movefasta/nixpkgs
0
0
Fork 0
mirror of https://github.com/NixOS/nixpkgs.git synced 2025-07-13 21:50:33 +03:00
Code Activity

nixos/apparmor: policy activation tristate and policy path support (#356796)

Browse source
This commit is contained in:
Guillaume Girol 2024-12-17 19:56:13 +01:00 committed by GitHub
commit 03040e06fb
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
7 changed files with 376 additions and 187 deletions
Download patch file Download diff file Expand all files Collapse all files

3
nixos/doc/manual/release-notes/rl-2505.section.md
View file

@ -166,6 +166,9 @@
| virtualBoxOVA | virtualbox-vagrant.box | nixos-image-vagrant-virtualbox-25.05pre-git-x86_64-linux.ova | | virtualBoxOVA | virtualbox-vagrant.box | nixos-image-vagrant-virtualbox-25.05pre-git-x86_64-linux.ova |
| vmwareImage | nixos-25.05pre-git-x86_64-linux.vmdk | nixos-image-vmware-25.05pre-git-x86_64-linux.vmdk | | vmwareImage | nixos-25.05pre-git-x86_64-linux.vmdk | nixos-image-vmware-25.05pre-git-x86_64-linux.vmdk |
- `security.apparmor.policies.<name>.enforce` and `security.apparmor.policies.<name>.enable` were removed.
Configuring the state of apparmor policies must now be done using `security.apparmor.policies.<name>.state` tristate option.
- the notmuch vim plugin now lives in a separate output of the `notmuch` - the notmuch vim plugin now lives in a separate output of the `notmuch`
package. Installing `notmuch` will not bring the notmuch vim package anymore, package. Installing `notmuch` will not bring the notmuch vim package anymore,
add `vimPlugins.notmuch-vim` to your (Neo)vim configuration if you want the add `vimPlugins.notmuch-vim` to your (Neo)vim configuration if you want the

272
nixos/modules/security/apparmor.nix
View file

@ -1,20 +1,34 @@
{ config, lib, pkgs, ... }: {
config,
lib,
pkgs,
...
}:
let let
inherit (builtins) attrNames head map match readFile;
inherit (lib) types; inherit (lib) types;
inherit (config.environment) etc; inherit (config.environment) etc;
cfg = config.security.apparmor; cfg = config.security.apparmor;
mkDisableOption = name: lib.mkEnableOption name // { enabledPolicies = lib.filterAttrs (n: p: p.state != "disable") cfg.policies;
default = true; buildPolicyPath = n: p: lib.defaultTo (pkgs.writeText n p.profile) p.path;
example = false;
}; # Accessing submodule options when not defined results in an error thunk rather than a regular option object
enabledPolicies = lib.filterAttrs (n: p: p.enable) cfg.policies; # We can emulate the behavior of `<option>.isDefined` by attempting to evaluate it instead
# This is required because getting isDefined on a submodule is not possible in global module asserts.
submoduleOptionIsDefined = value: (builtins.tryEval value).success;
in in
{ {
imports = [ imports = [
(lib.mkRemovedOptionModule [ "security" "apparmor" "confineSUIDApplications" ] "Please use the new options: `security.apparmor.policies.<policy>.enable'.") (lib.mkRemovedOptionModule [
(lib.mkRemovedOptionModule [ "security" "apparmor" "profiles" ] "Please use the new option: `security.apparmor.policies'.") "security"
"apparmor"
"confineSUIDApplications"
] "Please use the new options: `security.apparmor.policies.<policy>.state'.")
(lib.mkRemovedOptionModule [
"security"
"apparmor"
"profiles"
] "Please use the new option: `security.apparmor.policies'.")
apparmor/includes.nix apparmor/includes.nix
apparmor/profiles.nix apparmor/profiles.nix
]; ];
@ -42,22 +56,39 @@ in
description = '' description = ''
AppArmor policies. AppArmor policies.
''; '';
type = types.attrsOf (types.submodule ({ name, config, ... }: { type = types.attrsOf (
options = { types.submodule {
enable = mkDisableOption "loading of the profile into the kernel"; options = {
enforce = mkDisableOption "enforcing of the policy or only complain in the logs"; state = lib.mkOption {
profile = lib.mkOption { description = "How strictly this policy should be enforced";
description = "The policy of the profile."; type = types.enum [
type = types.lines; "disable"
apply = pkgs.writeText name; "complain"
"enforce"
];
# should enforce really be the default?
# the docs state that this should only be used once one is REALLY sure nothing's gonna break
default = "enforce";
};
profile = lib.mkOption {
description = "The profile file contents. Incompatible with path.";
type = types.lines;
};
path = lib.mkOption {
description = "A path of a profile file to include. Incompatible with profile.";
type = types.nullOr types.path;
default = null;
};
}; };
}; }
})); );
default = {}; default = { };
}; };
includes = lib.mkOption { includes = lib.mkOption {
type = types.attrsOf types.lines; type = types.attrsOf types.lines;
default = {}; default = { };
description = '' description = ''
List of paths to be added to AppArmor's searched paths List of paths to be added to AppArmor's searched paths
when resolving `include` directives. when resolving `include` directives.
@ -66,7 +97,7 @@ in
}; };
packages = lib.mkOption { packages = lib.mkOption {
type = types.listOf types.package; type = types.listOf types.package;
default = []; default = [ ];
description = "List of packages to be added to AppArmor's include path"; description = "List of packages to be added to AppArmor's include path";
}; };
enableCache = lib.mkEnableOption '' enableCache = lib.mkEnableOption ''
@ -90,13 +121,20 @@ in
}; };
config = lib.mkIf cfg.enable { config = lib.mkIf cfg.enable {
assertions = map (policy: assertions = lib.concatLists (
{ assertion = match ".*/.*" policy == null; lib.mapAttrsToList (policyName: policyCfg: [
message = "`security.apparmor.policies.\"${policy}\"' must not contain a slash."; {
# Because, for instance, aa-remove-unknown uses profiles_names_list() in rc.apparmor.functions assertion = builtins.match ".*/.*" policyName == null;
# which does not recurse into sub-directories. message = "`security.apparmor.policies.\"${policyName}\"' must not contain a slash.";
} # Because, for instance, aa-remove-unknown uses profiles_names_list() in rc.apparmor.functions
) (attrNames cfg.policies); # which does not recurse into sub-directories.
}
{
assertion = lib.xor (policyCfg.path != null) (submoduleOptionIsDefined policyCfg.profile);
message = "`security.apparmor.policies.\"${policyName}\"` must define exactly one of either path or profile.";
}
]) cfg.policies
);
environment.systemPackages = [ environment.systemPackages = [
pkgs.apparmor-utils pkgs.apparmor-utils
@ -105,67 +143,81 @@ in
environment.etc."apparmor.d".source = pkgs.linkFarm "apparmor.d" ( environment.etc."apparmor.d".source = pkgs.linkFarm "apparmor.d" (
# It's important to put only enabledPolicies here and not all cfg.policies # It's important to put only enabledPolicies here and not all cfg.policies
# because aa-remove-unknown reads profiles from all /etc/apparmor.d/* # because aa-remove-unknown reads profiles from all /etc/apparmor.d/*
lib.mapAttrsToList (name: p: { inherit name; path = p.profile; }) enabledPolicies ++ lib.mapAttrsToList (name: p: {
lib.mapAttrsToList (name: path: { inherit name path; }) cfg.includes inherit name;
path = buildPolicyPath name p;
}) enabledPolicies
++ lib.mapAttrsToList (name: path: { inherit name path; }) cfg.includes
); );
environment.etc."apparmor/parser.conf".text = '' environment.etc."apparmor/parser.conf".text =
''
${if cfg.enableCache then "write-cache" else "skip-cache"} ${if cfg.enableCache then "write-cache" else "skip-cache"}
cache-loc /var/cache/apparmor cache-loc /var/cache/apparmor
Include /etc/apparmor.d Include /etc/apparmor.d
'' + ''
lib.concatMapStrings (p: "Include ${p}/etc/apparmor.d\n") cfg.packages; + lib.concatMapStrings (p: "Include ${p}/etc/apparmor.d\n") cfg.packages;
# For aa-logprof # For aa-logprof
environment.etc."apparmor/apparmor.conf".text = '' environment.etc."apparmor/apparmor.conf".text = '''';
'';
# For aa-logprof # For aa-logprof
environment.etc."apparmor/severity.db".source = pkgs.apparmor-utils + "/etc/apparmor/severity.db"; environment.etc."apparmor/severity.db".source = pkgs.apparmor-utils + "/etc/apparmor/severity.db";
environment.etc."apparmor/logprof.conf".source = pkgs.runCommand "logprof.conf" { environment.etc."apparmor/logprof.conf".source =
header = '' pkgs.runCommand "logprof.conf"
[settings] {
# /etc/apparmor.d/ is read-only on NixOS header = ''
profiledir = /var/cache/apparmor/logprof [settings]
inactive_profiledir = /etc/apparmor.d/disable # /etc/apparmor.d/ is read-only on NixOS
# Use: journalctl -b --since today --grep audit: | aa-logprof profiledir = /var/cache/apparmor/logprof
logfiles = /dev/stdin inactive_profiledir = /etc/apparmor.d/disable
# Use: journalctl -b --since today --grep audit: | aa-logprof
logfiles = /dev/stdin
parser = ${pkgs.apparmor-parser}/bin/apparmor_parser parser = ${pkgs.apparmor-parser}/bin/apparmor_parser
ldd = ${pkgs.glibc.bin}/bin/ldd ldd = ${pkgs.glibc.bin}/bin/ldd
logger = ${pkgs.util-linux}/bin/logger logger = ${pkgs.util-linux}/bin/logger
# customize how file ownership permissions are presented # customize how file ownership permissions are presented
# 0 - off # 0 - off
# 1 - default of what ever mode the log reported # 1 - default of what ever mode the log reported
# 2 - force the new permissions to be user # 2 - force the new permissions to be user
# 3 - force all perms on the rule to be user # 3 - force all perms on the rule to be user
default_owner_prompt = 1 default_owner_prompt = 1
custom_includes = /etc/apparmor.d ${lib.concatMapStringsSep " " (p: "${p}/etc/apparmor.d") cfg.packages} custom_includes = /etc/apparmor.d ${
lib.concatMapStringsSep " " (p: "${p}/etc/apparmor.d") cfg.packages
}
[qualifiers] [qualifiers]
${pkgs.runtimeShell} = icnu ${pkgs.runtimeShell} = icnu
${pkgs.bashInteractive}/bin/sh = icnu ${pkgs.bashInteractive}/bin/sh = icnu
${pkgs.bashInteractive}/bin/bash = icnu ${pkgs.bashInteractive}/bin/bash = icnu
${config.users.defaultUserShell} = icnu ${config.users.defaultUserShell} = icnu
''; '';
footer = "${pkgs.apparmor-utils}/etc/apparmor/logprof.conf"; footer = "${pkgs.apparmor-utils}/etc/apparmor/logprof.conf";
passAsFile = [ "header" ]; passAsFile = [ "header" ];
} '' }
cp $headerPath $out ''
sed '1,/\[qualifiers\]/d' $footer >> $out cp $headerPath $out
''; sed '1,/\[qualifiers\]/d' $footer >> $out
'';
boot.kernelParams = [ "apparmor=1" "security=apparmor" ]; boot.kernelParams = [
"apparmor=1"
"security=apparmor"
];
systemd.services.apparmor = { systemd.services.apparmor = {
after = [ after = [
"local-fs.target" "local-fs.target"
"systemd-journald-audit.socket" "systemd-journald-audit.socket"
]; ];
before = [ "sysinit.target" "shutdown.target" ]; before = [
"sysinit.target"
"shutdown.target"
];
conflicts = [ "shutdown.target" ]; conflicts = [ "shutdown.target" ];
wantedBy = [ "multi-user.target" ]; wantedBy = [ "multi-user.target" ];
unitConfig = { unitConfig = {
Description="Load AppArmor policies"; Description = "Load AppArmor policies";
DefaultDependencies = "no"; DefaultDependencies = "no";
ConditionSecurity = "apparmor"; ConditionSecurity = "apparmor";
}; };
@ -176,39 +228,57 @@ in
etc."apparmor/parser.conf".source etc."apparmor/parser.conf".source
etc."apparmor.d".source etc."apparmor.d".source
]; ];
serviceConfig = let serviceConfig =
killUnconfinedConfinables = pkgs.writeShellScript "apparmor-kill" '' let
set -eu killUnconfinedConfinables = pkgs.writeShellScript "apparmor-kill" ''
${pkgs.apparmor-bin-utils}/bin/aa-status --json | set -eu
${pkgs.jq}/bin/jq --raw-output '.processes | .[] | .[] | select (.status == "unconfined") | .pid' | ${pkgs.apparmor-bin-utils}/bin/aa-status --json |
xargs --verbose --no-run-if-empty --delimiter='\n' \ ${pkgs.jq}/bin/jq --raw-output '.processes | .[] | .[] | select (.status == "unconfined") | .pid' |
kill xargs --verbose --no-run-if-empty --delimiter='\n' \
''; kill
commonOpts = p: "--verbose --show-cache ${lib.optionalString (!p.enforce) "--complain "}${p.profile}"; '';
in { commonOpts =
Type = "oneshot"; n: p:
RemainAfterExit = "yes"; "--verbose --show-cache ${
ExecStartPre = "${pkgs.apparmor-utils}/bin/aa-teardown"; lib.optionalString (p.state == "complain") "--complain "
ExecStart = lib.mapAttrsToList (n: p: "${pkgs.apparmor-parser}/bin/apparmor_parser --add ${commonOpts p}") enabledPolicies; }${buildPolicyPath n p}";
ExecStartPost = lib.optional cfg.killUnconfinedConfinables killUnconfinedConfinables; in
ExecReload = {
# Add or replace into the kernel profiles in enabledPolicies Type = "oneshot";
# (because AppArmor can do that without stopping the processes already confined). RemainAfterExit = "yes";
lib.mapAttrsToList (n: p: "${pkgs.apparmor-parser}/bin/apparmor_parser --replace ${commonOpts p}") enabledPolicies ++ ExecStartPre = "${pkgs.apparmor-utils}/bin/aa-teardown";
# Remove from the kernel any profile whose name is not ExecStart = lib.mapAttrsToList (
# one of the names within the content of the profiles in enabledPolicies n: p: "${pkgs.apparmor-parser}/bin/apparmor_parser --add ${commonOpts n p}"
# (indirectly read from /etc/apparmor.d/*, without recursing into sub-directory). ) enabledPolicies;
# Note that this does not remove profiles dynamically generated by libvirt. ExecStartPost = lib.optional cfg.killUnconfinedConfinables killUnconfinedConfinables;
[ "${pkgs.apparmor-utils}/bin/aa-remove-unknown" ] ++ ExecReload =
# Optionally kill the processes which are unconfined but now have a profile loaded # Add or replace into the kernel profiles in enabledPolicies
# (because AppArmor can only start to confine new processes). # (because AppArmor can do that without stopping the processes already confined).
lib.optional cfg.killUnconfinedConfinables killUnconfinedConfinables; lib.mapAttrsToList (
ExecStop = "${pkgs.apparmor-utils}/bin/aa-teardown"; n: p: "${pkgs.apparmor-parser}/bin/apparmor_parser --replace ${commonOpts n p}"
CacheDirectory = [ "apparmor" "apparmor/logprof" ]; ) enabledPolicies
CacheDirectoryMode = "0700"; ++
}; # Remove from the kernel any profile whose name is not
# one of the names within the content of the profiles in enabledPolicies
# (indirectly read from /etc/apparmor.d/*, without recursing into sub-directory).
# Note that this does not remove profiles dynamically generated by libvirt.
[ "${pkgs.apparmor-utils}/bin/aa-remove-unknown" ]
++
# Optionally kill the processes which are unconfined but now have a profile loaded
# (because AppArmor can only start to confine new processes).
lib.optional cfg.killUnconfinedConfinables killUnconfinedConfinables;
ExecStop = "${pkgs.apparmor-utils}/bin/aa-teardown";
CacheDirectory = [
"apparmor"
"apparmor/logprof"
];
CacheDirectoryMode = "0700";
};
}; };
}; };
meta.maintainers = with lib.maintainers; [ julm grimmauld ]; meta.maintainers = with lib.maintainers; [
julm
grimmauld
];
} }

2
nixos/tests/all-tests.nix
View file

@ -131,7 +131,7 @@ in {
apfs = runTest ./apfs.nix; apfs = runTest ./apfs.nix;
appliance-repart-image = runTest ./appliance-repart-image.nix; appliance-repart-image = runTest ./appliance-repart-image.nix;
appliance-repart-image-verity-store = runTest ./appliance-repart-image-verity-store.nix; appliance-repart-image-verity-store = runTest ./appliance-repart-image-verity-store.nix;
apparmor = handleTest ./apparmor.nix {}; apparmor = handleTest ./apparmor {};
archi = handleTest ./archi.nix {}; archi = handleTest ./archi.nix {};
aria2 = handleTest ./aria2.nix {}; aria2 = handleTest ./aria2.nix {};
armagetronad = handleTest ./armagetronad.nix {}; armagetronad = handleTest ./armagetronad.nix {};

85
nixos/tests/apparmor.nix
View file

@ -1,85 +0,0 @@
import ./make-test-python.nix ({ pkgs, lib, ... } : {
name = "apparmor";
meta.maintainers = with lib.maintainers; [ julm grimmauld ];
nodes.machine =
{ lib, pkgs, config, ... }:
{
security.apparmor.enable = lib.mkDefault true;
};
testScript =
''
machine.wait_for_unit("multi-user.target")
with subtest("AppArmor profiles are loaded"):
machine.succeed("systemctl status apparmor.service")
# AppArmor securityfs
with subtest("AppArmor securityfs is mounted"):
machine.succeed("mountpoint -q /sys/kernel/security")
machine.succeed("cat /sys/kernel/security/apparmor/profiles")
# Test apparmorRulesFromClosure by:
# 1. Prepending a string of the relevant packages' name and version on each line.
# 2. Sorting according to those strings.
# 3. Removing those prepended strings.
# 4. Using `diff` against the expected output.
with subtest("apparmorRulesFromClosure"):
machine.succeed(
"${pkgs.diffutils}/bin/diff -u ${pkgs.writeText "expected.rules" ''
mr ${pkgs.bash}/lib/**.so*,
r ${pkgs.bash},
r ${pkgs.bash}/etc/**,
r ${pkgs.bash}/lib/**,
r ${pkgs.bash}/share/**,
x ${pkgs.bash}/foo/**,
mr ${pkgs.glibc}/lib/**.so*,
r ${pkgs.glibc},
r ${pkgs.glibc}/etc/**,
r ${pkgs.glibc}/lib/**,
r ${pkgs.glibc}/share/**,
x ${pkgs.glibc}/foo/**,
mr ${pkgs.libcap}/lib/**.so*,
r ${pkgs.libcap},
r ${pkgs.libcap}/etc/**,
r ${pkgs.libcap}/lib/**,
r ${pkgs.libcap}/share/**,
x ${pkgs.libcap}/foo/**,
mr ${pkgs.libcap.lib}/lib/**.so*,
r ${pkgs.libcap.lib},
r ${pkgs.libcap.lib}/etc/**,
r ${pkgs.libcap.lib}/lib/**,
r ${pkgs.libcap.lib}/share/**,
x ${pkgs.libcap.lib}/foo/**,
mr ${pkgs.libidn2.out}/lib/**.so*,
r ${pkgs.libidn2.out},
r ${pkgs.libidn2.out}/etc/**,
r ${pkgs.libidn2.out}/lib/**,
r ${pkgs.libidn2.out}/share/**,
x ${pkgs.libidn2.out}/foo/**,
mr ${pkgs.libunistring}/lib/**.so*,
r ${pkgs.libunistring},
r ${pkgs.libunistring}/etc/**,
r ${pkgs.libunistring}/lib/**,
r ${pkgs.libunistring}/share/**,
x ${pkgs.libunistring}/foo/**,
mr ${pkgs.glibc.libgcc}/lib/**.so*,
r ${pkgs.glibc.libgcc},
r ${pkgs.glibc.libgcc}/etc/**,
r ${pkgs.glibc.libgcc}/lib/**,
r ${pkgs.glibc.libgcc}/share/**,
x ${pkgs.glibc.libgcc}/foo/**,
''} ${pkgs.runCommand "actual.rules" { preferLocalBuild = true; } ''
${pkgs.gnused}/bin/sed -e 's:^[^ ]* ${builtins.storeDir}/[^,/-]*-\([^/,]*\):\1 \0:' ${
pkgs.apparmorRulesFromClosure {
name = "ping";
additionalRules = ["x $path/foo/**"];
} [ pkgs.libcap ]
} |
${pkgs.coreutils}/bin/sort -n -k1 |
${pkgs.gnused}/bin/sed -e 's:^[^ ]* ::' >$out
''}"
)
'';
})

130
nixos/tests/apparmor/default.nix Normal file
View file

@ -0,0 +1,130 @@
import ../make-test-python.nix (
{ pkgs, lib, ... }:
let
helloProfileContents = ''
abi <abi/4.0>,
include <tunables/global>
profile hello ${lib.getExe pkgs.hello} {
include <abstractions/base>
}
'';
in
{
name = "apparmor";
meta.maintainers = with lib.maintainers; [
julm
grimmauld
];
nodes.machine =
{
lib,
pkgs,
config,
...
}:
{
security.apparmor = {
enable = lib.mkDefault true;
policies.hello = {
# test profile enforce and content definition
state = "enforce";
profile = helloProfileContents;
};
policies.sl = {
# test profile complain and path definition
state = "complain";
path = ./sl_profile;
};
policies.hexdump = {
# test profile complain and path definition
state = "enforce";
profile = ''
abi <abi/4.0>,
include <tunables/global>
profile hexdump /nix/store/*/bin/hexdump {
include <abstractions/base>
deny /tmp/** r,
}
'';
};
includes."abstractions/base" = ''
/nix/store/*/bin/** mr,
/nix/store/*/lib/** mr,
/nix/store/** r,
'';
};
};
testScript =
let
inherit (lib) getExe getExe';
in
''
machine.wait_for_unit("multi-user.target")
with subtest("AppArmor profiles are loaded"):
machine.succeed("systemctl status apparmor.service")
# AppArmor securityfs
with subtest("AppArmor securityfs is mounted"):
machine.succeed("mountpoint -q /sys/kernel/security")
machine.succeed("cat /sys/kernel/security/apparmor/profiles")
# Test apparmorRulesFromClosure by:
# 1. Prepending a string of the relevant packages' name and version on each line.
# 2. Sorting according to those strings.
# 3. Removing those prepended strings.
# 4. Using `diff` against the expected output.
with subtest("apparmorRulesFromClosure"):
machine.succeed(
"${getExe' pkgs.diffutils "diff"} -u ${
pkgs.writeText "expected.rules" (import ./makeExpectedPolicies.nix { inherit pkgs; })
} ${
pkgs.runCommand "actual.rules" { preferLocalBuild = true; } ''
${getExe pkgs.gnused} -e 's:^[^ ]* ${builtins.storeDir}/[^,/-]*-\([^/,]*\):\1 \0:' ${
pkgs.apparmorRulesFromClosure {
name = "ping";
additionalRules = [ "x $path/foo/**" ];
} [ pkgs.libcap ]
} |
${getExe' pkgs.coreutils "sort"} -n -k1 |
${getExe pkgs.gnused} -e 's:^[^ ]* ::' >$out
''
}"
)
# Test apparmor profile states by using `diff` against `aa-status`
with subtest("apparmorProfileStates"):
machine.succeed("${getExe' pkgs.diffutils "diff"} -u \
<(${getExe' pkgs.apparmor-bin-utils "aa-status"} --json | ${getExe pkgs.jq} --sort-keys . ) \
<(${getExe pkgs.jq} --sort-keys . ${
pkgs.writers.writeJSON "expectedStates.json" {
version = "2";
processes = { };
profiles = {
hexdump = "enforce";
hello = "enforce";
sl = "complain";
};
}
})")
# Test apparmor profile files in /etc/apparmor.d/<name> to be either a correct symlink (sl) or have the right file contents (hello)
with subtest("apparmorProfileTargets"):
machine.succeed("${getExe' pkgs.diffutils "diff"} -u <(${getExe pkgs.file} /etc/static/apparmor.d/sl) ${pkgs.writeText "expected.link" ''
/etc/static/apparmor.d/sl: symbolic link to ${./sl_profile}
''}")
machine.succeed("${getExe' pkgs.diffutils "diff"} -u /etc/static/apparmor.d/hello ${pkgs.writeText "expected.content" helloProfileContents}")
with subtest("apparmorProfileEnforce"):
machine.succeed("${getExe pkgs.hello} 1> /tmp/test-file")
machine.fail("${lib.getExe' pkgs.util-linux "hexdump"} /tmp/test-file") # no access to /tmp/test-file granted by apparmor
'';
}
)

66
nixos/tests/apparmor/makeExpectedPolicies.nix Normal file
View file

@ -0,0 +1,66 @@
{ pkgs }:
''
ixr ${pkgs.bash}/libexec/**,
mr ${pkgs.bash}/lib/**.so*,
mr ${pkgs.bash}/lib64/**.so*,
mr ${pkgs.bash}/share/**,
r ${pkgs.bash},
r ${pkgs.bash}/etc/**,
r ${pkgs.bash}/lib/**,
r ${pkgs.bash}/lib64/**,
x ${pkgs.bash}/foo/**,
ixr ${pkgs.glibc}/libexec/**,
mr ${pkgs.glibc}/lib/**.so*,
mr ${pkgs.glibc}/lib64/**.so*,
mr ${pkgs.glibc}/share/**,
r ${pkgs.glibc},
r ${pkgs.glibc}/etc/**,
r ${pkgs.glibc}/lib/**,
r ${pkgs.glibc}/lib64/**,
x ${pkgs.glibc}/foo/**,
ixr ${pkgs.libcap}/libexec/**,
mr ${pkgs.libcap}/lib/**.so*,
mr ${pkgs.libcap}/lib64/**.so*,
mr ${pkgs.libcap}/share/**,
r ${pkgs.libcap},
r ${pkgs.libcap}/etc/**,
r ${pkgs.libcap}/lib/**,
r ${pkgs.libcap}/lib64/**,
x ${pkgs.libcap}/foo/**,
ixr ${pkgs.libcap.lib}/libexec/**,
mr ${pkgs.libcap.lib}/lib/**.so*,
mr ${pkgs.libcap.lib}/lib64/**.so*,
mr ${pkgs.libcap.lib}/share/**,
r ${pkgs.libcap.lib},
r ${pkgs.libcap.lib}/etc/**,
r ${pkgs.libcap.lib}/lib/**,
r ${pkgs.libcap.lib}/lib64/**,
x ${pkgs.libcap.lib}/foo/**,
ixr ${pkgs.libidn2.out}/libexec/**,
mr ${pkgs.libidn2.out}/lib/**.so*,
mr ${pkgs.libidn2.out}/lib64/**.so*,
mr ${pkgs.libidn2.out}/share/**,
r ${pkgs.libidn2.out},
r ${pkgs.libidn2.out}/etc/**,
r ${pkgs.libidn2.out}/lib/**,
r ${pkgs.libidn2.out}/lib64/**,
x ${pkgs.libidn2.out}/foo/**,
ixr ${pkgs.libunistring}/libexec/**,
mr ${pkgs.libunistring}/lib/**.so*,
mr ${pkgs.libunistring}/lib64/**.so*,
mr ${pkgs.libunistring}/share/**,
r ${pkgs.libunistring},
r ${pkgs.libunistring}/etc/**,
r ${pkgs.libunistring}/lib/**,
r ${pkgs.libunistring}/lib64/**,
x ${pkgs.libunistring}/foo/**,
ixr ${pkgs.glibc.libgcc}/libexec/**,
mr ${pkgs.glibc.libgcc}/lib/**.so*,
mr ${pkgs.glibc.libgcc}/lib64/**.so*,
mr ${pkgs.glibc.libgcc}/share/**,
r ${pkgs.glibc.libgcc},
r ${pkgs.glibc.libgcc}/etc/**,
r ${pkgs.glibc.libgcc}/lib/**,
r ${pkgs.glibc.libgcc}/lib64/**,
x ${pkgs.glibc.libgcc}/foo/**,
''

5
nixos/tests/apparmor/sl_profile Normal file
View file

@ -0,0 +1,5 @@
abi <abi/4.0>,
include <tunables/global>
profile sl /bin/sl {
include <abstractions/base>
}