author | Vladimír Čunát <v@cunat.cz> | 2020-10-07 11:15:18 +0200 |
committer | Vladimír Čunát <v@cunat.cz> | 2020-10-07 12:22:18 +0200 |
commit | 420f89ceb267b461eed5d025b6c3c0e57703cc5c (patch) | |
tree | 373179c02e9fd698fdb9c2b6fa1f4fd9b9a2dc87 /pkgs/os-specific/linux | |
parent | 3b0886c9af7fadcb46fc04c28cf5b79280d38371 (diff) | |
Revert "apparmor: fix and improve the service"
This reverts commit fb6d63f3fdd95a5468d43a0693c8ca7c1894363f. I really hope this finally fixes #99236: evaluation on Hydra. This time I really did check basically the same commit on Hydra: https://hydra.nixos.org/eval/1618011 Right now I don't have the energy to find what exactly is wrong in the commit, and it doesn't seem important in comparison to the nixos-unstable channel being stuck on a commit over one week old.
Diffstat (limited to 'pkgs/os-specific/linux')
-rw-r--r-- | pkgs/os-specific/linux/apparmor/default.nix | 54 | ||||
-rw-r--r-- | pkgs/os-specific/linux/apparmor/fix-rc.apparmor.functions.sh | 32 | ||||
-rw-r--r-- | pkgs/os-specific/linux/iputils/default.nix | 22 |
3 files changed, 2 insertions, 106 deletions
diff --git a/pkgs/os-specific/linux/apparmor/default.nix b/pkgs/os-specific/linux/apparmor/default.nix
index 8806f6c50d3..0e10add5561 100644
--- a/pkgs/os-specific/linux/apparmor/default.nix
+++ b/pkgs/os-specific/linux/apparmor/default.nix
@@ -10,13 +10,6 @@
 , pam
 , libnotify
 , buildPackages
-, coreutils
-, gnugrep
-, gnused
-, kmod
-, writeShellScript
-, closureInfo
-, runCommand
 }:
 
 let
@@ -45,12 +38,6 @@ let
 sha256 = "0xw028iqp69j9mxv0kbwraplgkj5i5djdlgf0anpkc5cdbsf96r9";
 };
 
- aa-teardown = writeShellScript "aa-teardown" ''
- PATH="${lib.makeBinPath [coreutils gnused gnugrep]}:$PATH"
- . ${apparmor-parser}/lib/apparmor/rc.apparmor.functions
- remove_profiles
- '';
-
 prePatchCommon = ''
 patch -p1 < ${gnumake43Patch}
 chmod a+x ./common/list_capabilities.sh ./common/list_af_names.sh
@@ -162,15 +149,6 @@ let
 # aa-notify checks its name and does not work named ".aa-notify-wrapped"
 mv $out/bin/aa-notify $out/bin/aa-notify-wrapped
 makeWrapper ${perl}/bin/perl $out/bin/aa-notify --set PERL5LIB ${libapparmor}/${perl.libPrefix} --add-flags $out/bin/aa-notify-wrapped
-
- substituteInPlace $out/bin/aa-remove-unknown \
- --replace "/usr/bin/aa-status" "$out/bin/aa-status" \
- --replace "/sbin/modprobe" "${kmod}/bin/modprobe" \
- --replace "/lib/apparmor/rc.apparmor.functions" "${apparmor-parser}/lib/apparmor/rc.apparmor.functions"
- wrapProgram $out/bin/aa-remove-unknown \
- --prefix PATH : ${lib.makeBinPath [gawk]}
-
- ln -s ${aa-teardown} $out/bin/aa-teardown
 '';
 
 inherit doCheck;
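Review bot: Dropping the `substituteInPlace $out/bin/aa-remove-unknown` block in the third hunk leaves the installed `aa-remove-unknown` script with its upstream `/usr/bin/aa-status`, `/sbin/modprobe` and `/lib/apparmor/rc.apparmor.functions` paths, which (as far as can be judged from here) do not exist on a NixOS system, so a tool that is still shipped in `$out/bin` would fail at runtime. Those three substitutions do not depend on `writeShellScript`, `closureInfo` or `runCommand` and are unrelated to the Hydra evaluation failure named in the description; only the `aa-status` and `modprobe` fixups need `kmod` kept in the first hunk's input list, and the `aa-teardown` symlink is the piece that must go with the revert. If the whole hunk has to be reverted as-is, a marker after the `aa-notify` wrapper, `# TODO: aa-remove-unknown still hard-codes FHS paths (fixup reverted with fb6d63f3)`, would keep the known breakage visible to the next maintainer. The `postInstall` string these lines belong to starts and ends outside the hunk.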
@@ -219,9 +197,6 @@ let
 substituteInPlace ./parser/Makefile --replace "/usr/include/linux/capability.h" "${linuxHeaders}/include/linux/capability.h"
 ## techdoc.pdf still doesn't build ...
 substituteInPlace ./parser/Makefile --replace "manpages htmlmanpages pdf" "manpages htmlmanpages"
- substituteInPlace parser/rc.apparmor.functions \
- --replace "/sbin/apparmor_parser" "$out/bin/apparmor_parser"
- sed -i parser/rc.apparmor.functions -e '2i . ${./fix-rc.apparmor.functions.sh}'
 '';
 inherit patches;
 postPatch = "cd ./parser";
@@ -283,32 +258,8 @@ let
 meta = apparmor-meta "kernel patches";
 };
 
- # Generate generic AppArmor rules in a file,
- # from the closure of given rootPaths.
- # To be included in an AppArmor profile like so:
- # include "$(apparmorRulesFromClosure {} [pkgs.hello]}"
- apparmorRulesFromClosure =
- { # The store path of the derivation is given in $path
- additionalRules ? []
- # TODO: factorize here some other common paths
- # that may emerge from use cases.
- , baseRules ? [
- "r $path"
- "r $path/etc/**"
- "r $path/share/**"
- # Note that not all libraries are prefixed with "lib",
- # eg. glibc-2.30/lib/ld-2.30.so
- "mr $path/lib/**.so*"
- # eg. glibc-2.30/lib/gconv/gconv-modules
- "r $path/lib/**"
- ]
- }: rootPaths: runCommand "apparmor-closure-rules" {} ''
- touch $out
- while read -r path
- do printf >>$out "%s,\n" ${lib.concatMapStringsSep " " (x: "\"${x}\"") (baseRules ++ additionalRules)}
- done <${closureInfo {inherit rootPaths;}}/store-paths
- '';
 in
+
 {
 inherit
 libapparmor
@@ -317,6 +268,5 @@ in
 apparmor-parser
 apparmor-pam
 apparmor-profiles
- apparmor-kernel-patches
- apparmorRulesFromClosure;
+ apparmor-kernel-patches;
 }
diff --git a/pkgs/os-specific/linux/apparmor/fix-rc.apparmor.functions.sh b/pkgs/os-specific/linux/apparmor/fix-rc.apparmor.functions.sh
deleted file mode 100644
index ebc1baaa92d..00000000000
--- a/pkgs/os-specific/linux/apparmor/fix-rc.apparmor.functions.sh
+++ /dev/null
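Review bot: With the `--replace "/sbin/apparmor_parser" "$out/bin/apparmor_parser"` substitution removed in the first hunk on this line, the `rc.apparmor.functions` that apparmor-parser installs again refers to `/sbin/apparmor_parser`, so anything that sources it (the reverted `aa-teardown` did, and `aa-remove-unknown` sources it through `/lib/apparmor/rc.apparmor.functions`) will presumably not find the parser on a NixOS system. That single substitution uses only `$out` and could survive the revert; it is the following `sed -i ... -e '2i . ${./fix-rc.apparmor.functions.sh}'` line that needs the deleted helper file and has to go with it. If it is reverted anyway, a comment on the remaining `substituteInPlace ./parser/Makefile` line, `# TODO: rc.apparmor.functions still hard-codes /sbin/apparmor_parser`, would record the gap. The shell string this hunk edits starts outside the hunk.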
@@ -1,32 +0,0 @@
-aa_action() {
- STRING=$1
- shift
- $*
- rc=$?
- if [ $rc -eq 0 ] ; then
- aa_log_success_msg $"$STRING "
- else
- aa_log_failure_msg $"$STRING "
- fi
- return $rc
-}
-
-aa_log_success_msg() {
- [ -n "$1" ] && echo -n $1
- echo ": done."
-}
-
-aa_log_warning_msg() {
- [ -n "$1" ] && echo -n $1
- echo ": Warning."
-}
-
-aa_log_failure_msg() {
- [ -n "$1" ] && echo -n $1
- echo ": Failed."
-}
-
-aa_log_skipped_msg() {
- [ -n "$1" ] && echo -n $1
- echo ": Skipped."
-}
diff --git a/pkgs/os-specific/linux/iputils/default.nix b/pkgs/os-specific/linux/iputils/default.nix
index b005c65684d..e12c44888a0 100644
--- a/pkgs/os-specific/linux/iputils/default.nix
+++ b/pkgs/os-specific/linux/iputils/default.nix
@@ -1,7 +1,6 @@
 { stdenv, fetchFromGitHub
 , meson, ninja, pkgconfig, gettext, libxslt, docbook_xsl_ns
 , libcap, systemd, libidn2
-, apparmorRulesFromClosure
 }:
 
 with stdenv.lib;
@@ -23,8 +22,6 @@ in stdenv.mkDerivation rec {
 sha256 = "1jhbcz75a4ij1myyyi110ma1d8d5hpm3scz9pyw7js6qym50xvh4";
 };
 
- outputs = ["out" "apparmor"];
-
 mesonFlags = [
 "-DBUILD_RARPD=true"
 "-DBUILD_TRACEROUTE6=true"
@@ -38,25 +35,6 @@ in stdenv.mkDerivation rec {
 nativeBuildInputs = [ meson ninja pkgconfig gettext libxslt.bin docbook_xsl_ns ];
 buildInputs = [ libcap systemd ] ++ optional (!stdenv.hostPlatform.isMusl) libidn2;
 
- postInstall = ''
- install -D /dev/stdin $apparmor/bin.ping <<EOF
- include <tunables/global>
- $out/bin/ping {
- include <abstractions/base>
- include <abstractions/consoles>
- include <abstractions/nameservice>
- include "${apparmorRulesFromClosure {}
- ([libcap] ++ optional (!stdenv.hostPlatform.isMusl) libidn2)}"
- include <local/bin.ping>
- capability net_raw,
- network inet raw,
- network inet6 raw,
- mr $out/bin/ping,
- r $out/share/locale/**,
- r @{PROC}/@{pid}/environ,
- }
- EOF
- '';
 meta = {
 description = "A set of small useful utilities for Linux networking"; |