From fca06b142a92ce9aaca6f0a1759de719cfa42d68 Mon Sep 17 00:00:00 2001 From: Tony Olagbaiye Date: Thu, 3 Dec 2020 13:45:43 +0000 Subject: [PATCH] nixos/apparmor: remove an IFD First because IFD (import-from-derivation) is not allowed on hydra.nixos.org, and second because without https://github.com/NixOS/hydra/pull/825 hydra-eval-jobs crashes instead of skipping aggregated jobs which fail (here because they required an IFD). --- nixos/modules/security/apparmor.nix | 52 ++++++++++++++++------------- 1 file changed, 29 insertions(+), 23 deletions(-) diff --git a/nixos/modules/security/apparmor.nix b/nixos/modules/security/apparmor.nix index 3bf1e0fefc35..f5d5e4a9fd11 100644 --- a/nixos/modules/security/apparmor.nix +++ b/nixos/modules/security/apparmor.nix @@ -111,33 +111,39 @@ in ''; # For aa-logprof environment.etc."apparmor/severity.db".source = pkgs.apparmor-utils + "/etc/apparmor/severity.db"; - environment.etc."apparmor/logprof.conf".text = '' - [settings] - # /etc/apparmor.d/ is read-only on NixOS - profiledir = /var/cache/apparmor/logprof - inactive_profiledir = /etc/apparmor.d/disable - # Use: journalctl -b --since today --grep audit: | aa-logprof - logfiles = /dev/stdin + environment.etc."apparmor/logprof.conf".source = pkgs.runCommand "logprof.conf" { + header = '' + [settings] + # /etc/apparmor.d/ is read-only on NixOS + profiledir = /var/cache/apparmor/logprof + inactive_profiledir = /etc/apparmor.d/disable + # Use: journalctl -b --since today --grep audit: | aa-logprof + logfiles = /dev/stdin - parser = ${pkgs.apparmor-parser}/bin/apparmor_parser - ldd = ${pkgs.glibc.bin}/bin/ldd - logger = ${pkgs.utillinux}/bin/logger + parser = ${pkgs.apparmor-parser}/bin/apparmor_parser + ldd = ${pkgs.glibc.bin}/bin/ldd + logger = ${pkgs.utillinux}/bin/logger - # customize how file ownership permissions are presented - # 0 - off - # 1 - default of what ever mode the log reported - # 2 - force the new permissions to be user - # 3 - force all perms on the rule to be user - default_owner_prompt = 1 + # customize how file ownership permissions are presented + # 0 - off + # 1 - default of what ever mode the log reported + # 2 - force the new permissions to be user + # 3 - force all perms on the rule to be user + default_owner_prompt = 1 - custom_includes = /etc/apparmor.d ${lib.concatMapStringsSep " " (p: "${p}/etc/apparmor.d") cfg.packages} + custom_includes = /etc/apparmor.d ${lib.concatMapStringsSep " " (p: "${p}/etc/apparmor.d") cfg.packages} - [qualifiers] - ${pkgs.runtimeShell} = icnu - ${pkgs.bashInteractive}/bin/sh = icnu - ${pkgs.bashInteractive}/bin/bash = icnu - '' + head (match "^.*\\[qualifiers](.*)" # Drop the original [settings] section. - (readFile "${pkgs.apparmor-utils}/etc/apparmor/logprof.conf")); + [qualifiers] + ${pkgs.runtimeShell} = icnu + ${pkgs.bashInteractive}/bin/sh = icnu + ${pkgs.bashInteractive}/bin/bash = icnu + ''; + footer = "${pkgs.apparmor-utils}/etc/apparmor/logprof.conf"; + passAsFile = [ "header" ]; + } '' + cp $headerPath $out + sed -n '/\\[qualifiers\\]/,''${n;p}' $footer > $out + ''; boot.kernelParams = [ "apparmor=1" "security=apparmor" ];