
Merge pull request #242538 from tnias/fix/apparmor

apparmor: add some policies and improve abstractions and utils

authored by

ajs124 and committed by
GitHub
bf4d2e6c 69a04542

+77 -17
+7 -2
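--- a/nixos/modules/security/apparmor/includes.nix
+++ b/nixos/modules/security/apparmor/includes.nix
@@ -62,7 +62,7 @@
     include "${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/base"
     r ${pkgs.stdenv.cc.libc}/share/locale/**,
     r ${pkgs.stdenv.cc.libc}/share/locale.alias,
-    ${lib.optionalString (pkgs.glibcLocales != null) "r ${pkgs.glibcLocales}/lib/locale/locale-archive,"}
+    r ${config.i18n.glibcLocales}/lib/locale/locale-archive,
     ${etcRule "localtime"}
     r ${pkgs.tzdata}/share/zoneinfo/**,
     r ${pkgs.stdenv.cc.libc}/share/i18n/**,
@@ -72,7 +72,7 @@
 
     # bash inspects filesystems at startup
     # and /etc/mtab is linked to /proc/mounts
-    @{PROC}/mounts
+    r @{PROC}/mounts,
 
     # system-wide bash configuration
   '' + lib.concatMapStringsSep "\n" etcRule [
@@ -211,6 +211,9 @@
   "abstractions/nis" = ''
     include "${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/nis"
   '';
+  "abstractions/nss-systemd" = ''
+    include "${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/nss-systemd"
+  '';
   "abstractions/nvidia" = ''
     include "${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/nvidia"
     ${etcRule "vdpau_wrapper.cfg"}
@@ -278,6 +281,8 @@
     r /var/lib/acme/*/cert.pem,
     r /var/lib/acme/*/chain.pem,
     r /var/lib/acme/*/fullchain.pem,
+
+    r /etc/pki/tls/certs/,
 
   '' + lib.concatMapStringsSep "\n" etcRule [
     "ssl/certs/ca-certificates.crt"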
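Review bot: The new `r /etc/pki/tls/certs/,` rule in the ssl_certs abstraction (fourth hunk) grants read access to the directory entry itself only, not to any file beneath it, so a confined program that opens the CA bundle NixOS places in that directory would still be denied. If reading that bundle is the intent, the file needs its own rule, and since it is an `environment.etc` entry it should go through the helper the surrounding lines already use so the `/etc/static` symlink target is covered as well, e.g. `"pki/tls/certs/ca-bundle.crt"` added to the `etcRule` list that follows. If only the directory listing is intended, a one-line comment saying so would keep the next reader from "fixing" it. The abstraction string this hunk edits continues outside the hunk.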
+32
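--- a/nixos/modules/services/networking/murmur.nix
+++ b/nixos/modules/services/networking/murmur.nix
@@ -355,5 +355,37 @@
       '';
       destination = "/share/dbus-1/system.d/murmur.conf";
     })];
+
+    security.apparmor.policies."bin.mumble-server".profile = ''
+      include <tunables/global>
+
+      ${cfg.package}/bin/{mumble-server,.mumble-server-wrapped} {
+        include <abstractions/base>
+        include <abstractions/nameservice>
+        include <abstractions/ssl_certs>
+        include "${pkgs.apparmorRulesFromClosure { name = "mumble-server"; } cfg.package}"
+        pix ${cfg.package}/bin/.mumble-server-wrapped,
+
+        r ${config.environment.etc."os-release".source},
+        r ${config.environment.etc."lsb-release".source},
+        owner rwk /var/lib/murmur/murmur.sqlite,
+        owner rw /var/lib/murmur/murmur.sqlite-journal,
+        owner r /var/lib/murmur/,
+        r /run/murmur/murmurd.pid,
+        r /run/murmur/murmurd.ini,
+        r ${configFile},
+    '' + optionalString (cfg.logFile != null) ''
+        rw ${cfg.logFile},
+    '' + optionalString (cfg.sslCert != "") ''
+        r ${cfg.sslCert},
+    '' + optionalString (cfg.sslKey != "") ''
+        r ${cfg.sslKey},
+    '' + optionalString (cfg.sslCa != "") ''
+        r ${cfg.sslCa},
+    '' + optionalString (cfg.dbus != null) ''
+        dbus bus=${cfg.dbus}
+    '' + ''
+      }
+    '';
   };
 }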
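Review bot: The `dbus bus=${cfg.dbus}` rule near the end of the new profile carries no access (`send`/`receive`/`bind`), `name=` or `path=` qualifier, so it allows every D-Bus operation on that bus rather than just the service murmur needs to own and answer on; the bus name is presumably the one permitted by the murmur.conf policy written just above the hunk, but it is not visible here. Narrowing it to something like `dbus bind bus=${cfg.dbus} name=<murmur bus name>` plus `dbus (send, receive) bus=${cfg.dbus}` keeps the profile least-privilege without changing what the test exercises. The `/var/lib/murmur/` and `/run/murmur/` paths are literal while `configFile` and `logFile` are parameterised; if the module derives those directories from an option elsewhere (outside this hunk), the profile should reference the same value so the two cannot drift. The attribute set this hunk adds to continues outside the hunk.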
+12
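--- a/nixos/modules/services/web-apps/miniflux.nix
+++ b/nixos/modules/services/web-apps/miniflux.nix
@@ -130,5 +130,17 @@
       environment = cfg.config;
     };
     environment.systemPackages = [ cfg.package ];
+
+    security.apparmor.policies."bin.miniflux".profile = ''
+      include <tunables/global>
+      ${cfg.package}/bin/miniflux {
+        include <abstractions/base>
+        include <abstractions/nameservice>
+        include <abstractions/ssl_certs>
+        include "${pkgs.apparmorRulesFromClosure { name = "miniflux"; } cfg.package}"
+        r ${cfg.package}/bin/miniflux,
+        r @{sys}/kernel/mm/transparent_hugepage/hpage_pmd_size,
+      }
+    '';
   };
 }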
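Review bot: The rule `r @{sys}/kernel/mm/transparent_hugepage/hpage_pmd_size,` is the one non-obvious entry in the new profile and nothing records why it is there, so a later cleanup is likely to drop it and reintroduce the denial the test now guards against. A why-comment on that line would settle it, e.g. `# read by the Go runtime at startup (presumably; a denial here shows up in nixos/tests/miniflux.nix)`. The same applies to `r ${cfg.package}/bin/miniflux,` — a self-read rule on the attached binary deserves a short note on which code path needs it. The attribute set this hunk adds to continues outside the hunk.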
+6
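--- a/nixos/tests/miniflux.nix
+++ b/nixos/tests/miniflux.nix
@@ -25,6 +25,7 @@
       default =
         { ... }:
         {
+          security.apparmor.enable = true;
           services.miniflux = {
             enable = true;
             inherit adminCredentialsFile;
@@ -34,6 +35,7 @@
       withoutSudo =
         { ... }:
         {
+          security.apparmor.enable = true;
           services.miniflux = {
             enable = true;
             inherit adminCredentialsFile;
@@ -44,6 +46,7 @@
       customized =
         { ... }:
         {
+          security.apparmor.enable = true;
           services.miniflux = {
             enable = true;
             config = {
@@ -63,6 +66,7 @@
       default.succeed(
           "curl 'http://localhost:${toString defaultPort}/v1/me' -u '${defaultUsername}:${defaultPassword}' -H Content-Type:application/json | grep '\"is_admin\":true'"
       )
+      default.fail('journalctl -b --no-pager --grep "^audit: .*apparmor=\\"DENIED\\""')
 
       withoutSudo.wait_for_unit("miniflux.service")
       withoutSudo.wait_for_open_port(${toString defaultPort})
@@ -70,6 +74,7 @@
       withoutSudo.succeed(
           "curl 'http://localhost:${toString defaultPort}/v1/me' -u '${defaultUsername}:${defaultPassword}' -H Content-Type:application/json | grep '\"is_admin\":true'"
       )
+      withoutSudo.fail('journalctl -b --no-pager --grep "^audit: .*apparmor=\\"DENIED\\""')
 
       customized.wait_for_unit("miniflux.service")
       customized.wait_for_open_port(${toString port})
@@ -77,5 +82,6 @@
       customized.succeed(
           "curl 'http://localhost:${toString port}/v1/me' -u '${username}:${password}' -H Content-Type:application/json | grep '\"is_admin\":true'"
       )
+      customized.fail('journalctl -b --no-pager --grep "^audit: .*apparmor=\\"DENIED\\""')
     '';
   })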
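Review bot: The three `fail('journalctl ... apparmor=\\"DENIED\\"')` assertions are purely negative: if the profile failed to parse, never loaded, or ended up in complain mode, no DENIED line is ever logged and the test passes without having exercised confinement at all. Each node should pair it with a positive check that the profile is loaded in enforce mode, e.g. `default.succeed("grep -F '/bin/miniflux (enforce)' /sys/kernel/security/apparmor/profiles")`; the same gap applies to the `server.fail(...)` added in nixos/tests/mumble.nix. The identical grep string is also copied three times here, so a small helper defined once at the top of the test script would keep the copies from drifting.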
+4
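--- a/nixos/tests/mumble.nix
+++ b/nixos/tests/mumble.nix
@@ -20,6 +20,7 @@
 
   nodes = {
     server = { config, ... }: {
+      security.apparmor.enable = true;
       services.murmur.enable = true;
       services.murmur.registerName = "NixOS tests";
       services.murmur.password = "$MURMURD_PASSWORD";
@@ -81,5 +82,8 @@
     server.sleep(5) # wait to get screenshot
     client1.screenshot("screen1")
     client2.screenshot("screen2")
+
+    # check if apparmor denied anything
+    server.fail('journalctl -b --no-pager --grep "^audit: .*apparmor=\\"DENIED\\""')
   '';
 })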
+16 -15
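--- a/pkgs/os-specific/linux/apparmor/default.nix
+++ b/pkgs/os-specific/linux/apparmor/default.nix
@@ -128,9 +128,10 @@
     meta = apparmor-meta "library";
   };
 
-  apparmor-utils = stdenv.mkDerivation {
+  apparmor-utils = python.pkgs.buildPythonApplication {
     pname = "apparmor-utils";
     version = apparmor-version;
+    format = "other";
 
     src = apparmor-sources;
 
@@ -146,14 +147,25 @@
       libapparmor.python
     ];
 
+    propagatedBuildInputs = [
+      libapparmor.python
+
+      # Used by aa-notify
+      python.pkgs.notify2
+      python.pkgs.psutil
+    ];
+
     prePatch = prePatchCommon +
       # Do not build vim file
       lib.optionalString stdenv.hostPlatform.isMusl ''
         sed -i ./utils/Makefile -e "/\<vim\>/d"
       '' + ''
-        for file in utils/apparmor/easyprof.py utils/apparmor/aa.py utils/logprof.conf; do
-          substituteInPlace $file --replace "/sbin/apparmor_parser" "${apparmor-parser}/bin/apparmor_parser"
-        done
+        sed -i -E 's/^(DESTDIR|BINDIR|PYPREFIX)=.*//g' ./utils/Makefile
+
+        sed -i utils/aa-unconfined -e "/my_env\['PATH'\]/d"
+
+        substituteInPlace utils/aa-remove-unknown \
+          --replace "/lib/apparmor/rc.apparmor.functions" "${apparmor-parser}/lib/apparmor/rc.apparmor.functions"
       '';
     inherit patches;
     postPatch = "cd ./utils";
@@ -161,17 +173,6 @@
     installFlags = [ "DESTDIR=$(out)" "BINDIR=$(out)/bin" "VIM_INSTALL_PATH=$(out)/share" "PYPREFIX=" ];
 
     postInstall = ''
-      sed -i $out/bin/aa-unconfined -e "/my_env\['PATH'\]/d"
-      for prog in aa-audit aa-autodep aa-cleanprof aa-complain aa-disable aa-enforce aa-genprof aa-logprof aa-mergeprof aa-unconfined ; do
-        wrapProgram $out/bin/$prog --prefix PYTHONPATH : "$out/lib/${python.sitePackages}:$PYTHONPATH"
-      done
-
-      substituteInPlace $out/bin/aa-notify \
-        --replace /usr/bin/notify-send ${libnotify}/bin/notify-send \
-        --replace /usr/bin/perl "${perl}/bin/perl -I ${libapparmor}/${perl.libPrefix}"
-
-      substituteInPlace $out/bin/aa-remove-unknown \
-        --replace "/lib/apparmor/rc.apparmor.functions" "${apparmor-parser}/lib/apparmor/rc.apparmor.functions"
       wrapProgram $out/bin/aa-remove-unknown \
         --prefix PATH : ${lib.makeBinPath [ gawk ]}
 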
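Review bot: The last hunk drops the postInstall rewrite of `/usr/bin/notify-send` and `/usr/bin/perl` inside aa-notify without anything in the new code taking its place, and the only hint is the `# Used by aa-notify` comment on the new `notify2`/`psutil` inputs in the second hunk. That comment should say explicitly that aa-notify is now a Python script that uses notify2 instead of executing notify-send, which is presumably the reason the substitution is no longer needed; if aa-notify still execs an absolute path anywhere, the substitution has to come back or the tool silently breaks at runtime. The removed lines were also the only visible users of `libnotify` and `perl`, so those inputs (declared outside the hunk) may now be dead. The new `sed -i -E 's/^(DESTDIR|BINDIR|PYPREFIX)=.*//g' ./utils/Makefile` in the second hunk deserves a one-line why-comment too, since `installFlags` still passes those same variables.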