path: root/pkgs/os-specific/linux/apparmor/default.nix

{ stdenv, lib, fetchFromGitLab, fetchpatch, makeWrapper, autoreconfHook
, pkg-config, which
, flex, bison
, linuxHeaders ? stdenv.cc.libc.linuxHeaders
, gawk
, withPerl ? stdenv.hostPlatform == stdenv.buildPlatform && lib.meta.availableOn stdenv.hostPlatform perl, perl
, withPython ? stdenv.hostPlatform == stdenv.buildPlatform && lib.meta.availableOn stdenv.hostPlatform python3, python3
, swig
, ncurses
, pam
, libnotify
, buildPackages
, coreutils
, bash
, gnugrep
, gnused
, kmod
, writeShellScript
, closureInfo
, runCommand
}:

let
  apparmor-version = "3.0.4";

  apparmor-meta = component: with lib; {
    homepage = "https://apparmor.net/";
    description = "A mandatory access control system - ${component}";
    license = licenses.gpl2;
    maintainers = with maintainers; [ joachifm julm thoughtpolice ];
    platforms = platforms.linux;
  };

  apparmor-sources = fetchFromGitLab {
    owner = "apparmor";
    repo = "apparmor";
    rev = "v${apparmor-version}";
    sha256 = "1a217j28rgfq4lsmpn0wv1xgmdr9ba8iysv9i6q477kj6z77zrb9";
  };

  aa-teardown = writeShellScript "aa-teardown" ''
    PATH="${lib.makeBinPath [coreutils gnused gnugrep]}:$PATH"
    . ${apparmor-parser}/lib/apparmor/rc.apparmor.functions
    remove_profiles
  '';

  prePatchCommon = ''
    chmod a+x ./common/list_capabilities.sh ./common/list_af_names.sh
    patchShebangs ./common/list_capabilities.sh ./common/list_af_names.sh
    substituteInPlace ./common/Make.rules \
      --replace "/usr/bin/pod2man" "${buildPackages.perl}/bin/pod2man" \
      --replace "/usr/bin/pod2html" "${buildPackages.perl}/bin/pod2html" \
      --replace "/usr/share/man" "share/man"
    substituteInPlace ./utils/Makefile \
      --replace "/usr/include/linux/capability.h" "${linuxHeaders}/include/linux/capability.h"
  '';

  patches = lib.optionals stdenv.hostPlatform.isMusl [
    (fetchpatch {
      url = "https://git.alpinelinux.org/aports/plain/testing/apparmor/0003-Added-missing-typedef-definitions-on-parser.patch?id=74b8427cc21f04e32030d047ae92caa618105b53";
      name = "0003-Added-missing-typedef-definitions-on-parser.patch";
      sha256 = "0yyaqz8jlmn1bm37arggprqz0njb4lhjni2d9c8qfqj0kll0bam0";
    })
  ];

  python = python3.withPackages (ps: with ps; [ setuptools ]);

  # Set to `true` after the next FIXME gets fixed or this gets some
  # common derivation infra. Too much copy-paste to fix one by one.
  doCheck = false;

  # FIXME: convert these to a single multiple-outputs package?

  libapparmor = stdenv.mkDerivation {
    pname = "libapparmor";
    version = apparmor-version;

    src = apparmor-sources;

   # checking whether python bindings are enabled... yes
   # checking for python3... no
   # configure: error: python is required when enabling python bindings
    strictDeps = false;

    nativeBuildInputs = [
      autoreconfHook
      bison
      flex
      pkg-config
      swig
      ncurses
      which
      perl
    ] ++ lib.optional withPython python;

    buildInputs = lib.optional withPerl perl
      ++ lib.optional withPython python;

    # required to build apparmor-parser
    dontDisableStatic = true;

    prePatch = prePatchCommon + ''
      substituteInPlace ./libraries/libapparmor/swig/perl/Makefile.am --replace install_vendor install_site
    '';
    inherit patches;

    postPatch = ''
      cd ./libraries/libapparmor
    '';

    # https://gitlab.com/apparmor/apparmor/issues/1
    configureFlags = [
      (lib.withFeature withPerl "perl")
      (lib.withFeature withPython "python")
    ];

    outputs = [ "out" ] ++ lib.optional withPython "python";

    postInstall = lib.optionalString withPython ''
      mkdir -p $python/lib
      mv $out/lib/python* $python/lib/
    '';

    inherit doCheck;

    meta = apparmor-meta "library";
  };

  apparmor-utils = stdenv.mkDerivation {
    pname = "apparmor-utils";
    version = apparmor-version;

    src = apparmor-sources;

    strictDeps = true;

    nativeBuildInputs = [ makeWrapper which python ];

    buildInputs = [
      bash
      perl
      python
      libapparmor
      libapparmor.python
    ];

    prePatch = prePatchCommon +
      # Do not build vim file
      lib.optionalString stdenv.hostPlatform.isMusl ''
        sed -i ./utils/Makefile -e "/\<vim\>/d"
      '' + ''
      for file in utils/apparmor/easyprof.py utils/apparmor/aa.py utils/logprof.conf; do
        substituteInPlace $file --replace "/sbin/apparmor_parser" "${apparmor-parser}/bin/apparmor_parser"
      done
    '';
    inherit patches;
    postPatch = "cd ./utils";
    makeFlags = [ "LANGS=" ];
    installFlags = [ "DESTDIR=$(out)" "BINDIR=$(out)/bin" "VIM_INSTALL_PATH=$(out)/share" "PYPREFIX=" ];

    postInstall = ''
      sed -i $out/bin/aa-unconfined -e "/my_env\['PATH'\]/d"
      for prog in aa-audit aa-autodep aa-cleanprof aa-complain aa-disable aa-enforce aa-genprof aa-logprof aa-mergeprof aa-unconfined ; do
        wrapProgram $out/bin/$prog --prefix PYTHONPATH : "$out/lib/${python.libPrefix}/site-packages:$PYTHONPATH"
      done

      substituteInPlace $out/bin/aa-notify \
        --replace /usr/bin/notify-send ${libnotify}/bin/notify-send \
        --replace /usr/bin/perl "${perl}/bin/perl -I ${libapparmor}/${perl.libPrefix}"

      substituteInPlace $out/bin/aa-remove-unknown \
       --replace "/lib/apparmor/rc.apparmor.functions" "${apparmor-parser}/lib/apparmor/rc.apparmor.functions"
      wrapProgram $out/bin/aa-remove-unknown \
       --prefix PATH : ${lib.makeBinPath [ gawk ]}

      ln -s ${aa-teardown} $out/bin/aa-teardown
    '';

    inherit doCheck;

    meta = apparmor-meta "user-land utilities" // {
      broken = !(withPython && withPerl);
    };
  };

  apparmor-bin-utils = stdenv.mkDerivation {
    pname = "apparmor-bin-utils";
    version = apparmor-version;

    src = apparmor-sources;

    nativeBuildInputs = [
      pkg-config
      libapparmor
      gawk
      which
    ];

    buildInputs = [
      libapparmor
    ];

    prePatch = prePatchCommon;
    postPatch = ''
      cd ./binutils
    '';
    makeFlags = [ "LANGS=" "USE_SYSTEM=1" ];
    installFlags = [ "DESTDIR=$(out)" "BINDIR=$(out)/bin" "SBINDIR=$(out)/bin" ];

    inherit doCheck;

    meta = apparmor-meta "binary user-land utilities";
  };

  apparmor-parser = stdenv.mkDerivation {
    name = "apparmor-parser";
    version = apparmor-version;

    src = apparmor-sources;

    nativeBuildInputs = [ bison flex which ];

    buildInputs = [ libapparmor ];

    prePatch = prePatchCommon + ''
      ## techdoc.pdf still doesn't build ...
      substituteInPlace ./parser/Makefile \
        --replace "/usr/bin/bison" "${bison}/bin/bison" \
        --replace "/usr/bin/flex" "${flex}/bin/flex" \
        --replace "/usr/include/linux/capability.h" "${linuxHeaders}/include/linux/capability.h" \
        --replace "manpages htmlmanpages pdf" "manpages htmlmanpages"
      substituteInPlace parser/rc.apparmor.functions \
       --replace "/sbin/apparmor_parser" "$out/bin/apparmor_parser"
      sed -i parser/rc.apparmor.functions -e '2i . ${./fix-rc.apparmor.functions.sh}'
    '';
    inherit patches;
    postPatch = ''
      cd ./parser
    '';
    makeFlags = [
      "LANGS=" "USE_SYSTEM=1" "INCLUDEDIR=${libapparmor}/include"
      "AR=${stdenv.cc.bintools.targetPrefix}ar"
    ];
    installFlags = [ "DESTDIR=$(out)" "DISTRO=unknown" ];

    inherit doCheck;

    meta = apparmor-meta "rule parser";
  };

  apparmor-pam = stdenv.mkDerivation {
    pname = "apparmor-pam";
    version = apparmor-version;

    src = apparmor-sources;

    nativeBuildInputs = [ pkg-config which ];

    buildInputs = [ libapparmor pam ];

    postPatch = ''
      cd ./changehat/pam_apparmor
    '';
    makeFlags = [ "USE_SYSTEM=1" ];
    installFlags = [ "DESTDIR=$(out)" ];

    inherit doCheck;

    meta = apparmor-meta "PAM service";
  };

  apparmor-profiles = stdenv.mkDerivation {
    pname = "apparmor-profiles";
    version = apparmor-version;

    src = apparmor-sources;

    nativeBuildInputs = [ which ];

    postPatch = ''
      cd ./profiles
    '';

    installFlags = [ "DESTDIR=$(out)" "EXTRAS_DEST=$(out)/share/apparmor/extra-profiles" ];

    inherit doCheck;

    meta = apparmor-meta "profiles";
  };

  apparmor-kernel-patches = stdenv.mkDerivation {
    pname = "apparmor-kernel-patches";
    version = apparmor-version;

    src = apparmor-sources;

    dontBuild = true;

    installPhase = ''
      mkdir "$out"
      cp -R ./kernel-patches/* "$out"
    '';

    inherit doCheck;

    meta = apparmor-meta "kernel patches";
  };

  # Generate generic AppArmor rules in a file,
  # from the closure of given rootPaths.
  # To be included in an AppArmor profile like so:
  # include "$(apparmorRulesFromClosure {} [pkgs.hello]}"
  apparmorRulesFromClosure =
    { # The store path of the derivation is given in $path
      additionalRules ? []
      # TODO: factorize here some other common paths
      # that may emerge from use cases.
    , baseRules ? [
        "r $path"
        "r $path/etc/**"
        "r $path/share/**"
        # Note that not all libraries are prefixed with "lib",
        # eg. glibc-2.30/lib/ld-2.30.so
        "mr $path/lib/**.so*"
        # eg. glibc-2.30/lib/gconv/gconv-modules
        "r $path/lib/**"
      ]
    , name ? ""
    }: rootPaths: runCommand
      ( "apparmor-closure-rules"
      + lib.optionalString (name != "") "-${name}" ) {} ''
    touch $out
    while read -r path
    do printf >>$out "%s,\n" ${lib.concatMapStringsSep " " (x: "\"${x}\"") (baseRules ++ additionalRules)}
    done <${closureInfo { inherit rootPaths; }}/store-paths
  '';
in
{
  inherit
    libapparmor
    apparmor-utils
    apparmor-bin-utils
    apparmor-parser
    apparmor-pam
    apparmor-profiles
    apparmor-kernel-patches
    apparmorRulesFromClosure;
}