diff --git a/nixos/modules/security/apparmor/includes.nix b/nixos/modules/security/apparmor/includes.nix index adfca04426ca..88051de484c5 100644 --- a/nixos/modules/security/apparmor/includes.nix +++ b/nixos/modules/security/apparmor/includes.nix @@ -62,7 +62,7 @@ config.security.apparmor.includes = { include "${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/base" r ${pkgs.stdenv.cc.libc}/share/locale/**, r ${pkgs.stdenv.cc.libc}/share/locale.alias, - ${lib.optionalString (pkgs.glibcLocales != null) "r ${pkgs.glibcLocales}/lib/locale/locale-archive,"} + r ${config.i18n.glibcLocales}/lib/locale/locale-archive, ${etcRule "localtime"} r ${pkgs.tzdata}/share/zoneinfo/**, r ${pkgs.stdenv.cc.libc}/share/i18n/**, @@ -72,7 +72,7 @@ config.security.apparmor.includes = { # bash inspects filesystems at startup # and /etc/mtab is linked to /proc/mounts - @{PROC}/mounts + r @{PROC}/mounts, # system-wide bash configuration '' + lib.concatMapStringsSep "\n" etcRule [ @@ -211,6 +211,9 @@ config.security.apparmor.includes = { "abstractions/nis" = '' include "${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/nis" ''; + "abstractions/nss-systemd" = '' + include "${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/nss-systemd" + ''; "abstractions/nvidia" = '' include "${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/nvidia" ${etcRule "vdpau_wrapper.cfg"} @@ -279,6 +282,8 @@ config.security.apparmor.includes = { r /var/lib/acme/*/chain.pem, r /var/lib/acme/*/fullchain.pem, + r /etc/pki/tls/certs/, + '' + lib.concatMapStringsSep "\n" etcRule [ "ssl/certs/ca-certificates.crt" "ssl/certs/ca-bundle.crt" diff --git a/nixos/modules/services/networking/murmur.nix b/nixos/modules/services/networking/murmur.nix index 37a1ff8b2d34..20c2eff11e62 100644 --- a/nixos/modules/services/networking/murmur.nix +++ b/nixos/modules/services/networking/murmur.nix 
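Review bot: The new `r /etc/pki/tls/certs/,` rule in the ssl_certs abstraction (hunk @@ -279) ends in a slash, so it only lets a confined program read the directory entry itself; a bundle file placed under that directory is not covered unless it is named in the `etcRule` list that continues past the end of the hunk. If that list does not already contain it, add `"pki/tls/certs/ca-bundle.crt"` beside the two `ssl/certs/` entries so the file is granted through the same /etc symlink resolution as the others rather than by a hard-coded path. A short comment above the rule, such as `# directory probe only; the bundle file is granted via etcRule below`, would stop the next reader from widening it to `**`.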
@@ -355,5 +355,37 @@ in ''; destination = "/share/dbus-1/system.d/murmur.conf"; })]; + + security.apparmor.policies."bin.mumble-server".profile = '' + include + + ${cfg.package}/bin/{mumble-server,.mumble-server-wrapped} { + include + include + include + include "${pkgs.apparmorRulesFromClosure { name = "mumble-server"; } cfg.package}" + pix ${cfg.package}/bin/.mumble-server-wrapped, + + r ${config.environment.etc."os-release".source}, + r ${config.environment.etc."lsb-release".source}, + owner rwk /var/lib/murmur/murmur.sqlite, + owner rw /var/lib/murmur/murmur.sqlite-journal, + owner r /var/lib/murmur/, + r /run/murmur/murmurd.pid, + r /run/murmur/murmurd.ini, + r ${configFile}, + '' + optionalString (cfg.logFile != null) '' + rw ${cfg.logFile}, + '' + optionalString (cfg.sslCert != "") '' + r ${cfg.sslCert}, + '' + optionalString (cfg.sslKey != "") '' + r ${cfg.sslKey}, + '' + optionalString (cfg.sslCa != "") '' + r ${cfg.sslCa}, + '' + optionalString (cfg.dbus != null) '' + dbus bus=${cfg.dbus} + '' + '' + } + ''; }; } diff --git a/nixos/modules/services/web-apps/miniflux.nix b/nixos/modules/services/web-apps/miniflux.nix index 7cc8ce10ffe0..3374c746ad3d 100644 --- a/nixos/modules/services/web-apps/miniflux.nix +++ b/nixos/modules/services/web-apps/miniflux.nix @@ -130,5 +130,17 @@ in environment = cfg.config; }; environment.systemPackages = [ cfg.package ]; + + security.apparmor.policies."bin.miniflux".profile = '' + include + ${cfg.package}/bin/miniflux { + include + include + include + include "${pkgs.apparmorRulesFromClosure { name = "miniflux"; } cfg.package}" + r ${cfg.package}/bin/miniflux, + r @{sys}/kernel/mm/transparent_hugepage/hpage_pmd_size, + } + ''; }; } diff --git a/nixos/tests/miniflux.nix b/nixos/tests/miniflux.nix index be3e7abb6abd..a3af53db0e7a 100644 --- a/nixos/tests/miniflux.nix +++ b/nixos/tests/miniflux.nix 
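Review bot: The `dbus bus=${cfg.dbus}` line in the new mumble-server profile has no trailing comma, so apparmor_parser will reject the whole profile as soon as `services.murmur.dbus` is set; the mumble test leaves that option unset, which is why it does not surface here. The minimal fix is `dbus bus=${cfg.dbus},`, but a bare `dbus bus=…` rule also grants unrestricted send, receive and bind on that bus, which is more than a daemon that only needs to own the well-known name allowed by the `murmur.conf` policy generated just above needs; a `dbus bind bus=${cfg.dbus} name=…,` rule scoped to that name plus explicit send/receive rules would keep the profile to least privilege. The surrounding `config` block begins before the hunk.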
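Review bot: The two non-obvious rules in the new miniflux profile, `r ${cfg.package}/bin/miniflux,` and `r @{sys}/kernel/mm/transparent_hugepage/hpage_pmd_size,`, carry no explanation, and they are exactly the lines a maintainer trimming the policy will remove first. Record the observed denial each one silences, e.g. `# presumably the Go runtime's THP probe at startup — confirm against the audit log` above the sysfs rule and a similar note above the self-read rule. It is also worth a one-line comment that the attachment path must match what the unit's `ExecStart` (outside this hunk) invokes, since a profile attached to the wrong path never confines anything and the test's "no DENIED" check would then pass vacuously.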
@@ -25,6 +25,7 @@ in default = { ... }: { + security.apparmor.enable = true; services.miniflux = { enable = true; inherit adminCredentialsFile; @@ -34,6 +35,7 @@ in withoutSudo = { ... }: { + security.apparmor.enable = true; services.miniflux = { enable = true; inherit adminCredentialsFile; @@ -44,6 +46,7 @@ in customized = { ... }: { + security.apparmor.enable = true; services.miniflux = { enable = true; config = { @@ -63,6 +66,7 @@ in default.succeed( "curl 'http://localhost:${toString defaultPort}/v1/me' -u '${defaultUsername}:${defaultPassword}' -H Content-Type:application/json | grep '\"is_admin\":true'" ) + default.fail('journalctl -b --no-pager --grep "^audit: .*apparmor=\\"DENIED\\""') withoutSudo.wait_for_unit("miniflux.service") withoutSudo.wait_for_open_port(${toString defaultPort}) @@ -70,6 +74,7 @@ in withoutSudo.succeed( "curl 'http://localhost:${toString defaultPort}/v1/me' -u '${defaultUsername}:${defaultPassword}' -H Content-Type:application/json | grep '\"is_admin\":true'" ) + withoutSudo.fail('journalctl -b --no-pager --grep "^audit: .*apparmor=\\"DENIED\\""') customized.wait_for_unit("miniflux.service") customized.wait_for_open_port(${toString port}) @@ -77,5 +82,6 @@ in customized.succeed( "curl 'http://localhost:${toString port}/v1/me' -u '${username}:${password}' -H Content-Type:application/json | grep '\"is_admin\":true'" ) + customized.fail('journalctl -b --no-pager --grep "^audit: .*apparmor=\\"DENIED\\""') ''; }) diff --git a/nixos/tests/mumble.nix b/nixos/tests/mumble.nix index 2b5cc20163bc..8eee454721a1 100644 --- a/nixos/tests/mumble.nix +++ b/nixos/tests/mumble.nix @@ -20,6 +20,7 @@ in nodes = { server = { config, ... }: { + security.apparmor.enable = true; services.murmur.enable = true; services.murmur.registerName = "NixOS tests"; services.murmur.password = "$MURMURD_PASSWORD"; 
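Review bot: The three new `fail('journalctl … apparmor=\"DENIED\"')` assertions only show that nothing was denied, not that miniflux actually ran confined: if the profile did not attach, or was loaded in complain mode (where violations are logged as `apparmor=\"ALLOWED\"`), the grep matches nothing and the assertion passes vacuously. Add a positive check after each `wait_for_unit`, e.g. `default.succeed("grep -q ' (enforce)$' /proc/$(systemctl show -p MainPID --value miniflux.service)/attr/current")`, and widen the pattern to `apparmor=\\"(DENIED|ALLOWED)\\"`. The check also runs immediately after the first `/v1/me` request, before any feed fetch has happened, so paths only touched by the fetcher are not exercised; a comment on the assertion saying which code paths it covers would make that limit explicit.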
@@ -81,5 +82,8 @@ in server.sleep(5) # wait to get screenshot client1.screenshot("screen1") client2.screenshot("screen2") + + # check if apparmor denied anything + server.fail('journalctl -b --no-pager --grep "^audit: .*apparmor=\\"DENIED\\""') ''; }) diff --git a/pkgs/os-specific/linux/apparmor/default.nix b/pkgs/os-specific/linux/apparmor/default.nix index 1a2aa2943055..b85392977c46 100644 --- a/pkgs/os-specific/linux/apparmor/default.nix +++ b/pkgs/os-specific/linux/apparmor/default.nix @@ -128,9 +128,10 @@ let meta = apparmor-meta "library"; }; - apparmor-utils = stdenv.mkDerivation { + apparmor-utils = python.pkgs.buildPythonApplication { pname = "apparmor-utils"; version = apparmor-version; + format = "other"; src = apparmor-sources; @@ -146,14 +147,25 @@ let libapparmor.python ]; + propagatedBuildInputs = [ + libapparmor.python + + # Used by aa-notify + python.pkgs.notify2 + python.pkgs.psutil + ]; + prePatch = prePatchCommon + # Do not build vim file lib.optionalString stdenv.hostPlatform.isMusl '' sed -i ./utils/Makefile -e "/\/d" '' + '' - for file in utils/apparmor/easyprof.py utils/apparmor/aa.py utils/logprof.conf; do - substituteInPlace $file --replace "/sbin/apparmor_parser" "${apparmor-parser}/bin/apparmor_parser" - done + sed -i -E 's/^(DESTDIR|BINDIR|PYPREFIX)=.*//g' ./utils/Makefile + + sed -i utils/aa-unconfined -e "/my_env\['PATH'\]/d" + + substituteInPlace utils/aa-remove-unknown \ + --replace "/lib/apparmor/rc.apparmor.functions" "${apparmor-parser}/lib/apparmor/rc.apparmor.functions" ''; inherit patches; postPatch = "cd ./utils"; 
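Review bot: The denial check added after the screenshots only covers the server's default configuration, so the `optionalString` branches of the murmur profile (logFile, sslCert, sslKey, sslCa, dbus) are never parsed by this test and a syntax slip in any of them would ship unnoticed. Setting at least one of them in the `server` node, for example `services.murmur.dbus = "system";`, would make the parser cover those branches and exercise the D-Bus rule as well. The enclosing test script starts before the hunk.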
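Review bot: The `sed -i utils/aa-unconfined -e "/my_env\['PATH'\]/d"` moved into prePatch deletes the line assigning `my_env['PATH']`; upstream appears to use that assignment to pin a fixed search path for the helper commands aa-unconfined spawns as root (inferred from the pattern — confirm against utils/aa-unconfined), so after this patch those helpers resolve from whatever PATH the invoking root shell happens to carry. Removing the hard-coded FHS directories is necessary on NixOS, but the replacement should be a pinned store path rather than the inherited environment: wrap the tool with `--set PATH` pointing at the packages that provide those helpers, in the same way postInstall already wraps `aa-remove-unknown` with a PATH for gawk. A one-line comment above the sed saying why the line is dropped would help the next person who touches it.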
@@ -161,17 +173,6 @@ let installFlags = [ "DESTDIR=$(out)" "BINDIR=$(out)/bin" "VIM_INSTALL_PATH=$(out)/share" "PYPREFIX=" ]; postInstall = '' - sed -i $out/bin/aa-unconfined -e "/my_env\['PATH'\]/d" - for prog in aa-audit aa-autodep aa-cleanprof aa-complain aa-disable aa-enforce aa-genprof aa-logprof aa-mergeprof aa-unconfined ; do - wrapProgram $out/bin/$prog --prefix PYTHONPATH : "$out/lib/${python.sitePackages}:$PYTHONPATH" - done - - substituteInPlace $out/bin/aa-notify \ - --replace /usr/bin/notify-send ${libnotify}/bin/notify-send \ - --replace /usr/bin/perl "${perl}/bin/perl -I ${libapparmor}/${perl.libPrefix}" - - substituteInPlace $out/bin/aa-remove-unknown \ - --replace "/lib/apparmor/rc.apparmor.functions" "${apparmor-parser}/lib/apparmor/rc.apparmor.functions" wrapProgram $out/bin/aa-remove-unknown \ --prefix PATH : ${lib.makeBinPath [ gawk ]}