Fixed apparmor module issue #26463 #82659
Conversation
|
|
||
| # Pretty much everything in here, is there to | ||
| # prevent apparmor utilities from crashing. | ||
| environment.etc."apparmor/logprof.conf".text = |
There was a problem hiding this comment.
Where does these configuration comes from? Could we directly take it from the package instead of copying it to here?
There was a problem hiding this comment.
Well the apparmor and apparmor-profiles package does not provide these files. I have them from here https://gitlab.com/apparmor/apparmor/-/tree/master/utils%2Ftest should we create a package only for these files? Seems a bit overkill to me.
| "/usr" | ||
| ] | ||
| [ | ||
| "/nix/store/*" |
There was a problem hiding this comment.
I am not yet sure about the implications of this.
In NixOS not just root can install stuff to the /nix/store...
There was a problem hiding this comment.
These configuration files do not affect the behaviour of apparmor itself and only affect the apparmor-utils. They use the [globs] in parser.conf to add asterisks where needed when they generate a rule for you through aa-logprof.
The severity.db will be used by aa-logprof to grade the severity of binaries and display them to the user.
| ${cfg.extraLogConfig} | ||
| ''; | ||
|
|
||
| environment.etc."/apparmor/severity.db".text = |
There was a problem hiding this comment.
Same here, can we take this from apparmor directly?
There was a problem hiding this comment.
Yes but no but yes, see above ^^
| # Enable logging to /var/log/messages so that | ||
| # aa-logprof can parse the text logfiles | ||
| services.journald.forwardToSyslog = true; | ||
| services.rsyslogd = { | ||
| enable = true; | ||
| extraConfig = '' | ||
| $ModLoad imklog | ||
| kern.* -/var/log/messages | ||
| ''; | ||
| }; |
There was a problem hiding this comment.
Wouldn't it be preferable to use the Audit framework?
And what if audit(d) is already enabled, and the user explicitly enables Apparmor? Won't this change break existing setups?
|
Superceded by #93457 |
Motivation for this change
Making apparmor useful in NixOS by allowing apparmor-utils to work properly.
Fixing bug #26463
Things done
The apparmor utils expect some configuration files to be present in /etc/apparmor and /etc/apparmor.d
Additionally all paths beginnging with
/usrin severity.db and logprof.conf have benn replaced by/nix/store/*to make them viable under NixOS.Two more options have been added mainly:
extraParserConfigAppend configuration lines to /etc/apparmor/parser.conf
extraLogConfigAppend configuration lines to /etc/apparmor/logprof.conf
sandboxinnix.confon non-NixOS linux)nix-shell -p nixpkgs-review --run "nixpkgs-review wip"./result/bin/)nix path-info -Sbefore and after)