From 9b7d65ad87ab7423dd2f6d53ce536bd189ef1624 Mon Sep 17 00:00:00 2001 From: MakiseKurisu Date: Sat, 1 Mar 2025 18:53:14 +0800 Subject: [PATCH 1/3] nixos/incus: add AppArmor rules to allow access to Nix store Fix #350012 --- nixos/modules/virtualisation/incus.nix | 33 ++++++++++++++++++++++++++ 1 file changed, 33 insertions(+) diff --git a/nixos/modules/virtualisation/incus.nix b/nixos/modules/virtualisation/incus.nix index c29c3215b722..3c5c7240873b 100644 --- a/nixos/modules/virtualisation/incus.nix +++ b/nixos/modules/virtualisation/incus.nix @@ -335,7 +335,40 @@ in "lxc-containers".profile = '' include ${cfg.lxcPackage}/etc/apparmor.d/lxc-containers ''; + "incusd".profile = '' + # This profile allows everything and only exists to give the + # application a name instead of having the label "unconfined" + + abi , + include + + profile incusd ${lib.getExe' config.virtualisation.incus.package "incusd"} flags=(unconfined) { + userns, + + + + # Site-specific additions and overrides. See local/README for details. + include if exists + } + ''; }; + includes."abstractions/base" = + '' + # Allow incusd's various AA profiles to load dynamic libraries from Nix store + # https://discuss.linuxcontainers.org/t/creating-new-containers-vms-blocked-by-apparmor-on-nixos/21908/6 + mr /nix/store/*/lib/*.so*, + r ${pkgs.stdenv.cc.libc}/lib/gconv/gconv-modules, + r ${pkgs.stdenv.cc.libc}/lib/gconv/gconv-modules.d/, + r ${pkgs.stdenv.cc.libc}/lib/gconv/gconv-modules.d/gconv-modules-extra.conf, + + # Support use of VM instance + mrix ${pkgs.qemu_kvm}/bin/*, + k ${OVMF2MB.fd}/FV/*.fd, + k ${pkgs.OVMFFull.fd}/FV/*.fd, + '' + + lib.optionalString pkgs.stdenv.hostPlatform.isx86_64 '' + k ${pkgs.seabios-qemu}/share/seabios/bios.bin, + ''; }; systemd.services.incus = { From f4fd5a51b5077370848be10639887181b6aeaec8 Mon Sep 17 00:00:00 2001 
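Review bot: The new rules for the Nix store, `${pkgs.qemu_kvm}/bin/*` and the firmware files are appended to `abstractions/base`, which is included by virtually every AppArmor profile on the host, so every confined service gains `mr` on all store shared objects and `mrix` on the QEMU binaries, not only the incus-generated instance profiles the comment describes. If those generated profiles can only be reached through `abstractions/base`, the comment should say so explicitly, e.g. `# NOTE: abstractions/base is shared by all profiles; these rules widen every confined program, not just incusd`; otherwise a dedicated abstraction included from the lxc/incus profiles would keep the grant scoped. The profile header lines `abi ,` and `include` appear to have lost their angle-bracketed arguments (presumably `<abi/4.0>` and `<tunables/global>`), which may be a rendering artefact, but as written the profile would not parse, so this is worth confirming against the committed file. Minor style point: the profile path uses `config.virtualisation.incus.package` while the neighbouring rule uses `cfg.lxcPackage`; `${lib.getExe' cfg.package "incusd"}` would be consistent.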
From: MakiseKurisu Date: Mon, 3 Mar 2025 12:53:02 +0800 Subject: [PATCH 2/3] nixos/tests/incus: fix zfs test configuration --- nixos/tests/incus/default.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/nixos/tests/incus/default.nix b/nixos/tests/incus/default.nix index 99a410f8ae5b..1144dd5bd268 100644 --- a/nixos/tests/incus/default.nix +++ b/nixos/tests/incus/default.nix @@ -44,6 +44,6 @@ in zfs = incusTest { inherit lts pkgs system; - storageLvm = true; + storageZfs = true; }; } From f6128c605016c95836b546bd38656742c5545dd5 Mon Sep 17 00:00:00 2001 From: MakiseKurisu Date: Mon, 3 Mar 2025 13:01:14 +0800 Subject: [PATCH 3/3] nixos/tests/incus: add AppArmor test --- nixos/tests/incus/default.nix | 6 ++++++ nixos/tests/incus/incus-tests.nix | 4 ++++ 2 files changed, 10 insertions(+) diff --git a/nixos/tests/incus/default.nix b/nixos/tests/incus/default.nix index 1144dd5bd268..39e837824237 100644 --- a/nixos/tests/incus/default.nix +++ b/nixos/tests/incus/default.nix @@ -46,4 +46,10 @@ in inherit lts pkgs system; storageZfs = true; }; + + appArmor = incusTest { + inherit lts pkgs system; + appArmor = true; + allTests = true; + }; } diff --git a/nixos/tests/incus/incus-tests.nix b/nixos/tests/incus/incus-tests.nix index 1b9b590863e3..3d0e4f0e082f 100644 --- a/nixos/tests/incus/incus-tests.nix +++ b/nixos/tests/incus/incus-tests.nix @@ -7,6 +7,7 @@ import ../make-test-python.nix ( allTests ? false, + appArmor ? false, featureUser ? allTests, initLegacy ? true, initSystemd ? true, @@ -139,6 +140,9 @@ import ../make-test-python.nix ( networking.hostId = "01234567"; networking.firewall.trustedInterfaces = [ "incusbr0" ]; + security.apparmor.enable = appArmor; + services.dbus.apparmor = (if appArmor then "enabled" else "disabled"); + services.lvm = { boot.thin.enable = storageLvm; dmeventd.enable = storageLvm;
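Review bot: The appArmor variant enables `security.apparmor` and dbus mediation on the node, but nothing in this hunk asserts that confinement is actually active, so a profile that fails to load (for instance a parse error in the incusd profile) would go unnoticed unless incusd itself refuses to start; the test script, which lies outside this hunk, should check something like `machine.succeed("aa-status | grep -q incusd")` or that the expected profiles appear under `/sys/kernel/security/apparmor/profiles` before running the instance tests. Style: the parentheses in `services.dbus.apparmor = (if appArmor then "enabled" else "disabled");` are unnecessary in Nix; `services.dbus.apparmor = if appArmor then "enabled" else "disabled";` reads the same. The enclosing node configuration starts outside the hunk.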