diff options
| author | Vladimír Čunát <v@cunat.cz> | 2020-10-07 11:15:18 +0200 |
|---|---|---|
| committer | Vladimír Čunát <v@cunat.cz> | 2020-10-07 12:22:18 +0200 |
| commit | 420f89ceb267b461eed5d025b6c3c0e57703cc5c (patch) | |
| tree | 373179c02e9fd698fdb9c2b6fa1f4fd9b9a2dc87 /nixos/modules | |
| parent | 3b0886c9af7fadcb46fc04c28cf5b79280d38371 (diff) | |
Revert "apparmor: fix and improve the service"
This reverts commit fb6d63f3fdd95a5468d43a0693c8ca7c1894363f.
I really hope this finally fixes #99236: evaluation on Hydra.
This time I really did check basically the same commit on Hydra:
https://hydra.nixos.org/eval/1618011
Right now I don't have energy to find what exactly is wrong in the
commit, and it doesn't seem important in comparison to nixos-unstable
channel being stuck on a commit over one week old.
Diffstat (limited to 'nixos/modules')
| -rw-r--r-- | nixos/modules/config/fonts/fontconfig.nix | 34 | ||||
| -rw-r--r-- | nixos/modules/config/malloc.nix | 7 | ||||
| -rw-r--r-- | nixos/modules/module-list.nix | 1 | ||||
| -rw-r--r-- | nixos/modules/security/apparmor-suid.nix | 49 | ||||
| -rw-r--r-- | nixos/modules/security/apparmor.nix | 241 | ||||
| -rw-r--r-- | nixos/modules/security/apparmor/includes.nix | 301 | ||||
| -rw-r--r-- | nixos/modules/security/apparmor/profiles.nix | 11 | ||||
| -rw-r--r-- | nixos/modules/security/pam.nix | 55 | ||||
| -rw-r--r-- | nixos/modules/security/wrappers/default.nix | 8 | ||||
| -rw-r--r-- | nixos/modules/services/torrent/transmission.nix | 63 | ||||
| -rw-r--r-- | nixos/modules/tasks/network-interfaces.nix | 15 | ||||
| -rw-r--r-- | nixos/modules/virtualisation/lxc.nix | 12 | ||||
| -rw-r--r-- | nixos/modules/virtualisation/lxd.nix | 12 |
13 files changed, 162 insertions, 647 deletions
diff --git a/nixos/modules/config/fonts/fontconfig.nix b/nixos/modules/config/fonts/fontconfig.nix index 97607134bb1d..5b681ca59464 100644 --- a/nixos/modules/config/fonts/fontconfig.nix +++ b/nixos/modules/config/fonts/fontconfig.nix @@ -448,40 +448,6 @@ in (mkIf cfg.enable { environment.systemPackages = [ pkgs.fontconfig ]; environment.etc.fonts.source = "${fontconfigEtc}/etc/fonts/"; - security.apparmor.includes."abstractions/fonts" = '' - # fonts.conf - r ${pkg.out}/etc/fonts/fonts.conf, - - # fontconfig default config files - r ${pkg.out}/etc/fonts/conf.d/*.conf, - - # 00-nixos-cache.conf - r ${cacheConf}, - - # 10-nixos-rendering.conf - r ${renderConf}, - - # 50-user.conf - ${optionalString cfg.includeUserConf '' - r ${pkg.out}/etc/fonts/conf.d.bak/50-user.conf, - ''} - - # local.conf (indirect priority 51) - ${optionalString (cfg.localConf != "") '' - r ${localConf}, - ''} - - # 52-nixos-default-fonts.conf - r ${defaultFontsConf}, - - # 53-no-bitmaps.conf - r ${rejectBitmaps}, - - ${optionalString (!cfg.allowType1) '' - # 53-nixos-reject-type1.conf - r ${rejectType1}, - ''} - ''; }) (mkIf cfg.enable { fonts.fontconfig.confPackages = [ confPkg ]; diff --git a/nixos/modules/config/malloc.nix b/nixos/modules/config/malloc.nix index 5c5752ef5153..31a659ee83fe 100644 --- a/nixos/modules/config/malloc.nix +++ b/nixos/modules/config/malloc.nix @@ -87,12 +87,5 @@ in environment.etc."ld-nix.so.preload".text = '' ${providerLibPath} ''; - security.apparmor.includes = { - "abstractions/base" = '' - r /etc/ld-nix.so.preload, - r ${config.environment.etc."ld-nix.so.preload".source}, - mr ${providerLibPath}, - ''; - }; }; } diff --git a/nixos/modules/module-list.nix b/nixos/modules/module-list.nix index 76263a321383..9ed87b018a7c 100644 --- a/nixos/modules/module-list.nix +++ b/nixos/modules/module-list.nix @@ -186,6 +186,7 @@ ./rename.nix ./security/acme.nix ./security/apparmor.nix + ./security/apparmor-suid.nix ./security/audit.nix ./security/auditd.nix ./security/ca.nix diff --git a/nixos/modules/security/apparmor-suid.nix b/nixos/modules/security/apparmor-suid.nix new file mode 100644 index 000000000000..6c479e070e2b --- /dev/null +++ b/nixos/modules/security/apparmor-suid.nix @@ -0,0 +1,49 @@ +{ config, lib, pkgs, ... }: +let + cfg = config.security.apparmor; +in +with lib; +{ + imports = [ + (mkRenamedOptionModule [ "security" "virtualization" "flushL1DataCache" ] [ "security" "virtualisation" "flushL1DataCache" ]) + ]; + + options.security.apparmor.confineSUIDApplications = mkOption { + type = types.bool; + default = true; + description = '' + Install AppArmor profiles for commonly-used SUID application + to mitigate potential privilege escalation attacks due to bugs + in such applications. + + Currently available profiles: ping + ''; + }; + + config = mkIf (cfg.confineSUIDApplications) { + security.apparmor.profiles = [ (pkgs.writeText "ping" '' + #include <tunables/global> + /run/wrappers/bin/ping { + #include <abstractions/base> + #include <abstractions/consoles> + #include <abstractions/nameservice> + + capability net_raw, + capability setuid, + network inet raw, + + ${pkgs.stdenv.cc.libc.out}/lib/*.so mr, + ${pkgs.libcap.lib}/lib/libcap.so* mr, + ${pkgs.attr.out}/lib/libattr.so* mr, + + ${pkgs.iputils}/bin/ping mixr, + + #/etc/modules.conf r, + + ## Site-specific additions and overrides. See local/README for details. + ##include <local/bin.ping> + } + '') ]; + }; + +} diff --git a/nixos/modules/security/apparmor.nix b/nixos/modules/security/apparmor.nix index 3bf1e0fefc35..cfc65b347bc6 100644 --- a/nixos/modules/security/apparmor.nix +++ b/nixos/modules/security/apparmor.nix @@ -1,198 +1,59 @@ { config, lib, pkgs, ... }: let - inherit (builtins) attrNames head map match readFile; - inherit (lib) types; - inherit (config.environment) etc; + inherit (lib) mkIf mkOption types concatMapStrings; cfg = config.security.apparmor; - mkDisableOption = name: lib.mkEnableOption name // { - default = true; - example = false; - }; - enabledPolicies = lib.filterAttrs (n: p: p.enable) cfg.policies; in { - imports = [ - (lib.mkRenamedOptionModule [ "security" "virtualization" "flushL1DataCache" ] [ "security" "virtualisation" "flushL1DataCache" ]) - (lib.mkRemovedOptionModule [ "security" "apparmor" "confineSUIDApplications" ] "Please use the new options: `security.apparmor.policies.<policy>.enable'.") - (lib.mkRemovedOptionModule [ "security" "apparmor" "profiles" ] "Please use the new option: `security.apparmor.policies'.") - apparmor/includes.nix - apparmor/profiles.nix - ]; - - options = { - security.apparmor = { - enable = lib.mkEnableOption ''the AppArmor Mandatory Access Control system. - - If you're enabling this module on a running system, - note that a reboot will be required to activate AppArmor in the kernel. - - Also, beware that enabling this module will by default - try to kill unconfined but confinable running processes, - in order to obtain a confinement matching what is declared in the NixOS configuration. - This will happen when upgrading to a NixOS revision - introducing an AppArmor profile for the executable of a running process. - This is because enabling an AppArmor profile for an executable - can only confine new or already confined processes of that executable, - but leaves already running processes unconfined. - Set <link linkend="opt-security.apparmor.killUnconfinedConfinables">killUnconfinedConfinables</link> - to <literal>false</literal> if you prefer to leave those processes running''; - policies = lib.mkOption { - description = '' - AppArmor policies. - ''; - type = types.attrsOf (types.submodule ({ name, config, ... }: { - options = { - enable = mkDisableOption "loading of the profile into the kernel"; - enforce = mkDisableOption "enforcing of the policy or only complain in the logs"; - profile = lib.mkOption { - description = "The policy of the profile."; - type = types.lines; - apply = pkgs.writeText name; - }; - }; - })); - default = {}; - }; - includes = lib.mkOption { - type = types.attrsOf types.lines; - default = {}; - description = '' - List of paths to be added to AppArmor's searched paths - when resolving <literal>include</literal> directives. - ''; - apply = lib.mapAttrs pkgs.writeText; - }; - packages = lib.mkOption { - type = types.listOf types.package; - default = []; - description = "List of packages to be added to AppArmor's include path"; - }; - enableCache = lib.mkEnableOption ''caching of AppArmor policies - in <literal>/var/cache/apparmor/</literal>. - - Beware that AppArmor policies almost always contain Nix store paths, - and thus produce at each change of these paths - a new cached version accumulating in the cache''; - killUnconfinedConfinables = mkDisableOption ''killing of processes - which have an AppArmor profile enabled - (in <link linkend="opt-security.apparmor.policies">policies</link>) - but are not confined (because AppArmor can only confine new processes). - Beware that due to a current limitation of AppArmor, - only profiles with exact paths (and no name) can enable such kills''; - }; - }; - - config = lib.mkIf cfg.enable { - assertions = map (policy: - { assertion = match ".*/.*" policy == null; - message = "`security.apparmor.policies.\"${policy}\"' must not contain a slash."; - # Because, for instance, aa-remove-unknown uses profiles_names_list() in rc.apparmor.functions - # which does not recurse into sub-directories. - } - ) (attrNames cfg.policies); - - environment.systemPackages = [ pkgs.apparmor-utils ]; - environment.etc."apparmor.d".source = pkgs.linkFarm "apparmor.d" ( - # It's important to put only enabledPolicies here and not all cfg.policies - # because aa-remove-unknown reads profiles from all /etc/apparmor.d/* - lib.mapAttrsToList (name: p: {inherit name; path=p.profile;}) enabledPolicies ++ - lib.mapAttrsToList (name: path: {inherit name path;}) cfg.includes - ); - environment.etc."apparmor/parser.conf".text = '' - ${if cfg.enableCache then "write-cache" else "skip-cache"} - cache-loc /var/cache/apparmor - Include /etc/apparmor.d - '' + - lib.concatMapStrings (p: "Include ${p}/etc/apparmor.d\n") cfg.packages; - # For aa-logprof - environment.etc."apparmor/apparmor.conf".text = '' - ''; - # For aa-logprof - environment.etc."apparmor/severity.db".source = pkgs.apparmor-utils + "/etc/apparmor/severity.db"; - environment.etc."apparmor/logprof.conf".text = '' - [settings] - # /etc/apparmor.d/ is read-only on NixOS - profiledir = /var/cache/apparmor/logprof - inactive_profiledir = /etc/apparmor.d/disable - # Use: journalctl -b --since today --grep audit: | aa-logprof - logfiles = /dev/stdin - - parser = ${pkgs.apparmor-parser}/bin/apparmor_parser - ldd = ${pkgs.glibc.bin}/bin/ldd - logger = ${pkgs.utillinux}/bin/logger - - # customize how file ownership permissions are presented - # 0 - off - # 1 - default of what ever mode the log reported - # 2 - force the new permissions to be user - # 3 - force all perms on the rule to be user - default_owner_prompt = 1 - - custom_includes = /etc/apparmor.d ${lib.concatMapStringsSep " " (p: "${p}/etc/apparmor.d") cfg.packages} - - [qualifiers] - ${pkgs.runtimeShell} = icnu - ${pkgs.bashInteractive}/bin/sh = icnu - ${pkgs.bashInteractive}/bin/bash = icnu - '' + head (match "^.*\\[qualifiers](.*)" # Drop the original [settings] section. - (readFile "${pkgs.apparmor-utils}/etc/apparmor/logprof.conf")); - - boot.kernelParams = [ "apparmor=1" "security=apparmor" ]; - - systemd.services.apparmor = { - after = [ - "local-fs.target" - "systemd-journald-audit.socket" - ]; - before = [ "sysinit.target" ]; - wantedBy = [ "multi-user.target" ]; - unitConfig = { - Description="Load AppArmor policies"; - DefaultDependencies = "no"; - ConditionSecurity = "apparmor"; - }; - # Reloading instead of restarting enables to load new AppArmor profiles - # without necessarily restarting all services which have Requires=apparmor.service - reloadIfChanged = true; - restartTriggers = [ - etc."apparmor/parser.conf".source - etc."apparmor.d".source - ]; - serviceConfig = let - killUnconfinedConfinables = pkgs.writeShellScript "apparmor-kill" '' - set -eu - ${pkgs.apparmor-utils}/bin/aa-status --json | - ${pkgs.jq}/bin/jq --raw-output '.processes | .[] | .[] | select (.status == "unconfined") | .pid' | - xargs --verbose --no-run-if-empty --delimiter='\n' \ - kill - ''; - commonOpts = p: "--verbose --show-cache ${lib.optionalString (!p.enforce) "--complain "}${p.profile}"; - in { - Type = "oneshot"; - RemainAfterExit = "yes"; - ExecStartPre = "${pkgs.apparmor-utils}/bin/aa-teardown"; - ExecStart = lib.mapAttrsToList (n: p: "${pkgs.apparmor-parser}/bin/apparmor_parser --add ${commonOpts p}") enabledPolicies; - ExecStartPost = lib.optional cfg.killUnconfinedConfinables killUnconfinedConfinables; - ExecReload = - # Add or replace into the kernel profiles in enabledPolicies - # (because AppArmor can do that without stopping the processes already confined). - lib.mapAttrsToList (n: p: "${pkgs.apparmor-parser}/bin/apparmor_parser --replace ${commonOpts p}") enabledPolicies ++ - # Remove from the kernel any profile whose name is not - # one of the names within the content of the profiles in enabledPolicies - # (indirectly read from /etc/apparmor.d/*, without recursing into sub-directory). - # Note that this does not remove profiles dynamically generated by libvirt. - [ "${pkgs.apparmor-utils}/bin/aa-remove-unknown" ] ++ - # Optionaly kill the processes which are unconfined but now have a profile loaded - # (because AppArmor can only start to confine new processes). - lib.optional cfg.killUnconfinedConfinables killUnconfinedConfinables; - ExecStop = "${pkgs.apparmor-utils}/bin/aa-teardown"; - CacheDirectory = [ "apparmor" "apparmor/logprof" ]; - CacheDirectoryMode = "0700"; - }; - }; - }; - - meta.maintainers = with lib.maintainers; [ julm ]; + options = { + security.apparmor = { + enable = mkOption { + type = types.bool; + default = false; + description = "Enable the AppArmor Mandatory Access Control system."; + }; + profiles = mkOption { + type = types.listOf types.path; + default = []; + description = "List of files containing AppArmor profiles."; + }; + packages = mkOption { + type = types.listOf types.package; + default = []; + description = "List of packages to be added to apparmor's include path"; + }; + }; + }; + + config = mkIf cfg.enable { + environment.systemPackages = [ pkgs.apparmor-utils ]; + + boot.kernelParams = [ "apparmor=1" "security=apparmor" ]; + + systemd.services.apparmor = let + paths = concatMapStrings (s: " -I ${s}/etc/apparmor.d") + ([ pkgs.apparmor-profiles ] ++ cfg.packages); + in { + after = [ "local-fs.target" ]; + before = [ "sysinit.target" ]; + wantedBy = [ "multi-user.target" ]; + unitConfig = { + DefaultDependencies = "no"; + }; + serviceConfig = { + Type = "oneshot"; + RemainAfterExit = "yes"; + ExecStart = map (p: + ''${pkgs.apparmor-parser}/bin/apparmor_parser -rKv ${paths} "${p}"'' + ) cfg.profiles; + ExecStop = map (p: + ''${pkgs.apparmor-parser}/bin/apparmor_parser -Rv "${p}"'' + ) cfg.profiles; + ExecReload = map (p: + ''${pkgs.apparmor-parser}/bin/apparmor_parser --reload ${paths} "${p}"'' + ) cfg.profiles; + }; + }; + }; } diff --git a/nixos/modules/security/apparmor/includes.nix b/nixos/modules/security/apparmor/includes.nix deleted file mode 100644 index 498d7e77650a..000000000000 --- a/nixos/modules/security/apparmor/includes.nix +++ /dev/null @@ -1,301 +0,0 @@ -{ config, lib, pkgs, ... }: -let - inherit (builtins) attrNames hasAttr isAttrs; - inherit (lib) getLib; - inherit (config.environment) etc; - etcRule = arg: - let go = {path ? null, mode ? "r", trail ? ""}: - lib.optionalString (hasAttr path etc) - "${mode} ${config.environment.etc.${path}.source}${trail},"; - in if isAttrs arg - then go arg - else go {path=arg;}; -in -{ -# FIXME: most of the etcRule calls below have been -# written systematically by converting from apparmor-profiles's profiles -# without testing nor deep understanding of their uses, -# and thus may need more rules or can have less rules; -# this remains to be determined case by case, -# some may even be completely useless. -config.security.apparmor.includes = { - # This one is included by <tunables/global> - # which is usualy included before any profile. - "abstractions/tunables/alias" = '' - alias /bin -> /run/current-system/sw/bin, - alias /lib/modules -> /run/current-system/kernel/lib/modules, - alias /sbin -> /run/current-system/sw/sbin, - alias /usr -> /run/current-system/sw, - ''; - "abstractions/audio" = '' - include "${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/audio" - ${etcRule "asound.conf"} - ${etcRule "esound/esd.conf"} - ${etcRule "libao.conf"} - ${etcRule {path="pulse"; trail="/";}} - ${etcRule {path="pulse"; trail="/**";}} - ${etcRule {path="sound"; trail="/";}} - ${etcRule {path="sound"; trail="/**";}} - ${etcRule {path="alsa/conf.d"; trail="/";}} - ${etcRule {path="alsa/conf.d"; trail="/*";}} - ${etcRule "openal/alsoft.conf"} - ${etcRule "wildmidi/wildmidi.conf"} - ''; - "abstractions/authentication" = '' - include "${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/authentication" - # Defined in security.pam - include <abstractions/pam> - ${etcRule "nologin"} - ${etcRule "securetty"} - ${etcRule {path="security"; trail="/*";}} - ${etcRule "shadow"} - ${etcRule "gshadow"} - ${etcRule "pwdb.conf"} - ${etcRule "default/passwd"} - ${etcRule "login.defs"} - ''; - "abstractions/base" = '' - include "${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/base" - r ${pkgs.stdenv.cc.libc}/share/locale/**, - r ${pkgs.stdenv.cc.libc}/share/locale.alias, - ${lib.optionalString (pkgs.glibcLocales != null) "r ${pkgs.glibcLocales}/lib/locale/locale-archive,"} - ${etcRule "localtime"} - r ${pkgs.tzdata}/share/zoneinfo/**, - r ${pkgs.stdenv.cc.libc}/share/i18n/**, - ''; - "abstractions/bash" = '' - include "${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/bash" - # system-wide bash configuration - ${etcRule "profile.dos"} - ${etcRule "profile"} - ${etcRule "profile.d"} - ${etcRule {path="profile.d"; trail="/*";}} - ${etcRule "bashrc"} - ${etcRule "bash.bashrc"} - ${etcRule "bash.bashrc.local"} - ${etcRule "bash_completion"} - ${etcRule "bash_completion.d"} - ${etcRule {path="bash_completion.d"; trail="/*";}} - # bash relies on system-wide readline configuration - ${etcRule "inputrc"} - # bash inspects filesystems at startup - # and /etc/mtab is linked to /proc/mounts - @{PROC}/mounts - - # run out of /etc/bash.bashrc - ${etcRule "DIR_COLORS"} - ''; - "abstractions/cups-client" = '' - include "${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/cpus-client" - ${etcRule "cups/cups-client.conf"} - ''; - "abstractions/consoles" = '' - include "${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/consoles" - ''; - "abstractions/dbus-session-strict" = '' - include "${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/dbus-session-strict" - ${etcRule "machine-id"} - ''; - "abstractions/dconf" = '' - include "${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/dconf" - ${etcRule {path="dconf"; trail="/**";}} - ''; - "abstractions/dri-common" = '' - include "${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/dri-common" - ${etcRule "drirc"} - ''; - # The config.fonts.fontconfig NixOS module adds many files to /etc/fonts/ - # by symlinking them but without exporting them outside of its NixOS module, - # those are therefore added there to this "abstractions/fonts". - "abstractions/fonts" = '' - include "${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/fonts" - ${etcRule {path="fonts"; trail="/**";}} - ''; - "abstractions/gnome" = '' - include "${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/gnome" - ${etcRule {path="gnome"; trail="/gtkrc*";}} - ${etcRule {path="gtk"; trail="/*";}} - ${etcRule {path="gtk-2.0"; trail="/*";}} - ${etcRule {path="gtk-3.0"; trail="/*";}} - ${etcRule "orbitrc"} - include <abstractions/fonts> - ${etcRule {path="pango"; trail="/*";}} - ${etcRule {path="/etc/gnome-vfs-2.0"; trail="/modules/";}} - ${etcRule {path="/etc/gnome-vfs-2.0"; trail="/modules/*";}} - ${etcRule "papersize"} - ${etcRule {path="cups"; trail="/lpoptions";}} - ${etcRule {path="gnome"; trail="/defaults.list";}} - ${etcRule {path="xdg"; trail="/{,*-}mimeapps.list";}} - ${etcRule "xdg/mimeapps.list"} - ''; - "abstractions/kde" = '' - include "${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/kde" - ${etcRule {path="qt3"; trail="/kstylerc";}} - ${etcRule {path="qt3"; trail="/qt_plugins_3.3rc";}} - ${etcRule {path="qt3"; trail="/qtrc";}} - ${etcRule "kderc"} - ${etcRule {path="kde3"; trail="/*";}} - ${etcRule "kde4rc"} - ${etcRule {path="xdg"; trail="/kdeglobals";}} - ${etcRule {path="xdg"; trail="/Trolltech.conf";}} - ''; - "abstractions/kerberosclient" = '' - include "${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/kerberosclient" - ${etcRule {path="krb5.keytab"; mode="rk";}} - ${etcRule "krb5.conf"} - ${etcRule "krb5.conf.d"} - ${etcRule {path="krb5.conf.d"; trail="/*";}} - - # config files found via strings on libs - ${etcRule "krb.conf"} - ${etcRule "krb.realms"} - ${etcRule "srvtab"} - ''; - "abstractions/ldapclient" = '' - include "${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/ldapclient" - ${etcRule "ldap.conf"} - ${etcRule "ldap.secret"} - ${etcRule {path="openldap"; trail="/*";}} - ${etcRule {path="openldap"; trail="/cacerts/*";}} - ${etcRule {path="sasl2"; trail="/*";}} - ''; - "abstractions/likewise" = '' - include "${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/likewise" - ''; - "abstractions/mdns" = '' - include "${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/mdns" - ${etcRule "nss_mdns.conf"} - ''; - "abstractions/nameservice" = '' - include "${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/nameservice" - - # Many programs wish to perform nameservice-like operations, such as - # looking up users by name or id, groups by name or id, hosts by name - # or IP, etc. These operations may be performed through files, dns, - # NIS, NIS+, LDAP, hesiod, wins, etc. Allow them all here. - ${etcRule "group"} - ${etcRule "host.conf"} - ${etcRule "hosts"} - ${etcRule "nsswitch.conf"} - ${etcRule "gai.conf"} - ${etcRule "passwd"} - ${etcRule "protocols"} - - # libtirpc (used for NIS/YP login) needs this - ${etcRule "netconfig"} - - ${etcRule "resolv.conf"} - - ${etcRule {path="samba"; trail="/lmhosts";}} - ${etcRule "services"} - - ${etcRule "default/nss"} - - # libnl-3-200 via libnss-gw-name - ${etcRule {path="libnl"; trail="/classid";}} - ${etcRule {path="libnl-3"; trail="/classid";}} - - mr ${getLib pkgs.nss}/lib/libnss_*.so*, - mr ${getLib pkgs.nss}/lib64/libnss_*.so*, - ''; - "abstractions/nis" = '' - include "${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/nis" - ''; - "abstractions/nvidia" = '' - include "${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/nvidia" - ${etcRule "vdpau_wrapper.cfg"} - ''; - "abstractions/opencl-common" = '' - include "${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/opencl-common" - ${etcRule {path="OpenCL"; trail="/**";}} - ''; - "abstractions/opencl-mesa" = '' - include "${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/opencl-mesa" - ${etcRule "default/drirc"} - ''; - "abstractions/openssl" = '' - include "${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/openssl" - ${etcRule {path="ssl"; trail="/openssl.cnf";}} - ''; - "abstractions/p11-kit" = '' - include "${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/p11-kit" - ${etcRule {path="pkcs11"; trail="/";}} - ${etcRule {path="pkcs11"; trail="/pkcs11.conf";}} - ${etcRule {path="pkcs11"; trail="/modules/";}} - ${etcRule {path="pkcs11"; trail="/modules/*";}} - ''; - "abstractions/perl" = '' - include "${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/perl" - ${etcRule {path="perl"; trail="/**";}} - ''; - "abstractions/php" = '' - include "${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/php" - ${etcRule {path="php"; trail="/**/";}} - ${etcRule {path="php5"; trail="/**/";}} - ${etcRule {path="php7"; trail="/**/";}} - ${etcRule {path="php"; trail="/**.ini";}} - ${etcRule {path="php5"; trail="/**.ini";}} - ${etcRule {path="php7"; trail="/**.ini";}} - ''; - "abstractions/postfix-common" = '' - include "${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/postfix-common" - ${etcRule "mailname"} - ${etcRule {path="postfix"; trail="/*.cf";}} - ${etcRule "postfix/main.cf"} - ${etcRule "postfix/master.cf"} - ''; - "abstractions/python" = '' - include "${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/python" - ''; - "abstractions/qt5" = '' - include "${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/qt5" - ${etcRule {path="xdg"; trail="/QtProject/qtlogging.ini";}} - ${etcRule {path="xdg/QtProject"; trail="/qtlogging.ini";}} - ${etcRule "xdg/QtProject/qtlogging.ini"} - ''; - "abstractions/samba" = '' - include "${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/samba" - ${etcRule {path="samba"; trail="/*";}} - ''; - "abstractions/ssl_certs" = '' - include "${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/ssl_certs" - ${etcRule "ssl/certs/ca-certificates.crt"} - ${etcRule "ssl/certs/ca-bundle.crt"} - ${etcRule "pki/tls/certs/ca-bundle.crt"} - - ${etcRule {path="ssl/trust"; trail="/";}} - ${etcRule {path="ssl/trust"; trail="/*";}} - ${etcRule {path="ssl/trust/anchors"; trail="/";}} - ${etcRule {path="ssl/trust/anchors"; trail="/**";}} - ${etcRule {path="pki/trust"; trail="/";}} - ${etcRule {path="pki/trust"; trail="/*";}} - ${etcRule {path="pki/trust/anchors"; trail="/";}} - ${etcRule {path="pki/trust/anchors"; trail="/**";}} - - # security.acme NixOS module - r /var/lib/acme/*/cert.pem, - r /var/lib/acme/*/chain.pem, - r /var/lib/acme/*/fullchain.pem, - ''; - "abstractions/ssl_keys" = '' - # security.acme NixOS module - r /var/lib/acme/*/full.pem, - r /var/lib/acme/*/key.pem, - ''; - "abstractions/vulkan" = '' - include "${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/vulkan" - ${etcRule {path="vulkan/icd.d"; trail="/";}} - ${etcRule {path="vulkan/icd.d"; trail="/*.json";}} - ''; - "abstractions/winbind" = '' - include "${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/winbind" - ${etcRule {path="samba"; trail="/smb.conf";}} - ${etcRule {path="samba"; trail="/dhcp.conf";}} - ''; - "abstractions/X" = '' - include "${pkgs.apparmor-profiles}/etc/apparmor.d/abstractions/X" - ${etcRule {path="X11/cursors"; trail="/";}} - ${etcRule {path="X11/cursors"; trail="/**";}} - ''; -}; -} diff --git a/nixos/modules/security/apparmor/profiles.nix b/nixos/modules/security/apparmor/profiles.nix deleted file mode 100644 index 8eb630b5a48a..000000000000 --- a/nixos/modules/security/apparmor/profiles.nix +++ /dev/null @@ -1,11 +0,0 @@ -{ config, lib, pkgs, ... }: -let apparmor = config.security.apparmor; in -{ -config.security.apparmor.packages = [ pkgs.apparmor-profiles ]; -config.security.apparmor.policies."bin.ping".profile = lib.mkIf apparmor.policies."bin.ping".enable '' - include "${pkgs.iputils.apparmor}/bin.ping" - include "${pkgs.inetutils.apparmor}/bin.ping" - # Note that including those two profiles in the same profile - # would not work if the second one were to re-include <tunables/global>. -''; -} diff --git a/nixos/modules/security/pam.nix b/nixos/modules/security/pam.nix index 4e1bec91ff32..7ae26804317b 100644 --- a/nixos/modules/security/pam.nix +++ b/nixos/modules/security/pam.nix @@ -834,61 +834,6 @@ in runuser-l = { rootOK = true; unixAuth = false; }; }; - security.apparmor.includes."abstractions/pam" = let - isEnabled = test: fold or false (map test (attrValues config.security.pam.services)); - in '' - ${lib.concatMapStringsSep "\n" - (name: "r ${config.environment.etc."pam.d/${name}".source},") - (attrNames config.security.pam.services)} - mr ${getLib pkgs.pam}/lib/security/pam_filter/*, - mr ${getLib pkgs.pam}/lib/security/pam_*.so, - r ${getLib pkgs.pam}/lib/security/, - ${optionalString use_ldap - "mr ${pam_ldap}/lib/security/pam_ldap.so,"} - ${optionalString config.services.sssd.enable - "mr ${pkgs.sssd}/lib/security/pam_sss.so,"} - ${optionalString config.krb5.enable '' - mr ${pam_krb5}/lib/security/pam_krb5.so, - mr ${pam_ccreds}/lib/security/pam_ccreds.so, - ''} - ${optionalString (isEnabled (cfg: cfg.googleOsLoginAccountVerification)) '' - mr ${pkgs.google-compute-engine-oslogin}/lib/pam_oslogin_login.so, - mr ${pkgs.google-compute-engine-oslogin}/lib/pam_oslogin_admin.so, - ''} - ${optionalString (isEnabled (cfg: cfg.googleOsLoginAuthentication)) - "mr ${pkgs.google-compute-engine-oslogin}/lib/pam_oslogin_login.so,"} - ${optionalString (config.security.pam.enableSSHAgentAuth && isEnabled (cfg: cfg.sshAgentAuth)) - "mr ${pkgs.pam_ssh_agent_auth}/libexec/pam_ssh_agent_auth.so,"} - ${optionalString (isEnabled (cfg: cfg.fprintAuth)) - "mr ${pkgs.fprintd}/lib/security/pam_fprintd.so,"} - ${optionalString (isEnabled (cfg: cfg.u2fAuth)) - "mr ${pkgs.pam_u2f}/lib/security/pam_u2f.so,"} - ${optionalString (isEnabled (cfg: cfg.usbAuth)) - "mr ${pkgs.pam_usb}/lib/security/pam_usb.so,"} - ${optionalString (isEnabled (cfg: cfg.oathAuth)) - "mr ${pkgs.oathToolkit}/lib/security/pam_oath.so,"} - ${optionalString (isEnabled (cfg: cfg.yubicoAuth)) - "mr ${pkgs.yubico-pam}/lib/security/pam_yubico.so,"} - ${optionalString (isEnabled (cfg: cfg.duoSecurity.enable)) - "mr ${pkgs.duo-unix}/lib/security/pam_duo.so,"} - ${optionalString (isEnabled (cfg: cfg.otpwAuth)) - "mr ${pkgs.otpw}/lib/security/pam_otpw.so,"} - ${optionalString config.security.pam.enableEcryptfs - "mr ${pkgs.ecryptfs}/lib/security/pam_ecryptfs.so,"} - ${optionalString (isEnabled (cfg: cfg.pamMount)) - "mr ${pkgs.pam_mount}/lib/security/pam_mount.so,"} - ${optionalString (isEnabled (cfg: cfg.enableGnomeKeyring)) - "mr ${pkgs.gnome3.gnome-keyring}/lib/security/pam_gnome_keyring.so,"} - ${optionalString (isEnabled (cfg: cfg.startSession)) - "mr ${pkgs.systemd}/lib/security/pam_systemd.so,"} - ${optionalString (isEnabled (cfg: cfg.enableAppArmor) && config.security.apparmor.enable) - "mr ${pkgs.apparmor-pam}/lib/security/pam_apparmor.so,"} - ${optionalString (isEnabled (cfg: cfg.enableKwallet)) - "mr ${pkgs.plasma5.kwallet-pam}/lib/security/pam_kwallet5.so,"} - ${optionalString config.virtualisation.lxc.lxcfs.enable - "mr ${pkgs.lxc}/lib/security/pam_cgfs.so"} - ''; - }; } diff --git a/nixos/modules/security/wrappers/default.nix b/nixos/modules/security/wrappers/default.nix index f560f5c7628f..52de21bca9bf 100644 --- a/nixos/modules/security/wrappers/default.nix +++ b/nixos/modules/security/wrappers/default.nix @@ -179,14 +179,6 @@ in export PATH="${wrapperDir}:$PATH" ''; - security.apparmor.includes."nixos/security.wrappers" = '' - include "${pkgs.apparmorRulesFromClosure {} [ - securityWrapper - pkgs.stdenv.cc.cc - pkgs.stdenv.cc.libc - ]}" - ''; - ###### setcap activation script system.activationScripts.wrappers = lib.stringAfter [ "specialfs" "users" ] diff --git a/nixos/modules/services/torrent/transmission.nix b/nixos/modules/services/torrent/transmission.nix index 57982c20ccdf..014a22bb5a8d 100644 --- a/nixos |