apparmor: fix and improve the service #93457
Conversation
|
Looks like wonderful work @ju1m :) I can't judge or review because I don't use apparmor. Don't forget to add release notes once all reviews are done. |
ju1m
force-pushed
the
apparmor
branch
3 times, most recently
from
70c4099
to
bce3e77
Compare
| ${etcRule {path="python3.6"; trail="/**";}} | ||
| ${etcRule {path="python3.7"; trail="/**";}} | ||
| ${etcRule {path="python3.8"; trail="/**";}} | ||
| ${etcRule {path="python3.9"; trail="/**";}} |
This comment was marked as resolved.
This comment was marked as resolved.
Sorry, something went wrong.
There was a problem hiding this comment.
I would say that this profile falls under the introductive comment saying that I generally don't know the rules which are relevant, and likely that those current rules are incorrect or useless. Hence I would not add a comment to say what to do except investigate on how /etc/pythonX.Y is generated on NixOS, if it ever is. Those present rules match a configuration where /etc/pythonX.Y is a symlink, like it is for instance the case with /etc/systemd/system -> /etc/static/systemd/system, but maybe NixOS/Python people would generate it otherwise, eg. environment.etc."pythonX.Y/foo".text = "bar". Maybe we should simply remove those rules and let correct ones be added by a later PR once the /etc/pythonX.Y setup has been elucidated.
This comment was marked as resolved.
This comment was marked as resolved.
Sorry, something went wrong.
There was a problem hiding this comment.
No we don't use /etc/pythonX.Y. What kind of system-wide Python configuration could one expect?
There was a problem hiding this comment.
I don't know why this is needed, but at least remove all old Python versions.
This comment was marked as resolved.
This comment was marked as resolved.
Sorry, something went wrong.
|
This pull request has been mentioned on NixOS Discourse. There might be relevant details there: https://discourse.nixos.org/t/sandboxing-all-programs-by-default/7792/6 |
ju1m
force-pushed
the
apparmor
branch
3 times, most recently
from
43363d6
to
ecad566
Compare
|
@ju1m, I see it looks like the email address with which you're committing doesn't appear to be linked to your GitHub account. |
nixos/modules/security/apparmor.nix
Outdated
| # (because AppArmor can do that without stopping the processes already confined). | ||
| # - Removing from the kernel any profile whose name is not | ||
| # one of the names within the content of the profiles in cfg.policies. | ||
| # - Killing the processes which are unconfined but now have a profile loaded |
There was a problem hiding this comment.
How does this work? It seems a bit scary to me to kill processes.
There was a problem hiding this comment.
It seems scarier to me to have processes around actively circumventing the profiles, without that being obvious to the user
There was a problem hiding this comment.
I suppose killing the unconfined confinable processes by default poses a certain risk of causing people who casually enable AppArmor (without looking at all of the module's options) and get their processes killed unexpectedly to forsake AppArmor with an unnecessarily poor opinion of it. As a compromise, I propose that killUnconfinedConfinables be disabled by default but the main security.apparmor.enable option's documentation recommend enabling it.
There was a problem hiding this comment.
Also asking upstream: @stevebeattie @cboltz This procedure seems a bit unorthodox, what is your recommendation here?
There was a problem hiding this comment.
It's indeed a bit unorthodox ;-)
I'm not familiar with NixOS, which makes recommending something a bit difficult. Please read the following lines with a grain of salt.
My recommendation not to use aa-teardown (and therefore not unloading any profiles) in my other comment is probably the most important part, because it will avoid that processes become accidently unconfined if someone runs systemctl restart apparmor.
That will however still leave the case of newly added profiles for already running processes, where killing/restarting the process is the only way to get them confined. Killing them by default is a secure way, but I'm not sure if the users will like it ;-)
There was a problem hiding this comment.
I think the biggest difference from a apparmor perspective between NixOS and other Linux distributions here is that new versions executables will get a new path in the nix store, while common Linux distributions will update executables in place.
There was a problem hiding this comment.
@8573 I've set killUnconfinedConfinables to true by default because it's how to get the running system to match the expectations declared in the NixOS configuration, and somehow "a secure way" as @cboltz put it. I've added warnings in the relase notes and the enable description. Also, AFAIK, when enabling AppArmor the first time, the system must be rebooted anyway to enable AppArmor in the kernel, and AFAICS the other main case that could trigger kills is in the rare situation when an AppArmor profile will be introduced/enabled for the first time into Nixpkgs.
I've also mentionned that killUnconfinedConfinables will unfortunately won't even work if we give names to the profiles in addition to their attachment paths because then /sys/kernel/security/apparmor/profiles will not expose the attachment paths and thus aa-status will not report processes from these paths as unconfined, and AFAICS it the same problem for attachment paths using regex, but because aa-status lacks support for these.
@cboltz Thanks for mentionning aa-remove-unknown, I've reinvented the wheel not knowing it existed ^^. Concerning my use of ˋaa-teardownˋ in ExecStop= I thing it's more faithful to what stopping means and is not problematic here because I'm using NixOS' reloadIfChanged= feature so that reconfiguring AppArmor shall only run ExecReload=. I'm also using ˋaa-teardownˋ in ExecStart= as a precaution because I want to be sure that only what is declared in the NixOS configuration is actually loaded into the kernel, I've had bad surprises in the previous AppArmor service with profiles lingering in the kernel and still active in addition to the profiles I wanted (in that case it happenned because apparmor_parser --remove had failed because of a missing included file, now this precise case should no longer happen but since the ExecStart= is normally only run at boot and only ExecReload= after, I prefer to be sure and remove all profiles upfront). So as I see it, a NixOS user should never have to run systemd start/stop/restart apparmor, and nixos-rebuild shall only run systemd reload apparmor.
|
Gosh, this has blown up |
This reverts commit 2259fbd.
|
Updated to revert #96034 in favor of this PR. Also, having a |
|
Is there any reason this isn't being looked at or merged? It's fairly trivial again |
|
This was reverted in 420f89c due to very hard evaluation problems (see cross-linked info). I expect it's a task for someone of you to prepare a fixed version of this and file a new PR. |
|
@vcunat sorry for the troubles, I'm trying to understand what's going wrong. #99236 (comment) reports the following error related to AppArmor, which I can't make sense of: But #99236 (comment) reports an other error, which makes more sense to me: So the error appears to be located into the I'm not aware of this PR requiring I'm trying to learn to use I've never done it, I don't have a clear view of what it's trying to do, and I'm expecting many hours of buildtime considering the low power of my computer, or more if I have to restart it for whatever reason. |
|
At a quick glance, usage of |
|
To clarify, import-from-derivation is disallowed on Hydra.nixos.org but normally that should just kill only the jobs requiring it and not the whole evaluation (I see at least one report for another job in successful eval). So, the biggest problem in this PR might be something else than IFD. |
|
@vcunat is that to say you're not actually sure what part of this breaks hydra so comprehensively, but you're sure some part of it does? Because I can't see anything overly complicated here |
This comment has been minimized.
This comment has been minimized.
|
|
|
Correct, I do not know (for sure at least). Still, import-from-derivation is better avoided in the official nixpkgs repo (not sure if there's some rule on that) and it's intentionally disabled on Hydra.nixos.org. |
|
When trying to reproduce on fb6d63f, I get: And when removing the call to No clue of what I can do to get more feedback on what's going wrong. |
@vcunat, using AFAICS But in the AppArmor case it makes more sense to call closureInfo when building the packages (hence in Nixpkgs) because:
|
|
I don't think EDIT: I suspect you can test with |
This is an attempt to improve the integration of
AppArmorintoNixOS.It's still a code which needs testing, but it is ready for review.
Motivation for this change
The current
security.apparmorservice has several problems :ExecStopis missing the included paths used inExecStarttherefore most profiles using#includeare not removed and when a profile changes this leaves the old version loaded into the kernel, causing potential troubles./etc/apparmor.dis not populated as expected byaa-*tools.<abstractions/base>) use the FHS (Filesystem Hierarchy Standard) but the FHS does not match paths in the Nix store.security.apparmorto be restarted and thus also all other services which haveRequires=apparmor.service.enforcemode, there is no way to select betweenenforceandcomplainconfinement modes for each profile.Things done
apparmor.service, and enablereloadIfChanged(see comment next to this setting for the why and how).aliaswhen it makes sense to use the FHS in order to reuse AppArmor's upstream profiles.profilesin favor of optionpoliciesallowing to disable individual profiles, or disable their enforcing (aka.complainmode).includesto be able to fix or modify included profiles (like<abstractions/base>).ping.enableCacheto enable caching of compiled profiles (note that it works withtransmission's profile but notping's profile, I don't know why).aa-teardown, and use it inExecStartPreandExecStop.aa-remove-unknown, and use it inExecReload.killUnconfinedConfinablesto kill processes which are not confined but have a profile.apparmor_parserthrough/etc/apparmor/parser.conf.aa-logprofthrough/etc/apparmor/logprof.conf.virtualisation.lxc,virtualisation.lxdandservices.torrent.transmission.aa-enforceand ˋaa-complainˋ work?sandboxinnix.confon non-NixOS linux)nix-shell -p nixpkgs-review --run "nixpkgs-review wip"./result/bin/)nix path-info -Sbefore and after)