nixos/incus: add AppArmor rules to allow access to Nix store

Fix #350012
2025-07-14 06:00:33 +03:00 · 2025-03-01 18:53:14 +08:00 · 2025-03-01 18:53:14 +08:00 · 9b7d65ad87
commit 9b7d65ad87
parent 24693557f7
1 changed files with 33 additions and 0 deletions
--- a/nixos/modules/virtualisation/incus.nix
+++ b/nixos/modules/virtualisation/incus.nix
@ -335,7 +335,40 @@ in
        "lxc-containers".profile = ''
          include ${cfg.lxcPackage}/etc/apparmor.d/lxc-containers
        '';
+        "incusd".profile = ''
+          # This profile allows everything and only exists to give the
+          # application a name instead of having the label "unconfined"
+
+          abi <abi/4.0>,
+          include <tunables/global>
+
+          profile incusd ${lib.getExe' config.virtualisation.incus.package "incusd"} flags=(unconfined) {
+            userns,
+            </var/lib/incus/security/apparmor/cache>
+            </var/lib/incus/security/apparmor/profiles>
+
+            # Site-specific additions and overrides. See local/README for details.
+            include if exists <local/incusd>
+          }
+        '';
      };
+      includes."abstractions/base" =
+        ''
+          # Allow incusd's various AA profiles to load dynamic libraries from Nix store
+          # https://discuss.linuxcontainers.org/t/creating-new-containers-vms-blocked-by-apparmor-on-nixos/21908/6
+          mr /nix/store/*/lib/*.so*,
+          r ${pkgs.stdenv.cc.libc}/lib/gconv/gconv-modules,
+          r ${pkgs.stdenv.cc.libc}/lib/gconv/gconv-modules.d/,
+          r ${pkgs.stdenv.cc.libc}/lib/gconv/gconv-modules.d/gconv-modules-extra.conf,
+
+          # Support use of VM instance
+          mrix ${pkgs.qemu_kvm}/bin/*,
+          k ${OVMF2MB.fd}/FV/*.fd,
+          k ${pkgs.OVMFFull.fd}/FV/*.fd,
+        ''
+        + lib.optionalString pkgs.stdenv.hostPlatform.isx86_64 ''
+          k ${pkgs.seabios-qemu}/share/seabios/bios.bin,
+        '';
    };

    systemd.services.incus = {