From fb6d63f3fdd95a5468d43a0693c8ca7c1894363f Mon Sep 17 00:00:00 2001 From: Julien Moutinho Date: Sat, 8 Aug 2020 02:01:35 +0200 Subject: apparmor: fix and improve the service --- nixos/modules/security/apparmor/includes.nix | 301 +++++++++++++++++++++++++++ 1 file changed, 301 insertions(+) create mode 100644 nixos/modules/security/apparmor/includes.nix (limited to 'nixos/modules/security/apparmor/includes.nix') diff --git a/nixos/modules/security/apparmor/includes.nix b/nixos/modules/security/apparmor/includes.nix new file mode 100644 index 00000000000..498d7e77650 --- /dev/null +++ b/nixos/modules/security/apparmor/includes.nix @@ -0,0 +1,301 @@ +{ config, lib, pkgs, ... }: +let + inherit (builtins) attrNames hasAttr isAttrs; + inherit (lib) getLib; + inherit (config.environment) etc; + etcRule = arg: + let go = {path ? null, mode ? "r", trail ? ""}: + lib.optionalString (hasAttr path etc) + "${mode} ${config.environment.etc.${path}.source}${trail},"; + in if isAttrs arg + then go arg + else go {path=arg;}; +in +{ +# FIXME: most of the etcRule calls below have been +# written systematically by converting from apparmor-profiles's profiles +# without testing nor deep understanding of their uses, +# and thus may need more rules or can have less rules; +# this remains to be determined case by case, +# some may even be completely useless. +config.security.apparmor.includes = { + # This one is included by + # which is usualy included before any profile. + "abstractions/tunables/alias" = '' + alias /bin -> /run/current-system/sw/bin, + alias /lib/modules -> /run/current-system/kernel/lib/modules, + alias /sbin -> /run/current-system/sw/sbin, + alias /usr -> /run/current-system/sw, + ''; + "abstractions/audio" = '' + include "${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/audio" + ${etcRule "asound.conf"} + ${etcRule "esound/esd.conf"} + ${etcRule "libao.conf"} + ${etcRule {path="pulse"; trail="/";}} + ${etcRule {path="pulse"; trail="/**";}} + ${etcRule {path="sound"; trail="/";}} + ${etcRule {path="sound"; trail="/**";}} + ${etcRule {path="alsa/conf.d"; trail="/";}} + ${etcRule {path="alsa/conf.d"; trail="/*";}} + ${etcRule "openal/alsoft.conf"} + ${etcRule "wildmidi/wildmidi.conf"} + ''; + "abstractions/authentication" = '' + include "${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/authentication" + # Defined in security.pam + include + ${etcRule "nologin"} + ${etcRule "securetty"} + ${etcRule {path="security"; trail="/*";}} + ${etcRule "shadow"} + ${etcRule "gshadow"} + ${etcRule "pwdb.conf"} + ${etcRule "default/passwd"} + ${etcRule "login.defs"} + ''; + "abstractions/base" = '' + include "${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/base" + r ${pkgs.stdenv.cc.libc}/share/locale/**, + r ${pkgs.stdenv.cc.libc}/share/locale.alias, + ${lib.optionalString (pkgs.glibcLocales != null) "r ${pkgs.glibcLocales}/lib/locale/locale-archive,"} + ${etcRule "localtime"} + r ${pkgs.tzdata}/share/zoneinfo/**, + r ${pkgs.stdenv.cc.libc}/share/i18n/**, + ''; + "abstractions/bash" = '' + include "${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/bash" + # system-wide bash configuration + ${etcRule "profile.dos"} + ${etcRule "profile"} + ${etcRule "profile.d"} + ${etcRule {path="profile.d"; trail="/*";}} + ${etcRule "bashrc"} + ${etcRule "bash.bashrc"} + ${etcRule "bash.bashrc.local"} + ${etcRule "bash_completion"} + ${etcRule "bash_completion.d"} + ${etcRule {path="bash_completion.d"; trail="/*";}} + # bash relies on system-wide readline configuration + ${etcRule "inputrc"} + # bash inspects filesystems at startup + # and /etc/mtab is linked to /proc/mounts + @{PROC}/mounts + + # run out of /etc/bash.bashrc + ${etcRule "DIR_COLORS"} + ''; + "abstractions/cups-client" = '' + include "${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/cpus-client" + ${etcRule "cups/cups-client.conf"} + ''; + "abstractions/consoles" = '' + include "${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/consoles" + ''; + "abstractions/dbus-session-strict" = '' + include "${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/dbus-session-strict" + ${etcRule "machine-id"} + ''; + "abstractions/dconf" = '' + include "${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/dconf" + ${etcRule {path="dconf"; trail="/**";}} + ''; + "abstractions/dri-common" = '' + include "${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/dri-common" + ${etcRule "drirc"} + ''; + # The config.fonts.fontconfig NixOS module adds many files to /etc/fonts/ + # by symlinking them but without exporting them outside of its NixOS module, + # those are therefore added there to this "abstractions/fonts". + "abstractions/fonts" = '' + include "${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/fonts" + ${etcRule {path="fonts"; trail="/**";}} + ''; + "abstractions/gnome" = '' + include "${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/gnome" + ${etcRule {path="gnome"; trail="/gtkrc*";}} + ${etcRule {path="gtk"; trail="/*";}} + ${etcRule {path="gtk-2.0"; trail="/*";}} + ${etcRule {path="gtk-3.0"; trail="/*";}} + ${etcRule "orbitrc"} + include + ${etcRule {path="pango"; trail="/*";}} + ${etcRule {path="/etc/gnome-vfs-2.0"; trail="/modules/";}} + ${etcRule {path="/etc/gnome-vfs-2.0"; trail="/modules/*";}} + ${etcRule "papersize"} + ${etcRule {path="cups"; trail="/lpoptions";}} + ${etcRule {path="gnome"; trail="/defaults.list";}} + ${etcRule {path="xdg"; trail="/{,*-}mimeapps.list";}} + ${etcRule "xdg/mimeapps.list"} + ''; + "abstractions/kde" = '' + include "${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/kde" + ${etcRule {path="qt3"; trail="/kstylerc";}} + ${etcRule {path="qt3"; trail="/qt_plugins_3.3rc";}} + ${etcRule {path="qt3"; trail="/qtrc";}} + ${etcRule "kderc"} + ${etcRule {path="kde3"; trail="/*";}} + ${etcRule "kde4rc"} + ${etcRule {path="xdg"; trail="/kdeglobals";}} + ${etcRule {path="xdg"; trail="/Trolltech.conf";}} + ''; + "abstractions/kerberosclient" = '' + include "${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/kerberosclient" + ${etcRule {path="krb5.keytab"; mode="rk";}} + ${etcRule "krb5.conf"} + ${etcRule "krb5.conf.d"} + ${etcRule {path="krb5.conf.d"; trail="/*";}} + + # config files found via strings on libs + ${etcRule "krb.conf"} + ${etcRule "krb.realms"} + ${etcRule "srvtab"} + ''; + "abstractions/ldapclient" = '' + include "${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/ldapclient" + ${etcRule "ldap.conf"} + ${etcRule "ldap.secret"} + ${etcRule {path="openldap"; trail="/*";}} + ${etcRule {path="openldap"; trail="/cacerts/*";}} + ${etcRule {path="sasl2"; trail="/*";}} + ''; + "abstractions/likewise" = '' + include "${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/likewise" + ''; + "abstractions/mdns" = '' + include "${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/mdns" + ${etcRule "nss_mdns.conf"} + ''; + "abstractions/nameservice" = '' + include "${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/nameservice" + + # Many programs wish to perform nameservice-like operations, such as + # looking up users by name or id, groups by name or id, hosts by name + # or IP, etc. These operations may be performed through files, dns, + # NIS, NIS+, LDAP, hesiod, wins, etc. Allow them all here. + ${etcRule "group"} + ${etcRule "host.conf"} + ${etcRule "hosts"} + ${etcRule "nsswitch.conf"} + ${etcRule "gai.conf"} + ${etcRule "passwd"} + ${etcRule "protocols"} + + # libtirpc (used for NIS/YP login) needs this + ${etcRule "netconfig"} + + ${etcRule "resolv.conf"} + + ${etcRule {path="samba"; trail="/lmhosts";}} + ${etcRule "services"} + + ${etcRule "default/nss"} + + # libnl-3-200 via libnss-gw-name + ${etcRule {path="libnl"; trail="/classid";}} + ${etcRule {path="libnl-3"; trail="/classid";}} + + mr ${getLib pkgs.nss}/lib/libnss_*.so*, + mr ${getLib pkgs.nss}/lib64/libnss_*.so*, + ''; + "abstractions/nis" = '' + include "${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/nis" + ''; + "abstractions/nvidia" = '' + include "${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/nvidia" + ${etcRule "vdpau_wrapper.cfg"} + ''; + "abstractions/opencl-common" = '' + include "${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/opencl-common" + ${etcRule {path="OpenCL"; trail="/**";}} + ''; + "abstractions/opencl-mesa" = '' + include "${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/opencl-mesa" + ${etcRule "default/drirc"} + ''; + "abstractions/openssl" = '' + include "${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/openssl" + ${etcRule {path="ssl"; trail="/openssl.cnf";}} + ''; + "abstractions/p11-kit" = '' + include "${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/p11-kit" + ${etcRule {path="pkcs11"; trail="/";}} + ${etcRule {path="pkcs11"; trail="/pkcs11.conf";}} + ${etcRule {path="pkcs11"; trail="/modules/";}} + ${etcRule {path="pkcs11"; trail="/modules/*";}} + ''; + "abstractions/perl" = '' + include "${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/perl" + ${etcRule {path="perl"; trail="/**";}} + ''; + "abstractions/php" = '' + include "${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/php" + ${etcRule {path="php"; trail="/**/";}} + ${etcRule {path="php5"; trail="/**/";}} + ${etcRule {path="php7"; trail="/**/";}} + ${etcRule {path="php"; trail="/**.ini";}} + ${etcRule {path="php5"; trail="/**.ini";}} + ${etcRule {path="php7"; trail="/**.ini";}} + ''; + "abstractions/postfix-common" = '' + include "${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/postfix-common" + ${etcRule "mailname"} + ${etcRule {path="postfix"; trail="/*.cf";}} + ${etcRule "postfix/main.cf"} + ${etcRule "postfix/master.cf"} + ''; + "abstractions/python" = '' + include "${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/python" + ''; + "abstractions/qt5" = '' + include "${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/qt5" + ${etcRule {path="xdg"; trail="/QtProject/qtlogging.ini";}} + ${etcRule {path="xdg/QtProject"; trail="/qtlogging.ini";}} + ${etcRule "xdg/QtProject/qtlogging.ini"} + ''; + "abstractions/samba" = '' + include "${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/samba" + ${etcRule {path="samba"; trail="/*";}} + ''; + "abstractions/ssl_certs" = '' + include "${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/ssl_certs" + ${etcRule "ssl/certs/ca-certificates.crt"} + ${etcRule "ssl/certs/ca-bundle.crt"} + ${etcRule "pki/tls/certs/ca-bundle.crt"} + + ${etcRule {path="ssl/trust"; trail="/";}} + ${etcRule {path="ssl/trust"; trail="/*";}} + ${etcRule {path="ssl/trust/anchors"; trail="/";}} + ${etcRule {path="ssl/trust/anchors"; trail="/**";}} + ${etcRule {path="pki/trust"; trail="/";}} + ${etcRule {path="pki/trust"; trail="/*";}} + ${etcRule {path="pki/trust/anchors"; trail="/";}} + ${etcRule {path="pki/trust/anchors"; trail="/**";}} + + # security.acme NixOS module + r /var/lib/acme/*/cert.pem, + r /var/lib/acme/*/chain.pem, + r /var/lib/acme/*/fullchain.pem, + ''; + "abstractions/ssl_keys" = '' + # security.acme NixOS module + r /var/lib/acme/*/full.pem, + r /var/lib/acme/*/key.pem, + ''; + "abstractions/vulkan" = '' + include "${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/vulkan" + ${etcRule {path="vulkan/icd.d"; trail="/";}} + ${etcRule {path="vulkan/icd.d"; trail="/*.json";}} + ''; + "abstractions/winbind" = '' + include "${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/winbind" + ${etcRule {path="samba"; trail="/smb.conf";}} + ${etcRule {path="samba"; trail="/dhcp.conf";}} + ''; + "abstractions/X" = '' + include "${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/X" + ${etcRule {path="X11/cursors"; trail="/";}} + ${etcRule {path="X11/cursors"; trail="/**";}} + ''; +}; +} -- cgit 1.4.1 From 420f89ceb267b461eed5d025b6c3c0e57703cc5c Mon Sep 17 00:00:00 2001 From: Vladimír Čunát Date: Wed, 7 Oct 2020 11:15:18 +0200 Subject: Revert "apparmor: fix and improve the service" This reverts commit fb6d63f3fdd95a5468d43a0693c8ca7c1894363f. I really hope this finally fixes #99236: evaluation on Hydra. This time I really did check basically the same commit on Hydra: https://hydra.nixos.org/eval/1618011 Right now I don't have energy to find what exactly is wrong in the commit, and it doesn't seem important in comparison to nixos-unstable channel being stuck on a commit over one week old. --- maintainers/maintainer-list.nix | 2 +- nixos/doc/manual/release-notes/rl-2009.xml | 18 -- nixos/modules/config/fonts/fontconfig.nix | 34 --- nixos/modules/config/malloc.nix | 7 - nixos/modules/module-list.nix | 1 + nixos/modules/security/apparmor-suid.nix | 49 ++++ nixos/modules/security/apparmor.nix | 241 ++++------------- nixos/modules/security/apparmor/includes.nix | 301 --------------------- nixos/modules/security/apparmor/profiles.nix | 11 - nixos/modules/security/pam.nix | 55 ---- nixos/modules/security/wrappers/default.nix | 8 - nixos/modules/services/torrent/transmission.nix | 63 ++++- nixos/modules/tasks/network-interfaces.nix | 15 - nixos/modules/virtualisation/lxc.nix | 12 +- nixos/modules/virtualisation/lxd.nix | 12 +- pkgs/os-specific/linux/apparmor/default.nix | 54 +--- .../linux/apparmor/fix-rc.apparmor.functions.sh | 32 --- pkgs/os-specific/linux/iputils/default.nix | 22 -- pkgs/tools/networking/inetutils/default.nix | 22 +- pkgs/top-level/all-packages.nix | 2 +- 20 files changed, 167 insertions(+), 794 deletions(-) create mode 100644 nixos/modules/security/apparmor-suid.nix delete mode 100644 nixos/modules/security/apparmor/includes.nix delete mode 100644 nixos/modules/security/apparmor/profiles.nix delete mode 100644 pkgs/os-specific/linux/apparmor/fix-rc.apparmor.functions.sh (limited to 'nixos/modules/security/apparmor/includes.nix') diff --git a/maintainers/maintainer-list.nix b/maintainers/maintainer-list.nix index 57d075c1549..8dd51baed53 100644 --- a/maintainers/maintainer-list.nix +++ b/maintainers/maintainer-list.nix @@ -4251,7 +4251,7 @@ name = "Julien Dehos"; }; julm = { - email = "julm+nixpkgs@sourcephile.fr"; + email = "julm+nix@sourcephile.fr"; github = "ju1m"; githubId = 21160136; name = "Julien Moutinho"; diff --git a/nixos/doc/manual/release-notes/rl-2009.xml b/nixos/doc/manual/release-notes/rl-2009.xml index d6e5826fda1..c50bc58ca45 100644 --- a/nixos/doc/manual/release-notes/rl-2009.xml +++ b/nixos/doc/manual/release-notes/rl-2009.xml @@ -1009,24 +1009,6 @@ services.transmission.settings.rpc-bind-address = "0.0.0.0"; to get the previous behavior of listening on all network interfaces. - - - The security.apparmor module, - for the AppArmor - Mandatory Access Control system, - has been substantialy improved along with related tools, - so that module maintainers can now more easily write AppArmor profiles for NixOS. - The most notable change on the user-side is the new option , - replacing the previous profiles option - to provide a way to disable a profile - and to select whether to confine in enforce mode (default) - or in complain mode (see journalctl -b --grep apparmor). - Before enabling this module, either directly - or by importing <nixpkgs/nixos/modules/profiles/hardened.nix>, - please be sure to read the documentation of security.apparmor.enable, - and especially the part about . - - With this release systemd-networkd (when enabled through ) diff --git a/nixos/modules/config/fonts/fontconfig.nix b/nixos/modules/config/fonts/fontconfig.nix index 97607134bb1..5b681ca5946 100644 --- a/nixos/modules/config/fonts/fontconfig.nix +++ b/nixos/modules/config/fonts/fontconfig.nix @@ -448,40 +448,6 @@ in (mkIf cfg.enable { environment.systemPackages = [ pkgs.fontconfig ]; environment.etc.fonts.source = "${fontconfigEtc}/etc/fonts/"; - security.apparmor.includes."abstractions/fonts" = '' - # fonts.conf - r ${pkg.out}/etc/fonts/fonts.conf, - - # fontconfig default config files - r ${pkg.out}/etc/fonts/conf.d/*.conf, - - # 00-nixos-cache.conf - r ${cacheConf}, - - # 10-nixos-rendering.conf - r ${renderConf}, - - # 50-user.conf - ${optionalString cfg.includeUserConf '' - r ${pkg.out}/etc/fonts/conf.d.bak/50-user.conf, - ''} - - # local.conf (indirect priority 51) - ${optionalString (cfg.localConf != "") '' - r ${localConf}, - ''} - - # 52-nixos-default-fonts.conf - r ${defaultFontsConf}, - - # 53-no-bitmaps.conf - r ${rejectBitmaps}, - - ${optionalString (!cfg.allowType1) '' - # 53-nixos-reject-type1.conf - r ${rejectType1}, - ''} - ''; }) (mkIf cfg.enable { fonts.fontconfig.confPackages = [ confPkg ]; diff --git a/nixos/modules/config/malloc.nix b/nixos/modules/config/malloc.nix index 5c5752ef515..31a659ee83f 100644 --- a/nixos/modules/config/malloc.nix +++ b/nixos/modules/config/malloc.nix @@ -87,12 +87,5 @@ in environment.etc."ld-nix.so.preload".text = '' ${providerLibPath} ''; - security.apparmor.includes = { - "abstractions/base" = '' - r /etc/ld-nix.so.preload, - r ${config.environment.etc."ld-nix.so.preload".source}, - mr ${providerLibPath}, - ''; - }; }; } diff --git a/nixos/modules/module-list.nix b/nixos/modules/module-list.nix index 76263a32138..9ed87b018a7 100644 --- a/nixos/modules/module-list.nix +++ b/nixos/modules/module-list.nix @@ -186,6 +186,7 @@ ./rename.nix ./security/acme.nix ./security/apparmor.nix + ./security/apparmor-suid.nix ./security/audit.nix ./security/auditd.nix ./security/ca.nix diff --git a/nixos/modules/security/apparmor-suid.nix b/nixos/modules/security/apparmor-suid.nix new file mode 100644 index 00000000000..6c479e070e2 --- /dev/null +++ b/nixos/modules/security/apparmor-suid.nix @@ -0,0 +1,49 @@ +{ config, lib, pkgs, ... }: +let + cfg = config.security.apparmor; +in +with lib; +{ + imports = [ + (mkRenamedOptionModule [ "security" "virtualization" "flushL1DataCache" ] [ "security" "virtualisation" "flushL1DataCache" ]) + ]; + + options.security.apparmor.confineSUIDApplications = mkOption { + type = types.bool; + default = true; + description = '' + Install AppArmor profiles for commonly-used SUID application + to mitigate potential privilege escalation attacks due to bugs + in such applications. + + Currently available profiles: ping + ''; + }; + + config = mkIf (cfg.confineSUIDApplications) { + security.apparmor.profiles = [ (pkgs.writeText "ping" '' + #include + /run/wrappers/bin/ping { + #include + #include + #include + + capability net_raw, + capability setuid, + network inet raw, + + ${pkgs.stdenv.cc.libc.out}/lib/*.so mr, + ${pkgs.libcap.lib}/lib/libcap.so* mr, + ${pkgs.attr.out}/lib/libattr.so* mr, + + ${pkgs.iputils}/bin/ping mixr, + + #/etc/modules.conf r, + + ## Site-specific additions and overrides. See local/README for details. + ##include + } + '') ]; + }; + +} diff --git a/nixos/modules/security/apparmor.nix b/nixos/modules/security/apparmor.nix index 3bf1e0fefc3..cfc65b347bc 100644 --- a/nixos/modules/security/apparmor.nix +++ b/nixos/modules/security/apparmor.nix @@ -1,198 +1,59 @@ { config, lib, pkgs, ... }: let - inherit (builtins) attrNames head map match readFile; - inherit (lib) types; - inherit (config.environment) etc; + inherit (lib) mkIf mkOption types concatMapStrings; cfg = config.security.apparmor; - mkDisableOption = name: lib.mkEnableOption name // { - default = true; - example = false; - }; - enabledPolicies = lib.filterAttrs (n: p: p.enable) cfg.policies; in { - imports = [ - (lib.mkRenamedOptionModule [ "security" "virtualization" "flushL1DataCache" ] [ "security" "virtualisation" "flushL1DataCache" ]) - (lib.mkRemovedOptionModule [ "security" "apparmor" "confineSUIDApplications" ] "Please use the new options: `security.apparmor.policies..enable'.") - (lib.mkRemovedOptionModule [ "security" "apparmor" "profiles" ] "Please use the new option: `security.apparmor.policies'.") - apparmor/includes.nix - apparmor/profiles.nix - ]; - - options = { - security.apparmor = { - enable = lib.mkEnableOption ''the AppArmor Mandatory Access Control system. - - If you're enabling this module on a running system, - note that a reboot will be required to activate AppArmor in the kernel. - - Also, beware that enabling this module will by default - try to kill unconfined but confinable running processes, - in order to obtain a confinement matching what is declared in the NixOS configuration. - This will happen when upgrading to a NixOS revision - introducing an AppArmor profile for the executable of a running process. - This is because enabling an AppArmor profile for an executable - can only confine new or already confined processes of that executable, - but leaves already running processes unconfined. - Set killUnconfinedConfinables - to false if you prefer to leave those processes running''; - policies = lib.mkOption { - description = '' - AppArmor policies. - ''; - type = types.attrsOf (types.submodule ({ name, config, ... }: { - options = { - enable = mkDisableOption "loading of the profile into the kernel"; - enforce = mkDisableOption "enforcing of the policy or only complain in the logs"; - profile = lib.mkOption { - description = "The policy of the profile."; - type = types.lines; - apply = pkgs.writeText name; - }; - }; - })); - default = {}; - }; - includes = lib.mkOption { - type = types.attrsOf types.lines; - default = {}; - description = '' - List of paths to be added to AppArmor's searched paths - when resolving include directives. - ''; - apply = lib.mapAttrs pkgs.writeText; - }; - packages = lib.mkOption { - type = types.listOf types.package; - default = []; - description = "List of packages to be added to AppArmor's include path"; - }; - enableCache = lib.mkEnableOption ''caching of AppArmor policies - in /var/cache/apparmor/. - - Beware that AppArmor policies almost always contain Nix store paths, - and thus produce at each change of these paths - a new cached version accumulating in the cache''; - killUnconfinedConfinables = mkDisableOption ''killing of processes - which have an AppArmor profile enabled - (in policies) - but are not confined (because AppArmor can only confine new processes). - Beware that due to a current limitation of AppArmor, - only profiles with exact paths (and no name) can enable such kills''; - }; - }; - - config = lib.mkIf cfg.enable { - assertions = map (policy: - { assertion = match ".*/.*" policy == null; - message = "`security.apparmor.policies.\"${policy}\"' must not contain a slash."; - # Because, for instance, aa-remove-unknown uses profiles_names_list() in rc.apparmor.functions - # which does not recurse into sub-directories. - } - ) (attrNames cfg.policies); - - environment.systemPackages = [ pkgs.apparmor-utils ]; - environment.etc."apparmor.d".source = pkgs.linkFarm "apparmor.d" ( - # It's important to put only enabledPolicies here and not all cfg.policies - # because aa-remove-unknown reads profiles from all /etc/apparmor.d/* - lib.mapAttrsToList (name: p: {inherit name; path=p.profile;}) enabledPolicies ++ - lib.mapAttrsToList (name: path: {inherit name path;}) cfg.includes - ); - environment.etc."apparmor/parser.conf".text = '' - ${if cfg.enableCache then "write-cache" else "skip-cache"} - cache-loc /var/cache/apparmor - Include /etc/apparmor.d - '' + - lib.concatMapStrings (p: "Include ${p}/etc/apparmor.d\n") cfg.packages; - # For aa-logprof - environment.etc."apparmor/apparmor.conf".text = '' - ''; - # For aa-logprof - environment.etc."apparmor/severity.db".source = pkgs.apparmor-utils + "/etc/apparmor/severity.db"; - environment.etc."apparmor/logprof.conf".text = '' - [settings] - # /etc/apparmor.d/ is read-only on NixOS - profiledir = /var/cache/apparmor/logprof - inactive_profiledir = /etc/apparmor.d/disable - # Use: journalctl -b --since today --grep audit: | aa-logprof - logfiles = /dev/stdin - - parser = ${pkgs.apparmor-parser}/bin/apparmor_parser - ldd = ${pkgs.glibc.bin}/bin/ldd - logger = ${pkgs.utillinux}/bin/logger - - # customize how file ownership permissions are presented - # 0 - off - # 1 - default of what ever mode the log reported - # 2 - force the new permissions to be user - # 3 - force all perms on the rule to be user - default_owner_prompt = 1 - - custom_includes = /etc/apparmor.d ${lib.concatMapStringsSep " " (p: "${p}/etc/apparmor.d") cfg.packages} - - [qualifiers] - ${pkgs.runtimeShell} = icnu - ${pkgs.bashInteractive}/bin/sh = icnu - ${pkgs.bashInteractive}/bin/bash = icnu - '' + head (match "^.*\\[qualifiers](.*)" # Drop the original [settings] section. - (readFile "${pkgs.apparmor-utils}/etc/apparmor/logprof.conf")); - - boot.kernelParams = [ "apparmor=1" "security=apparmor" ]; - - systemd.services.apparmor = { - after = [ - "local-fs.target" - "systemd-journald-audit.socket" - ]; - before = [ "sysinit.target" ]; - wantedBy = [ "multi-user.target" ]; - unitConfig = { - Description="Load AppArmor policies"; - DefaultDependencies = "no"; - ConditionSecurity = "apparmor"; - }; - # Reloading instead of restarting enables to load new AppArmor profiles - # without necessarily restarting all services which have Requires=apparmor.service - reloadIfChanged = true; - restartTriggers = [ - etc."apparmor/parser.conf".source - etc."apparmor.d".source - ]; - serviceConfig = let - killUnconfinedConfinables = pkgs.writeShellScript "apparmor-kill" '' - set -eu - ${pkgs.apparmor-utils}/bin/aa-status --json | - ${pkgs.jq}/bin/jq --raw-output '.processes | .[] | .[] | select (.status == "unconfined") | .pid' | - xargs --verbose --no-run-if-empty --delimiter='\n' \ - kill - ''; - commonOpts = p: "--verbose --show-cache ${lib.optionalString (!p.enforce) "--complain "}${p.profile}"; - in { - Type = "oneshot"; - RemainAfterExit = "yes"; - ExecStartPre = "${pkgs.apparmor-utils}/bin/aa-teardown"; - ExecStart = lib.mapAttrsToList (n: p: "${pkgs.apparmor-parser}/bin/apparmor_parser --add ${commonOpts p}") enabledPolicies; - ExecStartPost = lib.optional cfg.killUnconfinedConfinables killUnconfinedConfinables; - ExecReload = - # Add or replace into the kernel profiles in enabledPolicies - # (because AppArmor can do that without stopping the processes already confined). - lib.mapAttrsToList (n: p: "${pkgs.apparmor-parser}/bin/apparmor_parser --replace ${commonOpts p}") enabledPolicies ++ - # Remove from the kernel any profile whose name is not - # one of the names within the content of the profiles in enabledPolicies - # (indirectly read from /etc/apparmor.d/*, without recursing into sub-directory). - # Note that this does not remove profiles dynamically generated by libvirt. - [ "${pkgs.apparmor-utils}/bin/aa-remove-unknown" ] ++ - # Optionaly kill the processes which are unconfined but now have a profile loaded - # (because AppArmor can only start to confine new processes). - lib.optional cfg.killUnconfinedConfinables killUnconfinedConfinables; - ExecStop = "${pkgs.apparmor-utils}/bin/aa-teardown"; - CacheDirectory = [ "apparmor" "apparmor/logprof" ]; - CacheDirectoryMode = "0700"; - }; - }; - }; - - meta.maintainers = with lib.maintainers; [ julm ]; + options = { + security.apparmor = { + enable = mkOption { + type = types.bool; + default = false; + description = "Enable the AppArmor Mandatory Access Control system."; + }; + profiles = mkOption { + type = types.listOf types.path; + default = []; + description = "List of files containing AppArmor profiles."; + }; + packages = mkOption { + type = types.listOf types.package; + default = []; + description = "List of packages to be added to apparmor's include path"; + }; + }; + }; + + config = mkIf cfg.enable { + environment.systemPackages = [ pkgs.apparmor-utils ]; + + boot.kernelParams = [ "apparmor=1" "security=apparmor" ]; + + systemd.services.apparmor = let + paths = concatMapStrings (s: " -I ${s}/etc/apparmor.d") + ([ pkgs.apparmor-profiles ] ++ cfg.packages); + in { + after = [ "local-fs.target" ]; + before = [ "sysinit.target" ]; + wantedBy = [ "multi-user.target" ]; + unitConfig = { + DefaultDependencies = "no"; + }; + serviceConfig = { + Type = "oneshot"; + RemainAfterExit = "yes"; + ExecStart = map (p: + ''${pkgs.apparmor-parser}/bin/apparmor_parser -rKv ${paths} "${p}"'' + ) cfg.profiles; + ExecStop = map (p: + ''${pkgs.apparmor-parser}/bin/apparmor_parser -Rv "${p}"'' + ) cfg.profiles; + ExecReload = map (p: + ''${pkgs.apparmor-parser}/bin/apparmor_parser --reload ${paths} "${p}"'' + ) cfg.profiles; + }; + }; + }; } diff --git a/nixos/modules/security/apparmor/includes.nix b/nixos/modules/security/apparmor/includes.nix deleted file mode 100644 index 498d7e77650..00000000000 --- a/nixos/modules/security/apparmor/includes.nix +++ /dev/null @@ -1,301 +0,0 @@ -{ config, lib, pkgs, ... }: -let - inherit (builtins) attrNames hasAttr isAttrs; - inherit (lib) getLib; - inherit (config.environment) etc; - etcRule = arg: - let go = {path ? null, mode ? "r", trail ? ""}: - lib.optionalString (hasAttr path etc) - "${mode} ${config.environment.etc.${path}.source}${trail},"; - in if isAttrs arg - then go arg - else go {path=arg;}; -in -{ -# FIXME: most of the etcRule calls below have been -# written systematically by converting from apparmor-profiles's profiles -# without testing nor deep understanding of their uses, -# and thus may need more rules or can have less rules; -# this remains to be determined case by case, -# some may even be completely useless. -config.security.apparmor.includes = { - # This one is included by - # which is usualy included before any profile. - "abstractions/tunables/alias" = '' - alias /bin -> /run/current-system/sw/bin, - alias /lib/modules -> /run/current-system/kernel/lib/modules, - alias /sbin -> /run/current-system/sw/sbin, - alias /usr -> /run/current-system/sw, - ''; - "abstractions/audio" = '' - include "${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/audio" - ${etcRule "asound.conf"} - ${etcRule "esound/esd.conf"} - ${etcRule "libao.conf"} - ${etcRule {path="pulse"; trail="/";}} - ${etcRule {path="pulse"; trail="/**";}} - ${etcRule {path="sound"; trail="/";}} - ${etcRule {path="sound"; trail="/**";}} - ${etcRule {path="alsa/conf.d"; trail="/";}} - ${etcRule {path="alsa/conf.d"; trail="/*";}} - ${etcRule "openal/alsoft.conf"} - ${etcRule "wildmidi/wildmidi.conf"} - ''; - "abstractions/authentication" = '' - include "${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/authentication" - # Defined in security.pam - include - ${etcRule "nologin"} - ${etcRule "securetty"} - ${etcRule {path="security"; trail="/*";}} - ${etcRule "shadow"} - ${etcRule "gshadow"} - ${etcRule "pwdb.conf"} - ${etcRule "default/passwd"} - ${etcRule "login.defs"} - ''; - "abstractions/base" = '' - include "${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/base" - r ${pkgs.stdenv.cc.libc}/share/locale/**, - r ${pkgs.stdenv.cc.libc}/share/locale.alias, - ${lib.optionalString (pkgs.glibcLocales != null) "r ${pkgs.glibcLocales}/lib/locale/locale-archive,"} - ${etcRule "localtime"} - r ${pkgs.tzdata}/share/zoneinfo/**, - r ${pkgs.stdenv.cc.libc}/share/i18n/**, - ''; - "abstractions/bash" = '' - include "${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/bash" - # system-wide bash configuration - ${etcRule "profile.dos"} - ${etcRule "profile"} - ${etcRule "profile.d"} - ${etcRule {path="profile.d"; trail="/*";}} - ${etcRule "bashrc"} - ${etcRule "bash.bashrc"} - ${etcRule "bash.bashrc.local"} - ${etcRule "bash_completion"} - ${etcRule "bash_completion.d"} - ${etcRule {path="bash_completion.d"; trail="/*";}} - # bash relies on system-wide readline configuration - ${etcRule "inputrc"} - # bash inspects filesystems at startup - # and /etc/mtab is linked to /proc/mounts - @{PROC}/mounts - - # run out of /etc/bash.bashrc - ${etcRule "DIR_COLORS"} - ''; - "abstractions/cups-client" = '' - include "${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/cpus-client" - ${etcRule "cups/cups-client.conf"} - ''; - "abstractions/consoles" = '' - include "${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/consoles" - ''; - "abstractions/dbus-session-strict" = '' - include "${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/dbus-session-strict" - ${etcRule "machine-id"} - ''; - "abstractions/dconf" = '' - include "${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/dconf" - ${etcRule {path="dconf"; trail="/**";}} - ''; - "abstractions/dri-common" = '' - include "${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/dri-common" - ${etcRule "drirc"} - ''; - # The config.fonts.fontconfig NixOS module adds many files to /etc/fonts/ - # by symlinking them but without exporting them outside of its NixOS module, - # those are therefore added there to this "abstractions/fonts". - "abstractions/fonts" = '' - include "${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/fonts" - ${etcRule {path="fonts"; trail="/**";}} - ''; - "abstractions/gnome" = '' - include "${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/gnome" - ${etcRule {path="gnome"; trail="/gtkrc*";}} - ${etcRule {path="gtk"; trail="/*";}} - ${etcRule {path="gtk-2.0"; trail="/*";}} - ${etcRule {path="gtk-3.0"; trail="/*";}} - ${etcRule "orbitrc"} - include - ${etcRule {path="pango"; trail="/*";}} - ${etcRule {path="/etc/gnome-vfs-2.0"; trail="/modules/";}} - ${etcRule {path="/etc/gnome-vfs-2.0"; trail="/modules/*";}} - ${etcRule "papersize"} - ${etcRule {path="cups"; trail="/lpoptions";}} - ${etcRule {path="gnome"; trail="/defaults.list";}} - ${etcRule {path="xdg"; trail="/{,*-}mimeapps.list";}} - ${etcRule "xdg/mimeapps.list"} - ''; - "abstractions/kde" = '' - include "${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/kde" - ${etcRule {path="qt3"; trail="/kstylerc";}} - ${etcRule {path="qt3"; trail="/qt_plugins_3.3rc";}} - ${etcRule {path="qt3"; trail="/qtrc";}} - ${etcRule "kderc"} - ${etcRule {path="kde3"; trail="/*";}} - ${etcRule "kde4rc"} - ${etcRule {path="xdg"; trail="/kdeglobals";}} - ${etcRule {path="xdg"; trail="/Trolltech.conf";}} - ''; - "abstractions/kerberosclient" = '' - include "${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/kerberosclient" - ${etcRule {path="krb5.keytab"; mode="rk";}} - ${etcRule "krb5.conf"} - ${etcRule "krb5.conf.d"} - ${etcRule {path="krb5.conf.d"; trail="/*";}} - - # config files found via strings on libs - ${etcRule "krb.conf"} - ${etcRule "krb.realms"} - ${etcRule "srvtab"} - ''; - "abstractions/ldapclient" = '' - include "${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/ldapclient" - ${etcRule "ldap.conf"} - ${etcRule "ldap.secret"} - ${etcRule {path="openldap"; trail="/*";}} - ${etcRule {path="openldap"; trail="/cacerts/*";}} - ${etcRule {path="sasl2"; trail="/*";}} - ''; - "abstractions/likewise" = '' - include "${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/likewise" - ''; - "abstractions/mdns" = '' - include "${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/mdns" - ${etcRule "nss_mdns.conf"} - ''; - "abstractions/nameservice" = '' - include "${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/nameservice" - - # Many programs wish to perform nameservice-like operations, such as - # looking up users by name or id, groups by name or id, hosts by name - # or IP, etc. These operations may be performed through files, dns, - # NIS, NIS+, LDAP, hesiod, wins, etc. Allow them all here. - ${etcRule "group"} - ${etcRule "host.conf"} - ${etcRule "hosts"} - ${etcRule "nsswitch.conf"} - ${etcRule "gai.conf"} - ${etcRule "passwd"} - ${etcRule "protocols"} - - # libtirpc (used for NIS/YP login) needs this - ${etcRule "netconfig"} - - ${etcRule "resolv.conf"} - - ${etcRule {path="samba"; trail="/lmhosts";}} - ${etcRule "services"} - - ${etcRule "default/nss"} - - # libnl-3-200 via libnss-gw-name - ${etcRule {path="libnl"; trail="/classid";}} - ${etcRule {path="libnl-3"; trail="/classid";}} - - mr ${getLib pkgs.nss}/lib/libnss_*.so*, - mr ${getLib pkgs.nss}/lib64/libnss_*.so*, - ''; - "abstractions/nis" = '' - include "${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/nis" - ''; - "abstractions/nvidia" = '' - include "${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/nvidia" - ${etcRule "vdpau_wrapper.cfg"} - ''; - "abstractions/opencl-common" = '' - include "${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/opencl-common" - ${etcRule {path="OpenCL"; trail="/**";}} - ''; - "abstractions/opencl-mesa" = '' - include "${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/opencl-mesa" - ${etcRule "default/drirc"} - ''; - "abstractions/openssl" = '' - include "${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/openssl" - ${etcRule {path="ssl"; trail="/openssl.cnf";}} - ''; - "abstractions/p11-kit" = '' - include "${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/p11-kit" - ${etcRule {path="pkcs11"; trail="/";}} - ${etcRule {path="pkcs11"; trail="/pkcs11.conf";}} - ${etcRule {path="pkcs11"; trail="/modules/";}} - ${etcRule {path="pkcs11"; trail="/modules/*";}} - ''; - "abstractions/perl" = '' - include "${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/perl" - ${etcRule {path="perl"; trail="/**";}} - ''; - "abstractions/php" = '' - include "${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/php" - ${etcRule {path="php"; trail="/**/";}} - ${etcRule {path="php5"; trail="/**/";}} - ${etcRule {path="php7"; trail="/**/";}} - ${etcRule {path="php"; trail="/**.ini";}} - ${etcRule {path="php5"; trail="/**.ini";}} - ${etcRule {path="php7"; trail="/**.ini";}} - ''; - "abstractions/postfix-common" = '' - include "${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/postfix-common" - ${etcRule "mailname"} - ${etcRule {path="postfix"; trail="/*.cf";}} - ${etcRule "postfix/main.cf"} - ${etcRule "postfix/master.cf"} - ''; - "abstractions/python" = '' - include "${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/python" - ''; - "abstractions/qt5" = '' - include "${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/qt5" - ${etcRule {path="xdg"; trail="/QtProject/qtlogging.ini";}} - ${etcRule {path="xdg/QtProject"; trail="/qtlogging.ini";}} - ${etcRule "xdg/QtProject/qtlogging.ini"} - ''; - "abstractions/samba" = '' - include "${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/samba" - ${etcRule {path="samba"; trail="/*";}} - ''; - "abstractions/ssl_certs" = '' - include "${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/ssl_certs" - ${etcRule "ssl/certs/ca-certificates.crt"} - ${etcRule "ssl/certs/ca-bundle.crt"} - ${etcRule "pki/tls/certs/ca-bundle.crt"} - - ${etcRule {path="ssl/trust"; trail="/";}} - ${etcRule {path="ssl/trust"; trail="/*";}} - ${etcRule {path="ssl/trust/anchors"; trail="/";}} - ${etcRule {path="ssl/trust/anchors"; trail="/**";}} - ${etcRule {path="pki/trust"; trail="/";}} - ${etcRule {path="pki/trust"; trail="/*";}} - ${etcRule {path="pki/trust/anchors"; trail="/";}} - ${etcRule {path="pki/trust/anchors"; trail="/**";}} - - # security.acme NixOS module - r /var/lib/acme/*/cert.pem, - r /var/lib/acme/*/chain.pem, - r /var/lib/acme/*/fullchain.pem, - ''; - "abstractions/ssl_keys" = '' - # security.acme NixOS module - r /var/lib/acme/*/full.pem, - r /var/lib/acme/*/key.pem, - ''; - "abstractions/vulkan" = '' - include "${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/vulkan" - ${etcRule {path="vulkan/icd.d"; trail="/";}} - ${etcRule {path="vulkan/icd.d"; trail="/*.json";}} - ''; - "abstractions/winbind" = '' - include "${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/winbind" - ${etcRule {path="samba"; trail="/smb.conf";}} - ${etcRule {path="samba"; trail="/dhcp.conf";}} - ''; - "abstractions/X" = '' - include "${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/X" - ${etcRule {path="X11/cursors"; trail="/";}} - ${etcRule {path="X11/cursors"; trail="/**";}} - ''; -}; -} diff --git a/nixos/modules/security/apparmor/profiles.nix b/nixos/modules/security/apparmor/profiles.nix deleted file mode 100644 index 8eb630b5a48..00000000000 --- a/nixos/modules/security/apparmor/profiles.nix +++ /dev/null @@ -1,11 +0,0 @@ -{ config, lib, pkgs, ... }: -let apparmor = config.security.apparmor; in -{ -config.security.apparmor.packages = [ pkgs.apparmor-profiles ]; -config.security.apparmor.policies."bin.ping".profile = lib.mkIf apparmor.policies."bin.ping".enable '' - include "${pkgs.iputils.apparmor}/bin.ping" - include "${pkgs.inetutils.apparmor}/bin.ping" - # Note that including those two profiles in the same profile - # would not work if the second one were to re-include . -''; -} diff --git a/nixos/modules/security/pam.nix b/nixos/modules/security/pam.nix index 4e1bec91ff3..7ae26804317 100644 --- a/nixos/modules/security/pam.nix +++ b/nixos/modules/security/pam.nix @@ -834,61 +834,6 @@ in runuser-l = { rootOK = true; unixAuth = false; }; }; - security.apparmor.includes."abstractions/pam" = let - isEnabled = test: fold or false (map test (attrValues config.security.pam.services)); - in '' - ${lib.concatMapStringsSep "\n" - (name: "r ${config.environment.etc."pam.d/${name}".source},") - (attrNames config.security.pam.services)} - mr ${getLib pkgs.pam}/lib/security/pam_filter/*, - mr ${getLib pkgs.pam}/lib/security/pam_*.so, - r ${getLib pkgs.pam}/lib/security/, - ${optionalString use_ldap - "mr ${pam_ldap}/lib/security/pam_ldap.so,"} - ${optionalString config.services.sssd.enable - "mr ${pkgs.sssd}/lib/security/pam_sss.so,"} - ${optionalString config.krb5.enable '' - mr ${pam_krb5}/lib/security/pam_krb5.so, - mr ${pam_ccreds}/lib/security/pam_ccreds.so, - ''} - ${optionalString (isEnabled (cfg: cfg.googleOsLoginAccountVerification)) '' - mr ${pkgs.google-compute-engine-oslogin}/lib/pam_oslogin_login.so, - mr ${pkgs.google-compute-engine-oslogin}/lib/pam_oslogin_admin.so, - ''} - ${optionalString (isEnabled (cfg: cfg.googleOsLoginAuthentication)) - "mr ${pkgs.google-compute-engine-oslogin}/lib/pam_oslogin_login.so,"} - ${optionalString (config.security.pam.enableSSHAgentAuth && isEnabled (cfg: cfg.sshAgentAuth)) - "mr ${pkgs.pam_ssh_agent_auth}/libexec/pam_ssh_agent_auth.so,"} - ${optionalString (isEnabled (cfg: cfg.fprintAuth)) - "mr ${pkgs.fprintd}/lib/security/pam_fprintd.so,"} - ${optionalString (isEnabled (cfg: cfg.u2fAuth)) - "mr ${pkgs.pam_u2f}/lib/security/pam_u2f.so,"} - ${optionalString (isEnabled (cfg: cfg.usbAuth)) - "mr ${pkgs.pam_usb}/lib/security/pam_usb.so,"} - ${optionalString (isEnabled (cfg: cfg.oathAuth)) - "mr ${pkgs.oathToolkit}/lib/security/pam_oath.so,"} - ${optionalString (isEnabled (cfg: cfg.yubicoAuth)) - "mr ${pkgs.yubico-pam}/lib/security/pam_yubico.so,"} - ${optionalString (isEnabled (cfg: cfg.duoSecurity.enable)) - "mr ${pkgs.duo-unix}/lib/security/pam_duo.so,"} - ${optionalString (isEnabled (cfg: cfg.otpwAuth)) - "mr ${pkgs.otpw}/lib/security/pam_otpw.so,"} - ${optionalString config.security.pam.enableEcryptfs - "mr ${pkgs.ecryptfs}/lib/security/pam_ecryptfs.so,"} - ${optionalString (isEnabled (cfg: cfg.pamMount)) - "mr ${pkgs.pam_mount}/lib/security/pam_mount.so,"} - ${optionalString (isEnabled (cfg: cfg.enableGnomeKeyring)) - "mr ${pkgs.gnome3.gnome-keyring}/lib/security/pam_gnome_keyring.so,"} - ${optionalString (isEnabled (cfg: cfg.startSession)) - "mr ${pkgs.systemd}/lib/security/pam_systemd.so,"} - ${optionalString (isEnabled (cfg: cfg.enableAppArmor) && config.security.apparmor.enable) - "mr ${pkgs.apparmor-pam}/lib/security/pam_apparmor.so,"} - ${optionalString (isEnabled (cfg: cfg.enableKwallet)) - "mr ${pkgs.plasma5.kwallet-pam}/lib/security/pam_kwallet5.so,"} - ${optionalString config.virtualisation.lxc.lxcfs.enable - "mr ${pkgs.lxc}/lib/security/pam_cgfs.so"} - ''; - }; } diff --git a/nixos/modules/security/wrappers/default.nix b/nixos/modules/security/wrappers/default.nix index f560f5c7628..52de21bca9b 100644 --- a/nixos/modules/security/wrappers/default.nix +++ b/nixos/modules/security/wrappers/default.nix @@ -179,14 +179,6 @@ in export PATH="${wrapperDir}:$PATH" ''; - security.apparmor.includes."nixos/security.wrappers" = '' - include "${pkgs.apparmorRulesFromClosure {} [ - securityWrapper - pkgs.stdenv.cc.cc - pkgs.stdenv.cc.libc - ]}" - ''; - ###### setcap activation script system.activationScripts.wrappers = lib.stringAfter [ "specialfs" "users" ] diff --git a/nixos/modules/services/torrent/transmission.nix b/nixos/modules/services/torrent/transmission.nix index 57982c20ccd..014a22bb5a8 100644 --- a/nixos/modules/services/torrent/transmission.nix +++ b/nixos/modules/services/torrent/transmission.nix @@ -5,7 +5,7 @@ with lib; let cfg = config.services.transmission; inherit (config.environment) etc; - apparmor = config.security.apparmor; + apparmor = config.security.apparmor.enable; rootDir = "/run/transmission"; homeDir = "/var/lib/transmission"; settingsDir = ".config/transmission-daemon"; @@ -184,8 +184,8 @@ in systemd.services.transmission = { description = "Transmission BitTorrent Service"; - after = [ "network.target" ] ++ optional apparmor.enable "apparmor.service"; - requires = optional apparmor.enable "apparmor.service"; + after = [ "network.target" ] ++ optional apparmor "apparmor.service"; + requires = optional apparmor "apparmor.service"; wantedBy = [ "multi-user.target" ]; environment.CURL_CA_BUNDLE = etc."ssl/certs/ca-certificates.crt".source; @@ -357,21 +357,61 @@ in }) ]; - security.apparmor.policies."bin.transmission-daemon".profile = '' + security.apparmor.profiles = mkIf apparmor [ + (pkgs.writeText "apparmor-transmission-daemon" '' include + ${pkgs.transmission}/bin/transmission-daemon { include include - include - include "${pkgs.apparmorRulesFromClosure {} [pkgs.transmission]}" - include + + # NOTE: https://github.com/NixOS/nixpkgs/pull/93457 + # will remove the need for these by fixing + r ${etc."hosts".source}, + r /etc/ld-nix.so.preload, + ${lib.optionalString (builtins.hasAttr "ld-nix.so.preload" etc) '' + r ${etc."ld-nix.so.preload".source}, + ${concatMapStrings (p: optionalString (p != "") ("mr ${p},\n")) + (splitString "\n" config.environment.etc."ld-nix.so.preload".text)} + ''} + r ${etc."ssl/certs/ca-certificates.crt".source}, + r ${pkgs.tzdata}/share/zoneinfo/**, + r ${pkgs.stdenv.cc.libc}/share/i18n/**, + r ${pkgs.stdenv.cc.libc}/share/locale/**, + + mr ${getLib pkgs.stdenv.cc.cc}/lib/*.so*, + mr ${getLib pkgs.stdenv.cc.libc}/lib/*.so*, + mr ${getLib pkgs.attr}/lib/libattr*.so*, + mr ${getLib pkgs.c-ares}/lib/libcares*.so*, + mr ${getLib pkgs.curl}/lib/libcurl*.so*, + mr ${getLib pkgs.keyutils}/lib/libkeyutils*.so*, + mr ${getLib pkgs.libcap}/lib/libcap*.so*, + mr ${getLib pkgs.libevent}/lib/libevent*.so*, + mr ${getLib pkgs.libgcrypt}/lib/libgcrypt*.so*, + mr ${getLib pkgs.libgpgerror}/lib/libgpg-error*.so*, + mr ${getLib pkgs.libkrb5}/lib/lib*.so*, + mr ${getLib pkgs.libssh2}/lib/libssh2*.so*, + mr ${getLib pkgs.lz4}/lib/liblz4*.so*, + mr ${getLib pkgs.nghttp2}/lib/libnghttp2*.so*, + mr ${getLib pkgs.openssl}/lib/libcrypto*.so*, + mr ${getLib pkgs.openssl}/lib/libssl*.so*, + mr ${getLib pkgs.systemd}/lib/libsystemd*.so*, + mr ${getLib pkgs.utillinuxMinimal.out}/lib/libblkid.so*, + mr ${getLib pkgs.utillinuxMinimal.out}/lib/libmount.so*, + mr ${getLib pkgs.utillinuxMinimal.out}/lib/libuuid.so*, + mr ${getLib pkgs.xz}/lib/liblzma*.so*, + mr ${getLib pkgs.zlib}/lib/libz*.so*, r @{PROC}/sys/kernel/random/uuid, r @{PROC}/sys/vm/overcommit_memory, - r @{PROC}/@{pid}/environ, + # @{pid} is not a kernel variable yet but a regexp + #r @{PROC}/@{pid}/environ, r @{PROC}/@{pid}/mounts, rwk /tmp/tr_session_id_*, + + r ${pkgs.openssl.out}/etc/**, r ${config.systemd.services.transmission.environment.CURL_CA_BUNDLE}, + r ${pkgs.transmission}/share/transmission/**, owner rw ${cfg.home}/${settingsDir}/**, rw ${cfg.settings.download-dir}/**, @@ -399,9 +439,12 @@ in # https://gitlab.com/apparmor/apparmor/-/wikis/AppArmorStacking#seccomp-and-no_new_privs px ${cfg.settings.script-torrent-done-filename} -> &@{dirs}, ''} + + # FIXME: enable customizing using https://github.com/NixOS/nixpkgs/pull/93457 + # include } - ''; - security.apparmor.includes."local/bin.transmission-daemon" = ""; + '') + ]; }; meta.maintainers = with lib.maintainers; [ julm ]; diff --git a/nixos/modules/tasks/network-interfaces.nix b/nixos/modules/tasks/network-interfaces.nix index b956f49c036..d369aab5457 100644 --- a/nixos/modules/tasks/network-interfaces.nix +++ b/nixos/modules/tasks/network-interfaces.nix @@ -1090,21 +1090,6 @@ in } else { ping.source = "${pkgs.iputils.out}/bin/ping"; }; - security.apparmor.policies."bin.ping".profile = lib.mkIf config.security.apparmor.policies."bin.ping".enable (lib.mkAfter '' - /run/wrappers/bin/ping { - include - include - rpx /run/wrappers/wrappers.*/ping, - } - /run/wrappers/wrappers.*/ping { - include - include - r /run/wrappers/wrappers.*/ping.real, - mrpx ${config.security.wrappers.ping.source}, - capability net_raw, - capability setpcap, - } - ''); # Set the host and domain names in the activation script. Don't # clear it if it's not configured in the NixOS configuration, diff --git a/nixos/modules/virtualisation/lxc.nix b/nixos/modules/virtualisation/lxc.nix index 0f8b22a45df..f484d5ee59a 100644 --- a/nixos/modules/virtualisation/lxc.nix +++ b/nixos/modules/virtualisation/lxc.nix @@ -74,13 +74,9 @@ in systemd.tmpfiles.rules = [ "d /var/lib/lxc/rootfs 0755 root root -" ]; security.apparmor.packages = [ pkgs.lxc ]; - security.apparmor.policies = { - "bin.lxc-start".profile = '' - include ${pkgs.lxc}/etc/apparmor.d/usr.bin.lxc-start - ''; - "lxc-containers".profile = '' - include ${pkgs.lxc}/etc/apparmor.d/lxc-containers - ''; - }; + security.apparmor.profiles = [ + "${pkgs.lxc}/etc/apparmor.d/lxc-containers" + "${pkgs.lxc}/etc/apparmor.d/usr.bin.lxc-start" + ]; }; } diff --git a/nixos/modules/virtualisation/lxd.nix b/nixos/modules/virtualisation/lxd.nix index 876956f654b..3958fc2c1d7 100644 --- a/nixos/modules/virtualisation/lxd.nix +++ b/nixos/modules/virtualisation/lxd.nix @@ -93,15 +93,11 @@ in security.apparmor = { enable = true; + profiles = [ + "${cfg.lxcPackage}/etc/apparmor.d/usr.bin.lxc-start" + "${cfg.lxcPackage}/etc/apparmor.d/lxc-containers" + ]; packages = [ cfg.lxcPackage ]; - policies = { - "bin.lxc-start".profile = '' - include ${cfg.lxcPackage}/etc/apparmor.d/usr.bin.lxc-start - ''; - "lxc-containers".profile = '' - include ${cfg.lxcPackage}/etc/apparmor.d/lxc-containers - ''; - }; }; systemd.services.lxd = { diff --git a/pkgs/os-specific/linux/apparmor/default.nix b/pkgs/os-specific/linux/apparmor/default.nix index 8806f6c50d3..0e10add5561 100644 --- a/pkgs/os-specific/linux/apparmor/default.nix +++ b/pkgs/os-specific/linux/apparmor/default.nix @@ -10,13 +10,6 @@ , pam , libnotify , buildPackages -, coreutils -, gnugrep -, gnused -, kmod -, writeShellScript -, closureInfo -, runCommand }: let @@ -45,12 +38,6 @@ let sha256 = "0xw028iqp69j9mxv0kbwraplgkj5i5djdlgf0anpkc5cdbsf96r9"; }; - aa-teardown = writeShellScript "aa-teardown" '' - PATH="${lib.makeBinPath [coreutils gnused gnugrep]}:$PATH" - . ${apparmor-parser}/lib/apparmor/rc.apparmor.functions - remove_profiles - ''; - prePatchCommon = '' patch -p1 < ${gnumake43Patch} chmod a+x ./common/list_capabilities.sh ./common/list_af_names.sh @@ -162,15 +149,6 @@ let # aa-notify checks its name and does not work named ".aa-notify-wrapped" mv $out/bin/aa-notify $out/bin/aa-notify-wrapped makeWrapper ${perl}/bin/perl $out/bin/aa-notify --set PERL5LIB ${libapparmor}/${perl.libPrefix} --add-flags $out/bin/aa-notify-wrapped - - substituteInPlace $out/bin/aa-remove-unknown \ - --replace "/usr/bin/aa-status" "$out/bin/aa-status" \ - --replace "/sbin/modprobe" "${kmod}/bin/modprobe" \ - --replace "/lib/apparmor/rc.apparmor.functions" "${apparmor-parser}/lib/apparmor/rc.apparmor.functions" - wrapProgram $out/bin/aa-remove-unknown \ - --prefix PATH : ${lib.makeBinPath [gawk]} - - ln -s ${aa-teardown} $out/bin/aa-teardown ''; inherit doCheck; @@ -219,9 +197,6 @@ let substituteInPlace ./parser/Makefile --replace "/usr/include/linux/capability.h" "${linuxHeaders}/include/linux/capability.h" ## techdoc.pdf still doesn't build ... substituteInPlace ./parser/Makefile --replace "manpages htmlmanpages pdf" "manpages htmlmanpages" - substituteInPlace parser/rc.apparmor.functions \ - --replace "/sbin/apparmor_parser" "$out/bin/apparmor_parser" - sed -i parser/rc.apparmor.functions -e '2i . ${./fix-rc.apparmor.functions.sh}' ''; inherit patches; postPatch = "cd ./parser"; @@ -283,32 +258,8 @@ let meta = apparmor-meta "kernel patches"; }; - # Generate generic AppArmor rules in a file, - # from the closure of given rootPaths. - # To be included in an AppArmor profile like so: - # include "$(apparmorRulesFromClosure {} [pkgs.hello]}" - apparmorRulesFromClosure = - { # The store path of the derivation is given in $path - additionalRules ? [] - # TODO: factorize here some other common paths - # that may emerge from use cases. - , baseRules ? [ - "r $path" - "r $path/etc/**" - "r $path/share/**" - # Note that not all libraries are prefixed with "lib", - # eg. glibc-2.30/lib/ld-2.30.so - "mr $path/lib/**.so*" - # eg. glibc-2.30/lib/gconv/gconv-modules - "r $path/lib/**" - ] - }: rootPaths: runCommand "apparmor-closure-rules" {} '' - touch $out - while read -r path - do printf >>$out "%s,\n" ${lib.concatMapStringsSep " " (x: "\"${x}\"") (baseRules ++ additionalRules)} - done <${closureInfo {inherit rootPaths;}}/store-paths - ''; in + { inherit libapparmor @@ -317,6 +268,5 @@ in apparmor-parser apparmor-pam apparmor-profiles - apparmor-kernel-patches - apparmorRulesFromClosure; + apparmor-kernel-patches; } diff --git a/pkgs/os-specific/linux/apparmor/fix-rc.apparmor.functions.sh b/pkgs/os-specific/linux/apparmor/fix-rc.apparmor.functions.sh deleted file mode 100644 index ebc1baaa92d..00000000000 --- a/pkgs/os-specific/linux/apparmor/fix-rc.apparmor.functions.sh +++ /dev/null @@ -1,32 +0,0 @@ -aa_action() { - STRING=$1 - shift - $* - rc=$? - if [ $rc -eq 0 ] ; then - aa_log_success_msg $"$STRING " - else - aa_log_failure_msg $"$STRING " - fi - return $rc -} - -aa_log_success_msg() { - [ -n "$1" ] && echo -n $1 - echo ": done." -} - -aa_log_warning_msg() { - [ -n "$1" ] && echo -n $1 - echo ": Warning." -} - -aa_log_failure_msg() { - [ -n "$1" ] && echo -n $1 - echo ": Failed." -} - -aa_log_skipped_msg() { - [ -n "$1" ] && echo -n $1 - echo ": Skipped." -} diff --git a/pkgs/os-specific/linux/iputils/default.nix b/pkgs/os-specific/linux/iputils/default.nix index b005c65684d..e12c44888a0 100644 --- a/pkgs/os-specific/linux/iputils/default.nix +++ b/pkgs/os-specific/linux/iputils/default.nix @@ -1,7 +1,6 @@ { stdenv, fetchFromGitHub , meson, ninja, pkgconfig, gettext, libxslt, docbook_xsl_ns , libcap, systemd, libidn2 -, apparmorRulesFromClosure }: with stdenv.lib; @@ -23,8 +22,6 @@ in stdenv.mkDerivation rec { sha256 = "1jhbcz75a4ij1myyyi110ma1d8d5hpm3scz9pyw7js6qym50xvh4"; }; - outputs = ["out" "apparmor"]; - mesonFlags = [ "-DBUILD_RARPD=true" "-DBUILD_TRACEROUTE6=true" @@ -38,25 +35,6 @@ in stdenv.mkDerivation rec { nativeBuildInputs = [ meson ninja pkgconfig gettext libxslt.bin docbook_xsl_ns ]; buildInputs = [ libcap systemd ] ++ optional (!stdenv.hostPlatform.isMusl) libidn2; - postInstall = '' - install -D /dev/stdin $apparmor/bin.ping < - $out/bin/ping { - include - include - include - include "${apparmorRulesFromClosure {} - ([libcap] ++ optional (!stdenv.hostPlatform.isMusl) libidn2)}" - include - capability net_raw, - network inet raw, - network inet6 raw, - mr $out/bin/ping, - r $out/share/locale/**, - r @{PROC}/@{pid}/environ, - } - EOF - ''; meta = { description = "A set of small useful utilities for Linux networking"; diff --git a/pkgs/tools/networking/inetutils/default.nix b/pkgs/tools/networking/inetutils/default.nix index bcc4237f434..1290ec2bdb1 100644 --- a/pkgs/tools/networking/inetutils/default.nix +++ b/pkgs/tools/networking/inetutils/default.nix @@ -1,6 +1,4 @@ -{ stdenv, lib, fetchurl, ncurses, perl, help2man -, apparmorRulesFromClosure -}: +{ stdenv, lib, fetchurl, ncurses, perl, help2man }: stdenv.mkDerivation rec { name = "inetutils-1.9.4"; @@ -10,8 +8,6 @@ stdenv.mkDerivation rec { sha256 = "05n65k4ixl85dc6rxc51b1b732gnmm8xnqi424dy9f1nz7ppb3xy"; }; - outputs = ["out" "apparmor"]; - patches = [ ./whois-Update-Canadian-TLD-server.patch ./service-name.patch @@ -45,22 +41,6 @@ stdenv.mkDerivation rec { installFlags = [ "SUIDMODE=" ]; - postInstall = '' - install -D /dev/stdin $apparmor/bin.ping < - include - include - include "${apparmorRulesFromClosure {} [stdenv.cc.libc]}" - include - capability net_raw, - network inet raw, - network inet6 raw, - mr $out/bin/ping, - } - EOF - ''; - meta = with lib; { description = "Collection of common network programs"; diff --git a/pkgs/top-level/all-packages.nix b/pkgs/top-level/all-packages.nix index 28544314acc..c60cfea4e87 100644 --- a/pkgs/top-level/all-packages.nix +++ b/pkgs/top-level/all-packages.nix @@ -17357,7 +17357,7 @@ in inherit (callPackages ../os-specific/linux/apparmor { python = python3; }) libapparmor apparmor-utils apparmor-bin-utils apparmor-parser apparmor-pam - apparmor-profiles apparmor-kernel-patches apparmorRulesFromClosure; + apparmor-profiles apparmor-kernel-patches; atop = callPackage ../os-specific/linux/atop { }; -- cgit 1.4.1 From 05d334cfe265f021b16c41375e3e5a4c4a07fc74 Mon Sep 17 00:00:00 2001 From: Julien Moutinho Date: Sun, 18 Oct 2020 15:36:24 +0200 Subject: Revert "Revert "apparmor: fix and improve the service"" This reverts commit 420f89ceb267b461eed5d025b6c3c0e57703cc5c. --- maintainers/maintainer-list.nix | 2 +- nixos/doc/manual/release-notes/rl-2009.xml | 18 ++ nixos/modules/config/fonts/fontconfig.nix | 34 +++ nixos/modules/config/malloc.nix | 7 + nixos/modules/module-list.nix | 1 - nixos/modules/security/apparmor-suid.nix | 49 ---- nixos/modules/security/apparmor.nix | 241 +++++++++++++---- nixos/modules/security/apparmor/includes.nix | 301 +++++++++++++++++++++ nixos/modules/security/apparmor/profiles.nix | 11 + nixos/modules/security/pam.nix | 55 ++++ nixos/modules/security/wrappers/default.nix | 8 + nixos/modules/services/torrent/transmission.nix | 63 +---- nixos/modules/tasks/network-interfaces.nix | 15 + nixos/modules/virtualisation/lxc.nix | 12 +- nixos/modules/virtualisation/lxd.nix | 16 +- pkgs/os-specific/linux/apparmor/default.nix | 64 ++++- .../linux/apparmor/fix-rc.apparmor.functions.sh | 32 +++ pkgs/os-specific/linux/iputils/default.nix | 22 ++ pkgs/tools/networking/inetutils/default.nix | 22 +- pkgs/top-level/all-packages.nix | 2 +- 20 files changed, 808 insertions(+), 167 deletions(-) delete mode 100644 nixos/modules/security/apparmor-suid.nix create mode 100644 nixos/modules/security/apparmor/includes.nix create mode 100644 nixos/modules/security/apparmor/profiles.nix create mode 100644 pkgs/os-specific/linux/apparmor/fix-rc.apparmor.functions.sh (limited to 'nixos/modules/security/apparmor/includes.nix') diff --git a/maintainers/maintainer-list.nix b/maintainers/maintainer-list.nix index b8de823c9af..e0256e98a2b 100644 --- a/maintainers/maintainer-list.nix +++ b/maintainers/maintainer-list.nix @@ -4937,7 +4937,7 @@ name = "Julien Dehos"; }; julm = { - email = "julm+nix@sourcephile.fr"; + email = "julm+nixpkgs@sourcephile.fr"; github = "ju1m"; githubId = 21160136; name = "Julien Moutinho"; diff --git a/nixos/doc/manual/release-notes/rl-2009.xml b/nixos/doc/manual/release-notes/rl-2009.xml index 49446afdead..1f1e785021b 100644 --- a/nixos/doc/manual/release-notes/rl-2009.xml +++ b/nixos/doc/manual/release-notes/rl-2009.xml @@ -1513,6 +1513,24 @@ services.transmission.settings.rpc-bind-address = "0.0.0.0"; to get the previous behavior of listening on all network interfaces. + + + The security.apparmor module, + for the AppArmor + Mandatory Access Control system, + has been substantialy improved along with related tools, + so that module maintainers can now more easily write AppArmor profiles for NixOS. + The most notable change on the user-side is the new option , + replacing the previous profiles option + to provide a way to disable a profile + and to select whether to confine in enforce mode (default) + or in complain mode (see journalctl -b --grep apparmor). + Before enabling this module, either directly + or by importing <nixpkgs/nixos/modules/profiles/hardened.nix>, + please be sure to read the documentation of security.apparmor.enable, + and especially the part about . + + With this release systemd-networkd (when enabled through ) diff --git a/nixos/modules/config/fonts/fontconfig.nix b/nixos/modules/config/fonts/fontconfig.nix index 6e7b8c4b88a..72827c5abaa 100644 --- a/nixos/modules/config/fonts/fontconfig.nix +++ b/nixos/modules/config/fonts/fontconfig.nix @@ -448,6 +448,40 @@ in (mkIf cfg.enable { environment.systemPackages = [ pkgs.fontconfig ]; environment.etc.fonts.source = "${fontconfigEtc}/etc/fonts/"; + security.apparmor.includes."abstractions/fonts" = '' + # fonts.conf + r ${pkg.out}/etc/fonts/fonts.conf, + + # fontconfig default config files + r ${pkg.out}/etc/fonts/conf.d/*.conf, + + # 00-nixos-cache.conf + r ${cacheConf}, + + # 10-nixos-rendering.conf + r ${renderConf}, + + # 50-user.conf + ${optionalString cfg.includeUserConf '' + r ${pkg.out}/etc/fonts/conf.d.bak/50-user.conf, + ''} + + # local.conf (indirect priority 51) + ${optionalString (cfg.localConf != "") '' + r ${localConf}, + ''} + + # 52-nixos-default-fonts.conf + r ${defaultFontsConf}, + + # 53-no-bitmaps.conf + r ${rejectBitmaps}, + + ${optionalString (!cfg.allowType1) '' + # 53-nixos-reject-type1.conf + r ${rejectType1}, + ''} + ''; }) (mkIf cfg.enable { fonts.fontconfig.confPackages = [ confPkg ]; diff --git a/nixos/modules/config/malloc.nix b/nixos/modules/config/malloc.nix index a3eb55d8a42..fc35993b5a8 100644 --- a/nixos/modules/config/malloc.nix +++ b/nixos/modules/config/malloc.nix @@ -87,5 +87,12 @@ in environment.etc."ld-nix.so.preload".text = '' ${providerLibPath} ''; + security.apparmor.includes = { + "abstractions/base" = '' + r /etc/ld-nix.so.preload, + r ${config.environment.etc."ld-nix.so.preload".source}, + mr ${providerLibPath}, + ''; + }; }; } diff --git a/nixos/modules/module-list.nix b/nixos/modules/module-list.nix index 0cd0659d1da..220515fb2ea 100644 --- a/nixos/modules/module-list.nix +++ b/nixos/modules/module-list.nix @@ -205,7 +205,6 @@ ./rename.nix ./security/acme.nix ./security/apparmor.nix - ./security/apparmor-suid.nix ./security/audit.nix ./security/auditd.nix ./security/ca.nix diff --git a/nixos/modules/security/apparmor-suid.nix b/nixos/modules/security/apparmor-suid.nix deleted file mode 100644 index 6c479e070e2..00000000000 --- a/nixos/modules/security/apparmor-suid.nix +++ /dev/null @@ -1,49 +0,0 @@ -{ config, lib, pkgs, ... }: -let - cfg = config.security.apparmor; -in -with lib; -{ - imports = [ - (mkRenamedOptionModule [ "security" "virtualization" "flushL1DataCache" ] [ "security" "virtualisation" "flushL1DataCache" ]) - ]; - - options.security.apparmor.confineSUIDApplications = mkOption { - type = types.bool; - default = true; - description = '' - Install AppArmor profiles for commonly-used SUID application - to mitigate potential privilege escalation attacks due to bugs - in such applications. - - Currently available profiles: ping - ''; - }; - - config = mkIf (cfg.confineSUIDApplications) { - security.apparmor.profiles = [ (pkgs.writeText "ping" '' - #include - /run/wrappers/bin/ping { - #include - #include - #include - - capability net_raw, - capability setuid, - network inet raw, - - ${pkgs.stdenv.cc.libc.out}/lib/*.so mr, - ${pkgs.libcap.lib}/lib/libcap.so* mr, - ${pkgs.attr.out}/lib/libattr.so* mr, - - ${pkgs.iputils}/bin/ping mixr, - - #/etc/modules.conf r, - - ## Site-specific additions and overrides. See local/README for details. - ##include - } - '') ]; - }; - -} diff --git a/nixos/modules/security/apparmor.nix b/nixos/modules/security/apparmor.nix index cfc65b347bc..3bf1e0fefc3 100644 --- a/nixos/modules/security/apparmor.nix +++ b/nixos/modules/security/apparmor.nix @@ -1,59 +1,198 @@ { config, lib, pkgs, ... }: let - inherit (lib) mkIf mkOption types concatMapStrings; + inherit (builtins) attrNames head map match readFile; + inherit (lib) types; + inherit (config.environment) etc; cfg = config.security.apparmor; + mkDisableOption = name: lib.mkEnableOption name // { + default = true; + example = false; + }; + enabledPolicies = lib.filterAttrs (n: p: p.enable) cfg.policies; in { - options = { - security.apparmor = { - enable = mkOption { - type = types.bool; - default = false; - description = "Enable the AppArmor Mandatory Access Control system."; - }; - profiles = mkOption { - type = types.listOf types.path; - default = []; - description = "List of files containing AppArmor profiles."; - }; - packages = mkOption { - type = types.listOf types.package; - default = []; - description = "List of packages to be added to apparmor's include path"; - }; - }; - }; - - config = mkIf cfg.enable { - environment.systemPackages = [ pkgs.apparmor-utils ]; - - boot.kernelParams = [ "apparmor=1" "security=apparmor" ]; - - systemd.services.apparmor = let - paths = concatMapStrings (s: " -I ${s}/etc/apparmor.d") - ([ pkgs.apparmor-profiles ] ++ cfg.packages); - in { - after = [ "local-fs.target" ]; - before = [ "sysinit.target" ]; - wantedBy = [ "multi-user.target" ]; - unitConfig = { - DefaultDependencies = "no"; - }; - serviceConfig = { - Type = "oneshot"; - RemainAfterExit = "yes"; - ExecStart = map (p: - ''${pkgs.apparmor-parser}/bin/apparmor_parser -rKv ${paths} "${p}"'' - ) cfg.profiles; - ExecStop = map (p: - ''${pkgs.apparmor-parser}/bin/apparmor_parser -Rv "${p}"'' - ) cfg.profiles; - ExecReload = map (p: - ''${pkgs.apparmor-parser}/bin/apparmor_parser --reload ${paths} "${p}"'' - ) cfg.profiles; - }; - }; - }; + imports = [ + (lib.mkRenamedOptionModule [ "security" "virtualization" "flushL1DataCache" ] [ "security" "virtualisation" "flushL1DataCache" ]) + (lib.mkRemovedOptionModule [ "security" "apparmor" "confineSUIDApplications" ] "Please use the new options: `security.apparmor.policies..enable'.") + (lib.mkRemovedOptionModule [ "security" "apparmor" "profiles" ] "Please use the new option: `security.apparmor.policies'.") + apparmor/includes.nix + apparmor/profiles.nix + ]; + + options = { + security.apparmor = { + enable = lib.mkEnableOption ''the AppArmor Mandatory Access Control system. + + If you're enabling this module on a running system, + note that a reboot will be required to activate AppArmor in the kernel. + + Also, beware that enabling this module will by default + try to kill unconfined but confinable running processes, + in order to obtain a confinement matching what is declared in the NixOS configuration. + This will happen when upgrading to a NixOS revision + introducing an AppArmor profile for the executable of a running process. + This is because enabling an AppArmor profile for an executable + can only confine new or already confined processes of that executable, + but leaves already running processes unconfined. + Set killUnconfinedConfinables + to false if you prefer to leave those processes running''; + policies = lib.mkOption { + description = '' + AppArmor policies. + ''; + type = types.attrsOf (types.submodule ({ name, config, ... }: { + options = { + enable = mkDisableOption "loading of the profile into the kernel"; + enforce = mkDisableOption "enforcing of the policy or only complain in the logs"; + profile = lib.mkOption { + description = "The policy of the profile."; + type = types.lines; + apply = pkgs.writeText name; + }; + }; + })); + default = {}; + }; + includes = lib.mkOption { + type = types.attrsOf types.lines; + default = {}; + description = '' + List of paths to be added to AppArmor's searched paths + when resolving include directives. + ''; + apply = lib.mapAttrs pkgs.writeText; + }; + packages = lib.mkOption { + type = types.listOf types.package; + default = []; + description = "List of packages to be added to AppArmor's include path"; + }; + enableCache = lib.mkEnableOption ''caching of AppArmor policies + in /var/cache/apparmor/. + + Beware that AppArmor policies almost always contain Nix store paths, + and thus produce at each change of these paths + a new cached version accumulating in the cache''; + killUnconfinedConfinables = mkDisableOption ''killing of processes + which have an AppArmor profile enabled + (in policies) + but are not confined (because AppArmor can only confine new processes). + Beware that due to a current limitation of AppArmor, + only profiles with exact paths (and no name) can enable such kills''; + }; + }; + + config = lib.mkIf cfg.enable { + assertions = map (policy: + { assertion = match ".*/.*" policy == null; + message = "`security.apparmor.policies.\"${policy}\"' must not contain a slash."; + # Because, for instance, aa-remove-unknown uses profiles_names_list() in rc.apparmor.functions + # which does not recurse into sub-directories. + } + ) (attrNames cfg.policies); + + environment.systemPackages = [ pkgs.apparmor-utils ]; + environment.etc."apparmor.d".source = pkgs.linkFarm "apparmor.d" ( + # It's important to put only enabledPolicies here and not all cfg.policies + # because aa-remove-unknown reads profiles from all /etc/apparmor.d/* + lib.mapAttrsToList (name: p: {inherit name; path=p.profile;}) enabledPolicies ++ + lib.mapAttrsToList (name: path: {inherit name path;}) cfg.includes + ); + environment.etc."apparmor/parser.conf".text = '' + ${if cfg.enableCache then "write-cache" else "skip-cache"} + cache-loc /var/cache/apparmor + Include /etc/apparmor.d + '' + + lib.concatMapStrings (p: "Include ${p}/etc/apparmor.d\n") cfg.packages; + # For aa-logprof + environment.etc."apparmor/apparmor.conf".text = '' + ''; + # For aa-logprof + environment.etc."apparmor/severity.db".source = pkgs.apparmor-utils + "/etc/apparmor/severity.db"; + environment.etc."apparmor/logprof.conf".text = '' + [settings] + # /etc/apparmor.d/ is read-only on NixOS + profiledir = /var/cache/apparmor/logprof + inactive_profiledir = /etc/apparmor.d/disable + # Use: journalctl -b --since today --grep audit: | aa-logprof + logfiles = /dev/stdin + + parser = ${pkgs.apparmor-parser}/bin/apparmor_parser + ldd = ${pkgs.glibc.bin}/bin/ldd + logger = ${pkgs.utillinux}/bin/logger + + # customize how file ownership permissions are presented + # 0 - off + # 1 - default of what ever mode the log reported + # 2 - force the new permissions to be user + # 3 - force all perms on the rule to be user + default_owner_prompt = 1 + + custom_includes = /etc/apparmor.d ${lib.concatMapStringsSep " " (p: "${p}/etc/apparmor.d") cfg.packages} + + [qualifiers] + ${pkgs.runtimeShell} = icnu + ${pkgs.bashInteractive}/bin/sh = icnu + ${pkgs.bashInteractive}/bin/bash = icnu + '' + head (match "^.*\\[qualifiers](.*)" # Drop the original [settings] section. + (readFile "${pkgs.apparmor-utils}/etc/apparmor/logprof.conf")); + + boot.kernelParams = [ "apparmor=1" "security=apparmor" ]; + + systemd.services.apparmor = { + after = [ + "local-fs.target" + "systemd-journald-audit.socket" + ]; + before = [ "sysinit.target" ]; + wantedBy = [ "multi-user.target" ]; + unitConfig = { + Description="Load AppArmor policies"; + DefaultDependencies = "no"; + ConditionSecurity = "apparmor"; + }; + # Reloading instead of restarting enables to load new AppArmor profiles + # without necessarily restarting all services which have Requires=apparmor.service + reloadIfChanged = true; + restartTriggers = [ + etc."apparmor/parser.conf".source + etc."apparmor.d".source + ]; + serviceConfig = let + killUnconfinedConfinables = pkgs.writeShellScript "apparmor-kill" '' + set -eu + ${pkgs.apparmor-utils}/bin/aa-status --json | + ${pkgs.jq}/bin/jq --raw-output '.processes | .[] | .[] | select (.status == "unconfined") | .pid' | + xargs --verbose --no-run-if-empty --delimiter='\n' \ + kill + ''; + commonOpts = p: "--verbose --show-cache ${lib.optionalString (!p.enforce) "--complain "}${p.profile}"; + in { + Type = "oneshot"; + RemainAfterExit = "yes"; + ExecStartPre = "${pkgs.apparmor-utils}/bin/aa-teardown"; + ExecStart = lib.mapAttrsToList (n: p: "${pkgs.apparmor-parser}/bin/apparmor_parser --add ${commonOpts p}") enabledPolicies; + ExecStartPost = lib.optional cfg.killUnconfinedConfinables killUnconfinedConfinables; + ExecReload = + # Add or replace into the kernel profiles in enabledPolicies + # (because AppArmor can do that without stopping the processes already confined). + lib.mapAttrsToList (n: p: "${pkgs.apparmor-parser}/bin/apparmor_parser --replace ${commonOpts p}") enabledPolicies ++ + # Remove from the kernel any profile whose name is not + # one of the names within the content of the profiles in enabledPolicies + # (indirectly read from /etc/apparmor.d/*, without recursing into sub-directory). + # Note that this does not remove profiles dynamically generated by libvirt. + [ "${pkgs.apparmor-utils}/bin/aa-remove-unknown" ] ++ + # Optionaly kill the processes which are unconfined but now have a profile loaded + # (because AppArmor can only start to confine new processes). + lib.optional cfg.killUnconfinedConfinables killUnconfinedConfinables; + ExecStop = "${pkgs.apparmor-utils}/bin/aa-teardown"; + CacheDirectory = [ "apparmor" "apparmor/logprof" ]; + CacheDirectoryMode = "0700"; + }; + }; + }; + + meta.maintainers = with lib.maintainers; [ julm ]; } diff --git a/nixos/modules/security/apparmor/includes.nix b/nixos/modules/security/apparmor/includes.nix new file mode 100644 index 00000000000..498d7e77650 --- /dev/null +++ b/nixos/modules/security/apparmor/includes.nix @@ -0,0 +1,301 @@ +{ config, lib, pkgs, ... }: +let + inherit (builtins) attrNames hasAttr isAttrs; + inherit (lib) getLib; + inherit (config.environment) etc; + etcRule = arg: + let go = {path ? null, mode ? "r", trail ? ""}: + lib.optionalString (hasAttr path etc) + "${mode} ${config.environment.etc.${path}.source}${trail},"; + in if isAttrs arg + then go arg + else go {path=arg;}; +in +{ +# FIXME: most of the etcRule calls below have been +# written systematically by converting from apparmor-profiles's profiles +# without testing nor deep understanding of their uses, +# and thus may need more rules or can have less rules; +# this remains to be determined case by case, +# some may even be completely useless. +config.security.apparmor.includes = { + # This one is included by + # which is usualy included before any profile. + "abstractions/tunables/alias" = '' + alias /bin -> /run/current-system/sw/bin, + alias /lib/modules -> /run/current-system/kernel/lib/modules, + alias /sbin -> /run/current-system/sw/sbin, + alias /usr -> /run/current-system/sw, + ''; + "abstractions/audio" = '' + include "${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/audio" + ${etcRule "asound.conf"} + ${etcRule "esound/esd.conf"} + ${etcRule "libao.conf"} + ${etcRule {path="pulse"; trail="/";}} + ${etcRule {path="pulse"; trail="/**";}} + ${etcRule {path="sound"; trail="/";}} + ${etcRule {path="sound"; trail="/**";}} + ${etcRule {path="alsa/conf.d"; trail="/";}} + ${etcRule {path="alsa/conf.d"; trail="/*";}} + ${etcRule "openal/alsoft.conf"} + ${etcRule "wildmidi/wildmidi.conf"} + ''; + "abstractions/authentication" = '' + include "${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/authentication" + # Defined in security.pam + include + ${etcRule "nologin"} + ${etcRule "securetty"} + ${etcRule {path="security"; trail="/*";}} + ${etcRule "shadow"} + ${etcRule "gshadow"} + ${etcRule "pwdb.conf"} + ${etcRule "default/passwd"} + ${etcRule "login.defs"} + ''; + "abstractions/base" = '' + include "${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/base" + r ${pkgs.stdenv.cc.libc}/share/locale/**, + r ${pkgs.stdenv.cc.libc}/share/locale.alias, + ${lib.optionalString (pkgs.glibcLocales != null) "r ${pkgs.glibcLocales}/lib/locale/locale-archive,"} + ${etcRule "localtime"} + r ${pkgs.tzdata}/share/zoneinfo/**, + r ${pkgs.stdenv.cc.libc}/share/i18n/**, + ''; + "abstractions/bash" = '' + include "${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/bash" + # system-wide bash configuration + ${etcRule "profile.dos"} + ${etcRule "profile"} + ${etcRule "profile.d"} + ${etcRule {path="profile.d"; trail="/*";}} + ${etcRule "bashrc"} + ${etcRule "bash.bashrc"} + ${etcRule "bash.bashrc.local"} + ${etcRule "bash_completion"} + ${etcRule "bash_completion.d"} + ${etcRule {path="bash_completion.d"; trail="/*";}} + # bash relies on system-wide readline configuration + ${etcRule "inputrc"} + # bash inspects filesystems at startup + # and /etc/mtab is linked to /proc/mounts + @{PROC}/mounts + + # run out of /etc/bash.bashrc + ${etcRule "DIR_COLORS"} + ''; + "abstractions/cups-client" = '' + include "${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/cpus-client" + ${etcRule "cups/cups-client.conf"} + ''; + "abstractions/consoles" = '' + include "${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/consoles" + ''; + "abstractions/dbus-session-strict" = '' + include "${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/dbus-session-strict" + ${etcRule "machine-id"} + ''; + "abstractions/dconf" = '' + include "${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/dconf" + ${etcRule {path="dconf"; trail="/**";}} + ''; + "abstractions/dri-common" = '' + include "${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/dri-common" + ${etcRule "drirc"} + ''; + # The config.fonts.fontconfig NixOS module adds many files to /etc/fonts/ + # by symlinking them but without exporting them outside of its NixOS module, + # those are therefore added there to this "abstractions/fonts". + "abstractions/fonts" = '' + include "${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/fonts" + ${etcRule {path="fonts"; trail="/**";}} + ''; + "abstractions/gnome" = '' + include "${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/gnome" + ${etcRule {path="gnome"; trail="/gtkrc*";}} + ${etcRule {path="gtk"; trail="/*";}} + ${etcRule {path="gtk-2.0"; trail="/*";}} + ${etcRule {path="gtk-3.0"; trail="/*";}} + ${etcRule "orbitrc"} + include + ${etcRule {path="pango"; trail="/*";}} + ${etcRule {path="/etc/gnome-vfs-2.0"; trail="/modules/";}} + ${etcRule {path="/etc/gnome-vfs-2.0"; trail="/modules/*";}} + ${etcRule "papersize"} + ${etcRule {path="cups"; trail="/lpoptions";}} + ${etcRule {path="gnome"; trail="/defaults.list";}} + ${etcRule {path="xdg"; trail="/{,*-}mimeapps.list";}} + ${etcRule "xdg/mimeapps.list"} + ''; + "abstractions/kde" = '' + include "${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/kde" + ${etcRule {path="qt3"; trail="/kstylerc";}} + ${etcRule {path="qt3"; trail="/qt_plugins_3.3rc";}} + ${etcRule {path="qt3"; trail="/qtrc";}} + ${etcRule "kderc"} + ${etcRule {path="kde3"; trail="/*";}} + ${etcRule "kde4rc"} + ${etcRule {path="xdg"; trail="/kdeglobals";}} + ${etcRule {path="xdg"; trail="/Trolltech.conf";}} + ''; + "abstractions/kerberosclient" = '' + include "${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/kerberosclient" + ${etcRule {path="krb5.keytab"; mode="rk";}} + ${etcRule "krb5.conf"} + ${etcRule "krb5.conf.d"} + ${etcRule {path="krb5.conf.d"; trail="/*";}} + + # config files found via strings on libs + ${etcRule "krb.conf"} + ${etcRule "krb.realms"} + ${etcRule "srvtab"} + ''; + "abstractions/ldapclient" = '' + include "${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/ldapclient" + ${etcRule "ldap.conf"} + ${etcRule "ldap.secret"} + ${etcRule {path="openldap"; trail="/*";}} + ${etcRule {path="openldap"; trail="/cacerts/*";}} + ${etcRule {path="sasl2"; trail="/*";}} + ''; + "abstractions/likewise" = '' + include "${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/likewise" + ''; + "abstractions/mdns" = '' + include "${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/mdns" + ${etcRule "nss_mdns.conf"} + ''; + "abstractions/nameservice" = '' + include "${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/nameservice" + + # Many programs wish to perform nameservice-like operations, such as + # looking up users by name or id, groups by name or id, hosts by name + # or IP, etc. These operations may be performed through files, dns, + # NIS, NIS+, LDAP, hesiod, wins, etc. Allow them all here. + ${etcRule "group"} + ${etcRule "host.conf"} + ${etcRule "hosts"} + ${etcRule "nsswitch.conf"} + ${etcRule "gai.conf"} + ${etcRule "passwd"} + ${etcRule "protocols"} + + # libtirpc (used for NIS/YP login) needs this + ${etcRule "netconfig"} + + ${etcRule "resolv.conf"} + + ${etcRule {path="samba"; trail="/lmhosts";}} + ${etcRule "services"} + + ${etcRule "default/nss"} + + # libnl-3-200 via libnss-gw-name + ${etcRule {path="libnl"; trail="/classid";}} + ${etcRule {path="libnl-3"; trail="/classid";}} + + mr ${getLib pkgs.nss}/lib/libnss_*.so*, + mr ${getLib pkgs.nss}/lib64/libnss_*.so*, + ''; + "abstractions/nis" = '' + include "${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/nis" + ''; + "abstractions/nvidia" = '' + include "${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/nvidia" + ${etcRule "vdpau_wrapper.cfg"} + ''; + "abstractions/opencl-common" = '' + include "${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/opencl-common" + ${etcRule {path="OpenCL"; trail="/**";}} + ''; + "abstractions/opencl-mesa" = '' + include "${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/opencl-mesa" + ${etcRule "default/drirc"} + ''; + "abstractions/openssl" = '' + include "${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/openssl" + ${etcRule {path="ssl"; trail="/openssl.cnf";}} + ''; + "abstractions/p11-kit" = '' + include "${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/p11-kit" + ${etcRule {path="pkcs11"; trail="/";}} + ${etcRule {path="pkcs11"; trail="/pkcs11.conf";}} + ${etcRule {path="pkcs11"; trail="/modules/";}} + ${etcRule {path="pkcs11"; trail="/modules/*";}} + ''; + "abstractions/perl" = '' + include "${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/perl" + ${etcRule {path="perl"; trail="/**";}} + ''; + "abstractions/php" = '' + include "${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/php" + ${etcRule {path="php"; trail="/**/";}} + ${etcRule {path="php5"; trail="/**/";}} + ${etcRule {path="php7"; trail="/**/";}} + ${etcRule {path="php"; trail="/**.ini";}} + ${etcRule {path="php5"; trail="/**.ini";}} + ${etcRule {path="php7"; trail="/**.ini";}} + ''; + "abstractions/postfix-common" = '' + include "${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/postfix-common" + ${etcRule "mailname"} + ${etcRule {path="postfix"; trail="/*.cf";}} + ${etcRule "postfix/main.cf"} + ${etcRule "postfix/master.cf"} + ''; + "abstractions/python" = '' + include "${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/python" + ''; + "abstractions/qt5" = '' + include "${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/qt5" + ${etcRule {path="xdg"; trail="/QtProject/qtlogging.ini";}} + ${etcRule {path="xdg/QtProject"; trail="/qtlogging.ini";}} + ${etcRule "xdg/QtProject/qtlogging.ini"} + ''; + "abstractions/samba" = '' + include "${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/samba" + ${etcRule {path="samba"; trail="/*";}} + ''; + "abstractions/ssl_certs" = '' + include "${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/ssl_certs" + ${etcRule "ssl/certs/ca-certificates.crt"} + ${etcRule "ssl/certs/ca-bundle.crt"} + ${etcRule "pki/tls/certs/ca-bundle.crt"} + + ${etcRule {path="ssl/trust"; trail="/";}} + ${etcRule {path="ssl/trust"; trail="/*";}} + ${etcRule {path="ssl/trust/anchors"; trail="/";}} + ${etcRule {path="ssl/trust/anchors"; trail="/**";}} + ${etcRule {path="pki/trust"; trail="/";}} + ${etcRule {path="pki/trust"; trail="/*";}} + ${etcRule {path="pki/trust/anchors"; trail="/";}} + ${etcRule {path="pki/trust/anchors"; trail="/**";}} + + # security.acme NixOS module + r /var/lib/acme/*/cert.pem, + r /var/lib/acme/*/chain.pem, + r /var/lib/acme/*/fullchain.pem, + ''; + "abstractions/ssl_keys" = '' + # security.acme NixOS module + r /var/lib/acme/*/full.pem, + r /var/lib/acme/*/key.pem, + ''; + "abstractions/vulkan" = '' + include "${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/vulkan" + ${etcRule {path="vulkan/icd.d"; trail="/";}} + ${etcRule {path="vulkan/icd.d"; trail="/*.json";}} + ''; + "abstractions/winbind" = '' + include "${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/winbind" + ${etcRule {path="samba"; trail="/smb.conf";}} + ${etcRule {path="samba"; trail="/dhcp.conf";}} + ''; + "abstractions/X" = '' + include "${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/X" + ${etcRule {path="X11/cursors"; trail="/";}} + ${etcRule {path="X11/cursors"; trail="/**";}} + ''; +}; +} diff --git a/nixos/modules/security/apparmor/profiles.nix b/nixos/modules/security/apparmor/profiles.nix new file mode 100644 index 00000000000..8eb630b5a48 --- /dev/null +++ b/nixos/modules/security/apparmor/profiles.nix @@ -0,0 +1,11 @@ +{ config, lib, pkgs, ... }: +let apparmor = config.security.apparmor; in +{ +config.security.apparmor.packages = [ pkgs.apparmor-profiles ]; +config.security.apparmor.policies."bin.ping".profile = lib.mkIf apparmor.policies."bin.ping".enable '' + include "${pkgs.iputils.apparmor}/bin.ping" + include "${pkgs.inetutils.apparmor}/bin.ping" + # Note that including those two profiles in the same profile + # would not work if the second one were to re-include . +''; +} diff --git a/nixos/modules/security/pam.nix b/nixos/modules/security/pam.nix index 103cf205012..8216c03795a 100644 --- a/nixos/modules/security/pam.nix +++ b/nixos/modules/security/pam.nix @@ -895,6 +895,61 @@ in runuser-l = { rootOK = true; unixAuth = false; }; }; + security.apparmor.includes."abstractions/pam" = let + isEnabled = test: fold or false (map test (attrValues config.security.pam.services)); + in '' + ${lib.concatMapStringsSep "\n" + (name: "r ${config.environment.etc."pam.d/${name}".source},") + (attrNames config.security.pam.services)} + mr ${getLib pkgs.pam}/lib/security/pam_filter/*, + mr ${getLib pkgs.pam}/lib/security/pam_*.so, + r ${getLib pkgs.pam}/lib/security/, + ${optionalString use_ldap + "mr ${pam_ldap}/lib/security/pam_ldap.so,"} + ${optionalString config.services.sssd.enable + "mr ${pkgs.sssd}/lib/security/pam_sss.so,"} + ${optionalString config.krb5.enable '' + mr ${pam_krb5}/lib/security/pam_krb5.so, + mr ${pam_ccreds}/lib/security/pam_ccreds.so, + ''} + ${optionalString (isEnabled (cfg: cfg.googleOsLoginAccountVerification)) '' + mr ${pkgs.google-compute-engine-oslogin}/lib/pam_oslogin_login.so, + mr ${pkgs.google-compute-engine-oslogin}/lib/pam_oslogin_admin.so, + ''} + ${optionalString (isEnabled (cfg: cfg.googleOsLoginAuthentication)) + "mr ${pkgs.google-compute-engine-oslogin}/lib/pam_oslogin_login.so,"} + ${optionalString (config.security.pam.enableSSHAgentAuth && isEnabled (cfg: cfg.sshAgentAuth)) + "mr ${pkgs.pam_ssh_agent_auth}/libexec/pam_ssh_agent_auth.so,"} + ${optionalString (isEnabled (cfg: cfg.fprintAuth)) + "mr ${pkgs.fprintd}/lib/security/pam_fprintd.so,"} + ${optionalString (isEnabled (cfg: cfg.u2fAuth)) + "mr ${pkgs.pam_u2f}/lib/security/pam_u2f.so,"} + ${optionalString (isEnabled (cfg: cfg.usbAuth)) + "mr ${pkgs.pam_usb}/lib/security/pam_usb.so,"} + ${optionalString (isEnabled (cfg: cfg.oathAuth)) + "mr ${pkgs.oathToolkit}/lib/security/pam_oath.so,"} + ${optionalString (isEnabled (cfg: cfg.yubicoAuth)) + "mr ${pkgs.yubico-pam}/lib/security/pam_yubico.so,"} + ${optionalString (isEnabled (cfg: cfg.duoSecurity.enable)) + "mr ${pkgs.duo-unix}/lib/security/pam_duo.so,"} + ${optionalString (isEnabled (cfg: cfg.otpwAuth)) + "mr ${pkgs.otpw}/lib/security/pam_otpw.so,"} + ${optionalString config.security.pam.enableEcryptfs + "mr ${pkgs.ecryptfs}/lib/security/pam_ecryptfs.so,"} + ${optionalString (isEnabled (cfg: cfg.pamMount)) + "mr ${pkgs.pam_mount}/lib/security/pam_mount.so,"} + ${optionalString (isEnabled (cfg: cfg.enableGnomeKeyring)) + "mr ${pkgs.gnome3.gnome-keyring}/lib/security/pam_gnome_keyring.so,"} + ${optionalString (isEnabled (cfg: cfg.startSession)) + "mr ${pkgs.systemd}/lib/security/pam_systemd.so,"} + ${optionalString (isEnabled (cfg: cfg.enableAppArmor) && config.security.apparmor.enable) + "mr ${pkgs.apparmor-pam}/lib/security/pam_apparmor.so,"} + ${optionalString (isEnabled (cfg: cfg.enableKwallet)) + "mr ${pkgs.plasma5.kwallet-pam}/lib/security/pam_kwallet5.so,"} + ${optionalString config.virtualisation.lxc.lxcfs.enable + "mr ${pkgs.lxc}/lib/security/pam_cgfs.so"} + ''; + }; } diff --git a/nixos/modules/security/wrappers/default.nix b/nixos/modules/security/wrappers/default.nix index 3cbf22fea7a..1e65f451515 100644 --- a/nixos/modules/security/wrappers/default.nix +++ b/nixos/modules/security/wrappers/default.nix @@ -171,6 +171,14 @@ in export PATH="${wrapperDir}:$PATH" ''; + security.apparmor.includes."nixos/security.wrappers" = '' + include "${pkgs.apparmorRulesFromClosure { name="security.wrappers"; } [ + securityWrapper + pkgs.stdenv.cc.cc + pkgs.stdenv.cc.libc + ]}" + ''; + ###### setcap activation script system.activationScripts.wrappers = lib.stringAfter [ "specialfs" "users" ] diff --git a/nixos/modules/services/torrent/transmission.nix b/nixos/modules/services/torrent/transmission.nix index 7bec073e26f..e9b5834dab4 100644 --- a/nixos/modules/services/torrent/transmission.nix +++ b/nixos/modules/services/torrent/transmission.nix @@ -5,7 +5,7 @@ with lib; let cfg = config.services.transmission; inherit (config.environment) etc; - apparmor = config.security.apparmor.enable; + apparmor = config.security.apparmor; rootDir = "/run/transmission"; homeDir = "/var/lib/transmission"; settingsDir = ".config/transmission-daemon"; @@ -184,8 +184,8 @@ in systemd.services.transmission = { description = "Transmission BitTorrent Service"; - after = [ "network.target" ] ++ optional apparmor "apparmor.service"; - requires = optional apparmor "apparmor.service"; + after = [ "network.target" ] ++ optional apparmor.enable "apparmor.service"; + requires = optional apparmor.enable "apparmor.service"; wantedBy = [ "multi-user.target" ]; environment.CURL_CA_BUNDLE = etc."ssl/certs/ca-certificates.crt".source; @@ -358,62 +358,26 @@ in }) ]; - security.apparmor.profiles = mkIf apparmor [ - (pkgs.writeText "apparmor-transmission-daemon" '' + security.apparmor.policies."bin.transmission-daemon".profile = '' include - ${pkgs.transmission}/bin/transmission-daemon { include include - - # NOTE: https://github.com/NixOS/nixpkgs/pull/93457 - # will remove the need for these by fixing - r ${etc."hosts".source}, - r /etc/ld-nix.so.preload, - ${lib.optionalString (builtins.hasAttr "ld-nix.so.preload" etc) '' - r ${etc."ld-nix.so.preload".source}, - ${concatMapStrings (p: optionalString (p != "") ("mr ${p},\n")) - (splitString "\n" config.environment.etc."ld-nix.so.preload".text)} - ''} - r ${etc."ssl/certs/ca-certificates.crt".source}, - r ${pkgs.tzdata}/share/zoneinfo/**, - r ${pkgs.stdenv.cc.libc}/share/i18n/**, - r ${pkgs.stdenv.cc.libc}/share/locale/**, - - mr ${getLib pkgs.stdenv.cc.cc}/lib/*.so*, - mr ${getLib pkgs.stdenv.cc.libc}/lib/*.so*, - mr ${getLib pkgs.attr}/lib/libattr*.so*, - mr ${getLib pkgs.c-ares}/lib/libcares*.so*, - mr ${getLib pkgs.curl}/lib/libcurl*.so*, - mr ${getLib pkgs.keyutils}/lib/libkeyutils*.so*, - mr ${getLib pkgs.libcap}/lib/libcap*.so*, - mr ${getLib pkgs.libevent}/lib/libevent*.so*, - mr ${getLib pkgs.libgcrypt}/lib/libgcrypt*.so*, - mr ${getLib pkgs.libgpgerror}/lib/libgpg-error*.so*, - mr ${getLib pkgs.libkrb5}/lib/lib*.so*, - mr ${getLib pkgs.libssh2}/lib/libssh2*.so*, - mr ${getLib pkgs.lz4}/lib/liblz4*.so*, - mr ${getLib pkgs.nghttp2}/lib/libnghttp2*.so*, - mr ${getLib pkgs.openssl}/lib/libcrypto*.so*, - mr ${getLib pkgs.openssl}/lib/libssl*.so*, - mr ${getLib pkgs.systemd}/lib/libsystemd*.so*, - mr ${getLib pkgs.util-linuxMinimal.out}/lib/libblkid.so*, - mr ${getLib pkgs.util-linuxMinimal.out}/lib/libmount.so*, - mr ${getLib pkgs.util-linuxMinimal.out}/lib/libuuid.so*, - mr ${getLib pkgs.xz}/lib/liblzma*.so*, - mr ${getLib pkgs.zlib}/lib/libz*.so*, + include + include "${pkgs.apparmorRulesFromClosure + { name = "transmission-daemon"; } + [ pkgs.transmission ]}" + include r @{PROC}/sys/kernel/random/uuid, r @{PROC}/sys/vm/overcommit_memory, - # @{pid} is not a kernel variable yet but a regexp - #r @{PROC}/@{pid}/environ, + r @{PROC}/@{pid}/environ, r @{PROC}/@{pid}/mounts, rwk /tmp/tr_session_id_*, r /run/systemd/resolve/stub-resolv.conf, r ${pkgs.openssl.out}/etc/**, r ${config.systemd.services.transmission.environment.CURL_CA_BUNDLE}, - r ${pkgs.transmission}/share/transmission/**, owner rw ${cfg.home}/${settingsDir}/**, rw ${cfg.settings.download-dir}/**, @@ -441,12 +405,9 @@ in # https://gitlab.com/apparmor/apparmor/-/wikis/AppArmorStacking#seccomp-and-no_new_privs px ${cfg.settings.script-torrent-done-filename} -> &@{dirs}, ''} - - # FIXME: enable customizing using https://github.com/NixOS/nixpkgs/pull/93457 - # include } - '') - ]; + ''; + security.apparmor.includes."local/bin.transmission-daemon" = ""; }; meta.maintainers = with lib.maintainers; [ julm ]; diff --git a/nixos/modules/tasks/network-interfaces.nix b/nixos/modules/tasks/network-interfaces.nix index f501f85b2a9..448ff842f18 100644 --- a/nixos/modules/tasks/network-interfaces.nix +++ b/nixos/modules/tasks/network-interfaces.nix @@ -1111,6 +1111,21 @@ in } else { ping.source = "${pkgs.iputils.out}/bin/ping"; }; + security.apparmor.policies."bin.ping".profile = lib.mkIf config.security.apparmor.policies."bin.ping".enable (lib.mkAfter '' + /run/wrappers/bin/ping { + include + include + rpx /run/wrappers/wrappers.*/ping, + } + /run/wrappers/wrappers.*/ping { + include + include + r /run/wrappers/wrappers.*/ping.real, + mrpx ${config.security.wrappers.ping.source}, + capability net_raw, + capability setpcap, + } + ''); # Set the host and domain names in the activation script. Don't # clear it if it's not configured in the NixOS configuration, diff --git a/nixos/modules/virtualisation/lxc.nix b/nixos/modules/virtualisation/lxc.nix index f484d5ee59a..0f8b22a45df 100644 --- a/nixos/modules/virtualisation/lxc.nix +++ b/nixos/modules/virtualisation/lxc.nix @@ -74,9 +74,13 @@ in systemd.tmpfiles.rules = [ "d /var/lib/lxc/rootfs 0755 root root -" ]; security.apparmor.packages = [ pkgs.lxc ]; - security.apparmor.profiles = [ - "${pkgs.lxc}/etc/apparmor.d/lxc-containers" - "${pkgs.lxc}/etc/apparmor.d/usr.bin.lxc-start" - ]; + security.apparmor.policies = { + "bin.lxc-start".profile = '' + include ${pkgs.lxc}/etc/apparmor.d/usr.bin.lxc-start + ''; + "lxc-containers".profile = '' + include ${pkgs.lxc}/etc/apparmor.d/lxc-containers + ''; + }; }; } diff --git a/nixos/modules/virtualisation/lxd.nix b/nixos/modules/virtualisation/lxd.nix index 96e8d68ae50..6b6f4b6e652 100644 --- a/nixos/modules/virtualisation/lxd.nix +++ b/nixos/modules/virtualisation/lxd.nix @@ -97,11 +97,17 @@ in { # does a bunch of unrelated things. systemd.tmpfiles.rules = [ "d /var/lib/lxc/rootfs 0755 root root -" ]; - security.apparmor.packages = [ cfg.lxcPackage ]; - security.apparmor.profiles = [ - "${cfg.lxcPackage}/etc/apparmor.d/lxc-containers" - "${cfg.lxcPackage}/etc/apparmor.d/usr.bin.lxc-start" - ]; + security.apparmor = { + packages = [ cfg.lxcPackage ]; + policies = { + "bin.lxc-start".profile = '' + include ${cfg.lxcPackage}/etc/apparmor.d/usr.bin.lxc-start + ''; + "lxc-containers".profile = '' + include ${cfg.lxcPackage}/etc/apparmor.d/lxc-containers + ''; + }; + }; # TODO: remove once LXD gets proper support for cgroupsv2 # (currently most of the e.g. CPU accounting stuff doesn't work) diff --git a/pkgs/os-specific/linux/apparmor/default.nix b/pkgs/os-specific/linux/apparmor/default.nix index bb0c0b45d6e..1ab02a51156 100644 --- a/pkgs/os-specific/linux/apparmor/default.nix +++ b/pkgs/os-specific/linux/apparmor/default.nix @@ -10,6 +10,13 @@ , pam , libnotify , buildPackages +, coreutils +, gnugrep +, gnused +, kmod +, writeShellScript +, closureInfo +, runCommand }: let @@ -30,6 +37,12 @@ let sha256 = "13xshy7905d9q9n8d8i0jmdi9m36wr525g4wlsp8k21n7yvvh9j4"; }; + aa-teardown = writeShellScript "aa-teardown" '' + PATH="${lib.makeBinPath [coreutils gnused gnugrep]}:$PATH" + . ${apparmor-parser}/lib/apparmor/rc.apparmor.functions + remove_profiles + ''; + prePatchCommon = '' chmod a+x ./common/list_capabilities.sh ./common/list_af_names.sh patchShebangs ./common/list_capabilities.sh ./common/list_af_names.sh @@ -121,7 +134,11 @@ let libapparmor.python ]; - prePatch = prePatchCommon + '' + prePatch = prePatchCommon + + # Do not build vim file + lib.optionalString stdenv.hostPlatform.isMusl '' + sed -i ./utils/Makefile -e "/\/d" + '' + '' substituteInPlace ./utils/apparmor/easyprof.py --replace "/sbin/apparmor_parser" "${apparmor-parser}/bin/apparmor_parser" substituteInPlace ./utils/apparmor/aa.py --replace "/sbin/apparmor_parser" "${apparmor-parser}/bin/apparmor_parser" substituteInPlace ./utils/logprof.conf --replace "/sbin/apparmor_parser" "${apparmor-parser}/bin/apparmor_parser" @@ -132,6 +149,7 @@ let installFlags = [ "DESTDIR=$(out)" "BINDIR=$(out)/bin" "VIM_INSTALL_PATH=$(out)/share" "PYPREFIX=" ]; postInstall = '' + sed -i $out/bin/aa-unconfined -e "/my_env\['PATH'\]/d" for prog in aa-audit aa-autodep aa-cleanprof aa-complain aa-disable aa-enforce aa-genprof aa-logprof aa-mergeprof aa-status aa-unconfined ; do wrapProgram $out/bin/$prog --prefix PYTHONPATH : "$out/lib/${python.libPrefix}/site-packages:$PYTHONPATH" done @@ -139,6 +157,15 @@ let substituteInPlace $out/bin/aa-notify \ --replace /usr/bin/notify-send ${libnotify}/bin/notify-send \ --replace /usr/bin/perl "${perl}/bin/perl -I ${libapparmor}/${perl.libPrefix}" + + substituteInPlace $out/bin/aa-remove-unknown \ + --replace "/usr/bin/aa-status" "$out/bin/aa-status" \ + --replace "/sbin/modprobe" "${kmod}/bin/modprobe" \ + --replace "/lib/apparmor/rc.apparmor.functions" "${apparmor-parser}/lib/apparmor/rc.apparmor.functions" + wrapProgram $out/bin/aa-remove-unknown \ + --prefix PATH : ${lib.makeBinPath [gawk]} + + ln -s ${aa-teardown} $out/bin/aa-teardown ''; inherit doCheck; @@ -187,6 +214,9 @@ let substituteInPlace ./parser/Makefile --replace "/usr/include/linux/capability.h" "${linuxHeaders}/include/linux/capability.h" ## techdoc.pdf still doesn't build ... substituteInPlace ./parser/Makefile --replace "manpages htmlmanpages pdf" "manpages htmlmanpages" + substituteInPlace parser/rc.apparmor.functions \ + --replace "/sbin/apparmor_parser" "$out/bin/apparmor_parser" + sed -i parser/rc.apparmor.functions -e '2i . ${./fix-rc.apparmor.functions.sh}' ''; inherit patches; postPatch = "cd ./parser"; @@ -248,8 +278,35 @@ let meta = apparmor-meta "kernel patches"; }; + # Generate generic AppArmor rules in a file, + # from the closure of given rootPaths. + # To be included in an AppArmor profile like so: + # include "$(apparmorRulesFromClosure {} [pkgs.hello]}" + apparmorRulesFromClosure = + { # The store path of the derivation is given in $path + additionalRules ? [] + # TODO: factorize here some other common paths + # that may emerge from use cases. + , baseRules ? [ + "r $path" + "r $path/etc/**" + "r $path/share/**" + # Note that not all libraries are prefixed with "lib", + # eg. glibc-2.30/lib/ld-2.30.so + "mr $path/lib/**.so*" + # eg. glibc-2.30/lib/gconv/gconv-modules + "r $path/lib/**" + ] + , name ? "" + }: rootPaths: runCommand + ( "apparmor-closure-rules" + + lib.optionalString (name != "") "-${name}") {} '' + touch $out + while read -r path + do printf >>$out "%s,\n" ${lib.concatMapStringsSep " " (x: "\"${x}\"") (baseRules ++ additionalRules)} + done <${closureInfo {inherit rootPaths;}}/store-paths + ''; in - { inherit libapparmor @@ -258,5 +315,6 @@ in apparmor-parser apparmor-pam apparmor-profiles - apparmor-kernel-patches; + apparmor-kernel-patches + apparmorRulesFromClosure; } diff --git a/pkgs/os-specific/linux/apparmor/fix-rc.apparmor.functions.sh b/pkgs/os-specific/linux/apparmor/fix-rc.apparmor.functions.sh new file mode 100644 index 00000000000..ebc1baaa92d --- /dev/null +++ b/pkgs/os-specific/linux/apparmor/fix-rc.apparmor.functions.sh @@ -0,0 +1,32 @@ +aa_action() { + STRING=$1 + shift + $* + rc=$? + if [ $rc -eq 0 ] ; then + aa_log_success_msg $"$STRING " + else + aa_log_failure_msg $"$STRING " + fi + return $rc +} + +aa_log_success_msg() { + [ -n "$1" ] && echo -n $1 + echo ": done." +} + +aa_log_warning_msg() { + [ -n "$1" ] && echo -n $1 + echo ": Warning." +} + +aa_log_failure_msg() { + [ -n "$1" ] && echo -n $1 + echo ": Failed." +} + +aa_log_skipped_msg() { + [ -n "$1" ] && echo -n $1 + echo ": Skipped." +} diff --git a/pkgs/os-specific/linux/iputils/default.nix b/pkgs/os-specific/linux/iputils/default.nix index 56942d6d420..122a9ca1b7b 100644 --- a/pkgs/os-specific/linux/iputils/default.nix +++ b/pkgs/os-specific/linux/iputils/default.nix @@ -1,6 +1,7 @@ { lib, stdenv, fetchFromGitHub , meson, ninja, pkg-config, gettext, libxslt, docbook_xsl_ns , libcap, libidn2 +, apparmorRulesFromClosure }: let @@ -20,6 +21,8 @@ in stdenv.mkDerivation rec { sha256 = "08j2hfgnfh31vv9rn1ml7090j2lsvm9wdpdz13rz60rmyzrx9dq3"; }; + outputs = ["out" "apparmor"]; + mesonFlags = [ "-DBUILD_RARPD=true" "-DBUILD_TRACEROUTE6=true" @@ -34,6 +37,25 @@ in stdenv.mkDerivation rec { nativeBuildInputs = [ meson ninja pkg-config gettext libxslt.bin docbook_xsl_ns ]; buildInputs = [ libcap ] ++ lib.optional (!stdenv.hostPlatform.isMusl) libidn2; + postInstall = '' + install -D -m 644 /dev/stdin $apparmor/bin.ping < + $out/bin/ping { + include + include + include + include "${apparmorRulesFromClosure { name = "ping"; } + ([libcap] ++ lib.optional (!stdenv.hostPlatform.isMusl) libidn2)}" + include + capability net_raw, + network inet raw, + network inet6 raw, + mr $out/bin/ping, + r $out/share/locale/**, + r @{PROC}/@{pid}/environ, + } + EOF + ''; meta = with lib; { description = "A set of small useful utilities for Linux networking"; diff --git a/pkgs/tools/networking/inetutils/default.nix b/pkgs/tools/networking/inetutils/default.nix index 1290ec2bdb1..fe5a0d91585 100644 --- a/pkgs/tools/networking/inetutils/default.nix +++ b/pkgs/tools/networking/inetutils/default.nix @@ -1,4 +1,6 @@ -{ stdenv, lib, fetchurl, ncurses, perl, help2man }: +{ stdenv, lib, fetchurl, ncurses, perl, help2man +, apparmorRulesFromClosure +}: stdenv.mkDerivation rec { name = "inetutils-1.9.4"; @@ -8,6 +10,8 @@ stdenv.mkDerivation rec { sha256 = "05n65k4ixl85dc6rxc51b1b732gnmm8xnqi424dy9f1nz7ppb3xy"; }; + outputs = ["out" "apparmor"]; + patches = [ ./whois-Update-Canadian-TLD-server.patch ./service-name.patch @@ -41,6 +45,22 @@ stdenv.mkDerivation rec { installFlags = [ "SUIDMODE=" ]; + postInstall = '' + install -D -m 644 /dev/stdin $apparmor/bin.ping < + include + include + include "${apparmorRulesFromClosure { name = "ping"; } [stdenv.cc.libc]}" + include + capability net_raw, + network inet raw, + network inet6 raw, + mr $out/bin/ping, + } + EOF + ''; + meta = with lib; { description = "Collection of common network programs"; diff --git a/pkgs/top-level/all-packages.nix b/pkgs/top-level/all-packages.nix index 29858e94c9c..a8c267a438e 100644 --- a/pkgs/top-level/all-packages.nix +++ b/pkgs/top-level/all-packages.nix @@ -19482,7 +19482,7 @@ in inherit (callPackages ../os-specific/linux/apparmor { python = python3; }) libapparmor apparmor-utils apparmor-bin-utils apparmor-parser apparmor-pam - apparmor-profiles apparmor-kernel-patches; + apparmor-profiles apparmor-kernel-patches apparmorRulesFromClosure; aseq2json = callPackage ../os-specific/linux/aseq2json {}; -- cgit 1.4.1 From 45e5d726b22db783731f0460870e9ab4f06bc5c4 Mon Sep 17 00:00:00 2001 From: Julien Moutinho Date: Sat, 27 Feb 2021 21:26:47 +0100 Subject: nixos/apparmor: improve code readability --- nixos/modules/security/apparmor.nix | 62 +++--- nixos/modules/security/apparmor/includes.nix | 322 ++++++++++++++------------- nixos/modules/security/misc.nix | 4 + nixos/modules/security/pam.nix | 112 ++++++---- pkgs/os-specific/linux/apparmor/default.nix | 2 +- 5 files changed, 273 insertions(+), 229 deletions(-) (limited to 'nixos/modules/security/apparmor/includes.nix') diff --git a/nixos/modules/security/apparmor.nix b/nixos/modules/security/apparmor.nix index dfa695b81bb..68bc3f126cb 100644 --- a/nixos/modules/security/apparmor.nix +++ b/nixos/modules/security/apparmor.nix @@ -1,29 +1,31 @@ { config, lib, pkgs, ... }: +with lib; + let inherit (builtins) attrNames head map match readFile; inherit (lib) types; inherit (config.environment) etc; cfg = config.security.apparmor; - mkDisableOption = name: lib.mkEnableOption name // { + mkDisableOption = name: mkEnableOption name // { default = true; example = false; }; - enabledPolicies = lib.filterAttrs (n: p: p.enable) cfg.policies; + enabledPolicies = filterAttrs (n: p: p.enable) cfg.policies; in { imports = [ - (lib.mkRenamedOptionModule [ "security" "virtualization" "flushL1DataCache" ] [ "security" "virtualisation" "flushL1DataCache" ]) - (lib.mkRemovedOptionModule [ "security" "apparmor" "confineSUIDApplications" ] "Please use the new options: `security.apparmor.policies..enable'.") - (lib.mkRemovedOptionModule [ "security" "apparmor" "profiles" ] "Please use the new option: `security.apparmor.policies'.") + (mkRemovedOptionModule [ "security" "apparmor" "confineSUIDApplications" ] "Please use the new options: `security.apparmor.policies..enable'.") + (mkRemovedOptionModule [ "security" "apparmor" "profiles" ] "Please use the new option: `security.apparmor.policies'.") apparmor/includes.nix apparmor/profiles.nix ]; options = { security.apparmor = { - enable = lib.mkEnableOption ''the AppArmor Mandatory Access Control system. + enable = mkEnableOption '' + the AppArmor Mandatory Access Control system. If you're enabling this module on a running system, note that a reboot will be required to activate AppArmor in the kernel. @@ -38,7 +40,7 @@ in but leaves already running processes unconfined. Set killUnconfinedConfinables to false if you prefer to leave those processes running''; - policies = lib.mkOption { + policies = mkOption { description = '' AppArmor policies. ''; @@ -46,7 +48,7 @@ in options = { enable = mkDisableOption "loading of the profile into the kernel"; enforce = mkDisableOption "enforcing of the policy or only complain in the logs"; - profile = lib.mkOption { + profile = mkOption { description = "The policy of the profile."; type = types.lines; apply = pkgs.writeText name; @@ -55,28 +57,29 @@ in })); default = {}; }; - includes = lib.mkOption { + includes = mkOption { type = types.attrsOf types.lines; default = {}; description = '' List of paths to be added to AppArmor's searched paths when resolving include directives. ''; - apply = lib.mapAttrs pkgs.writeText; + apply = mapAttrs pkgs.writeText; }; - packages = lib.mkOption { + packages = mkOption { type = types.listOf types.package; default = []; description = "List of packages to be added to AppArmor's include path"; }; - enableCache = lib.mkEnableOption ''caching of AppArmor policies + enableCache = mkEnableOption '' + caching of AppArmor policies in /var/cache/apparmor/. Beware that AppArmor policies almost always contain Nix store paths, and thus produce at each change of these paths a new cached version accumulating in the cache''; - killUnconfinedConfinables = mkDisableOption ''killing of processes - which have an AppArmor profile enabled + killUnconfinedConfinables = mkDisableOption '' + killing of processes which have an AppArmor profile enabled (in policies) but are not confined (because AppArmor can only confine new processes). Beware that due to a current limitation of AppArmor, @@ -84,7 +87,7 @@ in }; }; - config = lib.mkIf cfg.enable { + config = mkIf cfg.enable { assertions = map (policy: { assertion = match ".*/.*" policy == null; message = "`security.apparmor.policies.\"${policy}\"' must not contain a slash."; @@ -100,15 +103,15 @@ in environment.etc."apparmor.d".source = pkgs.linkFarm "apparmor.d" ( # It's important to put only enabledPolicies here and not all cfg.policies # because aa-remove-unknown reads profiles from all /etc/apparmor.d/* - lib.mapAttrsToList (name: p: {inherit name; path=p.profile;}) enabledPolicies ++ - lib.mapAttrsToList (name: path: {inherit name path;}) cfg.includes + mapAttrsToList (name: p: { inherit name; path = p.profile; }) enabledPolicies ++ + mapAttrsToList (name: path: { inherit name path; }) cfg.includes ); environment.etc."apparmor/parser.conf".text = '' - ${if cfg.enableCache then "write-cache" else "skip-cache"} - cache-loc /var/cache/apparmor - Include /etc/apparmor.d - '' + - lib.concatMapStrings (p: "Include ${p}/etc/apparmor.d\n") cfg.packages; + ${if cfg.enableCache then "write-cache" else "skip-cache"} + cache-loc /var/cache/apparmor + Include /etc/apparmor.d + '' + + concatMapStrings (p: "Include ${p}/etc/apparmor.d\n") cfg.packages; # For aa-logprof environment.etc."apparmor/apparmor.conf".text = '' ''; @@ -134,12 +137,13 @@ in # 3 - force all perms on the rule to be user default_owner_prompt = 1 - custom_includes = /etc/apparmor.d ${lib.concatMapStringsSep " " (p: "${p}/etc/apparmor.d") cfg.packages} + custom_includes = /etc/apparmor.d ${concatMapStringsSep " " (p: "${p}/etc/apparmor.d") cfg.packages} [qualifiers] ${pkgs.runtimeShell} = icnu ${pkgs.bashInteractive}/bin/sh = icnu ${pkgs.bashInteractive}/bin/bash = icnu + ${config.users.defaultUserShell} = icnu ''; footer = "${pkgs.apparmor-utils}/etc/apparmor/logprof.conf"; passAsFile = [ "header" ]; @@ -177,17 +181,17 @@ in xargs --verbose --no-run-if-empty --delimiter='\n' \ kill ''; - commonOpts = p: "--verbose --show-cache ${lib.optionalString (!p.enforce) "--complain "}${p.profile}"; + commonOpts = p: "--verbose --show-cache ${optionalString (!p.enforce) "--complain "}${p.profile}"; in { Type = "oneshot"; RemainAfterExit = "yes"; ExecStartPre = "${pkgs.apparmor-utils}/bin/aa-teardown"; - ExecStart = lib.mapAttrsToList (n: p: "${pkgs.apparmor-parser}/bin/apparmor_parser --add ${commonOpts p}") enabledPolicies; - ExecStartPost = lib.optional cfg.killUnconfinedConfinables killUnconfinedConfinables; + ExecStart = mapAttrsToList (n: p: "${pkgs.apparmor-parser}/bin/apparmor_parser --add ${commonOpts p}") enabledPolicies; + ExecStartPost = optional cfg.killUnconfinedConfinables killUnconfinedConfinables; ExecReload = # Add or replace into the kernel profiles in enabledPolicies # (because AppArmor can do that without stopping the processes already confined). - lib.mapAttrsToList (n: p: "${pkgs.apparmor-parser}/bin/apparmor_parser --replace ${commonOpts p}") enabledPolicies ++ + mapAttrsToList (n: p: "${pkgs.apparmor-parser}/bin/apparmor_parser --replace ${commonOpts p}") enabledPolicies ++ # Remove from the kernel any profile whose name is not # one of the names within the content of the profiles in enabledPolicies # (indirectly read from /etc/apparmor.d/*, without recursing into sub-directory). @@ -195,7 +199,7 @@ in [ "${pkgs.apparmor-utils}/bin/aa-remove-unknown" ] ++ # Optionaly kill the processes which are unconfined but now have a profile loaded # (because AppArmor can only start to confine new processes). - lib.optional cfg.killUnconfinedConfinables killUnconfinedConfinables; + optional cfg.killUnconfinedConfinables killUnconfinedConfinables; ExecStop = "${pkgs.apparmor-utils}/bin/aa-teardown"; CacheDirectory = [ "apparmor" "apparmor/logprof" ]; CacheDirectoryMode = "0700"; @@ -203,5 +207,5 @@ in }; }; - meta.maintainers = with lib.maintainers; [ julm ]; + meta.maintainers = with maintainers; [ julm ]; } diff --git a/nixos/modules/security/apparmor/includes.nix b/nixos/modules/security/apparmor/includes.nix index 498d7e77650..e3dd410b3bb 100644 --- a/nixos/modules/security/apparmor/includes.nix +++ b/nixos/modules/security/apparmor/includes.nix @@ -3,13 +3,15 @@ let inherit (builtins) attrNames hasAttr isAttrs; inherit (lib) getLib; inherit (config.environment) etc; + # Utility to generate an AppArmor rule + # only when the given path exists in config.environment.etc etcRule = arg: - let go = {path ? null, mode ? "r", trail ? ""}: + let go = { path ? null, mode ? "r", trail ? "" }: lib.optionalString (hasAttr path etc) "${mode} ${config.environment.etc.${path}.source}${trail},"; in if isAttrs arg then go arg - else go {path=arg;}; + else go { path = arg; }; in { # FIXME: most of the etcRule calls below have been @@ -29,76 +31,80 @@ config.security.apparmor.includes = { ''; "abstractions/audio" = '' include "${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/audio" - ${etcRule "asound.conf"} - ${etcRule "esound/esd.conf"} - ${etcRule "libao.conf"} - ${etcRule {path="pulse"; trail="/";}} - ${etcRule {path="pulse"; trail="/**";}} - ${etcRule {path="sound"; trail="/";}} - ${etcRule {path="sound"; trail="/**";}} - ${etcRule {path="alsa/conf.d"; trail="/";}} - ${etcRule {path="alsa/conf.d"; trail="/*";}} - ${etcRule "openal/alsoft.conf"} - ${etcRule "wildmidi/wildmidi.conf"} - ''; + '' + lib.concatMapStringsSep "\n" etcRule [ + "asound.conf" + "esound/esd.conf" + "libao.conf" + { path = "pulse"; trail = "/"; } + { path = "pulse"; trail = "/**"; } + { path = "sound"; trail = "/"; } + { path = "sound"; trail = "/**"; } + { path = "alsa/conf.d"; trail = "/"; } + { path = "alsa/conf.d"; trail = "/*"; } + "openal/alsoft.conf" + "wildmidi/wildmidi.conf" + ]; "abstractions/authentication" = '' include "${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/authentication" # Defined in security.pam include - ${etcRule "nologin"} - ${etcRule "securetty"} - ${etcRule {path="security"; trail="/*";}} - ${etcRule "shadow"} - ${etcRule "gshadow"} - ${etcRule "pwdb.conf"} - ${etcRule "default/passwd"} - ${etcRule "login.defs"} - ''; + '' + lib.concatMapStringsSep "\n" etcRule [ + "nologin" + "securetty" + { path = "security"; trail = "/*"; } + "shadow" + "gshadow" + "pwdb.conf" + "default/passwd" + "login.defs" + ]; "abstractions/base" = '' - include "${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/base" - r ${pkgs.stdenv.cc.libc}/share/locale/**, - r ${pkgs.stdenv.cc.libc}/share/locale.alias, - ${lib.optionalString (pkgs.glibcLocales != null) "r ${pkgs.glibcLocales}/lib/locale/locale-archive,"} - ${etcRule "localtime"} - r ${pkgs.tzdata}/share/zoneinfo/**, - r ${pkgs.stdenv.cc.libc}/share/i18n/**, + include "${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/base" + r ${pkgs.stdenv.cc.libc}/share/locale/**, + r ${pkgs.stdenv.cc.libc}/share/locale.alias, + ${lib.optionalString (pkgs.glibcLocales != null) "r ${pkgs.glibcLocales}/lib/locale/locale-archive,"} + ${etcRule "localtime"} + r ${pkgs.tzdata}/share/zoneinfo/**, + r ${pkgs.stdenv.cc.libc}/share/i18n/**, ''; "abstractions/bash" = '' include "${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/bash" - # system-wide bash configuration - ${etcRule "profile.dos"} - ${etcRule "profile"} - ${etcRule "profile.d"} - ${etcRule {path="profile.d"; trail="/*";}} - ${etcRule "bashrc"} - ${etcRule "bash.bashrc"} - ${etcRule "bash.bashrc.local"} - ${etcRule "bash_completion"} - ${etcRule "bash_completion.d"} - ${etcRule {path="bash_completion.d"; trail="/*";}} - # bash relies on system-wide readline configuration - ${etcRule "inputrc"} + # bash inspects filesystems at startup # and /etc/mtab is linked to /proc/mounts @{PROC}/mounts - # run out of /etc/bash.bashrc - ${etcRule "DIR_COLORS"} + # system-wide bash configuration + '' + lib.concatMapStringsSep "\n" etcRule [ + "profile.dos" + "profile" + "profile.d" + { path = "profile.d"; trail = "/*"; } + "bashrc" + "bash.bashrc" + "bash.bashrc.local" + "bash_completion" + "bash_completion.d" + { path = "bash_completion.d"; trail = "/*"; } + # bash relies on system-wide readline configuration + "inputrc" + # run out of /etc/bash.bashrc + "DIR_COLORS" + ]; + "abstractions/consoles" = '' + include "${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/consoles" ''; "abstractions/cups-client" = '' include "${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/cpus-client" ${etcRule "cups/cups-client.conf"} ''; - "abstractions/consoles" = '' - include "${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/consoles" - ''; "abstractions/dbus-session-strict" = '' include "${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/dbus-session-strict" ${etcRule "machine-id"} ''; "abstractions/dconf" = '' include "${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/dconf" - ${etcRule {path="dconf"; trail="/**";}} + ${etcRule { path = "dconf"; trail = "/**"; }} ''; "abstractions/dri-common" = '' include "${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/dri-common" @@ -109,62 +115,66 @@ config.security.apparmor.includes = { # those are therefore added there to this "abstractions/fonts". "abstractions/fonts" = '' include "${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/fonts" - ${etcRule {path="fonts"; trail="/**";}} + ${etcRule { path = "fonts"; trail = "/**"; }} ''; "abstractions/gnome" = '' include "${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/gnome" - ${etcRule {path="gnome"; trail="/gtkrc*";}} - ${etcRule {path="gtk"; trail="/*";}} - ${etcRule {path="gtk-2.0"; trail="/*";}} - ${etcRule {path="gtk-3.0"; trail="/*";}} - ${etcRule "orbitrc"} include - ${etcRule {path="pango"; trail="/*";}} - ${etcRule {path="/etc/gnome-vfs-2.0"; trail="/modules/";}} - ${etcRule {path="/etc/gnome-vfs-2.0"; trail="/modules/*";}} - ${etcRule "papersize"} - ${etcRule {path="cups"; trail="/lpoptions";}} - ${etcRule {path="gnome"; trail="/defaults.list";}} - ${etcRule {path="xdg"; trail="/{,*-}mimeapps.list";}} - ${etcRule "xdg/mimeapps.list"} - ''; + '' + lib.concatMapStringsSep "\n" etcRule [ + { path = "gnome"; trail = "/gtkrc*"; } + { path = "gtk"; trail = "/*"; } + { path = "gtk-2.0"; trail = "/*"; } + { path = "gtk-3.0"; trail = "/*"; } + "orbitrc" + { path = "pango"; trail = "/*"; } + { path = "/etc/gnome-vfs-2.0"; trail = "/modules/"; } + { path = "/etc/gnome-vfs-2.0"; trail = "/modules/*"; } + "papersize" + { path = "cups"; trail = "/lpoptions"; } + { path = "gnome"; trail = "/defaults.list"; } + { path = "xdg"; trail = "/{,*-}mimeapps.list"; } + "xdg/mimeapps.list" + ]; "abstractions/kde" = '' include "${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/kde" - ${etcRule {path="qt3"; trail="/kstylerc";}} - ${etcRule {path="qt3"; trail="/qt_plugins_3.3rc";}} - ${etcRule {path="qt3"; trail="/qtrc";}} - ${etcRule "kderc"} - ${etcRule {path="kde3"; trail="/*";}} - ${etcRule "kde4rc"} - ${etcRule {path="xdg"; trail="/kdeglobals";}} - ${etcRule {path="xdg"; trail="/Trolltech.conf";}} - ''; + '' + lib.concatMapStringsSep "\n" etcRule [ + { path = "qt3"; trail = "/kstylerc"; } + { path = "qt3"; trail = "/qt_plugins_3.3rc"; } + { path = "qt3"; trail = "/qtrc"; } + "kderc" + { path = "kde3"; trail = "/*"; } + "kde4rc" + { path = "xdg"; trail = "/kdeglobals"; } + { path = "xdg"; trail = "/Trolltech.conf"; } + ]; "abstractions/kerberosclient" = '' include "${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/kerberosclient" - ${etcRule {path="krb5.keytab"; mode="rk";}} - ${etcRule "krb5.conf"} - ${etcRule "krb5.conf.d"} - ${etcRule {path="krb5.conf.d"; trail="/*";}} + '' + lib.concatMapStringsSep "\n" etcRule [ + { path = "krb5.keytab"; mode="rk"; } + "krb5.conf" + "krb5.conf.d" + { path = "krb5.conf.d"; trail = "/*"; } # config files found via strings on libs - ${etcRule "krb.conf"} - ${etcRule "krb.realms"} - ${etcRule "srvtab"} - ''; + "krb.conf" + "krb.realms" + "srvtab" + ]; "abstractions/ldapclient" = '' include "${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/ldapclient" - ${etcRule "ldap.conf"} - ${etcRule "ldap.secret"} - ${etcRule {path="openldap"; trail="/*";}} - ${etcRule {path="openldap"; trail="/cacerts/*";}} - ${etcRule {path="sasl2"; trail="/*";}} - ''; + '' + lib.concatMapStringsSep "\n" etcRule [ + "ldap.conf" + "ldap.secret" + { path = "openldap"; trail = "/*"; } + { path = "openldap"; trail = "/cacerts/*"; } + { path = "sasl2"; trail = "/*"; } + ]; "abstractions/likewise" = '' include "${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/likewise" ''; "abstractions/mdns" = '' include "${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/mdns" - ${etcRule "nss_mdns.conf"} + ${etcRule "nss_mdns.conf"} ''; "abstractions/nameservice" = '' include "${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/nameservice" @@ -173,31 +183,31 @@ config.security.apparmor.includes = { # looking up users by name or id, groups by name or id, hosts by name # or IP, etc. These operations may be performed through files, dns, # NIS, NIS+, LDAP, hesiod, wins, etc. Allow them all here. - ${etcRule "group"} - ${etcRule "host.conf"} - ${etcRule "hosts"} - ${etcRule "nsswitch.conf"} - ${etcRule "gai.conf"} - ${etcRule "passwd"} - ${etcRule "protocols"} - - # libtirpc (used for NIS/YP login) needs this - ${etcRule "netconfig"} + mr ${getLib pkgs.nss}/lib/libnss_*.so*, + mr ${getLib pkgs.nss}/lib64/libnss_*.so*, + '' + lib.concatMapStringsSep "\n" etcRule [ + "group" + "host.conf" + "hosts" + "nsswitch.conf" + "gai.conf" + "passwd" + "protocols" - ${etcRule "resolv.conf"} + # libtirpc (used for NIS/YP login) needs this + "netconfig" - ${etcRule {path="samba"; trail="/lmhosts";}} - ${etcRule "services"} + "resolv.conf" - ${etcRule "default/nss"} + { path = "samba"; trail = "/lmhosts"; } + "services" - # libnl-3-200 via libnss-gw-name - ${etcRule {path="libnl"; trail="/classid";}} - ${etcRule {path="libnl-3"; trail="/classid";}} + "default/nss" - mr ${getLib pkgs.nss}/lib/libnss_*.so*, - mr ${getLib pkgs.nss}/lib64/libnss_*.so*, - ''; + # libnl-3-200 via libnss-gw-name + { path = "libnl"; trail = "/classid"; } + { path = "libnl-3"; trail = "/classid"; } + ]; "abstractions/nis" = '' include "${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/nis" ''; @@ -207,7 +217,7 @@ config.security.apparmor.includes = { ''; "abstractions/opencl-common" = '' include "${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/opencl-common" - ${etcRule {path="OpenCL"; trail="/**";}} + ${etcRule { path = "OpenCL"; trail = "/**"; }} ''; "abstractions/opencl-mesa" = '' include "${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/opencl-mesa" @@ -215,68 +225,74 @@ config.security.apparmor.includes = { ''; "abstractions/openssl" = '' include "${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/openssl" - ${etcRule {path="ssl"; trail="/openssl.cnf";}} + ${etcRule { path = "ssl"; trail = "/openssl.cnf"; }} ''; "abstractions/p11-kit" = '' include "${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/p11-kit" - ${etcRule {path="pkcs11"; trail="/";}} - ${etcRule {path="pkcs11"; trail="/pkcs11.conf";}} - ${etcRule {path="pkcs11"; trail="/modules/";}} - ${etcRule {path="pkcs11"; trail="/modules/*";}} - ''; + '' + lib.concatMapStringsSep "\n" etcRule [ + { path = "pkcs11"; trail = "/"; } + { path = "pkcs11"; trail = "/pkcs11.conf"; } + { path = "pkcs11"; trail = "/modules/"; } + { path = "pkcs11"; trail = "/modules/*"; } + ]; "abstractions/perl" = '' include "${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/perl" - ${etcRule {path="perl"; trail="/**";}} + ${etcRule { path = "perl"; trail = "/**"; }} ''; "abstractions/php" = '' include "${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/php" - ${etcRule {path="php"; trail="/**/";}} - ${etcRule {path="php5"; trail="/**/";}} - ${etcRule {path="php7"; trail="/**/";}} - ${etcRule {path="php"; trail="/**.ini";}} - ${etcRule {path="php5"; trail="/**.ini";}} - ${etcRule {path="php7"; trail="/**.ini";}} - ''; + '' + lib.concatMapStringsSep "\n" etcRule [ + { path = "php"; trail = "/**/"; } + { path = "php5"; trail = "/**/"; } + { path = "php7"; trail = "/**/"; } + { path = "php"; trail = "/**.ini"; } + { path = "php5"; trail = "/**.ini"; } + { path = "php7"; trail = "/**.ini"; } + ]; "abstractions/postfix-common" = '' include "${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/postfix-common" - ${etcRule "mailname"} - ${etcRule {path="postfix"; trail="/*.cf";}} - ${etcRule "postfix/main.cf"} - ${etcRule "postfix/master.cf"} - ''; + '' + lib.concatMapStringsSep "\n" etcRule [ + "mailname" + { path = "postfix"; trail = "/*.cf"; } + "postfix/main.cf" + "postfix/master.cf" + ]; "abstractions/python" = '' include "${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/python" ''; "abstractions/qt5" = '' include "${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/qt5" - ${etcRule {path="xdg"; trail="/QtProject/qtlogging.ini";}} - ${etcRule {path="xdg/QtProject"; trail="/qtlogging.ini";}} - ${etcRule "xdg/QtProject/qtlogging.ini"} - ''; + '' + lib.concatMapStringsSep "\n" etcRule [ + { path = "xdg"; trail = "/QtProject/qtlogging.ini"; } + { path = "xdg/QtProject"; trail = "/qtlogging.ini"; } + "xdg/QtProject/qtlogging.ini" + ]; "abstractions/samba" = '' include "${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/samba" - ${etcRule {path="samba"; trail="/*";}} + ${etcRule { path = "samba"; trail = "/*"; }} ''; "abstractions/ssl_certs" = '' include "${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/ssl_certs" - ${etcRule "ssl/certs/ca-certificates.crt"} - ${etcRule "ssl/certs/ca-bundle.crt"} - ${etcRule "pki/tls/certs/ca-bundle.crt"} - ${etcRule {path="ssl/trust"; trail="/";}} - ${etcRule {path="ssl/trust"; trail="/*";}} - ${etcRule {path="ssl/trust/anchors"; trail="/";}} - ${etcRule {path="ssl/trust/anchors"; trail="/**";}} - ${etcRule {path="pki/trust"; trail="/";}} - ${etcRule {path="pki/trust"; trail="/*";}} - ${etcRule {path="pki/trust/anchors"; trail="/";}} - ${etcRule {path="pki/trust/anchors"; trail="/**";}} - - # security.acme NixOS module + # For the NixOS module: security.acme r /var/lib/acme/*/cert.pem, r /var/lib/acme/*/chain.pem, r /var/lib/acme/*/fullchain.pem, - ''; + + '' + lib.concatMapStringsSep "\n" etcRule [ + "ssl/certs/ca-certificates.crt" + "ssl/certs/ca-bundle.crt" + "pki/tls/certs/ca-bundle.crt" + + { path = "ssl/trust"; trail = "/"; } + { path = "ssl/trust"; trail = "/*"; } + { path = "ssl/trust/anchors"; trail = "/"; } + { path = "ssl/trust/anchors"; trail = "/**"; } + { path = "pki/trust"; trail = "/"; } + { path = "pki/trust"; trail = "/*"; } + { path = "pki/trust/anchors"; trail = "/"; } + { path = "pki/trust/anchors"; trail = "/**"; } + ]; "abstractions/ssl_keys" = '' # security.acme NixOS module r /var/lib/acme/*/full.pem, @@ -284,18 +300,18 @@ config.security.apparmor.includes = { ''; "abstractions/vulkan" = '' include "${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/vulkan" - ${etcRule {path="vulkan/icd.d"; trail="/";}} - ${etcRule {path="vulkan/icd.d"; trail="/*.json";}} + ${etcRule { path = "vulkan/icd.d"; trail = "/"; }} + ${etcRule { path = "vulkan/icd.d"; trail = "/*.json"; }} ''; "abstractions/winbind" = '' include "${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/winbind" - ${etcRule {path="samba"; trail="/smb.conf";}} - ${etcRule {path="samba"; trail="/dhcp.conf";}} + ${etcRule { path = "samba"; trail = "/smb.conf"; }} + ${etcRule { path = "samba"; trail = "/dhcp.conf"; }} ''; "abstractions/X" = '' include "${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/X" - ${etcRule {path="X11/cursors"; trail="/";}} - ${etcRule {path="X11/cursors"; trail="/**";}} + ${etcRule { path = "X11/cursors"; trail = "/"; }} + ${etcRule { path = "X11/cursors"; trail = "/**"; }} ''; }; } diff --git a/nixos/modules/security/misc.nix b/nixos/modules/security/misc.nix index d51dbbb77f7..e7abc1e0d59 100644 --- a/nixos/modules/security/misc.nix +++ b/nixos/modules/security/misc.nix @@ -7,6 +7,10 @@ with lib; maintainers = [ maintainers.joachifm ]; }; + imports = [ + (lib.mkRenamedOptionModule [ "security" "virtualization" "flushL1DataCache" ] [ "security" "virtualisation" "flushL1DataCache" ]) + ]; + options = { security.allowUserNamespaces = mkOption { type = types.bool; diff --git a/nixos/modules/security/pam.nix b/nixos/modules/security/pam.nix index 8216c03795a..1c49131d789 100644 --- a/nixos/modules/security/pam.nix +++ b/nixos/modules/security/pam.nix @@ -897,59 +897,79 @@ in security.apparmor.includes."abstractions/pam" = let isEnabled = test: fold or false (map test (attrValues config.security.pam.services)); - in '' - ${lib.concatMapStringsSep "\n" - (name: "r ${config.environment.etc."pam.d/${name}".source},") - (attrNames config.security.pam.services)} + in + lib.concatMapStringsSep "\n" + (name: "r ${config.environment.etc."pam.d/${name}".source},") + (attrNames config.security.pam.services) + + '' mr ${getLib pkgs.pam}/lib/security/pam_filter/*, mr ${getLib pkgs.pam}/lib/security/pam_*.so, r ${getLib pkgs.pam}/lib/security/, - ${optionalString use_ldap - "mr ${pam_ldap}/lib/security/pam_ldap.so,"} - ${optionalString config.services.sssd.enable - "mr ${pkgs.sssd}/lib/security/pam_sss.so,"} - ${optionalString config.krb5.enable '' + '' + + optionalString use_ldap '' + mr ${pam_ldap}/lib/security/pam_ldap.so, + '' + + optionalString config.services.sssd.enable '' + mr ${pkgs.sssd}/lib/security/pam_sss.so, + '' + + optionalString config.krb5.enable '' mr ${pam_krb5}/lib/security/pam_krb5.so, mr ${pam_ccreds}/lib/security/pam_ccreds.so, - ''} - ${optionalString (isEnabled (cfg: cfg.googleOsLoginAccountVerification)) '' + '' + + optionalString (isEnabled (cfg: cfg.googleOsLoginAccountVerification)) '' mr ${pkgs.google-compute-engine-oslogin}/lib/pam_oslogin_login.so, mr ${pkgs.google-compute-engine-oslogin}/lib/pam_oslogin_admin.so, - ''} - ${optionalString (isEnabled (cfg: cfg.googleOsLoginAuthentication)) - "mr ${pkgs.google-compute-engine-oslogin}/lib/pam_oslogin_login.so,"} - ${optionalString (config.security.pam.enableSSHAgentAuth && isEnabled (cfg: cfg.sshAgentAuth)) - "mr ${pkgs.pam_ssh_agent_auth}/libexec/pam_ssh_agent_auth.so,"} - ${optionalString (isEnabled (cfg: cfg.fprintAuth)) - "mr ${pkgs.fprintd}/lib/security/pam_fprintd.so,"} - ${optionalString (isEnabled (cfg: cfg.u2fAuth)) - "mr ${pkgs.pam_u2f}/lib/security/pam_u2f.so,"} - ${optionalString (isEnabled (cfg: cfg.usbAuth)) - "mr ${pkgs.pam_usb}/lib/security/pam_usb.so,"} - ${optionalString (isEnabled (cfg: cfg.oathAuth)) - "mr ${pkgs.oathToolkit}/lib/security/pam_oath.so,"} - ${optionalString (isEnabled (cfg: cfg.yubicoAuth)) - "mr ${pkgs.yubico-pam}/lib/security/pam_yubico.so,"} - ${optionalString (isEnabled (cfg: cfg.duoSecurity.enable)) - "mr ${pkgs.duo-unix}/lib/security/pam_duo.so,"} - ${optionalString (isEnabled (cfg: cfg.otpwAuth)) - "mr ${pkgs.otpw}/lib/security/pam_otpw.so,"} - ${optionalString config.security.pam.enableEcryptfs - "mr ${pkgs.ecryptfs}/lib/security/pam_ecryptfs.so,"} - ${optionalString (isEnabled (cfg: cfg.pamMount)) - "mr ${pkgs.pam_mount}/lib/security/pam_mount.so,"} - ${optionalString (isEnabled (cfg: cfg.enableGnomeKeyring)) - "mr ${pkgs.gnome3.gnome-keyring}/lib/security/pam_gnome_keyring.so,"} - ${optionalString (isEnabled (cfg: cfg.startSession)) - "mr ${pkgs.systemd}/lib/security/pam_systemd.so,"} - ${optionalString (isEnabled (cfg: cfg.enableAppArmor) && config.security.apparmor.enable) - "mr ${pkgs.apparmor-pam}/lib/security/pam_apparmor.so,"} - ${optionalString (isEnabled (cfg: cfg.enableKwallet)) - "mr ${pkgs.plasma5.kwallet-pam}/lib/security/pam_kwallet5.so,"} - ${optionalString config.virtualisation.lxc.lxcfs.enable - "mr ${pkgs.lxc}/lib/security/pam_cgfs.so"} - ''; - + '' + + optionalString (isEnabled (cfg: cfg.googleOsLoginAuthentication)) '' + mr ${pkgs.google-compute-engine-oslogin}/lib/pam_oslogin_login.so, + '' + + optionalString (config.security.pam.enableSSHAgentAuth + && isEnabled (cfg: cfg.sshAgentAuth)) '' + mr ${pkgs.pam_ssh_agent_auth}/libexec/pam_ssh_agent_auth.so, + '' + + optionalString (isEnabled (cfg: cfg.fprintAuth)) '' + mr ${pkgs.fprintd}/lib/security/pam_fprintd.so, + '' + + optionalString (isEnabled (cfg: cfg.u2fAuth)) '' + mr ${pkgs.pam_u2f}/lib/security/pam_u2f.so, + '' + + optionalString (isEnabled (cfg: cfg.usbAuth)) '' + mr ${pkgs.pam_usb}/lib/security/pam_usb.so, + '' + + optionalString (isEnabled (cfg: cfg.oathAuth)) '' + "mr ${pkgs.oathToolkit}/lib/security/pam_oath.so, + '' + + optionalString (isEnabled (cfg: cfg.yubicoAuth)) '' + mr ${pkgs.yubico-pam}/lib/security/pam_yubico.so, + '' + + optionalString (isEnabled (cfg: cfg.duoSecurity.enable)) '' + mr ${pkgs.duo-unix}/lib/security/pam_duo.so, + '' + + optionalString (isEnabled (cfg: cfg.otpwAuth)) '' + mr ${pkgs.otpw}/lib/security/pam_otpw.so, + '' + + optionalString config.security.pam.enableEcryptfs '' + mr ${pkgs.ecryptfs}/lib/security/pam_ecryptfs.so, + '' + + optionalString (isEnabled (cfg: cfg.pamMount)) '' + mr ${pkgs.pam_mount}/lib/security/pam_mount.so, + '' + + optionalString (isEnabled (cfg: cfg.enableGnomeKeyring)) '' + mr ${pkgs.gnome3.gnome-keyring}/lib/security/pam_gnome_keyring.so, + '' + + optionalString (isEnabled (cfg: cfg.startSession)) '' + mr ${pkgs.systemd}/lib/security/pam_systemd.so, + '' + + optionalString (isEnabled (cfg: cfg.enableAppArmor) + && config.security.apparmor.enable) '' + mr ${pkgs.apparmor-pam}/lib/security/pam_apparmor.so, + '' + + optionalString (isEnabled (cfg: cfg.enableKwallet)) '' + mr ${pkgs.plasma5.kwallet-pam}/lib/security/pam_kwallet5.so, + '' + + optionalString config.virtualisation.lxc.lxcfs.enable '' + mr ${pkgs.lxc}/lib/security/pam_cgfs.so + ''; }; } diff --git a/pkgs/os-specific/linux/apparmor/default.nix b/pkgs/os-specific/linux/apparmor/default.nix index 67d354b42bc..5804a33c485 100644 --- a/pkgs/os-specific/linux/apparmor/default.nix +++ b/pkgs/os-specific/linux/apparmor/default.nix @@ -290,7 +290,7 @@ let , name ? "" }: rootPaths: runCommand ( "apparmor-closure-rules" - + lib.optionalString (name != "") "-${name}") {} '' + + lib.optionalString (name != "") "-${name}" ) {} '' touch $out while read -r path do printf >>$out "%s,\n" ${lib.concatMapStringsSep " " (x: "\"${x}\"") (baseRules ++ additionalRules)} -- cgit 1.4.1