Merge pull request #6771 from joachifm/apparmor-2.9

Apparmor 2.9

+254 -33
+51 -33
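--- a/nixos/modules/security/apparmor.nix
+++ b/nixos/modules/security/apparmor.nix
@@ -1,43 +1,61 @@
 { config, lib, pkgs, ... }:
 
-with lib;
-
 let
+inherit (lib) mkIf mkOption types concatMapStrings;
 cfg = config.security.apparmor;
 in
+
 {
-options = {
-security.apparmor = {
-enable = mkOption {
-type = types.bool;
-default = false;
-description = "Enable the AppArmor Mandatory Access Control system.";
-};
+#### interface
+options = {
 
-profiles = mkOption {
-type = types.listOf types.path;
-default = [];
-description = "List of files containing AppArmor profiles.";
-};
-};
-};
+security.apparmor = {
 
-config = mkIf cfg.enable {
-environment.systemPackages = [ pkgs.apparmor ];
-systemd.services.apparmor = {
-wantedBy = [ "local-fs.target" ];
-path = [ pkgs.apparmor ];
+enable = mkOption {
+type = types.bool;
+default = false;
+description = "Enable the AppArmor Mandatory Access Control system.";
+};
 
-serviceConfig = {
-Type = "oneshot";
-RemainAfterExit = "yes";
-ExecStart = concatMapStrings (profile:
-''${pkgs.apparmor}/sbin/apparmor_parser -rKv -I ${pkgs.apparmor}/etc/apparmor.d/ "${profile}" ; ''
-) cfg.profiles;
-ExecStop = concatMapStrings (profile:
-''${pkgs.apparmor}/sbin/apparmor_parser -Rv -I ${pkgs.apparmor}/etc/apparmor.d/ "${profile}" ; ''
-) cfg.profiles;
-};
-};
-};
+profiles = mkOption {
+type = types.listOf types.path;
+default = [];
+description = "List of files containing AppArmor profiles.";
+};
+
+};
+
+};
+
+#### implementation
+config = mkIf cfg.enable {
+
+environment.systemPackages = [
+pkgs.apparmor-utils
+];
+
+systemd.services.apparmor = {
+wantedBy = [ "local-fs.target" ];
+
+serviceConfig = {
+Type = "oneshot";
+RemainAfterExit = "yes";
+ExecStart = concatMapStrings (p:
+''${pkgs.apparmor-parser}/bin/apparmor_parser -rKv -I ${pkgs.apparmor-profiles}/etc/apparmor.d "${p}" ; ''
+) cfg.profiles;
+ExecStop = concatMapStrings (p:
+''${pkgs.apparmor-parser}/bin/apparmor_parser -Rv "${p}" ; ''
+) cfg.profiles;
+};
+};
+
+security.pam.services.apparmor.text = ''
+## The AppArmor service changes hats according to order: first try
+## user, then group, and finally fall back to a hat called "DEFAULT"
+##
+## For now, enable debugging as this is an experimental feature.
+session optional ${pkgs.apparmor-pam}/lib/security/pam_apparmor.so order=user,group,default debug
+'';
+
+};
 }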
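Review bot: The new ExecStop (new line 47) drops the `-I` include directory that ExecStart (new lines 43-44) and both old commands passed, yet `apparmor_parser -R` still has to parse the profile to learn which profiles to unload, so a profile that pulls in tunables or abstractions via `#include` may fail to parse at stop time and stay loaded. Mirroring the start command, `''${pkgs.apparmor-parser}/bin/apparmor_parser -Rv -I ${pkgs.apparmor-profiles}/etc/apparmor.d "${p}" ; ''`, keeps the two paths consistent. The module also switches from the old `sbin/apparmor_parser` to `${pkgs.apparmor-parser}/bin/apparmor_parser`; the parser derivation in this PR installs with a bare `DESTDIR="$out"`, so it is worth confirming the binary really lands under `bin/` rather than `sbin/`. Finally, the PAM line ships with `debug` enabled on every session; since the comment calls this temporary, a `# TODO: drop debug once pam_apparmor is no longer experimental` marker would keep that from being forgotten.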
+196
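--- /dev/null
+++ b/pkgs/os-specific/linux/apparmor/2.9/default.nix
@@ -0,0 +1,196 @@
+{ stdenv, fetchurl, autoconf, automake, libtool, pkgconfig, perl, which
+, glibc, flex, bison, python27, swig, dbus, pam
+}:
+
+let
+apparmor-series = "2.9";
+apparmor-patchver = "1";
+apparmor-version = "${apparmor-series}.${apparmor-patchver}";
+
+apparmor-meta = component: with stdenv.lib; {
+homepage = http://apparmor.net/;
+description = "Linux application security system - ${component}";
+license = licenses.gpl2;
+maintainers = with maintainers; [ phreedom thoughtpolice joachifm ];
+platforms = platforms.linux;
+};
+
+apparmor-sources = fetchurl {
+url = "https://launchpad.net/apparmor/${apparmor-series}/${apparmor-version}/+download/apparmor-${apparmor-version}.tar.gz";
+sha256 = "a63b8724c36c29ed438c9e3ca403bfeeb6c998a45990e300aa1b10faa23a0a22";
+};
+
+libapparmor = stdenv.mkDerivation {
+name = "libapparmor-${apparmor-version}";
+src = apparmor-sources;
+
+buildInputs = [
+autoconf
+automake
+bison
+flex
+dbus # requires patch to dbus ...
+glibc
+libtool
+perl
+pkgconfig
+python27
+swig
+which
+];
+
+prePatch = ''
+### common
+substituteInPlace ./common/Make.rules --replace "/usr/bin/pod2man" "${perl}/bin/pod2man"
+substituteInPlace ./common/Make.rules --replace "/usr/bin/pod2html" "${perl}/bin/pod2html"
+substituteInPlace ./common/Make.rules --replace "/usr/include/linux/capability.h" "${glibc}/include/linux/capability.h"
+
+### libapparmor
+substituteInPlace ./libraries/libapparmor/src/Makefile.am --replace "/usr/include/netinet/in.h" "${glibc}/include/netinet/in.h"
+substituteInPlace ./libraries/libapparmor/src/Makefile.in --replace "/usr/include/netinet/in.h" "${glibc}/include/netinet/in.h"
+'';
+
+buildPhase = ''
+### libapparmor
+cd ./libraries/libapparmor
+./autogen.sh
+./configure --prefix="$out" --with-python
+make
+'';
+
+installPhase = ''
+make install
+'';
+
+meta = apparmor-meta "library";
+};
+
+apparmor-utils = stdenv.mkDerivation {
+name = "apparmor-utils-${apparmor-version}";
+src = apparmor-sources;
+
+buildInputs = [
+python27
+libapparmor
+which
+];
+
+prePatch = ''
+### common
+substituteInPlace ./common/Make.rules --replace "/usr/bin/pod2man" "${perl}/bin/pod2man"
+substituteInPlace ./common/Make.rules --replace "/usr/bin/pod2html" "${perl}/bin/pod2html"
+substituteInPlace ./common/Make.rules --replace "/usr/include/linux/capability.h" "${glibc}/include/linux/capability.h"
+'';
+
+buildPhase = ''
+cd ./utils
+make LANGS=""
+'';
+
+installPhase = ''
+make install LANGS="" DESTDIR="$out" BINDIR="$out/bin"
+'';
+
+meta = apparmor-meta "user-land utilities";
+};
+
+apparmor-parser = stdenv.mkDerivation {
+name = "apparmor-parser-${apparmor-version}";
+src = apparmor-sources;
+
+buildInputs = [
+libapparmor
+bison
+flex
+which
+];
+
+prePatch = ''
+### common
+substituteInPlace ./common/Make.rules --replace "/usr/bin/pod2man" "${perl}/bin/pod2man"
+substituteInPlace ./common/Make.rules --replace "/usr/bin/pod2html" "${perl}/bin/pod2html"
+substituteInPlace ./common/Make.rules --replace "/usr/include/linux/capability.h" "${glibc}/include/linux/capability.h"
+
+### apparmor-parser
+substituteInPlace ./parser/Makefile --replace "/usr/bin/bison" "${bison}/bin/bison"
+substituteInPlace ./parser/Makefile --replace "/usr/bin/flex" "${flex}/bin/flex"
+substituteInPlace ./parser/Makefile --replace "/usr/include/linux/capability.h" "${glibc}/include/linux/capability.h"
+## techdoc.pdf still doesn't build ...
+substituteInPlace ./parser/Makefile --replace "manpages htmlmanpages pdf" "manpages htmlmanpages"
+'';
+
+buildPhase = ''
+cd ./parser
+make LANGS="" USE_SYSTEM=1 INCLUDEDIR=${libapparmor}/include
+'';
+
+installPhase = ''
+make install LANGS="" USE_SYSTEM=1 INCLUDEDIR=${libapparmor}/include DESTDIR="$out" DISTRO="unknown"
+'';
+
+meta = apparmor-meta "rule parser";
+};
+
+apparmor-pam = stdenv.mkDerivation {
+name = "apparmor-pam-${apparmor-version}";
+src = apparmor-sources;
+
+buildInputs = [
+libapparmor
+pam
+pkgconfig
+which
+];
+
+buildPhase = ''
+cd ./changehat/pam_apparmor
+make USE_SYSTEM=1
+'';
+
+installPhase = ''
+make install DESTDIR="$out"
+'';
+
+meta = apparmor-meta "PAM service";
+};
+
+apparmor-profiles = stdenv.mkDerivation {
+name = "apparmor-profiles-${apparmor-version}";
+src = apparmor-sources;
+
+buildInputs = [
+which
+];
+
+buildPhase = ''
+cd ./profiles
+make
+'';
+
+installPhase = ''
+make install DESTDIR="$out"
+'';
+
+meta = apparmor-meta "profiles";
+};
+
+apparmor-kernel-patches = stdenv.mkDerivation {
+name = "apparmor-kernel-patches-${apparmor-version}";
+src = apparmor-sources;
+
+phases = ''unpackPhase installPhase'';
+
+installPhase = ''
+mkdir "$out"
+cp -R ./kernel-patches "$out"
+'';
+
+meta = apparmor-meta "kernel patches";
+};
+
+in
+
+{
+inherit libapparmor apparmor-utils apparmor-parser apparmor-pam
+apparmor-profiles apparmor-kernel-patches;
+}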
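Review bot: The `dbus # requires patch to dbus ...` entry in libapparmor's buildInputs (new line 32) trails off without saying what dbus is needed for or whether a patch is still missing, which a later maintainer cannot act on; it should either be completed, e.g. `dbus # needed for the libapparmor dbus helpers; upstream expects a patched dbus, see <TRACKING-ISSUE>`, or the input dropped if nothing in the build uses it. libapparmor is configured with `--with-python` and apparmor-utils builds the Python tools against python27 (new lines 57 and 73), but nothing in this derivation wraps the installed utilities to find libapparmor's Python bindings at runtime, so it is worth confirming they start outside the build sandbox. The parser and pam derivations install with a bare `DESTDIR="$out"` (new lines 128 and 151) while apparmor-utils also passes `BINDIR="$out/bin"`; a short comment on each stating where the files are expected to land would make the module's `bin/apparmor_parser` and `lib/security/pam_apparmor.so` references easier to check.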
+7
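--- a/pkgs/top-level/all-packages.nix
+++ b/pkgs/top-level/all-packages.nix
@@ -8561,6 +8561,13 @@
 perl = perl516; # ${perl}/.../CORE/handy.h:124:34: error: 'bool' undeclared
 };
 
+apparmor_2_9 = callPackage ../os-specific/linux/apparmor/2.9 { };
+libapparmor = apparmor_2_9.libapparmor;
+apparmor-pam = apparmor_2_9.apparmor-pam;
+apparmor-parser = apparmor_2_9.apparmor-parser;
+apparmor-profiles = apparmor_2_9.apparmor-profiles;
+apparmor-utils = apparmor_2_9.apparmor-utils;
+
 atop = callPackage ../os-specific/linux/atop { };
 
 audit = callPackage ../os-specific/linux/audit { };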