[Nix-dev] AppArmor
phreedom at yandex.ru
Sat May 11 08:10:13 CEST 2013
Fresh AppArmor is available for further development.
The end result should be fully automatic confinement configuration for all
services configured using NixOS options without extraConfig and such, a feature
which would be unique to NixOS.
Currently, AppArmor ships with a single profile which confines ping. If you
comment out a line or two of the profile, ping will fail and AppArmor will
complain to dmesg.
What needs to be done:
* Fix the systemd unit. Arch Linux ships apparmor as wantedBy = ["basic.target"],
but it doesn't exist in NixOS
* Test and possibly fix profile loading/unloading on nixos-rebuild switch
* Check if any of abstractions that AppArmor ships need NixOS-specific
customization
* Create profiles for common SUID binaries, since they are often used in
privilege escalation attacks.
* Create profiles for common proprietary nasties like Skype and Steam, because
we can't trust them.
* Create a profile for Firefox with an option to have a dedicated
upload/download dir. Bonus points for packaging a confined Tor Browser (a fork of
Firefox)
* Create profiles for network-facing services, especially web servers since
these often host webapps which tend to be full of holes.
To enable AppArmor, add security.apparmor.enable = true to your config and use
the linux_3_2_apparmor kernel (or build another version in a similar way).
Have fun!