[Nix-dev] AppArmor
phreedom at yandex.ru
Mon May 13 18:58:34 CEST 2013
On Monday 13 May 2013 15:49:49 Eelco Dolstra wrote:
> Hi,
>
> On 11/05/13 08:10, phreedom at yandex.ru wrote:
> > Fresh AppArmor is available for further development.
> >
> > The end result should be fully automatic confinement configuration for all
> > services configured using nixos options without extraConfig and such, a
> > feature which would be unique to NixOS.
>
> Very cool :-)
>
> The path-based approach of AppArmor seems a good fit for NixOS (while by
> contrast I don't see how we could ever support SELinux cleanly, given the
> properties of the Nix store).
Actually, it's even worse than that. Imagine trying to write profiles for httpd
needing access to a random dir, git-daemon needing access to a random dir etc
etc and what happens when these dir sets overlap.
Since SELinux only lets you assign a single label to a file, we would need to
write code to detect possible overlaps (and it might be nontrivial since e.g.
gitdaemon only really needs to access .git subdirs in the projects it
publishes).
Then you have to assign labels like file_accessible_by_httpd,
file_accessible_by_httpd_and_gitdaemon, file_accessible_by_gitdaemon,
file_accessible_by_gitdaemon and rewrite the file labelling rules and policies
to handle all this :(
Supporting a nix store would be somewhat possible if you are ok with somewhat
coarse enforcement like read-only access to the whole store.
I figured I won't be able to invest enough time into a selinux rule/policy
aggregator code, so I decided to try apparmor.
> > Currently, AppArmor ships with a single profile which confines ping. If you
> > comment out a line or two of the profile, ping will fail and apparmor will
> > complain to dmesg.
>
> Actually ping doesn't work for me in the default configuration:
>
> [root at machine:~]# ping localhost
> ping: cannot run
> `/nix/store/58gkpdj2idci0gh2380h16f8wj75gc0m-system-path/bin/ping':
> Permission denied
>
> And the journal says:
> > May 13 15:17:35 machine kernel[1032]: [ 458.080468] type=1400
> > audit(1368451055.867:7): apparmor="DENIED" operation="exec" parent=1596
> > profile="/var/setuid-wrappers/ping"
> > name="/nix/store/1k6zn3fkkarhdi7nqgvxwv4mcna09v23-iputils-20121221/bin/ping"
> > pid=1614 comm="ping" requested_mask="x" denied_mask="x" fsuid=0 ouid=0
Damn, I guess I screwed up the profile somewhere, since I mostly tested whether
apparmor breaks a suid app (and therefore works) :/
> BTW, do you know if AppArmor profiles allow granting capabilities to a
> process (rather than merely allowing capabilities they already have)? That
> way we could get rid of setuid ping entirely, simply by having a profile for
> ${pkgs.iputils}/bin/ping that grants net_raw capability.
>
> > What needs to be done:
> > * Fix systemd unit. archlinux ships apparmor as wantedBy = ["basic.target"],
> > but it doesn't exist in NixOS
>
> We do have basic.target.
Somehow it didn't work when I tried wantedBy = ["basic.target"] and I saw
basic.target.wants commented out in systemd module. I didn't have the time to
investigate further.
I won't have the time to contribute to nixos for a few days but I'll do my
best to improve apparmor and kde things soon.
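The journal line quoted in the thread is the kind of evidence a profile author works from: the profile attached to the setuid wrapper (`/var/setuid-wrappers/ping`) denied an `exec` of the real iputils binary in the store, so the wrapper's profile is missing a file rule for the path it hands off to. The following is an added example, not code from the thread or from NixOS, that parses such `apparmor="DENIED"` audit lines into fields and turns each denial into the file rule that would have permitted it, roughly what `aa-logprof` does interactively. The mapping of an exec denial to an `ix` (inherit) rule is an assumption about the intended policy; the sample input is the thread's own line rejoined onto one line plus a constructed `STATUS` line to show the filter.

```python
import re
from typing import Dict, List

# Constructed sample input: the DENIED line quoted in the thread (rejoined onto one
# line) and a constructed profile_load STATUS line that must be ignored.
SAMPLE_JOURNAL = [
    'May 13 15:17:35 machine kernel[1032]: [  458.080468] type=1400 '
    'audit(1368451055.867:7): apparmor="DENIED" operation="exec" parent=1596 '
    'profile="/var/setuid-wrappers/ping" '
    'name="/nix/store/1k6zn3fkkarhdi7nqgvxwv4mcna09v23-iputils-20121221/bin/ping" '
    'pid=1614 comm="ping" requested_mask="x" denied_mask="x" fsuid=0 ouid=0',
    'May 13 15:18:02 machine kernel[1032]: [  485.120000] type=1400 '
    'audit(1368451082.100:8): apparmor="STATUS" operation="profile_load" '
    'name="/var/setuid-wrappers/ping" pid=1700 comm="apparmor_parser"',
]

# key=value tokens; values are either double-quoted (may contain spaces) or bare.
_KV = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')

# denied_mask letters -> AppArmor file permission. Plain "x" is not a valid rule
# permission; "ix" (inherit the current profile) is assumed here as the safe default.
_MASK_TO_PERM = {"r": "r", "w": "w", "m": "m", "k": "k", "l": "l", "x": "ix"}


def parse_audit_line(line: str) -> Dict[str, str]:
    """Split an audit/journal line into its key=value fields, stripping quotes."""
    fields: Dict[str, str] = {}
    for key, raw in _KV.findall(line):
        fields[key] = raw[1:-1] if raw.startswith('"') else raw
    return fields


def denials(lines: List[str]) -> List[Dict[str, str]]:
    """Keep only apparmor="DENIED" events and reduce them to the fields a profile
    author needs: which profile denied which operation on which path."""
    out = []
    for line in lines:
        f = parse_audit_line(line)
        if f.get("apparmor") != "DENIED":
            continue
        out.append({
            "profile": f.get("profile", ""),
            "operation": f.get("operation", ""),
            "target": f.get("name", ""),
            "denied_mask": f.get("denied_mask", ""),
            "comm": f.get("comm", ""),
        })
    return out


def suggest_rule(denial: Dict[str, str]) -> str:
    """Render one denial as the file rule that would have allowed it, e.g.
    '/nix/store/...-iputils-20121221/bin/ping ix,' for an exec denial."""
    perms = "".join(_MASK_TO_PERM.get(c, c) for c in denial["denied_mask"])
    return f"{denial['target']} {perms},"


if __name__ == "__main__":
    for d in denials(SAMPLE_JOURNAL):
        print(f"profile {d['profile']} denied {d['operation']} "
              f"({d['denied_mask']}) on {d['target']} by comm={d['comm']}")
        print("  candidate rule:", suggest_rule(d))
```

Reading the thread's line through this parser makes the failure mode concrete: in a NixOS setup the confined process is a wrapper that executes a store path, so a profile on the wrapper must name the store path (or a glob over it) in an exec rule, otherwise the handoff itself is what gets denied.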