From b2f706bf8389bcae9804cb0d6f7f1b8d75797457 Mon Sep 17 00:00:00 2001 From: Grimmauld Date: Fri, 25 Oct 2024 13:47:17 +0200 Subject: [PATCH] aa-alias-manager, lets go! --- .../apparmor/aa-alias-manager-package.nix | 30 +++++++++++ common/tooling/apparmor/aa-alias-module.nix | 21 ++++++++ .../tooling/apparmor/aa-alias-patterns.json | 16 ++++++ common/tooling/apparmor/apparmor-d-module.nix | 13 +++++ .../tooling/apparmor/apparmor-d-package.nix | 10 ++-- .../tooling/apparmor/apparmor-d-paths.patch | 40 -------------- .../apparmor/apparmor-d-prebuild.patch | 54 +++++++++++++++++++ common/tooling/apparmor/default.nix | 3 +- 8 files changed, 141 insertions(+), 46 deletions(-) create mode 100644 common/tooling/apparmor/aa-alias-manager-package.nix create mode 100644 common/tooling/apparmor/aa-alias-module.nix create mode 100644 common/tooling/apparmor/aa-alias-patterns.json delete mode 100644 common/tooling/apparmor/apparmor-d-paths.patch create mode 100644 common/tooling/apparmor/apparmor-d-prebuild.patch diff --git a/common/tooling/apparmor/aa-alias-manager-package.nix b/common/tooling/apparmor/aa-alias-manager-package.nix new file mode 100644 index 0000000..75e4c68 --- /dev/null +++ b/common/tooling/apparmor/aa-alias-manager-package.nix 
@@ -0,0 +1,30 @@
+{ lib, rustPlatform, fetchFromGitHub, makeWrapper, nix }:
+rustPlatform.buildRustPackage {
+ pname = "aa-alias-manager";
+ version = "unstable-2024-10-25";
+ src = fetchFromGitHub {
+ owner = "LordGrimmauld";
+ repo = "aa-alias-manager";
+ rev = "23a0bb9ac822c80aefba4211b426d0550769f87a";
+ hash = "sha256-yo+EaXZgc3BNYgoQZ/ixrJj6mllwn2YYdCtxS7T4khc=";
+ };
+
+ cargoHash = "sha256-nKAUOITYZJx9fte6qH6t9FbofTK8alhLb4A5YqRq3eA=";
+
+ nativeBuildInputs = [ makeWrapper ];
+ buildInputs = [ nix ];
+
+ postInstall = ''
+ wrapProgram $out/bin/aa-alias-manager \
+ --suffix PATH : "${nix}/bin/"
+ '';
+
+ meta = {
+ description = "Tool to generate a file of aliases for apparmor based on current nixos generation";
+ homepage = "https://github.com/LordGrimmauld/aa-alias-manager";
+ license = lib.licenses.gpl3Only;
+ mainProgram = "aa-alias-manager";
+ maintainers = with lib.maintainers; [ grimmauld ];
+ platforms = lib.platforms.linux;
+ };
+}
diff --git a/common/tooling/apparmor/aa-alias-module.nix b/common/tooling/apparmor/aa-alias-module.nix
new file mode 100644
index 0000000..9f5a09f
--- /dev/null
+++ b/common/tooling/apparmor/aa-alias-module.nix
@@ -0,0 +1,21 @@
+{ config, lib, pkgs, ... }: let
+ inherit (lib) getExe;
+ aa-alias-manager = pkgs.callPackage ./aa-alias-manager-package.nix {};
+ alias_dir = "/run/aliases.d";
+in {
+ config = {
+ security.apparmor.includes."tunables/alias.d/store" = ''
+ include if exists "${alias_dir}"
+ '';
+
+ systemd.services.aa-alias-setup = {
+ wantedBy = [ "apparmor.service" ];
+ path = [ config.nix.package ]; # respect the users choice to use alternative nix implementations
+
+ serviceConfig = {
+ Type = "oneshot";
+ ExecStart = "${getExe aa-alias-manager} -o ${alias_dir} -p ${./aa-alias-patterns.json}";
+ };
+ };
+ };
+}
diff --git a/common/tooling/apparmor/aa-alias-patterns.json b/common/tooling/apparmor/aa-alias-patterns.json
new file mode 100644
index 0000000..dc2f277
--- /dev/null
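Review bot: Nothing in the hunk records why `nix` has to be on the program's PATH, and `buildInputs = [ nix ]` reads as a run-time rather than a link-time dependency for a Rust build (only `cargoHash`, no native libraries visible), so the wrapper alone is probably what matters; a comment above `postInstall` would stop the next maintainer from removing the wrong one, e.g. `# presumably the tool invokes nix at run time; --suffix keeps a caller-supplied nix (aa-alias-module.nix puts config.nix.package first) ahead of this nixpkgs fallback`. The fallback also means a caller that forgets to provide nix silently gets the nixpkgs one instead of an error, which that comment should say.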
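Review bot: `wantedBy = [ "apparmor.service" ]` pulls `aa-alias-setup` in but does not order it, so `apparmor.service` can parse the profiles before `/run/aliases.d` has been written; because the include is `include if exists "/run/aliases.d"`, that race is silent — profiles load with no store aliases and rules written against `/bin/...` never match the real store paths. Add `before = [ "apparmor.service" ];` and consider `requiredBy` instead of `wantedBy`, so a failed alias generation blocks the profile load rather than degrading it quietly. A one-line comment on the include would also help, e.g. `# populated per generation by aa-alias-setup; if it is missing, profiles load without store aliases`. Whether the unit is re-run on a `nixos-rebuild switch` that restarts `apparmor.service` is not visible here; if it is not, the aliases would lag the current generation.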
+++ b/common/tooling/apparmor/aa-alias-patterns.json
@@ -0,0 +1,16 @@
+[
+ {
+ "name": "bin",
+ "target": "/bin",
+ "pattern": [
+ "bin",
+ "libexec",
+ "sbin",
+ "usr/bin",
+ "usr/sbin"
+ ],
+ "individual": true,
+ "only_exe": true,
+ "disallowed_strings": [ "!" ]
+ }
+]
diff --git a/common/tooling/apparmor/apparmor-d-module.nix b/common/tooling/apparmor/apparmor-d-module.nix
index c358d36..3aa51ed 100644
--- a/common/tooling/apparmor/apparmor-d-module.nix
+++ b/common/tooling/apparmor/apparmor-d-module.nix
@@ -32,6 +32,19 @@ let
 file;
 }) cfg.profiles;
 
+ security.apparmor.includes."tunables/global.d/store" = ''
+ @{package1}={@{w},.,-}
+ @{package2}=@{package1}@{package1}
+ @{package4}=@{package2}@{package2}
+ @{package8}=@{package4}@{package4}
+ @{package16}=@{package8}@{package8}
+ @{package32}=@{package16}@{package16}
+ @{package64}=@{package32}@{package32}
+
+ @{nix_package_name}={@{package32},}{@{package16},}{@{package8},}{@{package4},}{@{package2},}{@{package1},}
+ @{nix_store}=/nix/store/@{rand32}-@{nix_package_name}
+ '';
+
 specialisation.no-apparmor.configuration = {
 security.apparmor.enable = mkForce false;
 };
diff --git a/common/tooling/apparmor/apparmor-d-package.nix b/common/tooling/apparmor/apparmor-d-package.nix
index 65105a0..523d796 100644
--- a/common/tooling/apparmor/apparmor-d-package.nix
+++ b/common/tooling/apparmor/apparmor-d-package.nix
@@ -4,20 +4,20 @@ buildGoModule {
 version = "unstable-2024-10-12";
 
 src = fetchFromGitHub {
- rev = "93269e0596a8d416a9ee647146c983115da2f346";
+ rev = "db6c94ba5ad97112bc577cb66c2e1fa66df83a29";
 owner = "roddhjav";
 repo = "apparmor.d";
- hash = "sha256-x8vnKEx/HZOweVX2Fu8ydGVpnS4gxsVJBbUWtKuwMUM=";
+ hash = "sha256-3qVSMLIzVd9hcvj2V2eaacNOjOFTUHkTslaTETYYg4U=";
 };
 
-vendorHash = "sha256-YkOcpzn5AKFMDWUYbKY8DzGMiIMSyaDfexFmXv5HNQI=";
+vendorHash = null;
 
 doCheck = false;
 
 nativeBuildInputs = [ git ];
 
 patches = [
- ./apparmor-d-paths.patch
+ ./apparmor-d-prebuild.patch
 ];
 
 subPackages = [
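Review bot: `@{nix_store}=/nix/store/@{rand32}-@{nix_package_name}` matches every store path, not only those of the running generation, so any rule written against it grants that access to any derivation output with a matching suffix — including one an unprivileged user can produce with `nix-build` — which is a far weaker check than the per-generation `/bin` aliases this commit also adds; record that in the include, e.g. `# any store path, not just the current generation; prefer the /bin aliases (tunables/alias.d/store) when a specific binary is meant`. Separately, `@{package64}` is defined but never used (`@{nix_package_name}` stops at `@{package32}`, i.e. 63 characters), and the block relies on `@{w}` and `@{rand32}` being defined by apparmor.d's own tunables, which nothing in this hunk shows. The enclosing attribute set continues outside the hunk.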
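Review bot: `vendorHash = null` switches off nixpkgs' check of the Go module vendor directory, so reproducibility of the build now rests solely on the `src` hash of the pinned rev; that is fine only if upstream vendors its modules at this rev, which the hunk does not show, and the reason deserves a comment so nobody "fixes" it back to a hash blindly: `vendorHash = null; # upstream ships vendor/; the src hash pins it`. `doCheck = false` is pre-existing, but with the vendor check gone it is now the only remaining test gate that is disabled — worth a word on why.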
@@ -30,7 +30,7 @@ buildGoModule { postInstall = '' mkdir -p $out/etc - DISTRIBUTION=arch $out/bin/prebuild --abi 4 # fixme: replace with nixos support once available + DISTRIBUTION=nixos $out/bin/prebuild --abi 4 # fixme: replace with nixos support once available mv .build/apparmor.d $out/etc rm $out/bin/prebuild diff --git a/common/tooling/apparmor/apparmor-d-paths.patch b/common/tooling/apparmor/apparmor-d-paths.patch deleted file mode 100644 index e7cad33..0000000 --- a/common/tooling/apparmor/apparmor-d-paths.patch +++ /dev/null 
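Review bot: The trailing comment is now stale: `DISTRIBUTION=nixos` only works because `./apparmor-d-prebuild.patch` adds a `nixos` case to prebuild, so "replace with nixos support once available" no longer says what is provisional; rewrite it as `# "nixos" is added by ./apparmor-d-prebuild.patch; drop the patch once upstream supports it`. `--abi 4` is also hard-coded, and nothing here ties it to the AppArmor version of the host the profiles will be loaded on; if an AppArmor 3.x host is possible in this repo, derive the flag from that package's version or document the assumption next to it. The `postInstall` string continues past the end of the hunk.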
@@ -1,40 +0,0 @@
-diff --git a/apparmor.d/tunables/multiarch.d/system b/apparmor.d/tunables/multiarch.d/system
-index be37123f..908951af 100644
---- a/apparmor.d/tunables/multiarch.d/system
-+++ b/apparmor.d/tunables/multiarch.d/system
-@@ -106,8 +106,21 @@
- @{MOUNTS}=@{MOUNTDIRS}/*/ @{run}/user/@{uid}/gvfs/
-
- # Common places for binaries and libraries across distributions
--@{bin}=/{,usr/}{,s}bin
--@{lib}=/{,usr/}lib{,exec,32,64}
-+@{package1}={@{w},.,-}
-+@{package2}=@{package1}@{package1}
-+@{package4}=@{package2}@{package2}
-+@{package8}=@{package4}@{package4}
-+@{package16}=@{package8}@{package8}
-+@{package32}=@{package16}@{package16}
-+@{package64}=@{package32}@{package32}
-+@{nix_package_name}={@{package32},}{@{package16},}{@{package8},}{@{package4},}{@{package2},}{@{package1},}
-+
-+
-+
-+@{nix_store}=/nix/store/@{rand32}-@{nix_package_name}
-+@{base_paths}={@{nix_store},/run/current-system/sw,/etc/profiles/per-user/@{user}}
-+@{bin}={@{base_paths}/{bin,libexec},/{,usr/}{,s}bin}
-+@{lib}=@{base_paths}/lib{exec,}
-
- # Common places for temporary files
- @{tmp}=/tmp/ /tmp/user/@{uid}/
-diff --git a/cmd/prebuild/main.go b/cmd/prebuild/main.go
-index 91f77e2e..ab4b8c5e 100644
---- a/cmd/prebuild/main.go
-+++ b/cmd/prebuild/main.go
-@@ -31,7 +31,6 @@ func init() {
-
- // Build tasks applied by default
- builder.Register(
-- "userspace", // Resolve variable in profile attachments
- "hotfix", // Temporary fix for #74, #80 & #235
- )
-
diff --git a/common/tooling/apparmor/apparmor-d-prebuild.patch b/common/tooling/apparmor/apparmor-d-prebuild.patch
new file mode 100644
index 0000000..4629733
--- /dev/null
+++ b/common/tooling/apparmor/apparmor-d-prebuild.patch
@@ -0,0 +1,54 @@
+diff --git a/apparmor.d/tunables/multiarch.d/system b/apparmor.d/tunables/multiarch.d/system
+index 0a95d183..6be12d34 100644
+--- a/apparmor.d/tunables/multiarch.d/system
++++ b/apparmor.d/tunables/multiarch.d/system
+@@ -106,8 +106,8 @@
+ @{MOUNTS}=@{MOUNTDIRS}/*/ @{run}/user/@{uid}/gvfs/
+
+ # Common places for binaries and libraries across distributions
+-@{bin}=/{,usr/}{,s}bin
+-@{lib}=/{,usr/}lib{,exec,32,64}
++@{bin}=/bin
++@{lib}=/{nix/store/*/,}{,usr/}lib{,exec,32,64}
+
+ # Common places for temporary files
+ @{tmp}=/tmp/ /tmp/user/@{uid}/
+diff --git a/cmd/prebuild/main.go b/cmd/prebuild/main.go
+index 3f2dd9f4..39a8b64a 100644
+--- a/cmd/prebuild/main.go
++++ b/cmd/prebuild/main.go
+@@ -37,7 +37,7 @@ func init() {
+
+ // Compatibility with AppArmor 3
+ switch prebuild.Distribution {
+- case "arch":
++ case "arch", "nixos":
+
+ case "ubuntu":
+ if !slices.Contains([]string{"noble"}, prebuild.Release["VERSION_CODENAME"]) {
+diff --git a/pkg/aa/apparmor.go b/pkg/aa/apparmor.go
+index a887d4b9..606b4643 100644
+--- a/pkg/aa/apparmor.go
++++ b/pkg/aa/apparmor.go
+@@ -33,7 +33,7 @@ func DefaultTunables() *AppArmorProfileFile {
+ return &AppArmorProfileFile{
+ Preamble: Rules{
+ &Variable{Name: "arch", Values: []string{"x86_64", "amd64", "i386"}, Define: true},
+- &Variable{Name: "bin", Values: []string{"/{,usr/}{,s}bin"}, Define: true},
++ &Variable{Name: "bin", Values: []string{"/{nix/store/*/,}{,usr/}{,s}bin"}, Define: true},
+ &Variable{Name: "c", Values: []string{"[0-9a-zA-Z]"}, Define: true},
+ &Variable{Name: "etc_ro", Values: []string{"/{,usr/}etc/"}, Define: true},
+ &Variable{Name: "HOME", Values: []string{"/home/*"}, Define: true},
+diff --git a/pkg/prebuild/prepare/configure.go b/pkg/prebuild/prepare/configure.go
+index 4b8e11ec..11eab5f7 100644
+--- a/pkg/prebuild/prepare/configure.go
++++ b/pkg/prebuild/prepare/configure.go
+@@ -28,7 +28,7 @@ func (p Configure) Apply() ([]string, error) {
+ res := []string{}
+
+ switch 
prebuild.Distribution { +- case "arch", "opensuse": ++ case "arch", "opensuse", "nixos": + + case "ubuntu": + if err := prebuild.DebianHide.Init(); err != nil { diff --git a/common/tooling/apparmor/default.nix b/common/tooling/apparmor/default.nix index be7e1df..fa04521 100644 --- a/common/tooling/apparmor/default.nix +++ b/common/tooling/apparmor/default.nix @@ -9,7 +9,7 @@ let inherit (lib) mkIf getExe' getExe; in { - imports = [ ./apparmor-d-module.nix ]; + imports = [ ./apparmor-d-module.nix ./aa-alias-module.nix ]; config = mkIf (enable && tooling.enable) { services.dbus.apparmor = "enabled"; @@ -116,6 +116,7 @@ in /sys/devices/@{pci}/**/id{Vendor,Product} r, /dev/ r, @{bin}/xdg-open rPx, + /bin/electron rix, ''; "local/sudo" = ''
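Review bot: `@{bin}` ends up with two different definitions: the tunables file sets `@{bin}=/bin` (relying on the per-generation aliases), while `DefaultTunables()` in pkg/aa/apparmor.go sets it to `/{nix/store/*/,}{,usr/}{,s}bin`, and `@{lib}` likewise becomes `/{nix/store/*/,}{,usr/}lib{,exec,32,64}`; `/nix/store/*/` matches every store path, including outputs an unprivileged user can build, so wherever the prebuild-resolved value is used (presumably profile attachments) and wherever `@{lib}` grants access, the restriction is "somewhere under the store" rather than "the running system's packages". If the split is intentional, say so in the tunables file, e.g. `# /bin is an alias target filled per generation by aa-alias-manager (tunables/alias.d/store)` above `@{bin}=/bin`, and add a one-line comment in the apparmor.go hunk that the glob is deliberately loose. The inner hunks are complete, but the enclosing `init()`, `DefaultTunables()` and `Apply()` bodies extend outside them.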
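Review bot: `/bin/electron rix,` spells the path literally while the line above uses `@{bin}/xdg-open rPx,`; after this commit `@{bin}` is `/bin`, so both resolve the same today, but if the tunable changes only one line follows — write it as `@{bin}/electron rix,`. Note also that `ix` runs electron inside this profile with all of its permissions, whereas `Px` hands xdg-open to its own profile; that is presumably intended for an application that is itself Electron, but it is the permission a reader will want a word on, e.g. `@{bin}/electron rix, # inherit: the confined app is electron itself`. The `"local/..."` attribute this hunk extends starts outside the hunk, so which profile gains the rule is not visible here.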