Diffstat (limited to 'pkgs/os-specific/linux/apparmor/default.nix')
-rw-r--r--pkgs/os-specific/linux/apparmor/default.nix134
1 files changed, 88 insertions, 46 deletions
diff --git a/pkgs/os-specific/linux/apparmor/default.nix b/pkgs/os-specific/linux/apparmor/default.nix
index 807ab4fa44b..1b1fb415451 100644
--- a/pkgs/os-specific/linux/apparmor/default.nix
+++ b/pkgs/os-specific/linux/apparmor/default.nix
@@ -1,45 +1,47 @@
 { stdenv, lib, fetchurl, fetchpatch, makeWrapper, autoreconfHook
-, pkgconfig, which
+, pkg-config, which
 , flex, bison
 , linuxHeaders ? stdenv.cc.libc.linuxHeaders
 , gawk
-, withPerl ? stdenv.hostPlatform == stdenv.buildPlatform && lib.any (lib.meta.platformMatch stdenv.hostPlatform) perl.meta.platforms, perl
-, withPython ? stdenv.hostPlatform == stdenv.buildPlatform && lib.any (lib.meta.platformMatch stdenv.hostPlatform) python.meta.platforms, python
+, withPerl ? stdenv.hostPlatform == stdenv.buildPlatform && lib.meta.availableOn stdenv.hostPlatform perl, perl
+, withPython ? stdenv.hostPlatform == stdenv.buildPlatform && lib.meta.availableOn stdenv.hostPlatform python, python
 , swig
 , ncurses
 , pam
 , libnotify
 , buildPackages
+, coreutils
+, gnugrep
+, gnused
+, kmod
+, writeShellScript
+, closureInfo
+, runCommand
 }:
 
 let
-  apparmor-series = "2.13";
-  apparmor-patchver = "4";
-  apparmor-version = apparmor-series + "." + apparmor-patchver;
+  apparmor-version = "3.0.1";
 
-  apparmor-meta = component: with stdenv.lib; {
+  apparmor-meta = component: with lib; {
     homepage = "https://apparmor.net/";
     description = "A mandatory access control system - ${component}";
     license = licenses.gpl2;
-    maintainers = with maintainers; [ phreedom thoughtpolice joachifm ];
+    maintainers = with maintainers; [ joachifm julm phreedom thoughtpolice ];
     platforms = platforms.linux;
   };
 
   apparmor-sources = fetchurl {
-    url = "https://launchpad.net/apparmor/${apparmor-series}/${apparmor-version}/+download/apparmor-${apparmor-version}.tar.gz";
-    sha256 = "03nislxccnbxld89giak2s8xa4mdbwscfxbdwhmw5qpvgz08dgwh";
+    url = "https://launchpad.net/apparmor/${lib.versions.majorMinor apparmor-version}/${apparmor-version}/+download/apparmor-${apparmor-version}.tar.gz";
+    sha256 = "096zbg3v7b51x7f1ly61mzd3iy9alad6sd4lam98j2d6v5ragbcg";
   };
 
-  # See <https://gitlab.com/apparmor/apparmor/-/issues/74> This and the
-  # accompanying application in prePatchCommon should be removed in 2.13.5
-  gnumake43Patch = fetchpatch {
-    url = "https://gitlab.com/apparmor/apparmor/-/merge_requests/465.patch";
-    name = "2-23-fix-build-with-make-4.3.patch";
-    sha256 = "0xw028iqp69j9mxv0kbwraplgkj5i5djdlgf0anpkc5cdbsf96r9";
-  };
+  aa-teardown = writeShellScript "aa-teardown" ''
+    PATH="${lib.makeBinPath [coreutils gnused gnugrep]}:$PATH"
+    . ${apparmor-parser}/lib/apparmor/rc.apparmor.functions
+    remove_profiles
+  '';
 
   prePatchCommon = ''
-    patch -p1 < ${gnumake43Patch}
     chmod a+x ./common/list_capabilities.sh ./common/list_af_names.sh
     patchShebangs ./common/list_capabilities.sh ./common/list_af_names.sh
     substituteInPlace ./common/Make.rules --replace "/usr/bin/pod2man" "${buildPackages.perl}/bin/pod2man"
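Review bot: The new aa-teardown script pins only coreutils, sed and grep and then appends the caller's `$PATH`, so every other tool that the sourced rc.apparmor.functions invokes resolves from the environment of whoever runs it — for a script whose purpose is to unload every loaded profile as root, that is a lookup you would rather not leave to the caller. A fully pinned PATH is safer, e.g. `PATH="${lib.makeBinPath [coreutils gnused gnugrep gawk]}"` (the aa-remove-unknown wrapper in this same change prefixes gawk, which suggests the functions file needs it); `kmod` is newly taken as a function argument but is not referenced by any visible line, so it presumably belongs here or in fix-rc.apparmor.functions.sh. The script also runs without `set -e`, so a failed `.` of the functions file still falls through to `remove_profiles`; a leading `set -eu` would make that failure explicit.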
@@ -48,18 +50,12 @@ let
     substituteInPlace ./common/Make.rules --replace "/usr/share/man" "share/man"
   '';
 
-  patches = stdenv.lib.optionals stdenv.hostPlatform.isMusl [
+  patches = lib.optionals stdenv.hostPlatform.isMusl [
     (fetchpatch {
       url = "https://git.alpinelinux.org/aports/plain/testing/apparmor/0003-Added-missing-typedef-definitions-on-parser.patch?id=74b8427cc21f04e32030d047ae92caa618105b53";
       name = "0003-Added-missing-typedef-definitions-on-parser.patch";
       sha256 = "0yyaqz8jlmn1bm37arggprqz0njb4lhjni2d9c8qfqj0kll0bam0";
     })
-    (fetchpatch {
-      url = "https://git.alpinelinux.org/aports/plain/testing/apparmor/0007-Do-not-build-install-vim-file-with-utils-package.patch?id=74b8427cc21f04e32030d047ae92caa618105b53";
-      name = "0007-Do-not-build-install-vim-file-with-utils-package.patch";
-      sha256 = "1m4dx901biqgnr4w4wz8a2z9r9dxyw7wv6m6mqglqwf2lxinqmp4";
-    })
-    # (alpine patches {1,4,5,6,8} are needed for apparmor 2.11, but not 2.12)
     ];
 
   # Set to `true` after the next FIXME gets fixed or this gets some
@@ -76,7 +72,7 @@ let
       autoreconfHook
       bison
       flex
-      pkgconfig
+      pkg-config
       swig
       ncurses
       which
@@ -84,8 +80,8 @@ let
     ];
 
     buildInputs = []
-      ++ stdenv.lib.optional withPerl perl
-      ++ stdenv.lib.optional withPython python;
+      ++ lib.optional withPerl perl
+      ++ lib.optional withPython python;
 
     # required to build apparmor-parser
     dontDisableStatic = true;
@@ -93,21 +89,21 @@ let
     prePatch = prePatchCommon + ''
       substituteInPlace ./libraries/libapparmor/swig/perl/Makefile.am --replace install_vendor install_site
       substituteInPlace ./libraries/libapparmor/swig/perl/Makefile.in --replace install_vendor install_site
-      substituteInPlace ./libraries/libapparmor/src/Makefile.am --replace "/usr/include/netinet/in.h" "${stdenv.lib.getDev stdenv.cc.libc}/include/netinet/in.h"
-      substituteInPlace ./libraries/libapparmor/src/Makefile.in --replace "/usr/include/netinet/in.h" "${stdenv.lib.getDev stdenv.cc.libc}/include/netinet/in.h"
+      substituteInPlace ./libraries/libapparmor/src/Makefile.am --replace "/usr/include/netinet/in.h" "${lib.getDev stdenv.cc.libc}/include/netinet/in.h"
+      substituteInPlace ./libraries/libapparmor/src/Makefile.in --replace "/usr/include/netinet/in.h" "${lib.getDev stdenv.cc.libc}/include/netinet/in.h"
     '';
     inherit patches;
 
     postPatch = "cd ./libraries/libapparmor";
     # https://gitlab.com/apparmor/apparmor/issues/1
     configureFlags = [
-      (stdenv.lib.withFeature withPerl "perl")
-      (stdenv.lib.withFeature withPython "python")
+      (lib.withFeature withPerl "perl")
+      (lib.withFeature withPython "python")
     ];
 
-    outputs = [ "out" ] ++ stdenv.lib.optional withPython "python";
+    outputs = [ "out" ] ++ lib.optional withPython "python";
 
-    postInstall = stdenv.lib.optionalString withPython ''
+    postInstall = lib.optionalString withPython ''
       mkdir -p $python/lib
       mv $out/lib/python* $python/lib/
     '';
@@ -130,21 +126,36 @@ let
       libapparmor.python
     ];
 
-    prePatch = prePatchCommon;
+    prePatch = prePatchCommon +
+      # Do not build vim file
+      lib.optionalString stdenv.hostPlatform.isMusl ''
+        sed -i ./utils/Makefile -e "/\<vim\>/d"
+      '' + ''
+      substituteInPlace ./utils/apparmor/easyprof.py --replace "/sbin/apparmor_parser" "${apparmor-parser}/bin/apparmor_parser"
+      substituteInPlace ./utils/apparmor/aa.py --replace "/sbin/apparmor_parser" "${apparmor-parser}/bin/apparmor_parser"
+      substituteInPlace ./utils/logprof.conf --replace "/sbin/apparmor_parser" "${apparmor-parser}/bin/apparmor_parser"
+    '';
     inherit patches;
     postPatch = "cd ./utils";
     makeFlags = [ "LANGS=" ];
     installFlags = [ "DESTDIR=$(out)" "BINDIR=$(out)/bin" "VIM_INSTALL_PATH=$(out)/share" "PYPREFIX=" ];
 
     postInstall = ''
-      for prog in aa-audit aa-autodep aa-cleanprof aa-complain aa-disable aa-enforce aa-genprof aa-logprof aa-mergeprof aa-status aa-unconfined ; do
+      sed -i $out/bin/aa-unconfined -e "/my_env\['PATH'\]/d"
+      for prog in aa-audit aa-autodep aa-cleanprof aa-complain aa-disable aa-enforce aa-genprof aa-logprof aa-mergeprof aa-unconfined ; do
         wrapProgram $out/bin/$prog --prefix PYTHONPATH : "$out/lib/${python.libPrefix}/site-packages:$PYTHONPATH"
       done
 
-      substituteInPlace $out/bin/aa-notify --replace /usr/bin/notify-send ${libnotify}/bin/notify-send
-      # aa-notify checks its name and does not work named ".aa-notify-wrapped"
-      mv $out/bin/aa-notify $out/bin/aa-notify-wrapped
-      makeWrapper ${perl}/bin/perl $out/bin/aa-notify --set PERL5LIB ${libapparmor}/${perl.libPrefix} --add-flags $out/bin/aa-notify-wrapped
+      substituteInPlace $out/bin/aa-notify \
+        --replace /usr/bin/notify-send ${libnotify}/bin/notify-send \
+        --replace /usr/bin/perl "${perl}/bin/perl -I ${libapparmor}/${perl.libPrefix}"
+
+      substituteInPlace $out/bin/aa-remove-unknown \
+       --replace "/lib/apparmor/rc.apparmor.functions" "${apparmor-parser}/lib/apparmor/rc.apparmor.functions"
+      wrapProgram $out/bin/aa-remove-unknown \
+       --prefix PATH : ${lib.makeBinPath [gawk]}
+
+      ln -s ${aa-teardown} $out/bin/aa-teardown
     '';
 
     inherit doCheck;
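Review bot: The `sed -i $out/bin/aa-unconfined -e "/my_env\['PATH'\]/d"` line deletes the statement that, judging by its name, sets a fixed PATH for the subprocess aa-unconfined spawns, so that helper now inherits whatever PATH the (root) caller has instead of a sanitized one. If the only problem is that the upstream value lists FHS directories that do not exist on NixOS, replacing the value is safer than dropping the assignment: keep the line and instead extend the wrapper, e.g. `wrapProgram $out/bin/aa-unconfined --prefix PATH : "${lib.makeBinPath [ ... ]}"`, with the packages providing the tools it calls added as inputs (none of the visible arguments provide them, so which ones are needed has to be confirmed from the script). Relatedly, aa-remove-unknown sources the same rc.apparmor.functions as aa-teardown yet only gets gawk prefixed to PATH, while aa-teardown pins coreutils/sed/grep; the two wrappers should pin the same tool set.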
@@ -159,7 +170,7 @@ let
     src = apparmor-sources;
 
     nativeBuildInputs = [
-      pkgconfig
+      pkg-config
       libapparmor
       gawk
       which
@@ -172,7 +183,7 @@ let
     prePatch = prePatchCommon;
     postPatch = "cd ./binutils";
     makeFlags = [ "LANGS=" "USE_SYSTEM=1" ];
-    installFlags = [ "DESTDIR=$(out)" "BINDIR=$(out)/bin" ];
+    installFlags = [ "DESTDIR=$(out)" "BINDIR=$(out)/bin" "SBINDIR=$(out)/bin" ];
 
     inherit doCheck;
 
@@ -193,6 +204,9 @@ let
       substituteInPlace ./parser/Makefile --replace "/usr/include/linux/capability.h" "${linuxHeaders}/include/linux/capability.h"
       ## techdoc.pdf still doesn't build ...
       substituteInPlace ./parser/Makefile --replace "manpages htmlmanpages pdf" "manpages htmlmanpages"
+      substituteInPlace parser/rc.apparmor.functions \
+       --replace "/sbin/apparmor_parser" "$out/bin/apparmor_parser"
+      sed -i parser/rc.apparmor.functions -e '2i . ${./fix-rc.apparmor.functions.sh}'
     '';
     inherit patches;
     postPatch = "cd ./parser";
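Review bot: `substituteInPlace parser/rc.apparmor.functions --replace "/sbin/apparmor_parser" "$out/bin/apparmor_parser"` does not fail when the pattern is absent, so if a later 3.0.x release spells the parser path differently the rewrite is silently skipped and every script that sources this file (aa-teardown, aa-remove-unknown) would exec `/sbin/apparmor_parser`, which does not exist on NixOS. A guard right after the substitution makes the assumption checkable at build time: `! grep -q '/sbin/apparmor_parser' parser/rc.apparmor.functions`. The `sed -i parser/rc.apparmor.functions -e '2i . ${./fix-rc.apparmor.functions.sh}'` line also relies on line 1 of the upstream file being something that must stay first (presumably a shebang or header); a short comment saying so, and what the sourced fix file overrides, would help the next version bump.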
@@ -211,7 +225,7 @@ let
     name = "apparmor-pam-${apparmor-version}";
     src = apparmor-sources;
 
-    nativeBuildInputs = [ pkgconfig which ];
+    nativeBuildInputs = [ pkg-config which ];
 
     buildInputs = [ libapparmor pam ];
 
@@ -242,7 +256,7 @@ let
     name = "apparmor-kernel-patches-${apparmor-version}";
     src = apparmor-sources;
 
-    phases = ''unpackPhase installPhase'';
+    phases = "unpackPhase installPhase";
 
     installPhase = ''
       mkdir "$out"
@@ -254,8 +268,35 @@ let
     meta = apparmor-meta "kernel patches";
   };
 
+  # Generate generic AppArmor rules in a file,
+  # from the closure of given rootPaths.
+  # To be included in an AppArmor profile like so:
+  # include "$(apparmorRulesFromClosure {} [pkgs.hello]}"
+  apparmorRulesFromClosure =
+    { # The store path of the derivation is given in $path
+      additionalRules ? []
+      # TODO: factorize here some other common paths
+      # that may emerge from use cases.
+    , baseRules ? [
+        "r $path"
+        "r $path/etc/**"
+        "r $path/share/**"
+        # Note that not all libraries are prefixed with "lib",
+        # eg. glibc-2.30/lib/ld-2.30.so
+        "mr $path/lib/**.so*"
+        # eg. glibc-2.30/lib/gconv/gconv-modules
+        "r $path/lib/**"
+      ]
+    , name ? ""
+    }: rootPaths: runCommand
+      ( "apparmor-closure-rules"
+      + lib.optionalString (name != "") "-${name}" ) {} ''
+    touch $out
+    while read -r path
+    do printf >>$out "%s,\n" ${lib.concatMapStringsSep " " (x: "\"${x}\"") (baseRules ++ additionalRules)}
+    done <${closureInfo {inherit rootPaths;}}/store-paths
+  '';
 in
-
 {
   inherit
     libapparmor
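Review bot: The usage example in the header comment of apparmorRulesFromClosure, `include "$(apparmorRulesFromClosure {} [pkgs.hello]}"`, mixes `$(` with a closing `}` and is not valid Nix string interpolation; it should read `include "${apparmorRulesFromClosure {} [pkgs.hello]}"`. The comment should also state what the default rules grant and what they deliberately leave out: `r` on etc/, share/ and lib/ plus `mr` on shared objects for every path in the closure, but no execute permission, so a profile still has to add its own `ix`/`px` rules for the binaries it runs. Finally, each rule is emitted as a bash double-quoted word so that `$path` expands at build time; a caller-supplied rule containing `"`, `$(` or backticks would break or be executed by the build script, which deserves a one-line comment such as `# rules are bash double-quoted: only $path is meant to expand` above `baseRules`.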
@@ -264,5 +305,6 @@ in
     apparmor-parser
     apparmor-pam
     apparmor-profiles
-    apparmor-kernel-patches;
+    apparmor-kernel-patches
+    apparmorRulesFromClosure;
 }