movefasta/nixpkgs
0
0
Fork 0
mirror of https://github.com/NixOS/nixpkgs.git synced 2025-07-13 21:50:33 +03:00
Code Activity

nixos/apparmor: policy activation tristate and policy path support (#356796)

Browse source
This commit is contained in:
Guillaume Girol 2024-12-17 19:56:13 +01:00 committed by GitHub
commit 03040e06fb
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
7 changed files with 376 additions and 187 deletions
Download patch file Download diff file Expand all files Collapse all files

3
nixos/doc/manual/release-notes/rl-2505.section.md
View file

@ -166,6 +166,9 @@
| virtualBoxOVA | virtualbox-vagrant.box | nixos-image-vagrant-virtualbox-25.05pre-git-x86_64-linux.ova |
| vmwareImage | nixos-25.05pre-git-x86_64-linux.vmdk | nixos-image-vmware-25.05pre-git-x86_64-linux.vmdk |
- `security.apparmor.policies.<name>.enforce` and `security.apparmor.policies.<name>.enable` were removed.
Configuring the state of apparmor policies must now be done using `security.apparmor.policies.<name>.state` tristate option.
- the notmuch vim plugin now lives in a separate output of the `notmuch`
package. Installing `notmuch` will not bring the notmuch vim package anymore,
add `vimPlugins.notmuch-vim` to your (Neo)vim configuration if you want the

156
nixos/modules/security/apparmor.nix
View file

@ -1,20 +1,34 @@
{ config, lib, pkgs, ... }:
{
config,
lib,
pkgs,
...
}:
let
inherit (builtins) attrNames head map match readFile;
inherit (lib) types;
inherit (config.environment) etc;
cfg = config.security.apparmor;
mkDisableOption = name: lib.mkEnableOption name // {
default = true;
example = false;
};
enabledPolicies = lib.filterAttrs (n: p: p.enable) cfg.policies;
enabledPolicies = lib.filterAttrs (n: p: p.state != "disable") cfg.policies;
buildPolicyPath = n: p: lib.defaultTo (pkgs.writeText n p.profile) p.path;
# Accessing submodule options when not defined results in an error thunk rather than a regular option object
# We can emulate the behavior of `<option>.isDefined` by attempting to evaluate it instead
# This is required because getting isDefined on a submodule is not possible in global module asserts.
submoduleOptionIsDefined = value: (builtins.tryEval value).success;
in
{
imports = [
(lib.mkRemovedOptionModule [ "security" "apparmor" "confineSUIDApplications" ] "Please use the new options: `security.apparmor.policies.<policy>.enable'.")
(lib.mkRemovedOptionModule [ "security" "apparmor" "profiles" ] "Please use the new option: `security.apparmor.policies'.")
(lib.mkRemovedOptionModule [
"security"
"apparmor"
"confineSUIDApplications"
] "Please use the new options: `security.apparmor.policies.<policy>.state'.")
(lib.mkRemovedOptionModule [
"security"
"apparmor"
"profiles"
] "Please use the new option: `security.apparmor.policies'.")
apparmor/includes.nix
apparmor/profiles.nix
];
@ -42,22 +56,39 @@ in
description = ''
AppArmor policies.
'';
type = types.attrsOf (types.submodule ({ name, config, ... }: {
type = types.attrsOf (
types.submodule {
options = {
enable = mkDisableOption "loading of the profile into the kernel";
enforce = mkDisableOption "enforcing of the policy or only complain in the logs";
state = lib.mkOption {
description = "How strictly this policy should be enforced";
type = types.enum [
"disable"
"complain"
"enforce"
];
# should enforce really be the default?
# the docs state that this should only be used once one is REALLY sure nothing's gonna break
default = "enforce";
};
profile = lib.mkOption {
description = "The policy of the profile.";
description = "The profile file contents. Incompatible with path.";
type = types.lines;
apply = pkgs.writeText name;
};
path = lib.mkOption {
description = "A path of a profile file to include. Incompatible with profile.";
type = types.nullOr types.path;
default = null;
};
};
}));
default = {};
}
);
default = { };
};
includes = lib.mkOption {
type = types.attrsOf types.lines;
default = {};
default = { };
description = ''
List of paths to be added to AppArmor's searched paths
when resolving `include` directives.
@ -66,7 +97,7 @@ in
};
packages = lib.mkOption {
type = types.listOf types.package;
default = [];
default = [ ];
description = "List of packages to be added to AppArmor's include path";
};
enableCache = lib.mkEnableOption ''
@ -90,13 +121,20 @@ in
};
config = lib.mkIf cfg.enable {
assertions = map (policy:
{ assertion = match ".*/.*" policy == null;
message = "`security.apparmor.policies.\"${policy}\"' must not contain a slash.";
assertions = lib.concatLists (
lib.mapAttrsToList (policyName: policyCfg: [
{
assertion = builtins.match ".*/.*" policyName == null;
message = "`security.apparmor.policies.\"${policyName}\"' must not contain a slash.";
# Because, for instance, aa-remove-unknown uses profiles_names_list() in rc.apparmor.functions
# which does not recurse into sub-directories.
}
) (attrNames cfg.policies);
{
assertion = lib.xor (policyCfg.path != null) (submoduleOptionIsDefined policyCfg.profile);
message = "`security.apparmor.policies.\"${policyName}\"` must define exactly one of either path or profile.";
}
]) cfg.policies
);
environment.systemPackages = [
pkgs.apparmor-utils
@ -105,21 +143,26 @@ in
environment.etc."apparmor.d".source = pkgs.linkFarm "apparmor.d" (
# It's important to put only enabledPolicies here and not all cfg.policies
# because aa-remove-unknown reads profiles from all /etc/apparmor.d/*
lib.mapAttrsToList (name: p: { inherit name; path = p.profile; }) enabledPolicies ++
lib.mapAttrsToList (name: path: { inherit name path; }) cfg.includes
lib.mapAttrsToList (name: p: {
inherit name;
path = buildPolicyPath name p;
}) enabledPolicies
++ lib.mapAttrsToList (name: path: { inherit name path; }) cfg.includes
);
environment.etc."apparmor/parser.conf".text = ''
environment.etc."apparmor/parser.conf".text =
''
${if cfg.enableCache then "write-cache" else "skip-cache"}
cache-loc /var/cache/apparmor
Include /etc/apparmor.d
'' +
lib.concatMapStrings (p: "Include ${p}/etc/apparmor.d\n") cfg.packages;
''
+ lib.concatMapStrings (p: "Include ${p}/etc/apparmor.d\n") cfg.packages;
# For aa-logprof
environment.etc."apparmor/apparmor.conf".text = ''
'';
environment.etc."apparmor/apparmor.conf".text = '''';
# For aa-logprof
environment.etc."apparmor/severity.db".source = pkgs.apparmor-utils + "/etc/apparmor/severity.db";
environment.etc."apparmor/logprof.conf".source = pkgs.runCommand "logprof.conf" {
environment.etc."apparmor/logprof.conf".source =
pkgs.runCommand "logprof.conf"
{
header = ''
[settings]
# /etc/apparmor.d/ is read-only on NixOS
@ -139,7 +182,9 @@ in
# 3 - force all perms on the rule to be user
default_owner_prompt = 1
custom_includes = /etc/apparmor.d ${lib.concatMapStringsSep " " (p: "${p}/etc/apparmor.d") cfg.packages}
custom_includes = /etc/apparmor.d ${
lib.concatMapStringsSep " " (p: "${p}/etc/apparmor.d") cfg.packages
}
[qualifiers]
${pkgs.runtimeShell} = icnu
@ -149,23 +194,30 @@ in
'';
footer = "${pkgs.apparmor-utils}/etc/apparmor/logprof.conf";
passAsFile = [ "header" ];
} ''
}
''
cp $headerPath $out
sed '1,/\[qualifiers\]/d' $footer >> $out
'';
boot.kernelParams = [ "apparmor=1" "security=apparmor" ];
boot.kernelParams = [
"apparmor=1"
"security=apparmor"
];
systemd.services.apparmor = {
after = [
"local-fs.target"
"systemd-journald-audit.socket"
];
before = [ "sysinit.target" "shutdown.target" ];
before = [
"sysinit.target"
"shutdown.target"
];
conflicts = [ "shutdown.target" ];
wantedBy = [ "multi-user.target" ];
unitConfig = {
Description="Load AppArmor policies";
Description = "Load AppArmor policies";
DefaultDependencies = "no";
ConditionSecurity = "apparmor";
};
@ -176,7 +228,8 @@ in
etc."apparmor/parser.conf".source
etc."apparmor.d".source
];
serviceConfig = let
serviceConfig =
let
killUnconfinedConfinables = pkgs.writeShellScript "apparmor-kill" ''
set -eu
${pkgs.apparmor-bin-utils}/bin/aa-status --json |
@ -184,31 +237,48 @@ in
xargs --verbose --no-run-if-empty --delimiter='\n' \
kill
'';
commonOpts = p: "--verbose --show-cache ${lib.optionalString (!p.enforce) "--complain "}${p.profile}";
in {
commonOpts =
n: p:
"--verbose --show-cache ${
lib.optionalString (p.state == "complain") "--complain "
}${buildPolicyPath n p}";
in
{
Type = "oneshot";
RemainAfterExit = "yes";
ExecStartPre = "${pkgs.apparmor-utils}/bin/aa-teardown";
ExecStart = lib.mapAttrsToList (n: p: "${pkgs.apparmor-parser}/bin/apparmor_parser --add ${commonOpts p}") enabledPolicies;
ExecStart = lib.mapAttrsToList (
n: p: "${pkgs.apparmor-parser}/bin/apparmor_parser --add ${commonOpts n p}"
) enabledPolicies;
ExecStartPost = lib.optional cfg.killUnconfinedConfinables killUnconfinedConfinables;
ExecReload =
# Add or replace into the kernel profiles in enabledPolicies
# (because AppArmor can do that without stopping the processes already confined).
lib.mapAttrsToList (n: p: "${pkgs.apparmor-parser}/bin/apparmor_parser --replace ${commonOpts p}") enabledPolicies ++
lib.mapAttrsToList (
n: p: "${pkgs.apparmor-parser}/bin/apparmor_parser --replace ${commonOpts n p}"
) enabledPolicies
++
# Remove from the kernel any profile whose name is not
# one of the names within the content of the profiles in enabledPolicies
# (indirectly read from /etc/apparmor.d/*, without recursing into sub-directory).
# Note that this does not remove profiles dynamically generated by libvirt.
[ "${pkgs.apparmor-utils}/bin/aa-remove-unknown" ] ++
[ "${pkgs.apparmor-utils}/bin/aa-remove-unknown" ]
++
# Optionally kill the processes which are unconfined but now have a profile loaded
# (because AppArmor can only start to confine new processes).
lib.optional cfg.killUnconfinedConfinables killUnconfinedConfinables;
ExecStop = "${pkgs.apparmor-utils}/bin/aa-teardown";
CacheDirectory = [ "apparmor" "apparmor/logprof" ];
CacheDirectory = [
"apparmor"
"apparmor/logprof"
];
CacheDirectoryMode = "0700";
};
};
};
meta.maintainers = with lib.maintainers; [ julm grimmauld ];
meta.maintainers = with lib.maintainers; [
julm
grimmauld
];
}

2
nixos/tests/all-tests.nix
View file

@ -131,7 +131,7 @@ in {
apfs = runTest ./apfs.nix;
appliance-repart-image = runTest ./appliance-repart-image.nix;
appliance-repart-image-verity-store = runTest ./appliance-repart-image-verity-store.nix;
apparmor = handleTest ./apparmor.nix {};
apparmor = handleTest ./apparmor {};
archi = handleTest ./archi.nix {};
aria2 = handleTest ./aria2.nix {};
armagetronad = handleTest ./armagetronad.nix {};

85
nixos/tests/apparmor.nix
View file

@ -1,85 +0,0 @@
import ./make-test-python.nix ({ pkgs, lib, ... } : {
name = "apparmor";
meta.maintainers = with lib.maintainers; [ julm grimmauld ];
nodes.machine =
{ lib, pkgs, config, ... }:
{
security.apparmor.enable = lib.mkDefault true;
};
testScript =
''
machine.wait_for_unit("multi-user.target")
with subtest("AppArmor profiles are loaded"):
machine.succeed("systemctl status apparmor.service")
# AppArmor securityfs
with subtest("AppArmor securityfs is mounted"):
machine.succeed("mountpoint -q /sys/kernel/security")
machine.succeed("cat /sys/kernel/security/apparmor/profiles")
# Test apparmorRulesFromClosure by:
# 1. Prepending a string of the relevant packages' name and version on each line.
# 2. Sorting according to those strings.
# 3. Removing those prepended strings.
# 4. Using `diff` against the expected output.
with subtest("apparmorRulesFromClosure"):
machine.succeed(
"${pkgs.diffutils}/bin/diff -u ${pkgs.writeText "expected.rules" ''
mr ${pkgs.bash}/lib/**.so*,
r ${pkgs.bash},
r ${pkgs.bash}/etc/**,
r ${pkgs.bash}/lib/**,
r ${pkgs.bash}/share/**,
x ${pkgs.bash}/foo/**,
mr ${pkgs.glibc}/lib/**.so*,
r ${pkgs.glibc},
r ${pkgs.glibc}/etc/**,
r ${pkgs.glibc}/lib/**,
r ${pkgs.glibc}/share/**,
x ${pkgs.glibc}/foo/**,
mr ${pkgs.libcap}/lib/**.so*,
r ${pkgs.libcap},
r ${pkgs.libcap}/etc/**,
r ${pkgs.libcap}/lib/**,
r ${pkgs.libcap}/share/**,
x ${pkgs.libcap}/foo/**,
mr ${pkgs.libcap.lib}/lib/**.so*,
r ${pkgs.libcap.lib},
r ${pkgs.libcap.lib}/etc/**,
r ${pkgs.libcap.lib}/lib/**,
r ${pkgs.libcap.lib}/share/**,
x ${pkgs.libcap.lib}/foo/**,
mr ${pkgs.libidn2.out}/lib/**.so*,
r ${pkgs.libidn2.out},
r ${pkgs.libidn2.out}/etc/**,
r ${pkgs.libidn2.out}/lib/**,
r ${pkgs.libidn2.out}/share/**,
x ${pkgs.libidn2.out}/foo/**,
mr ${pkgs.libunistring}/lib/**.so*,
r ${pkgs.libunistring},
r ${pkgs.libunistring}/etc/**,
r ${pkgs.libunistring}/lib/**,
r ${pkgs.libunistring}/share/**,
x ${pkgs.libunistring}/foo/**,
mr ${pkgs.glibc.libgcc}/lib/**.so*,
r ${pkgs.glibc.libgcc},
r ${pkgs.glibc.libgcc}/etc/**,
r ${pkgs.glibc.libgcc}/lib/**,
r ${pkgs.glibc.libgcc}/share/**,
x ${pkgs.glibc.libgcc}/foo/**,
''} ${pkgs.runCommand "actual.rules" { preferLocalBuild = true; } ''
${pkgs.gnused}/bin/sed -e 's:^[^ ]* ${builtins.storeDir}/[^,/-]*-\([^/,]*\):\1 \0:' ${
pkgs.apparmorRulesFromClosure {
name = "ping";
additionalRules = ["x $path/foo/**"];
} [ pkgs.libcap ]
} |
${pkgs.coreutils}/bin/sort -n -k1 |
${pkgs.gnused}/bin/sed -e 's:^[^ ]* ::' >$out
''}"
)
'';
})

130
nixos/tests/apparmor/default.nix Normal file
View file

@ -0,0 +1,130 @@
import ../make-test-python.nix (
{ pkgs, lib, ... }:
let
helloProfileContents = ''
abi <abi/4.0>,
include <tunables/global>
profile hello ${lib.getExe pkgs.hello} {
include <abstractions/base>
}
'';
in
{
name = "apparmor";
meta.maintainers = with lib.maintainers; [
julm
grimmauld
];
nodes.machine =
{
lib,
pkgs,
config,
...
}:
{
security.apparmor = {
enable = lib.mkDefault true;
policies.hello = {
# test profile enforce and content definition
state = "enforce";
profile = helloProfileContents;
};
policies.sl = {
# test profile complain and path definition
state = "complain";
path = ./sl_profile;
};
policies.hexdump = {
# test profile complain and path definition
state = "enforce";
profile = ''
abi <abi/4.0>,
include <tunables/global>
profile hexdump /nix/store/*/bin/hexdump {
include <abstractions/base>
deny /tmp/** r,
}
'';
};
includes."abstractions/base" = ''
/nix/store/*/bin/** mr,
/nix/store/*/lib/** mr,
/nix/store/** r,
'';
};
};
testScript =
let
inherit (lib) getExe getExe';
in
''
machine.wait_for_unit("multi-user.target")
with subtest("AppArmor profiles are loaded"):
machine.succeed("systemctl status apparmor.service")
# AppArmor securityfs
with subtest("AppArmor securityfs is mounted"):
machine.succeed("mountpoint -q /sys/kernel/security")
machine.succeed("cat /sys/kernel/security/apparmor/profiles")
# Test apparmorRulesFromClosure by:
# 1. Prepending a string of the relevant packages' name and version on each line.
# 2. Sorting according to those strings.
# 3. Removing those prepended strings.
# 4. Using `diff` against the expected output.
with subtest("apparmorRulesFromClosure"):
machine.succeed(
"${getExe' pkgs.diffutils "diff"} -u ${
pkgs.writeText "expected.rules" (import ./makeExpectedPolicies.nix { inherit pkgs; })
} ${
pkgs.runCommand "actual.rules" { preferLocalBuild = true; } ''
${getExe pkgs.gnused} -e 's:^[^ ]* ${builtins.storeDir}/[^,/-]*-\([^/,]*\):\1 \0:' ${
pkgs.apparmorRulesFromClosure {
name = "ping";
additionalRules = [ "x $path/foo/**" ];
} [ pkgs.libcap ]
} |
${getExe' pkgs.coreutils "sort"} -n -k1 |
${getExe pkgs.gnused} -e 's:^[^ ]* ::' >$out
''
}"
)
# Test apparmor profile states by using `diff` against `aa-status`
with subtest("apparmorProfileStates"):
machine.succeed("${getExe' pkgs.diffutils "diff"} -u \
<(${getExe' pkgs.apparmor-bin-utils "aa-status"} --json | ${getExe pkgs.jq} --sort-keys . ) \
<(${getExe pkgs.jq} --sort-keys . ${
pkgs.writers.writeJSON "expectedStates.json" {
version = "2";
processes = { };
profiles = {
hexdump = "enforce";
hello = "enforce";
sl = "complain";
};
}
})")
# Test apparmor profile files in /etc/apparmor.d/<name> to be either a correct symlink (sl) or have the right file contents (hello)
with subtest("apparmorProfileTargets"):
machine.succeed("${getExe' pkgs.diffutils "diff"} -u <(${getExe pkgs.file} /etc/static/apparmor.d/sl) ${pkgs.writeText "expected.link" ''
/etc/static/apparmor.d/sl: symbolic link to ${./sl_profile}
''}")
machine.succeed("${getExe' pkgs.diffutils "diff"} -u /etc/static/apparmor.d/hello ${pkgs.writeText "expected.content" helloProfileContents}")
with subtest("apparmorProfileEnforce"):
machine.succeed("${getExe pkgs.hello} 1> /tmp/test-file")
machine.fail("${lib.getExe' pkgs.util-linux "hexdump"} /tmp/test-file") # no access to /tmp/test-file granted by apparmor
'';
}
)

66
nixos/tests/apparmor/makeExpectedPolicies.nix Normal file
View file

@ -0,0 +1,66 @@
{ pkgs }:
''
ixr ${pkgs.bash}/libexec/**,
mr ${pkgs.bash}/lib/**.so*,
mr ${pkgs.bash}/lib64/**.so*,
mr ${pkgs.bash}/share/**,
r ${pkgs.bash},
r ${pkgs.bash}/etc/**,
r ${pkgs.bash}/lib/**,
r ${pkgs.bash}/lib64/**,
x ${pkgs.bash}/foo/**,
ixr ${pkgs.glibc}/libexec/**,
mr ${pkgs.glibc}/lib/**.so*,
mr ${pkgs.glibc}/lib64/**.so*,
mr ${pkgs.glibc}/share/**,
r ${pkgs.glibc},
r ${pkgs.glibc}/etc/**,
r ${pkgs.glibc}/lib/**,
r ${pkgs.glibc}/lib64/**,
x ${pkgs.glibc}/foo/**,
ixr ${pkgs.libcap}/libexec/**,
mr ${pkgs.libcap}/lib/**.so*,
mr ${pkgs.libcap}/lib64/**.so*,
mr ${pkgs.libcap}/share/**,
r ${pkgs.libcap},
r ${pkgs.libcap}/etc/**,
r ${pkgs.libcap}/lib/**,
r ${pkgs.libcap}/lib64/**,
x ${pkgs.libcap}/foo/**,
ixr ${pkgs.libcap.lib}/libexec/**,
mr ${pkgs.libcap.lib}/lib/**.so*,
mr ${pkgs.libcap.lib}/lib64/**.so*,
mr ${pkgs.libcap.lib}/share/**,
r ${pkgs.libcap.lib},
r ${pkgs.libcap.lib}/etc/**,
r ${pkgs.libcap.lib}/lib/**,
r ${pkgs.libcap.lib}/lib64/**,
x ${pkgs.libcap.lib}/foo/**,
ixr ${pkgs.libidn2.out}/libexec/**,
mr ${pkgs.libidn2.out}/lib/**.so*,
mr ${pkgs.libidn2.out}/lib64/**.so*,
mr ${pkgs.libidn2.out}/share/**,
r ${pkgs.libidn2.out},
r ${pkgs.libidn2.out}/etc/**,
r ${pkgs.libidn2.out}/lib/**,
r ${pkgs.libidn2.out}/lib64/**,
x ${pkgs.libidn2.out}/foo/**,
ixr ${pkgs.libunistring}/libexec/**,
mr ${pkgs.libunistring}/lib/**.so*,
mr ${pkgs.libunistring}/lib64/**.so*,
mr ${pkgs.libunistring}/share/**,
r ${pkgs.libunistring},
r ${pkgs.libunistring}/etc/**,
r ${pkgs.libunistring}/lib/**,
r ${pkgs.libunistring}/lib64/**,
x ${pkgs.libunistring}/foo/**,
ixr ${pkgs.glibc.libgcc}/libexec/**,
mr ${pkgs.glibc.libgcc}/lib/**.so*,
mr ${pkgs.glibc.libgcc}/lib64/**.so*,
mr ${pkgs.glibc.libgcc}/share/**,
r ${pkgs.glibc.libgcc},
r ${pkgs.glibc.libgcc}/etc/**,
r ${pkgs.glibc.libgcc}/lib/**,
r ${pkgs.glibc.libgcc}/lib64/**,
x ${pkgs.glibc.libgcc}/foo/**,
''

5
nixos/tests/apparmor/sl_profile Normal file
View file

@ -0,0 +1,5 @@
abi <abi/4.0>,
include <tunables/global>
profile sl /bin/sl {
include <abstractions/base>
}