From e3b1b09779b7575f73224695602dfe5de348651c Mon Sep 17 00:00:00 2001
From: Joachim Fasting
Date: Thu, 12 Mar 2015 10:10:47 +0100
Subject: [PATCH 1/3] Add AppArmor 2.9

The 2.9 series brings features such as support for dbus, unix abstract sockets, ptrace mediation, and replaces Perl tools with equivalents implemented in Python. See [1] for details.

The package expression has been changed to build each component (library, parser) separately. Additionally, Perl is now only used to build man pages and locale support has been removed.

The user-land tools are currently broken (fail to import the Python module), but this isn't really a regression, as only two or three of the tools installed by the previous version were functional. The most important tool, aa-status, works, however.

Lastly, dbus support is compiled in, but is untested and probably requires patching of dbus.

[1]: http://wiki.apparmor.net/index.php/ReleaseNotes_2_9_0
---
 .../linux/apparmor/2.9/default.nix | 196 ++++++++++++++++++
 1 file changed, 196 insertions(+)
 create mode 100644 pkgs/os-specific/linux/apparmor/2.9/default.nix

diff --git a/pkgs/os-specific/linux/apparmor/2.9/default.nix b/pkgs/os-specific/linux/apparmor/2.9/default.nix
new file mode 100644
index 000000000000..a8d8b2a9e1ce
--- /dev/null
+++ b/pkgs/os-specific/linux/apparmor/2.9/default.nix
@@ -0,0 +1,196 @@
+{ stdenv, fetchurl, autoconf, automake, libtool, pkgconfig, perl, which
+, glibc, flex, bison, python27, swig, dbus, pam
+}:
+
+let
+  apparmor-series = "2.9";
+  apparmor-patchver = "1";
+  apparmor-version = "${apparmor-series}.${apparmor-patchver}";
+
+  apparmor-meta = component: with stdenv.lib; {
+    homepage = http://apparmor.net/;
+    description = "Linux application security system - ${component}";
+    license = licenses.gpl2;
+    maintainers = with maintainers; [ phreedom thoughtpolice joachifm ];
+    platforms = platforms.linux;
+  };
+
+  apparmor-sources = fetchurl {
+    url = "https://launchpad.net/apparmor/${apparmor-series}/${apparmor-version}/+download/apparmor-${apparmor-version}.tar.gz";
+    sha256 = "a63b8724c36c29ed438c9e3ca403bfeeb6c998a45990e300aa1b10faa23a0a22";
+  };
+
+  libapparmor = stdenv.mkDerivation {
+    name = "libapparmor-${apparmor-version}";
+    src = apparmor-sources;
+
+    buildInputs = [
+      autoconf
+      automake
+      bison
+      flex
+      dbus # requires patch to dbus ...
+      glibc
+      libtool
+      perl
+      pkgconfig
+      python27
+      swig
+      which
+    ];
+
+    prePatch = ''
+      ### common
+      substituteInPlace ./common/Make.rules --replace "/usr/bin/pod2man" "${perl}/bin/pod2man"
+      substituteInPlace ./common/Make.rules --replace "/usr/bin/pod2html" "${perl}/bin/pod2html"
+      substituteInPlace ./common/Make.rules --replace "/usr/include/linux/capability.h" "${glibc}/include/linux/capability.h"
+
+      ### libapparmor
+      substituteInPlace ./libraries/libapparmor/src/Makefile.am --replace "/usr/include/netinet/in.h" "${glibc}/include/netinet/in.h"
+      substituteInPlace ./libraries/libapparmor/src/Makefile.in --replace "/usr/include/netinet/in.h" "${glibc}/include/netinet/in.h"
+    '';
+
+    buildPhase = ''
+      ### libapparmor
+      cd ./libraries/libapparmor
+      ./autogen.sh
+      ./configure --prefix="$out" --with-python
+      make
+    '';
+
+    installPhase = ''
+      make install
+    '';
+
+    meta = apparmor-meta "library";
+  };
+
+  apparmor-utils = stdenv.mkDerivation {
+    name = "apparmor-utils-${apparmor-version}";
+    src = apparmor-sources;
+
+    buildInputs = [
+      python27
+      libapparmor
+      which
+    ];
+
+    prePatch = ''
+      ### common
+      substituteInPlace ./common/Make.rules --replace "/usr/bin/pod2man" "${perl}/bin/pod2man"
+      substituteInPlace ./common/Make.rules --replace "/usr/bin/pod2html" "${perl}/bin/pod2html"
+      substituteInPlace ./common/Make.rules --replace "/usr/include/linux/capability.h" "${glibc}/include/linux/capability.h"
+    '';
+
+    buildPhase = ''
+      cd ./utils
+      make LANGS=""
+    '';
+
+    installPhase = ''
+      make install LANGS="" DESTDIR="$out" BINDIR="$out/bin"
+    '';
+
+    meta = apparmor-meta "user-land utilities";
+  };
+
+  apparmor-parser = stdenv.mkDerivation {
+    name = "apparmor-parser-${apparmor-version}";
+    src = apparmor-sources;
+
+    buildInputs = [
+      libapparmor
+      bison
+      flex
+      which
+    ];
+
+    prePatch = ''
+      ### common
+      substituteInPlace ./common/Make.rules --replace "/usr/bin/pod2man" "${perl}/bin/pod2man"
+      substituteInPlace ./common/Make.rules --replace "/usr/bin/pod2html" "${perl}/bin/pod2html"
+      substituteInPlace ./common/Make.rules --replace "/usr/include/linux/capability.h" "${glibc}/include/linux/capability.h"
+
+      ### apparmor-parser
+      substituteInPlace ./parser/Makefile --replace "/usr/bin/bison" "${bison}/bin/bison"
+      substituteInPlace ./parser/Makefile --replace "/usr/bin/flex" "${flex}/bin/flex"
+      substituteInPlace ./parser/Makefile --replace "/usr/include/linux/capability.h" "${glibc}/include/linux/capability.h"
+      ## techdoc.pdf still doesn't build ...
+      substituteInPlace ./parser/Makefile --replace "manpages htmlmanpages pdf" "manpages htmlmanpages"
+    '';
+
+    buildPhase = ''
+      cd ./parser
+      make LANGS="" USE_SYSTEM=1 INCLUDEDIR=${libapparmor}/include
+    '';
+
+    installPhase = ''
+      make install LANGS="" USE_SYSTEM=1 INCLUDEDIR=${libapparmor}/include DESTDIR="$out" DISTRO="unknown"
+    '';
+
+    meta = apparmor-meta "rule parser";
+  };
+
+  apparmor-pam = stdenv.mkDerivation {
+    name = "apparmor-pam-${apparmor-version}";
+    src = apparmor-sources;
+
+    buildInputs = [
+      libapparmor
+      pam
+      pkgconfig
+      which
+    ];
+
+    buildPhase = ''
+      cd ./changehat/pam_apparmor
+      make USE_SYSTEM=1
+    '';
+
+    installPhase = ''
+      make install DESTDIR="$out"
+    '';
+
+    meta = apparmor-meta "PAM service";
+  };
+
+  apparmor-profiles = stdenv.mkDerivation {
+    name = "apparmor-profiles-${apparmor-version}";
+    src = apparmor-sources;
+
+    buildInputs = [
+      which
+    ];
+
+    buildPhase = ''
+      cd ./profiles
+      make
+    '';
+
+    installPhase = ''
+      make install DESTDIR="$out"
+    '';
+
+    meta = apparmor-meta "profiles";
+  };
+
+  apparmor-kernel-patches = stdenv.mkDerivation {
+    name = "apparmor-kernel-patches-${apparmor-version}";
+    src = apparmor-sources;
+
+    phases = ''unpackPhase installPhase'';
+
+    installPhase = ''
+      mkdir "$out"
+      cp -R ./kernel-patches "$out"
+    '';
+
+    meta = apparmor-meta "kernel patches";
+  };
+
+in
+
+{
+  inherit libapparmor apparmor-utils apparmor-parser apparmor-pam
+    apparmor-profiles apparmor-kernel-patches;
+}
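Review bot: `apparmor-utils` installs the Python tools into `$out/bin` without setting `PYTHONPATH` for them, which is presumably why the commit message reports that they fail to import their module (`aa-status` presumably works only because it does not import the `apparmor` module). A `postInstall` that wraps each tool (e.g. `wrapProgram` from `makeWrapper`) with a `PYTHONPATH` covering the `apparmor` module installed by the utils Makefile and libapparmor's `python27` bindings would fix that — check the utils Makefile's Python install prefix first, since with `DESTDIR="$out"` and the default prefix the module may land under `$out/usr/...` rather than `$out/lib/...`. Shipping mode-management tools that cannot run means profile enforce/complain state cannot be changed from the box, so the breakage is worth noting in a comment on the derivation until it is fixed. Separately, `apparmor-meta` marks every component `licenses.gpl2`, but libapparmor is distributed under the LGPL, so the library's `meta` should probably use `licenses.lgpl21` instead.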
From 65e41b4f08f11ba153763daf263afd968ea3cc1d Mon Sep 17 00:00:00 2001
From: Joachim Fasting
Date: Thu, 12 Mar 2015 11:24:37 +0100
Subject: [PATCH 2/3] Add AppArmor 2.9 to packages toplevel

- Each component has its own name (libapparmor, apparmor-parser, etc)
- The name apparmor still refers to the old version, for compatiblity; most users of this name probably want libapparmor.
---
 pkgs/top-level/all-packages.nix | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/pkgs/top-level/all-packages.nix b/pkgs/top-level/all-packages.nix
index 2efc9ea27ad9..54df6449a8ad 100644
--- a/pkgs/top-level/all-packages.nix
+++ b/pkgs/top-level/all-packages.nix
@@ -8446,6 +8446,13 @@ let
     perl = perl516; # ${perl}/.../CORE/handy.h:124:34: error: 'bool' undeclared
   };
 
+  apparmor_2_9 = callPackage ../os-specific/linux/apparmor/2.9 { };
+  libapparmor = apparmor_2_9.libapparmor;
+  apparmor-pam = apparmor_2_9.apparmor-pam;
+  apparmor-parser = apparmor_2_9.apparmor-parser;
+  apparmor-profiles = apparmor_2_9.apparmor-profiles;
+  apparmor-utils = apparmor_2_9.apparmor-utils;
+
   atop = callPackage ../os-specific/linux/atop { };
 
   audit = callPackage ../os-specific/linux/audit { };

From 7a9a24a95e70f10ebd90eda94f08508f03942963 Mon Sep 17 00:00:00 2001
From: Joachim Fasting
Date: Thu, 12 Mar 2015 10:11:25 +0100
Subject: [PATCH 3/3] Update AppArmor service module

- Use AppArmor 2.9
- Enable PAM support
---
 nixos/modules/security/apparmor.nix | 84 +++++++++++++++++------------
 1 file changed, 51 insertions(+), 33 deletions(-)

diff --git a/nixos/modules/security/apparmor.nix b/nixos/modules/security/apparmor.nix
index f29e7a5ad818..92f020edce56 100644
--- a/nixos/modules/security/apparmor.nix
+++ b/nixos/modules/security/apparmor.nix
@@ -1,43 +1,61 @@
 { config, lib, pkgs, ... }:
 
-with lib;
-
 let
+  inherit (lib) mkIf mkOption types concatMapStrings;
   cfg = config.security.apparmor;
 in
+
 {
-  options = {
-    security.apparmor = {
-      enable = mkOption {
-        type = types.bool;
-        default = false;
-        description = "Enable the AppArmor Mandatory Access Control system.";
-      };
+  #### interface
+  options = {
 
-      profiles = mkOption {
-        type = types.listOf types.path;
-        default = [];
-        description = "List of files containing AppArmor profiles.";
-      };
-    };
-  };
+    security.apparmor = {
 
-  config = mkIf cfg.enable {
-    environment.systemPackages = [ pkgs.apparmor ];
-    systemd.services.apparmor = {
-      wantedBy = [ "local-fs.target" ];
-      path = [ pkgs.apparmor ];
+      enable = mkOption {
+        type = types.bool;
+        default = false;
+        description = "Enable the AppArmor Mandatory Access Control system.";
+      };
 
-      serviceConfig = {
-        Type = "oneshot";
-        RemainAfterExit = "yes";
-        ExecStart = concatMapStrings (profile:
-          ''${pkgs.apparmor}/sbin/apparmor_parser -rKv -I ${pkgs.apparmor}/etc/apparmor.d/ "${profile}" ; ''
-        ) cfg.profiles;
-        ExecStop = concatMapStrings (profile:
-          ''${pkgs.apparmor}/sbin/apparmor_parser -Rv -I ${pkgs.apparmor}/etc/apparmor.d/ "${profile}" ; ''
-        ) cfg.profiles;
-      };
-    };
-  };
+      profiles = mkOption {
+        type = types.listOf types.path;
+        default = [];
+        description = "List of files containing AppArmor profiles.";
+      };
+
+    };
+
+  };
+
+  #### implementation
+  config = mkIf cfg.enable {
+
+    environment.systemPackages = [
+      pkgs.apparmor-utils
+    ];
+
+    systemd.services.apparmor = {
+      wantedBy = [ "local-fs.target" ];
+
+      serviceConfig = {
+        Type = "oneshot";
+        RemainAfterExit = "yes";
+        ExecStart = concatMapStrings (p:
+          ''${pkgs.apparmor-parser}/bin/apparmor_parser -rKv -I ${pkgs.apparmor-profiles}/etc/apparmor.d "${p}" ; ''
+        ) cfg.profiles;
+        ExecStop = concatMapStrings (p:
+          ''${pkgs.apparmor-parser}/bin/apparmor_parser -Rv "${p}" ; ''
+        ) cfg.profiles;
+      };
+    };
+
+    security.pam.services.apparmor.text = ''
+      ## The AppArmor service changes hats according to order: first try
+      ## user, then group, and finally fall back to a hat called "DEFAULT"
+      ##
+      ## For now, enable debugging as this is an experimental feature.
+      session optional ${pkgs.apparmor-pam}/lib/security/pam_apparmor.so order=user,group,default debug
+    '';
+
+  };
 }
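Review bot: The new `ExecStop` drops the `-I ${pkgs.apparmor-profiles}/etc/apparmor.d` include path that `ExecStart` still passes, so a profile that `#include`s tunables or abstractions from that directory will fail to parse on stop and remain loaded; the removed lines passed `-I` on both commands. Restoring it is a one-line change: `''${pkgs.apparmor-parser}/bin/apparmor_parser -Rv -I ${pkgs.apparmor-profiles}/etc/apparmor.d "${p}" ; ''`. The parser is now invoked as `${pkgs.apparmor-parser}/bin/apparmor_parser` where the old module used `sbin`; the parser's Makefile appears to install under an sbin directory by default, so confirm the binary is actually at that path in the new derivation (or is relocated by stdenv) before relying on it. Finally, `security.pam.services.apparmor.text` creates a standalone `/etc/pam.d/apparmor` stack; pam_apparmor only changes hats for services whose session stack includes it, so unless some program authenticates against a service named `apparmor` this line is presumably inert — a comment naming the services that are meant to include it would help.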