BoomMicrophone/nixpkgs-suyu
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity

Merge pull request #242538 from tnias/fix/apparmor

Browse source 
apparmor: add some policies and improve abstractions and utils
This commit is contained in:
ajs124 2023-08-04 13:05:52 +02:00 committed by GitHub
commit bf4d2e6c1e
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
6 changed files with 77 additions and 17 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

9
nixos/modules/security/apparmor/includes.nix
View file

@ -62,7 +62,7 @@ config.security.apparmor.includes = {
include "${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/base" include "${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/base"
r ${pkgs.stdenv.cc.libc}/share/locale/**, r ${pkgs.stdenv.cc.libc}/share/locale/**,
r ${pkgs.stdenv.cc.libc}/share/locale.alias, r ${pkgs.stdenv.cc.libc}/share/locale.alias,
${lib.optionalString (pkgs.glibcLocales != null) "r ${pkgs.glibcLocales}/lib/locale/locale-archive,"} r ${config.i18n.glibcLocales}/lib/locale/locale-archive,
${etcRule "localtime"} ${etcRule "localtime"}
r ${pkgs.tzdata}/share/zoneinfo/**, r ${pkgs.tzdata}/share/zoneinfo/**,
r ${pkgs.stdenv.cc.libc}/share/i18n/**, r ${pkgs.stdenv.cc.libc}/share/i18n/**,
@ -72,7 +72,7 @@ config.security.apparmor.includes = {
# bash inspects filesystems at startup # bash inspects filesystems at startup
# and /etc/mtab is linked to /proc/mounts # and /etc/mtab is linked to /proc/mounts
@{PROC}/mounts r @{PROC}/mounts,
# system-wide bash configuration # system-wide bash configuration
'' + lib.concatMapStringsSep "\n" etcRule [ '' + lib.concatMapStringsSep "\n" etcRule [
@ -211,6 +211,9 @@ config.security.apparmor.includes = {
"abstractions/nis" = '' "abstractions/nis" = ''
include "${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/nis" include "${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/nis"
''; '';
"abstractions/nss-systemd" = ''
include "${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/nss-systemd"
'';
"abstractions/nvidia" = '' "abstractions/nvidia" = ''
include "${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/nvidia" include "${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/nvidia"
${etcRule "vdpau_wrapper.cfg"} ${etcRule "vdpau_wrapper.cfg"}
@ -279,6 +282,8 @@ config.security.apparmor.includes = {
r /var/lib/acme/*/chain.pem, r /var/lib/acme/*/chain.pem,
r /var/lib/acme/*/fullchain.pem, r /var/lib/acme/*/fullchain.pem,
r /etc/pki/tls/certs/,
'' + lib.concatMapStringsSep "\n" etcRule [ '' + lib.concatMapStringsSep "\n" etcRule [
"ssl/certs/ca-certificates.crt" "ssl/certs/ca-certificates.crt"
"ssl/certs/ca-bundle.crt" "ssl/certs/ca-bundle.crt"

32
nixos/modules/services/networking/murmur.nix
View file

@ -355,5 +355,37 @@ in
''; '';
destination = "/share/dbus-1/system.d/murmur.conf"; destination = "/share/dbus-1/system.d/murmur.conf";
})]; })];
security.apparmor.policies."bin.mumble-server".profile = ''
include <tunables/global>
${cfg.package}/bin/{mumble-server,.mumble-server-wrapped} {
include <abstractions/base>
include <abstractions/nameservice>
include <abstractions/ssl_certs>
include "${pkgs.apparmorRulesFromClosure { name = "mumble-server"; } cfg.package}"
pix ${cfg.package}/bin/.mumble-server-wrapped,
r ${config.environment.etc."os-release".source},
r ${config.environment.etc."lsb-release".source},
owner rwk /var/lib/murmur/murmur.sqlite,
owner rw /var/lib/murmur/murmur.sqlite-journal,
owner r /var/lib/murmur/,
r /run/murmur/murmurd.pid,
r /run/murmur/murmurd.ini,
r ${configFile},
'' + optionalString (cfg.logFile != null) ''
rw ${cfg.logFile},
'' + optionalString (cfg.sslCert != "") ''
r ${cfg.sslCert},
'' + optionalString (cfg.sslKey != "") ''
r ${cfg.sslKey},
'' + optionalString (cfg.sslCa != "") ''
r ${cfg.sslCa},
'' + optionalString (cfg.dbus != null) ''
dbus bus=${cfg.dbus}
'' + ''
}
'';
}; };
} }

12
nixos/modules/services/web-apps/miniflux.nix
View file

@ -130,5 +130,17 @@ in
environment = cfg.config; environment = cfg.config;
}; };
environment.systemPackages = [ cfg.package ]; environment.systemPackages = [ cfg.package ];
security.apparmor.policies."bin.miniflux".profile = ''
include <tunables/global>
${cfg.package}/bin/miniflux {
include <abstractions/base>
include <abstractions/nameservice>
include <abstractions/ssl_certs>
include "${pkgs.apparmorRulesFromClosure { name = "miniflux"; } cfg.package}"
r ${cfg.package}/bin/miniflux,
r @{sys}/kernel/mm/transparent_hugepage/hpage_pmd_size,
}
'';
}; };
} }

6
nixos/tests/miniflux.nix
View file

@ -25,6 +25,7 @@ in
default = default =
{ ... }: { ... }:
{ {
security.apparmor.enable = true;
services.miniflux = { services.miniflux = {
enable = true; enable = true;
inherit adminCredentialsFile; inherit adminCredentialsFile;
@ -34,6 +35,7 @@ in
withoutSudo = withoutSudo =
{ ... }: { ... }:
{ {
security.apparmor.enable = true;
services.miniflux = { services.miniflux = {
enable = true; enable = true;
inherit adminCredentialsFile; inherit adminCredentialsFile;
@ -44,6 +46,7 @@ in
customized = customized =
{ ... }: { ... }:
{ {
security.apparmor.enable = true;
services.miniflux = { services.miniflux = {
enable = true; enable = true;
config = { config = {
@ -63,6 +66,7 @@ in
default.succeed( default.succeed(
"curl 'http://localhost:${toString defaultPort}/v1/me' -u '${defaultUsername}:${defaultPassword}' -H Content-Type:application/json | grep '\"is_admin\":true'" "curl 'http://localhost:${toString defaultPort}/v1/me' -u '${defaultUsername}:${defaultPassword}' -H Content-Type:application/json | grep '\"is_admin\":true'"
) )
default.fail('journalctl -b --no-pager --grep "^audit: .*apparmor=\\"DENIED\\""')
withoutSudo.wait_for_unit("miniflux.service") withoutSudo.wait_for_unit("miniflux.service")
withoutSudo.wait_for_open_port(${toString defaultPort}) withoutSudo.wait_for_open_port(${toString defaultPort})
@ -70,6 +74,7 @@ in
withoutSudo.succeed( withoutSudo.succeed(
"curl 'http://localhost:${toString defaultPort}/v1/me' -u '${defaultUsername}:${defaultPassword}' -H Content-Type:application/json | grep '\"is_admin\":true'" "curl 'http://localhost:${toString defaultPort}/v1/me' -u '${defaultUsername}:${defaultPassword}' -H Content-Type:application/json | grep '\"is_admin\":true'"
) )
withoutSudo.fail('journalctl -b --no-pager --grep "^audit: .*apparmor=\\"DENIED\\""')
customized.wait_for_unit("miniflux.service") customized.wait_for_unit("miniflux.service")
customized.wait_for_open_port(${toString port}) customized.wait_for_open_port(${toString port})
@ -77,5 +82,6 @@ in
customized.succeed( customized.succeed(
"curl 'http://localhost:${toString port}/v1/me' -u '${username}:${password}' -H Content-Type:application/json | grep '\"is_admin\":true'" "curl 'http://localhost:${toString port}/v1/me' -u '${username}:${password}' -H Content-Type:application/json | grep '\"is_admin\":true'"
) )
customized.fail('journalctl -b --no-pager --grep "^audit: .*apparmor=\\"DENIED\\""')
''; '';
}) })

4
nixos/tests/mumble.nix
View file

@ -20,6 +20,7 @@ in
nodes = { nodes = {
server = { config, ... }: { server = { config, ... }: {
security.apparmor.enable = true;
services.murmur.enable = true; services.murmur.enable = true;
services.murmur.registerName = "NixOS tests"; services.murmur.registerName = "NixOS tests";
services.murmur.password = "$MURMURD_PASSWORD"; services.murmur.password = "$MURMURD_PASSWORD";
@ -81,5 +82,8 @@ in
server.sleep(5) # wait to get screenshot server.sleep(5) # wait to get screenshot
client1.screenshot("screen1") client1.screenshot("screen1")
client2.screenshot("screen2") client2.screenshot("screen2")
# check if apparmor denied anything
server.fail('journalctl -b --no-pager --grep "^audit: .*apparmor=\\"DENIED\\""')
''; '';
}) })

31
pkgs/os-specific/linux/apparmor/default.nix
View file

@ -128,9 +128,10 @@ let
meta = apparmor-meta "library"; meta = apparmor-meta "library";
}; };
apparmor-utils = stdenv.mkDerivation { apparmor-utils = python.pkgs.buildPythonApplication {
pname = "apparmor-utils"; pname = "apparmor-utils";
version = apparmor-version; version = apparmor-version;
format = "other";
src = apparmor-sources; src = apparmor-sources;
@ -146,14 +147,25 @@ let
libapparmor.python libapparmor.python
]; ];
propagatedBuildInputs = [
libapparmor.python
# Used by aa-notify
python.pkgs.notify2
python.pkgs.psutil
];
prePatch = prePatchCommon + prePatch = prePatchCommon +
# Do not build vim file # Do not build vim file
lib.optionalString stdenv.hostPlatform.isMusl '' lib.optionalString stdenv.hostPlatform.isMusl ''
sed -i ./utils/Makefile -e "/\<vim\>/d" sed -i ./utils/Makefile -e "/\<vim\>/d"
'' + '' '' + ''
for file in utils/apparmor/easyprof.py utils/apparmor/aa.py utils/logprof.conf; do sed -i -E 's/^(DESTDIR|BINDIR|PYPREFIX)=.*//g' ./utils/Makefile
substituteInPlace $file --replace "/sbin/apparmor_parser" "${apparmor-parser}/bin/apparmor_parser"
done sed -i utils/aa-unconfined -e "/my_env\['PATH'\]/d"
substituteInPlace utils/aa-remove-unknown \
--replace "/lib/apparmor/rc.apparmor.functions" "${apparmor-parser}/lib/apparmor/rc.apparmor.functions"
''; '';
inherit patches; inherit patches;
postPatch = "cd ./utils"; postPatch = "cd ./utils";
@ -161,17 +173,6 @@ let
installFlags = [ "DESTDIR=$(out)" "BINDIR=$(out)/bin" "VIM_INSTALL_PATH=$(out)/share" "PYPREFIX=" ]; installFlags = [ "DESTDIR=$(out)" "BINDIR=$(out)/bin" "VIM_INSTALL_PATH=$(out)/share" "PYPREFIX=" ];
postInstall = '' postInstall = ''
sed -i $out/bin/aa-unconfined -e "/my_env\['PATH'\]/d"
for prog in aa-audit aa-autodep aa-cleanprof aa-complain aa-disable aa-enforce aa-genprof aa-logprof aa-mergeprof aa-unconfined ; do
wrapProgram $out/bin/$prog --prefix PYTHONPATH : "$out/lib/${python.sitePackages}:$PYTHONPATH"
done
substituteInPlace $out/bin/aa-notify \
--replace /usr/bin/notify-send ${libnotify}/bin/notify-send \
--replace /usr/bin/perl "${perl}/bin/perl -I ${libapparmor}/${perl.libPrefix}"
substituteInPlace $out/bin/aa-remove-unknown \
--replace "/lib/apparmor/rc.apparmor.functions" "${apparmor-parser}/lib/apparmor/rc.apparmor.functions"
wrapProgram $out/bin/aa-remove-unknown \ wrapProgram $out/bin/aa-remove-unknown \
--prefix PATH : ${lib.makeBinPath [ gawk ]} --prefix PATH : ${lib.makeBinPath [ gawk ]}