nixos/incus: add AppArmor rules (#386060)

This commit is contained in:
Adam C. Stephens 2025-04-01 12:51:34 -04:00 committed by GitHub
commit 62d611a22b
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
3 changed files with 44 additions and 1 deletions


@ -338,7 +338,40 @@ in
"lxc-containers".profile = '' "lxc-containers".profile = ''
include ${cfg.lxcPackage}/etc/apparmor.d/lxc-containers include ${cfg.lxcPackage}/etc/apparmor.d/lxc-containers
''; '';
"incusd".profile = ''
# This profile allows everything and only exists to give the
# application a name instead of having the label "unconfined"
abi <abi/4.0>,
include <tunables/global>
profile incusd ${lib.getExe' config.virtualisation.incus.package "incusd"} flags=(unconfined) {
userns,
</var/lib/incus/security/apparmor/cache>
</var/lib/incus/security/apparmor/profiles>
# Site-specific additions and overrides. See local/README for details.
include if exists <local/incusd>
}
'';
}; };
includes."abstractions/base" =
''
# Allow incusd's various AA profiles to load dynamic libraries from Nix store
# https://discuss.linuxcontainers.org/t/creating-new-containers-vms-blocked-by-apparmor-on-nixos/21908/6
mr /nix/store/*/lib/*.so*,
r ${pkgs.stdenv.cc.libc}/lib/gconv/gconv-modules,
r ${pkgs.stdenv.cc.libc}/lib/gconv/gconv-modules.d/,
r ${pkgs.stdenv.cc.libc}/lib/gconv/gconv-modules.d/gconv-modules-extra.conf,
# Support use of VM instance
mrix ${pkgs.qemu_kvm}/bin/*,
k ${OVMF2MB.fd}/FV/*.fd,
k ${pkgs.OVMFFull.fd}/FV/*.fd,
''
+ lib.optionalString pkgs.stdenv.hostPlatform.isx86_64 ''
k ${pkgs.seabios-qemu}/share/seabios/bios.bin,
'';
}; };
systemd.services.incus = { systemd.services.incus = {
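Review bot: The `includes."abstractions/base"` additions widen every AppArmor profile on the host that includes `abstractions/base`, not only incus's, because the include file is shared; the comment "Allow incusd's various AA profiles to load dynamic libraries" understates that scope, and `mrix ${pkgs.qemu_kvm}/bin/*,` in particular grants qemu execution to any confined process using that abstraction. I would say so in the comment, e.g. `# NOTE: abstractions/base is pulled in by nearly every profile on the system, so these rules apply host-wide (read/map only, plus ix on qemu for VM instances), not just to incus.`, so a later reader does not assume the rules are scoped to incus. Separately, the two lines `</var/lib/incus/security/apparmor/cache>` and `</var/lib/incus/security/apparmor/profiles>` inside the `incusd` profile carry no rule keyword, and I cannot tell from here whether the parser accepts them; since the profile is `flags=(unconfined)` they grant nothing either way, so either drop them or annotate what they are meant to do. The enclosing `security.apparmor` attribute set starts before this hunk.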


@ -44,6 +44,12 @@ in
zfs = incusTest { zfs = incusTest {
inherit lts pkgs system; inherit lts pkgs system;
storageLvm = true; storageZfs = true;
};
appArmor = incusTest {
inherit lts pkgs system;
appArmor = true;
allTests = true;
}; };
} }


@ -7,6 +7,7 @@ import ../make-test-python.nix (
allTests ? false, allTests ? false,
appArmor ? false,
featureUser ? allTests, featureUser ? allTests,
initLegacy ? true, initLegacy ? true,
initSystemd ? true, initSystemd ? true,
@ -139,6 +140,9 @@ import ../make-test-python.nix (
networking.hostId = "01234567"; networking.hostId = "01234567";
networking.firewall.trustedInterfaces = [ "incusbr0" ]; networking.firewall.trustedInterfaces = [ "incusbr0" ];
security.apparmor.enable = appArmor;
services.dbus.apparmor = (if appArmor then "enabled" else "disabled");
services.lvm = { services.lvm = {
boot.thin.enable = storageLvm; boot.thin.enable = storageLvm;
dmeventd.enable = storageLvm; dmeventd.enable = storageLvm;
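Review bot: Enabling `security.apparmor.enable = appArmor;` only shows that incus still functions with AppArmor on; nothing in this hunk checks that the new `incusd` profile actually loaded or that instances run under a profile, so a broken profile that fails to parse would likely go unnoticed as long as incusd starts. If the test script (outside this hunk) does not already do so, I would add an assertion under the appArmor variant such as `machine.succeed("grep -q '^incusd' /sys/kernel/security/apparmor/profiles")`. As a style point, the parentheses in `services.dbus.apparmor = (if appArmor then "enabled" else "disabled");` are redundant in Nix; `services.dbus.apparmor = if appArmor then "enabled" else "disabled";` reads the same.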