Grimmauld/grimm-nixos-laptop
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

aa-alias-manager, lets go!

Browse Source
This commit is contained in:
Grimmauld 2024-10-25 13:47:17 +02:00
parent e841abdf9d
commit b2f706bf83
Signed by: Grimmauld
GPG Key ID: C2946668769F91FB
8 changed files with 141 additions and 46 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

30
common/tooling/apparmor/aa-alias-manager-package.nix Normal file
View File

@ -0,0 +1,30 @@
{ lib, rustPlatform, fetchFromGitHub, makeWrapper, nix }:
rustPlatform.buildRustPackage {
pname = "aa-alias-manager";
version = "unstable-2024-10-25";
src = fetchFromGitHub {
owner = "LordGrimmauld";
repo = "aa-alias-manager";
rev = "23a0bb9ac822c80aefba4211b426d0550769f87a";
hash = "sha256-yo+EaXZgc3BNYgoQZ/ixrJj6mllwn2YYdCtxS7T4khc=";
};
cargoHash = "sha256-nKAUOITYZJx9fte6qH6t9FbofTK8alhLb4A5YqRq3eA=";
nativeBuildInputs = [ makeWrapper ];
buildInputs = [ nix ];
postInstall = ''
wrapProgram $out/bin/aa-alias-manager \
--suffix PATH : "${nix}/bin/"
'';
meta = {
description = "Tool to generate a file of aliases for apparmor based on current nixos generation";
homepage = "https://github.com/LordGrimmauld/aa-alias-manager";
license = lib.licenses.gpl3Only;
mainProgram = "aa-alias-manager";
maintainers = with lib.maintainers; [ grimmauld ];
platforms = lib.platforms.linux;
};
}

21
common/tooling/apparmor/aa-alias-module.nix Normal file
View File

@ -0,0 +1,21 @@
{ config, lib, pkgs, ... }: let
inherit (lib) getExe;
aa-alias-manager = pkgs.callPackage ./aa-alias-manager-package.nix {};
alias_dir = "/run/aliases.d";
in {
config = {
security.apparmor.includes."tunables/alias.d/store" = ''
include if exists "${alias_dir}"
'';
systemd.services.aa-alias-setup = {
wantedBy = [ "apparmor.service" ];
path = [ config.nix.package ]; # respect the users choice to use alternative nix implementations
serviceConfig = {
Type = "oneshot";
ExecStart = "${getExe aa-alias-manager} -o ${alias_dir} -p ${./aa-alias-patterns.json}";
};
};
};
}

16
common/tooling/apparmor/aa-alias-patterns.json Normal file
View File

@ -0,0 +1,16 @@
[
{
"name": "bin",
"target": "/bin",
"pattern": [
"bin",
"libexec",
"sbin",
"usr/bin",
"usr/sbin"
],
"individual": true,
"only_exe": true,
"disallowed_strings": [ "!" ]
}
]

13
common/tooling/apparmor/apparmor-d-module.nix
View File

@ -32,6 +32,19 @@ let
file; file;
}) cfg.profiles; }) cfg.profiles;
security.apparmor.includes."tunables/global.d/store" = ''
@{package1}={@{w},.,-}
@{package2}=@{package1}@{package1}
@{package4}=@{package2}@{package2}
@{package8}=@{package4}@{package4}
@{package16}=@{package8}@{package8}
@{package32}=@{package16}@{package16}
@{package64}=@{package32}@{package32}
@{nix_package_name}={@{package32},}{@{package16},}{@{package8},}{@{package4},}{@{package2},}{@{package1},}
@{nix_store}=/nix/store/@{rand32}-@{nix_package_name}
'';
specialisation.no-apparmor.configuration = { specialisation.no-apparmor.configuration = {
security.apparmor.enable = mkForce false; security.apparmor.enable = mkForce false;
}; };

10
common/tooling/apparmor/apparmor-d-package.nix
View File

@ -4,20 +4,20 @@ buildGoModule {
version = "unstable-2024-10-12"; version = "unstable-2024-10-12";
src = fetchFromGitHub { src = fetchFromGitHub {
rev = "93269e0596a8d416a9ee647146c983115da2f346"; rev = "db6c94ba5ad97112bc577cb66c2e1fa66df83a29";
owner = "roddhjav"; owner = "roddhjav";
repo = "apparmor.d"; repo = "apparmor.d";
hash = "sha256-x8vnKEx/HZOweVX2Fu8ydGVpnS4gxsVJBbUWtKuwMUM="; hash = "sha256-3qVSMLIzVd9hcvj2V2eaacNOjOFTUHkTslaTETYYg4U=";
}; };
vendorHash = "sha256-YkOcpzn5AKFMDWUYbKY8DzGMiIMSyaDfexFmXv5HNQI="; vendorHash = null;
doCheck = false; doCheck = false;
nativeBuildInputs = [ git ]; nativeBuildInputs = [ git ];
patches = [ patches = [
./apparmor-d-paths.patch ./apparmor-d-prebuild.patch
]; ];
subPackages = [ subPackages = [
@ -30,7 +30,7 @@ buildGoModule {
postInstall = '' postInstall = ''
mkdir -p $out/etc mkdir -p $out/etc
DISTRIBUTION=arch $out/bin/prebuild --abi 4 # fixme: replace with nixos support once available DISTRIBUTION=nixos $out/bin/prebuild --abi 4 # fixme: replace with nixos support once available
mv .build/apparmor.d $out/etc mv .build/apparmor.d $out/etc
rm $out/bin/prebuild rm $out/bin/prebuild

40
common/tooling/apparmor/apparmor-d-paths.patch
View File

@ -1,40 +0,0 @@
diff --git a/apparmor.d/tunables/multiarch.d/system b/apparmor.d/tunables/multiarch.d/system
index be37123f..908951af 100644
--- a/apparmor.d/tunables/multiarch.d/system
+++ b/apparmor.d/tunables/multiarch.d/system
@@ -106,8 +106,21 @@
@{MOUNTS}=@{MOUNTDIRS}/*/ @{run}/user/@{uid}/gvfs/
# Common places for binaries and libraries across distributions
-@{bin}=/{,usr/}{,s}bin
-@{lib}=/{,usr/}lib{,exec,32,64}
+@{package1}={@{w},.,-}
+@{package2}=@{package1}@{package1}
+@{package4}=@{package2}@{package2}
+@{package8}=@{package4}@{package4}
+@{package16}=@{package8}@{package8}
+@{package32}=@{package16}@{package16}
+@{package64}=@{package32}@{package32}
+@{nix_package_name}={@{package32},}{@{package16},}{@{package8},}{@{package4},}{@{package2},}{@{package1},}
+
+
+
+@{nix_store}=/nix/store/@{rand32}-@{nix_package_name}
+@{base_paths}={@{nix_store},/run/current-system/sw,/etc/profiles/per-user/@{user}}
+@{bin}={@{base_paths}/{bin,libexec},/{,usr/}{,s}bin}
+@{lib}=@{base_paths}/lib{exec,}
# Common places for temporary files
@{tmp}=/tmp/ /tmp/user/@{uid}/
diff --git a/cmd/prebuild/main.go b/cmd/prebuild/main.go
index 91f77e2e..ab4b8c5e 100644
--- a/cmd/prebuild/main.go
+++ b/cmd/prebuild/main.go
@@ -31,7 +31,6 @@ func init() {
// Build tasks applied by default
builder.Register(
- "userspace", // Resolve variable in profile attachments
"hotfix", // Temporary fix for #74, #80 & #235
)

54
common/tooling/apparmor/apparmor-d-prebuild.patch Normal file
View File

@ -0,0 +1,54 @@
diff --git a/apparmor.d/tunables/multiarch.d/system b/apparmor.d/tunables/multiarch.d/system
index 0a95d183..6be12d34 100644
--- a/apparmor.d/tunables/multiarch.d/system
+++ b/apparmor.d/tunables/multiarch.d/system
@@ -106,8 +106,8 @@
@{MOUNTS}=@{MOUNTDIRS}/*/ @{run}/user/@{uid}/gvfs/
# Common places for binaries and libraries across distributions
-@{bin}=/{,usr/}{,s}bin
-@{lib}=/{,usr/}lib{,exec,32,64}
+@{bin}=/bin
+@{lib}=/{nix/store/*/,}{,usr/}lib{,exec,32,64}
# Common places for temporary files
@{tmp}=/tmp/ /tmp/user/@{uid}/
diff --git a/cmd/prebuild/main.go b/cmd/prebuild/main.go
index 3f2dd9f4..39a8b64a 100644
--- a/cmd/prebuild/main.go
+++ b/cmd/prebuild/main.go
@@ -37,7 +37,7 @@ func init() {
// Compatibility with AppArmor 3
switch prebuild.Distribution {
- case "arch":
+ case "arch", "nixos":
case "ubuntu":
if !slices.Contains([]string{"noble"}, prebuild.Release["VERSION_CODENAME"]) {
diff --git a/pkg/aa/apparmor.go b/pkg/aa/apparmor.go
index a887d4b9..606b4643 100644
--- a/pkg/aa/apparmor.go
+++ b/pkg/aa/apparmor.go
@@ -33,7 +33,7 @@ func DefaultTunables() *AppArmorProfileFile {
return &AppArmorProfileFile{
Preamble: Rules{
&Variable{Name: "arch", Values: []string{"x86_64", "amd64", "i386"}, Define: true},
- &Variable{Name: "bin", Values: []string{"/{,usr/}{,s}bin"}, Define: true},
+ &Variable{Name: "bin", Values: []string{"/{nix/store/*/,}{,usr/}{,s}bin"}, Define: true},
&Variable{Name: "c", Values: []string{"[0-9a-zA-Z]"}, Define: true},
&Variable{Name: "etc_ro", Values: []string{"/{,usr/}etc/"}, Define: true},
&Variable{Name: "HOME", Values: []string{"/home/*"}, Define: true},
diff --git a/pkg/prebuild/prepare/configure.go b/pkg/prebuild/prepare/configure.go
index 4b8e11ec..11eab5f7 100644
--- a/pkg/prebuild/prepare/configure.go
+++ b/pkg/prebuild/prepare/configure.go
@@ -28,7 +28,7 @@ func (p Configure) Apply() ([]string, error) {
res := []string{}
switch prebuild.Distribution {
- case "arch", "opensuse":
+ case "arch", "opensuse", "nixos":
case "ubuntu":
if err := prebuild.DebianHide.Init(); err != nil {

3
common/tooling/apparmor/default.nix
View File

@ -9,7 +9,7 @@ let
inherit (lib) mkIf getExe' getExe; inherit (lib) mkIf getExe' getExe;
in in
{ {
imports = [ ./apparmor-d-module.nix ]; imports = [ ./apparmor-d-module.nix ./aa-alias-module.nix ];
config = mkIf (enable && tooling.enable) { config = mkIf (enable && tooling.enable) {
services.dbus.apparmor = "enabled"; services.dbus.apparmor = "enabled";
@ -116,6 +116,7 @@ in
/sys/devices/@{pci}/**/id{Vendor,Product} r, /sys/devices/@{pci}/**/id{Vendor,Product} r,
/dev/ r, /dev/ r,
@{bin}/xdg-open rPx, @{bin}/xdg-open rPx,
/bin/electron rix,
''; '';
"local/sudo" = '' "local/sudo" = ''