commit
ef95600372
3 changed files with 254 additions and 33 deletions
@ -1,43 +1,61 @@
|
|||
{ config, lib, pkgs, ... }:
|
||||
|
||||
with lib;
|
||||
|
||||
let
|
||||
inherit (lib) mkIf mkOption types concatMapStrings;
|
||||
cfg = config.security.apparmor;
|
||||
in
|
||||
|
||||
{
|
||||
options = {
|
||||
security.apparmor = {
|
||||
enable = mkOption {
|
||||
type = types.bool;
|
||||
default = false;
|
||||
description = "Enable the AppArmor Mandatory Access Control system.";
|
||||
};
|
||||
#### interface
|
||||
options = {
|
||||
|
||||
profiles = mkOption {
|
||||
type = types.listOf types.path;
|
||||
default = [];
|
||||
description = "List of files containing AppArmor profiles.";
|
||||
};
|
||||
};
|
||||
};
|
||||
security.apparmor = {
|
||||
|
||||
config = mkIf cfg.enable {
|
||||
environment.systemPackages = [ pkgs.apparmor ];
|
||||
systemd.services.apparmor = {
|
||||
wantedBy = [ "local-fs.target" ];
|
||||
path = [ pkgs.apparmor ];
|
||||
enable = mkOption {
|
||||
type = types.bool;
|
||||
default = false;
|
||||
description = "Enable the AppArmor Mandatory Access Control system.";
|
||||
};
|
||||
|
||||
serviceConfig = {
|
||||
Type = "oneshot";
|
||||
RemainAfterExit = "yes";
|
||||
ExecStart = concatMapStrings (profile:
|
||||
''${pkgs.apparmor}/sbin/apparmor_parser -rKv -I ${pkgs.apparmor}/etc/apparmor.d/ "${profile}" ; ''
|
||||
) cfg.profiles;
|
||||
ExecStop = concatMapStrings (profile:
|
||||
''${pkgs.apparmor}/sbin/apparmor_parser -Rv -I ${pkgs.apparmor}/etc/apparmor.d/ "${profile}" ; ''
|
||||
) cfg.profiles;
|
||||
};
|
||||
};
|
||||
};
|
||||
profiles = mkOption {
|
||||
type = types.listOf types.path;
|
||||
default = [];
|
||||
description = "List of files containing AppArmor profiles.";
|
||||
};
|
||||
|
||||
};
|
||||
|
||||
};
|
||||
|
||||
#### implementation
|
||||
config = mkIf cfg.enable {
|
||||
|
||||
environment.systemPackages = [
|
||||
pkgs.apparmor-utils
|
||||
];
|
||||
|
||||
systemd.services.apparmor = {
|
||||
wantedBy = [ "local-fs.target" ];
|
||||
|
||||
serviceConfig = {
|
||||
Type = "oneshot";
|
||||
RemainAfterExit = "yes";
|
||||
ExecStart = concatMapStrings (p:
|
||||
''${pkgs.apparmor-parser}/bin/apparmor_parser -rKv -I ${pkgs.apparmor-profiles}/etc/apparmor.d "${p}" ; ''
|
||||
) cfg.profiles;
|
||||
ExecStop = concatMapStrings (p:
|
||||
''${pkgs.apparmor-parser}/bin/apparmor_parser -Rv "${p}" ; ''
|
||||
) cfg.profiles;
|
||||
};
|
||||
};
|
||||
|
||||
security.pam.services.apparmor.text = ''
|
||||
## The AppArmor service changes hats according to order: first try
|
||||
## user, then group, and finally fall back to a hat called "DEFAULT"
|
||||
##
|
||||
## For now, enable debugging as this is an experimental feature.
|
||||
session optional ${pkgs.apparmor-pam}/lib/security/pam_apparmor.so order=user,group,default debug
|
||||
'';
|
||||
|
||||
};
|
||||
}
|
||||
|
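Review bot: The new ExecStop line `''${pkgs.apparmor-parser}/bin/apparmor_parser -Rv "${p}" ; ''` drops the `-I ${pkgs.apparmor-profiles}/etc/apparmor.d` include path that the ExecStart line directly above it still passes, yet `-R` has to parse the profile file to learn which profiles to unload, so a profile that includes the shared abstractions or tunables would presumably fail to parse and stay loaded after the unit is stopped; passing the same `-I` on both lines, `''${pkgs.apparmor-parser}/bin/apparmor_parser -Rv -I ${pkgs.apparmor-profiles}/etc/apparmor.d "${p}" ; ''`, removes the asymmetry. Separately, `wantedBy = [ "local-fs.target" ]` only pulls the unit in and imposes no ordering, so a service a profile is meant to confine can be started before its profile is loaded and run unconfined until then; a `before` relation on the confined units, or loading the profiles early in system init, would close that window. The PAM line keeps `debug` on pam_apparmor; the comment marks this as deliberate while experimental, so a TODO to drop it before the option is considered stable would help the next reader.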
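--- /dev/null
+++ b/pkgs/os-specific/linux/apparmor/2.9/default.nix
@@ -0,0 +1,196 @@
+{ stdenv, fetchurl, autoconf, automake, libtool, pkgconfig, perl, which
+, glibc, flex, bison, python27, swig, dbus, pam
+}:
+
+let
+apparmor-series = "2.9";
+apparmor-patchver = "1";
+apparmor-version = "${apparmor-series}.${apparmor-patchver}";
+
+apparmor-meta = component: with stdenv.lib; {
+homepage = http://apparmor.net/;
+description = "Linux application security system - ${component}";
+license = licenses.gpl2;
+maintainers = with maintainers; [ phreedom thoughtpolice joachifm ];
+platforms = platforms.linux;
+};
+
+apparmor-sources = fetchurl {
+url = "https://launchpad.net/apparmor/${apparmor-series}/${apparmor-version}/+download/apparmor-${apparmor-version}.tar.gz";
+sha256 = "a63b8724c36c29ed438c9e3ca403bfeeb6c998a45990e300aa1b10faa23a0a22";
+};
+
+libapparmor = stdenv.mkDerivation {
+name = "libapparmor-${apparmor-version}";
+src = apparmor-sources;
+
+buildInputs = [
+autoconf
+automake
+bison
+flex
+dbus # requires patch to dbus ...
+glibc
+libtool
+perl
+pkgconfig
+python27
+swig
+which
+];
+
+prePatch = ''
+### common
+substituteInPlace ./common/Make.rules --replace "/usr/bin/pod2man" "${perl}/bin/pod2man"
+substituteInPlace ./common/Make.rules --replace "/usr/bin/pod2html" "${perl}/bin/pod2html"
+substituteInPlace ./common/Make.rules --replace "/usr/include/linux/capability.h" "${glibc}/include/linux/capability.h"
+
+### libapparmor
+substituteInPlace ./libraries/libapparmor/src/Makefile.am --replace "/usr/include/netinet/in.h" "${glibc}/include/netinet/in.h"
+substituteInPlace ./libraries/libapparmor/src/Makefile.in --replace "/usr/include/netinet/in.h" "${glibc}/include/netinet/in.h"
+'';
+
+buildPhase = ''
+### libapparmor
+cd ./libraries/libapparmor
+./autogen.sh
+./configure --prefix="$out" --with-python
+make
+'';
+
+installPhase = ''
+make install
+'';
+
+meta = apparmor-meta "library";
+};
+
+apparmor-utils = stdenv.mkDerivation {
+name = "apparmor-utils-${apparmor-version}";
+src = apparmor-sources;
+
+buildInputs = [
+python27
+libapparmor
+which
+];
+
+prePatch = ''
+### common
+substituteInPlace ./common/Make.rules --replace "/usr/bin/pod2man" "${perl}/bin/pod2man"
+substituteInPlace ./common/Make.rules --replace "/usr/bin/pod2html" "${perl}/bin/pod2html"
+substituteInPlace ./common/Make.rules --replace "/usr/include/linux/capability.h" "${glibc}/include/linux/capability.h"
+'';
+
+buildPhase = ''
+cd ./utils
+make LANGS=""
+'';
+
+installPhase = ''
+make install LANGS="" DESTDIR="$out" BINDIR="$out/bin"
+'';
+
+meta = apparmor-meta "user-land utilities";
+};
+
+apparmor-parser = stdenv.mkDerivation {
+name = "apparmor-parser-${apparmor-version}";
+src = apparmor-sources;
+
+buildInputs = [
+libapparmor
+bison
+flex
+which
+];
+
+prePatch = ''
+### common
+substituteInPlace ./common/Make.rules --replace "/usr/bin/pod2man" "${perl}/bin/pod2man"
+substituteInPlace ./common/Make.rules --replace "/usr/bin/pod2html" "${perl}/bin/pod2html"
+substituteInPlace ./common/Make.rules --replace "/usr/include/linux/capability.h" "${glibc}/include/linux/capability.h"
+
+### apparmor-parser
+substituteInPlace ./parser/Makefile --replace "/usr/bin/bison" "${bison}/bin/bison"
+substituteInPlace ./parser/Makefile --replace "/usr/bin/flex" "${flex}/bin/flex"
+substituteInPlace ./parser/Makefile --replace "/usr/include/linux/capability.h" "${glibc}/include/linux/capability.h"
+## techdoc.pdf still doesn't build ...
+substituteInPlace ./parser/Makefile --replace "manpages htmlmanpages pdf" "manpages htmlmanpages"
+'';
+
+buildPhase = ''
+cd ./parser
+make LANGS="" USE_SYSTEM=1 INCLUDEDIR=${libapparmor}/include
+'';
+
+installPhase = ''
+make install LANGS="" USE_SYSTEM=1 INCLUDEDIR=${libapparmor}/include DESTDIR="$out" DISTRO="unknown"
+'';
+
+meta = apparmor-meta "rule parser";
+};
+
+apparmor-pam = stdenv.mkDerivation {
+name = "apparmor-pam-${apparmor-version}";
+src = apparmor-sources;
+
+buildInputs = [
+libapparmor
+pam
+pkgconfig
+which
+];
+
+buildPhase = ''
+cd ./changehat/pam_apparmor
+make USE_SYSTEM=1
+'';
+
+installPhase = ''
+make install DESTDIR="$out"
+'';
+
+meta = apparmor-meta "PAM service";
+};
+
+apparmor-profiles = stdenv.mkDerivation {
+name = "apparmor-profiles-${apparmor-version}";
+src = apparmor-sources;
+
+buildInputs = [
+which
+];
+
+buildPhase = ''
+cd ./profiles
+make
+'';
+
+installPhase = ''
+make install DESTDIR="$out"
+'';
+
+meta = apparmor-meta "profiles";
+};
+
+apparmor-kernel-patches = stdenv.mkDerivation {
+name = "apparmor-kernel-patches-${apparmor-version}";
+src = apparmor-sources;
+
+phases = ''unpackPhase installPhase'';
+
+installPhase = ''
+mkdir "$out"
+cp -R ./kernel-patches "$out"
+'';
+
+meta = apparmor-meta "kernel patches";
+};
+
+in
+
+{
+inherit libapparmor apparmor-utils apparmor-parser apparmor-pam
+apparmor-profiles apparmor-kernel-patches;
+}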
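Review bot: apparmor-parser's installPhase runs `make install ... DESTDIR="$out" DISTRO="unknown"` without overriding any install directory, so where `apparmor_parser` lands is decided by the upstream parser Makefile's defaults, and the module in the first file of this commit expects `${pkgs.apparmor-parser}/bin/apparmor_parser` while the module it replaces called `${pkgs.apparmor}/sbin/apparmor_parser`; one of the two should be checked against the built output, either by overriding the Makefile's sbin directory here (the way apparmor-utils passes `BINDIR="$out/bin"`) or by pointing the module at the actual path. The same check applies to apparmor-pam's `make install DESTDIR="$out"`, which the module expects to produce `lib/security/pam_apparmor.so`. apparmor-utils installs Python tools that presumably import the libapparmor bindings built with `--with-python`, but nothing here sets a Python path for them, so they may fail at runtime unless wrapped — worth confirming. Pinning the tarball by sha256 over https is good; `homepage = http://apparmor.net/;` could use https for consistency.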
@ -8561,6 +8561,13 @@ let
|
|||
perl = perl516; # ${perl}/.../CORE/handy.h:124:34: error: 'bool' undeclared
|
||||
};
|
||||
|
||||
apparmor_2_9 = callPackage ../os-specific/linux/apparmor/2.9 { };
|
||||
libapparmor = apparmor_2_9.libapparmor;
|
||||
apparmor-pam = apparmor_2_9.apparmor-pam;
|
||||
apparmor-parser = apparmor_2_9.apparmor-parser;
|
||||
apparmor-profiles = apparmor_2_9.apparmor-profiles;
|
||||
apparmor-utils = apparmor_2_9.apparmor-utils;
|
||||
|
||||
atop = callPackage ../os-specific/linux/atop { };
|
||||
|
||||
audit = callPackage ../os-specific/linux/audit { };
|
||||
|