nixpkgs/pkgs/os-specific/linux/apparmor/default.nix

264 lines
8.5 KiB
Nix
Raw Normal View History

{ stdenv, lib, fetchurl, fetchpatch, makeWrapper, autoreconfHook
, pkg-config, which
, flex, bison
, linuxHeaders ? stdenv.cc.libc.linuxHeaders
, gawk
, withPerl ? stdenv.hostPlatform == stdenv.buildPlatform && lib.any (lib.meta.platformMatch stdenv.hostPlatform) perl.meta.platforms, perl
, withPython ? stdenv.hostPlatform == stdenv.buildPlatform && lib.any (lib.meta.platformMatch stdenv.hostPlatform) python.meta.platforms, python
, swig
, ncurses
, pam
, libnotify
2018-02-25 14:38:55 +00:00
, buildPackages
}:
let
2018-10-16 10:53:14 +01:00
apparmor-series = "2.13";
2020-12-08 18:44:42 +00:00
apparmor-patchver = "6";
2017-12-30 13:28:40 +00:00
apparmor-version = apparmor-series + "." + apparmor-patchver;
2021-01-15 14:45:37 +00:00
apparmor-meta = component: with lib; {
homepage = "https://apparmor.net/";
description = "A mandatory access control system - ${component}";
license = licenses.gpl2;
maintainers = with maintainers; [ phreedom thoughtpolice joachifm ];
platforms = platforms.linux;
};
apparmor-sources = fetchurl {
2018-10-16 10:53:14 +01:00
url = "https://launchpad.net/apparmor/${apparmor-series}/${apparmor-version}/+download/apparmor-${apparmor-version}.tar.gz";
2020-12-08 18:44:42 +00:00
sha256 = "13xshy7905d9q9n8d8i0jmdi9m36wr525g4wlsp8k21n7yvvh9j4";
};
prePatchCommon = ''
chmod a+x ./common/list_capabilities.sh ./common/list_af_names.sh
patchShebangs ./common/list_capabilities.sh ./common/list_af_names.sh
2018-02-25 14:38:55 +00:00
substituteInPlace ./common/Make.rules --replace "/usr/bin/pod2man" "${buildPackages.perl}/bin/pod2man"
substituteInPlace ./common/Make.rules --replace "/usr/bin/pod2html" "${buildPackages.perl}/bin/pod2html"
substituteInPlace ./common/Make.rules --replace "/usr/include/linux/capability.h" "${linuxHeaders}/include/linux/capability.h"
substituteInPlace ./common/Make.rules --replace "/usr/share/man" "share/man"
'';
2021-01-15 14:45:37 +00:00
patches = lib.optionals stdenv.hostPlatform.isMusl [
(fetchpatch {
url = "https://git.alpinelinux.org/aports/plain/testing/apparmor/0003-Added-missing-typedef-definitions-on-parser.patch?id=74b8427cc21f04e32030d047ae92caa618105b53";
name = "0003-Added-missing-typedef-definitions-on-parser.patch";
sha256 = "0yyaqz8jlmn1bm37arggprqz0njb4lhjni2d9c8qfqj0kll0bam0";
})
(fetchpatch {
url = "https://git.alpinelinux.org/aports/plain/testing/apparmor/0007-Do-not-build-install-vim-file-with-utils-package.patch?id=74b8427cc21f04e32030d047ae92caa618105b53";
name = "0007-Do-not-build-install-vim-file-with-utils-package.patch";
sha256 = "1m4dx901biqgnr4w4wz8a2z9r9dxyw7wv6m6mqglqwf2lxinqmp4";
})
# (alpine patches {1,4,5,6,8} are needed for apparmor 2.11, but not 2.12)
2019-06-29 12:17:21 +01:00
];
# Set to `true` after the next FIXME gets fixed or this gets some
# common derivation infra. Too much copy-paste to fix one by one.
doCheck = false;
# FIXME: convert these to a single multiple-outputs package?
libapparmor = stdenv.mkDerivation {
name = "libapparmor-${apparmor-version}";
src = apparmor-sources;
nativeBuildInputs = [
2015-07-15 08:31:40 +01:00
autoreconfHook
bison
flex
pkg-config
swig
ncurses
which
2018-02-25 14:38:55 +00:00
perl
];
buildInputs = []
2021-01-15 14:45:37 +00:00
++ lib.optional withPerl perl
++ lib.optional withPython python;
2015-07-15 08:31:40 +01:00
# required to build apparmor-parser
dontDisableStatic = true;
prePatch = prePatchCommon + ''
substituteInPlace ./libraries/libapparmor/swig/perl/Makefile.am --replace install_vendor install_site
substituteInPlace ./libraries/libapparmor/swig/perl/Makefile.in --replace install_vendor install_site
2021-01-15 14:45:37 +00:00
substituteInPlace ./libraries/libapparmor/src/Makefile.am --replace "/usr/include/netinet/in.h" "${lib.getDev stdenv.cc.libc}/include/netinet/in.h"
substituteInPlace ./libraries/libapparmor/src/Makefile.in --replace "/usr/include/netinet/in.h" "${lib.getDev stdenv.cc.libc}/include/netinet/in.h"
'';
inherit patches;
2015-07-15 08:31:40 +01:00
postPatch = "cd ./libraries/libapparmor";
2018-02-25 14:38:55 +00:00
# https://gitlab.com/apparmor/apparmor/issues/1
configureFlags = [
2021-01-15 14:45:37 +00:00
(lib.withFeature withPerl "perl")
(lib.withFeature withPython "python")
];
2021-01-15 14:45:37 +00:00
outputs = [ "out" ] ++ lib.optional withPython "python";
2021-01-15 14:45:37 +00:00
postInstall = lib.optionalString withPython ''
mkdir -p $python/lib
mv $out/lib/python* $python/lib/
'';
inherit doCheck;
meta = apparmor-meta "library";
};
apparmor-utils = stdenv.mkDerivation {
name = "apparmor-utils-${apparmor-version}";
src = apparmor-sources;
nativeBuildInputs = [ makeWrapper which ];
buildInputs = [
perl
python
libapparmor
libapparmor.python
];
prePatch = prePatchCommon + ''
substituteInPlace ./utils/apparmor/easyprof.py --replace "/sbin/apparmor_parser" "${apparmor-parser}/bin/apparmor_parser"
substituteInPlace ./utils/apparmor/aa.py --replace "/sbin/apparmor_parser" "${apparmor-parser}/bin/apparmor_parser"
substituteInPlace ./utils/logprof.conf --replace "/sbin/apparmor_parser" "${apparmor-parser}/bin/apparmor_parser"
'';
inherit patches;
2015-07-15 08:31:40 +01:00
postPatch = "cd ./utils";
2019-10-28 09:17:49 +00:00
makeFlags = [ "LANGS=" ];
installFlags = [ "DESTDIR=$(out)" "BINDIR=$(out)/bin" "VIM_INSTALL_PATH=$(out)/share" "PYPREFIX=" ];
postInstall = ''
for prog in aa-audit aa-autodep aa-cleanprof aa-complain aa-disable aa-enforce aa-genprof aa-logprof aa-mergeprof aa-status aa-unconfined ; do
wrapProgram $out/bin/$prog --prefix PYTHONPATH : "$out/lib/${python.libPrefix}/site-packages:$PYTHONPATH"
done
substituteInPlace $out/bin/aa-notify --replace /usr/bin/notify-send ${libnotify}/bin/notify-send
# aa-notify checks its name and does not work named ".aa-notify-wrapped"
mv $out/bin/aa-notify $out/bin/aa-notify-wrapped
makeWrapper ${perl}/bin/perl $out/bin/aa-notify --set PERL5LIB ${libapparmor}/${perl.libPrefix} --add-flags $out/bin/aa-notify-wrapped
'';
inherit doCheck;
meta = apparmor-meta "user-land utilities" // {
broken = !(withPython && withPerl);
};
};
apparmor-bin-utils = stdenv.mkDerivation {
name = "apparmor-bin-utils-${apparmor-version}";
src = apparmor-sources;
nativeBuildInputs = [
pkg-config
libapparmor
gawk
which
];
buildInputs = [
libapparmor
];
prePatch = prePatchCommon;
postPatch = "cd ./binutils";
2019-10-28 09:17:49 +00:00
makeFlags = [ "LANGS=" "USE_SYSTEM=1" ];
installFlags = [ "DESTDIR=$(out)" "BINDIR=$(out)/bin" ];
inherit doCheck;
meta = apparmor-meta "binary user-land utilities";
};
apparmor-parser = stdenv.mkDerivation {
name = "apparmor-parser-${apparmor-version}";
src = apparmor-sources;
nativeBuildInputs = [ bison flex which ];
buildInputs = [ libapparmor ];
prePatch = prePatchCommon + ''
substituteInPlace ./parser/Makefile --replace "/usr/bin/bison" "${bison}/bin/bison"
substituteInPlace ./parser/Makefile --replace "/usr/bin/flex" "${flex}/bin/flex"
substituteInPlace ./parser/Makefile --replace "/usr/include/linux/capability.h" "${linuxHeaders}/include/linux/capability.h"
## techdoc.pdf still doesn't build ...
substituteInPlace ./parser/Makefile --replace "manpages htmlmanpages pdf" "manpages htmlmanpages"
'';
inherit patches;
2015-07-15 08:31:40 +01:00
postPatch = "cd ./parser";
2019-10-28 09:17:49 +00:00
makeFlags = [
"LANGS=" "USE_SYSTEM=1" "INCLUDEDIR=${libapparmor}/include"
"AR=${stdenv.cc.bintools.targetPrefix}ar"
];
installFlags = [ "DESTDIR=$(out)" "DISTRO=unknown" ];
inherit doCheck;
meta = apparmor-meta "rule parser";
};
apparmor-pam = stdenv.mkDerivation {
name = "apparmor-pam-${apparmor-version}";
src = apparmor-sources;
nativeBuildInputs = [ pkg-config which ];
buildInputs = [ libapparmor pam ];
2015-07-15 08:31:40 +01:00
postPatch = "cd ./changehat/pam_apparmor";
2019-10-28 09:17:49 +00:00
makeFlags = [ "USE_SYSTEM=1" ];
installFlags = [ "DESTDIR=$(out)" ];
inherit doCheck;
meta = apparmor-meta "PAM service";
};
apparmor-profiles = stdenv.mkDerivation {
name = "apparmor-profiles-${apparmor-version}";
src = apparmor-sources;
nativeBuildInputs = [ which ];
2015-07-15 08:31:40 +01:00
postPatch = "cd ./profiles";
2019-10-28 09:17:49 +00:00
installFlags = [ "DESTDIR=$(out)" "EXTRAS_DEST=$(out)/share/apparmor/extra-profiles" ];
inherit doCheck;
meta = apparmor-meta "profiles";
};
apparmor-kernel-patches = stdenv.mkDerivation {
name = "apparmor-kernel-patches-${apparmor-version}";
src = apparmor-sources;
phases = "unpackPhase installPhase";
installPhase = ''
mkdir "$out"
cp -R ./kernel-patches/* "$out"
'';
inherit doCheck;
meta = apparmor-meta "kernel patches";
};
in
{
inherit
libapparmor
apparmor-utils
apparmor-bin-utils
apparmor-parser
apparmor-pam
apparmor-profiles
apparmor-kernel-patches;
}