils 11663 11663 - apparmor-bin-utils 11664 11664 - apparmor-parser 11665 11665 - apparmor-pam 11666 11666 - apparmor-profiles 11667 11667 - apparmor-kernel-patches 11668 11668 - apparmorRulesFromClosure 11669 11669 - ; 11660 11660 + inherit (libapparmor.passthru) apparmorRulesFromClosure; 11670 11661 11671 11662 ath9k-htc-blobless-firmware = callPackage ../os-specific/linux/firmware/ath9k { }; 11672 11663 ath9k-htc-blobless-firmware-unstable = callPackage ../os-specific/linux/firmware/ath9k {