apparmor: try again to fix and improve #101071
Conversation
ofborg
bot
requested review from
matthewbauer,
Phreedom,
thoughtpolice,
joachifm,
primeos and
lheckemann
|
Bump? |
|
@ju1m new conflicts Also, is there any chance you'll be able to resolve the hydra issue soon? |
ju1m
force-pushed
the
apparmor
branch
2 times, most recently
from
adb7d15
to
e82d9c7
Compare
|
Rebased after |
Good news everyone! Turns out @samueldr has been tackling this |
|
I imagine some semblance of option 1 is the most reasonable and realistic |
ju1m
force-pushed
the
apparmor
branch
3 times, most recently
from
41205f3
to
3fb7db4
Compare
|
Well, is there anything remaining to be discussed, done or tested to get this PR merged? Please tell me if I've missed something. |
|
I'm not sure, can we just merge this already? I'd be in favor of just merging this once conflicts are resolved, as I don't see any objections. I'd do that once conflicts are fixed. |
| @@ -36,6 +36,7 @@ with lib; | |||
| security.virtualisation.flushL1DataCache = mkDefault "always"; | |||
|
|
|||
| security.apparmor.enable = mkDefault true; | |||
| security.apparmor.killUnconfinedConfinables = mkDefault true; | |||
There was a problem hiding this comment.
Doesn't the doc you added say this default to false?
There was a problem hiding this comment.
Well, it does not appear to contradict the doc to me, though I've tried to clarify a bit, but tell me if I've missed somthing or if that's not clear enough. See also #101071 (comment) where I explain why I proposed to still set killUnconfinedConfinables in the hardened.nix profile.
This reverts commit 420f89c.
First because IFD (import-from-derivation) is not allowed on hydra.nixos.org, and second because without NixOS/hydra#825 hydra-eval-jobs crashes instead of skipping aggregated jobs which fail (here because they required an IFD).
|
I've rebased against latest |
|
Thank you @ju1m! I'm very excited for this to be merged |
|
@ofborg test apparmor |
|
What is the state of this PR? I see it is merged into staging, but not yet to master. Will it make it into 21-05 release? |
|
It is part of the current |
|
Ahhhh, great! Thanks for clarification. I am still learning the nixpkgs release process. |
|
We're all just learning it, as this approach to release process is new and being used for the first time :-) |
|
This PR uses BTW, there's no point in setting permissions there (except for the executable bit), as all nix store contents will be normalized anyway. |
This PR is ready to be merged. It re-introduces work done in #93457, hopefully without the import-from-derivation which was:
hydra-eval-jobsto crash because of Fix unhelpful error messages in aggregate jobs. hydra#825allow-import-from-derivationto be set.Old and wrong analysis believing
apparmorRulesFromClosureis an IFDPlease, do not merge this PR before NixOS/hydra#825 has been merged. It maintains a mergeable version of PR #93457, previously reverted due to a
(so far not understood)problem raised by the hydra evaluation.It may or may not be caused byallow-import-from-derivation = false. More investigation is needed.This problem is due to the following:
pkgs.apparmorRulesFromClosure, which leverages IFD (import-from-derivation) viapkgs.closureInfo.hydra-eval-jobsnow needs to perform builds simply to do its task of listing Hydra jobs in a big JSON object forhydra-eval-jobset. For that reason or another, @vcunat informed us that: "import-from-derivation is better avoided in the official nixpkgs repo (not sure if there's some rule on that) and it's intentionally disabled on Hydra.nixos.org", causing all NixOS tests depending on packages or services usingpkgs.apparmorRulesFromClosureto fail on hydra.nixos.org.constituentsof this aggregation fails then the overall jobset generation (in JSON) fails with:The good news is that this bug is being fixed by @samueldr in NixOS/hydra#825, such that
hydra-eval-jobsnow ignores failing aggregated jobs instead of crashing:In that example I've added
nixos.tests.transmissionamongst aggregated jobs in nixos/release-combined.nix, commenting all others in nixos/release-combined.nix to get a quick run (because running on all jobs takes… ~5 hours on my computer). By lack of time and computer power, I was unable to bisect which aggregated tests were failing, but I was able to reproduce that crashing with all tests enabled, and no more crashing with NixOS/hydra#825.The bad news is that adding AppArmor profiles using
pkgs.apparmorRulesFromClosurewill potentially disable tests on hydra.nixos.org down the road, maybe a lot of them eventually.If those cases are considered important enough to not be disabled, one could:
nixos/release-ifd.nixaggregating only those important tests.pkgs.apparmorRulesFromClosureon the concerned services/packages, by listing manually all the dependencies, though this could be very hard to maintain for many services/packages./nix/store, instead of limiting them to the packages of a closure.Motivation for this change
See PR #93457.
Things done
logprof.confgeneration by removing the import-from-derivation (IFD) caused bybuiltins.readFileon theapparmor-utilsderivation.nameattribute toapparmorRulesFromClosureto make listing/nix/store/more human readable, so that there is some context rather than hundreds of paths designated "apparmor-closure-rules".aa-unconfinednot findingnetstatnorssat runtime because it overwritesPATH.bin.transmission-daemonprofile to Nixpkgs, and customize it in NixOS withlocal/bin.transmission-daemon.nixos/tests/apparmor.nix, testing AppArmor is enabled in the kernel andapparmorRulesFromClosureworks.security.apparmor.killUnconfinedConfinablesby default, but enable it innixos/modules/profiles/hardened.nix.sandboxinnix.confon non-NixOS linux)nix-shell -p nixpkgs-review --run "nixpkgs-review wip"./result/bin/)nix path-info -Sbefore and after)