diff options
author | Julien Moutinho <julm+nixpkgs@sourcephile.fr> | 2020-10-18 15:36:24 +0200 |
---|---|---|
committer | Julien Moutinho <julm+nixpkgs@sourcephile.fr> | 2021-04-23 07:17:55 +0200 |
commit | 05d334cfe265f021b16c41375e3e5a4c4a07fc74 (patch) | |
tree | 0d00c946f6f9ed0492ec74725261a44d59bfd067 /pkgs/os-specific/linux/apparmor | |
parent | d239bc36439f4f1457c5c70ad59f8a737989d79a (diff) |
Revert "Revert "apparmor: fix and improve the service""
This reverts commit 420f89ceb267b461eed5d025b6c3c0e57703cc5c.
Diffstat (limited to 'pkgs/os-specific/linux/apparmor')
-rw-r--r-- | pkgs/os-specific/linux/apparmor/default.nix | 64 | ||||
-rw-r--r-- | pkgs/os-specific/linux/apparmor/fix-rc.apparmor.functions.sh | 32 |
2 files changed, 93 insertions, 3 deletions
diff --git a/pkgs/os-specific/linux/apparmor/default.nix b/pkgs/os-specific/linux/apparmor/default.nix index bb0c0b45d6e1a..1ab02a5115683 100644 --- a/pkgs/os-specific/linux/apparmor/default.nix +++ b/pkgs/os-specific/linux/apparmor/default.nix @@ -10,6 +10,13 @@ , pam , libnotify , buildPackages +, coreutils +, gnugrep +, gnused +, kmod +, writeShellScript +, closureInfo +, runCommand }: let @@ -30,6 +37,12 @@ let sha256 = "13xshy7905d9q9n8d8i0jmdi9m36wr525g4wlsp8k21n7yvvh9j4"; }; + aa-teardown = writeShellScript "aa-teardown" '' + PATH="${lib.makeBinPath [coreutils gnused gnugrep]}:$PATH" + . ${apparmor-parser}/lib/apparmor/rc.apparmor.functions + remove_profiles + ''; + prePatchCommon = '' chmod a+x ./common/list_capabilities.sh ./common/list_af_names.sh patchShebangs ./common/list_capabilities.sh ./common/list_af_names.sh @@ -121,7 +134,11 @@ let libapparmor.python ]; - prePatch = prePatchCommon + '' + prePatch = prePatchCommon + + # Do not build vim file + lib.optionalString stdenv.hostPlatform.isMusl '' + sed -i ./utils/Makefile -e "/\<vim\>/d" + '' + '' substituteInPlace ./utils/apparmor/easyprof.py --replace "/sbin/apparmor_parser" "${apparmor-parser}/bin/apparmor_parser" substituteInPlace ./utils/apparmor/aa.py --replace "/sbin/apparmor_parser" "${apparmor-parser}/bin/apparmor_parser" substituteInPlace ./utils/logprof.conf --replace "/sbin/apparmor_parser" "${apparmor-parser}/bin/apparmor_parser" @@ -132,6 +149,7 @@ let installFlags = [ "DESTDIR=$(out)" "BINDIR=$(out)/bin" "VIM_INSTALL_PATH=$(out)/share" "PYPREFIX=" ]; postInstall = '' + sed -i $out/bin/aa-unconfined -e "/my_env\['PATH'\]/d" for prog in aa-audit aa-autodep aa-cleanprof aa-complain aa-disable aa-enforce aa-genprof aa-logprof aa-mergeprof aa-status aa-unconfined ; do wrapProgram $out/bin/$prog --prefix PYTHONPATH : "$out/lib/${python.libPrefix}/site-packages:$PYTHONPATH" done @@ -139,6 +157,15 @@ let substituteInPlace $out/bin/aa-notify \ --replace /usr/bin/notify-send ${libnotify}/bin/notify-send \ --replace /usr/bin/perl "${perl}/bin/perl -I ${libapparmor}/${perl.libPrefix}" + + substituteInPlace $out/bin/aa-remove-unknown \ + --replace "/usr/bin/aa-status" "$out/bin/aa-status" \ + --replace "/sbin/modprobe" "${kmod}/bin/modprobe" \ + --replace "/lib/apparmor/rc.apparmor.functions" "${apparmor-parser}/lib/apparmor/rc.apparmor.functions" + wrapProgram $out/bin/aa-remove-unknown \ + --prefix PATH : ${lib.makeBinPath [gawk]} + + ln -s ${aa-teardown} $out/bin/aa-teardown ''; inherit doCheck; @@ -187,6 +214,9 @@ let substituteInPlace ./parser/Makefile --replace "/usr/include/linux/capability.h" "${linuxHeaders}/include/linux/capability.h" ## techdoc.pdf still doesn't build ... substituteInPlace ./parser/Makefile --replace "manpages htmlmanpages pdf" "manpages htmlmanpages" + substituteInPlace parser/rc.apparmor.functions \ + --replace "/sbin/apparmor_parser" "$out/bin/apparmor_parser" + sed -i parser/rc.apparmor.functions -e '2i . ${./fix-rc.apparmor.functions.sh}' ''; inherit patches; postPatch = "cd ./parser"; @@ -248,8 +278,35 @@ let meta = apparmor-meta "kernel patches"; }; + # Generate generic AppArmor rules in a file, + # from the closure of given rootPaths. + # To be included in an AppArmor profile like so: + # include "$(apparmorRulesFromClosure {} [pkgs.hello]}" + apparmorRulesFromClosure = + { # The store path of the derivation is given in $path + additionalRules ? [] + # TODO: factorize here some other common paths + # that may emerge from use cases. + , baseRules ? [ + "r $path" + "r $path/etc/**" + "r $path/share/**" + # Note that not all libraries are prefixed with "lib", + # eg. glibc-2.30/lib/ld-2.30.so + "mr $path/lib/**.so*" + # eg. glibc-2.30/lib/gconv/gconv-modules + "r $path/lib/**" + ] + , name ? "" + }: rootPaths: runCommand + ( "apparmor-closure-rules" + + lib.optionalString (name != "") "-${name}") {} '' + touch $out + while read -r path + do printf >>$out "%s,\n" ${lib.concatMapStringsSep " " (x: "\"${x}\"") (baseRules ++ additionalRules)} + done <${closureInfo {inherit rootPaths;}}/store-paths + ''; in - { inherit libapparmor @@ -258,5 +315,6 @@ in apparmor-parser apparmor-pam apparmor-profiles - apparmor-kernel-patches; + apparmor-kernel-patches + apparmorRulesFromClosure; } diff --git a/pkgs/os-specific/linux/apparmor/fix-rc.apparmor.functions.sh b/pkgs/os-specific/linux/apparmor/fix-rc.apparmor.functions.sh new file mode 100644 index 0000000000000..ebc1baaa92d4e --- /dev/null +++ b/pkgs/os-specific/linux/apparmor/fix-rc.apparmor.functions.sh @@ -0,0 +1,32 @@ +aa_action() { + STRING=$1 + shift + $* + rc=$? + if [ $rc -eq 0 ] ; then + aa_log_success_msg $"$STRING " + else + aa_log_failure_msg $"$STRING " + fi + return $rc +} + +aa_log_success_msg() { + [ -n "$1" ] && echo -n $1 + echo ": done." +} + +aa_log_warning_msg() { + [ -n "$1" ] && echo -n $1 + echo ": Warning." +} + +aa_log_failure_msg() { + [ -n "$1" ] && echo -n $1 + echo ": Failed." +} + +aa_log_skipped_msg() { + [ -n "$1" ] && echo -n $1 + echo ": Skipped." +} |