[Nix-dev] AppArmor

Eelco Dolstra eelco.dolstra at logicblox.com
Mon May 13 15:49:49 CEST 2013


Hi,

On 11/05/13 08:10, phreedom at yandex.ru wrote:

> Fresh AppArmor is available for further development.
> 
> The end result should be fully automatic confinement configuration for all 
> services configured using nixos options without extraConfig and such, a feature 
> which would be unique to NixOS.

Very cool :-)

The path-based approach of AppArmor seems a good fit for NixOS (while by
contrast I don't see how we could ever support SELinux cleanly, given the
properties of the Nix store).

> Currently, AppArmor ships with a single profile which confines ping. If you 
> comment out a line or two of the profile, ping will fail and apparmor will 
> complain to dmesg.

Actually ping doesn't work for me in the default configuration:

[root at machine:~]# ping localhost
ping: cannot run
`/nix/store/58gkpdj2idci0gh2380h16f8wj75gc0m-system-path/bin/ping': Permission
denied

And the journal says:

> May 13 15:17:35 machine kernel[1032]: [  458.080468] type=1400 audit(1368451055.867:7): apparmor="DENIED" operation="exec" parent=1596 profile="/var/setuid-wrappers/ping" name="/nix/store/1k6zn3fkkarhdi7nqgvxwv4mcna09v23-iputils-20121221/bin/ping" pid=1614 comm="ping" requested_mask="x" denied_mask="x" fsuid=0 ouid=0

BTW, do you know if AppArmor profiles allow granting capabilities to a process
(rather than merely allowing capabilities they already have)?  That way we could
get rid of setuid ping entirely, simply by having a profile for
${pkgs.iputils}/bin/ping that grants net_raw capability.

> What needs to be done:
>  * Fix systemd unit. archlinux ships apparmor as wantedBy = ["basic.target "], 
> but it doesn't exist in NixOS

We do have basic.target.

-- 
Eelco Dolstra | LogicBlox, Inc. | http://nixos.org/~eelco/
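Added example (not part of the thread, and not code from the AppArmor or NixOS projects): a small Python helper that parses the kernel audit record quoted in the message above into its fields and turns an exec denial into the AppArmor rule a profile would need. The sample record is the one from the message, reproduced without the mail quote marker. The choice of the `ix` (inherit) exec mode, which keeps the real ping under the wrapper's profile, and the optional globbing of the store hash are assumptions made for the example; note that a `capability net_raw,` rule only permits use of a capability the process already holds, it does not grant one.

```python
import re

# Constructed sample: the audit record quoted in the message, as one line.
SAMPLE_DENIAL = (
    'May 13 15:17:35 machine kernel[1032]: [  458.080468] type=1400 '
    'audit(1368451055.867:7): apparmor="DENIED" operation="exec" parent=1596 '
    'profile="/var/setuid-wrappers/ping" '
    'name="/nix/store/1k6zn3fkkarhdi7nqgvxwv4mcna09v23-iputils-20121221/bin/ping" '
    'pid=1614 comm="ping" requested_mask="x" denied_mask="x" fsuid=0 ouid=0'
)

# key="quoted value" or key=bare_value
_KV = re.compile(r'(\w+)=("([^"]*)"|(\S+))')

# A Nix store path: /nix/store/<32-char hash>-<name>/...
_STORE = re.compile(r'^/nix/store/[a-z0-9]{32}-(?P<rest>.+)$')


def parse_apparmor_record(line):
    """Return the key=value fields of an AppArmor audit record as a dict.

    Lines that are not AppArmor records yield None.
    """
    if 'apparmor=' not in line:
        return None
    fields = {}
    for m in _KV.finditer(line):
        key, quoted, bare = m.group(1), m.group(3), m.group(4)
        fields[key] = quoted if quoted is not None else bare
    return fields


def suggest_exec_rule(fields, glob_hash=False):
    """Turn an exec denial into an AppArmor exec rule for the denied target.

    With glob_hash=True the store hash is replaced by '*' so the rule survives
    a rebuild of the same package (assumption: '*' does not match '/', so the
    rule still only matches that name/version under /nix/store).
    """
    if not fields:
        return None
    if fields.get('apparmor') != 'DENIED' or fields.get('operation') != 'exec':
        return None
    target = fields['name']
    if glob_hash:
        m = _STORE.match(target)
        if m:
            target = '/nix/store/*-' + m.group('rest')
    # 'ix': run the target under the same (inherited) profile.
    return f'{target} ix,'


def render_profile(profile_path, rules):
    """Render a minimal profile body in AppArmor syntax."""
    body = '\n'.join(f'  {r}' for r in rules)
    return f'{profile_path} {{\n{body}\n}}\n'


if __name__ == '__main__':
    fields = parse_apparmor_record(SAMPLE_DENIAL)
    rules = [
        # Permits use of CAP_NET_RAW the process already has (e.g. via setuid);
        # AppArmor does not grant capabilities.
        'capability net_raw,',
        suggest_exec_rule(fields, glob_hash=True),
    ]
    print(render_profile(fields['profile'], rules))
```

Run it to print a profile skeleton for `/var/setuid-wrappers/ping`; the exact-hash form (`glob_hash=False`) is the stricter rule and is what a generated-per-configuration profile on NixOS could emit, since the store path is known at build time.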

