dbus: Enable AppArmor mediation support
This commit is contained in:
parent
e949d75899
commit
060d20de24
@ -5,6 +5,8 @@
|
||||||
, expat
|
, expat
|
||||||
, enableSystemd ? stdenv.isLinux && !stdenv.hostPlatform.isMusl
|
, enableSystemd ? stdenv.isLinux && !stdenv.hostPlatform.isMusl
|
||||||
, systemd
|
, systemd
|
||||||
|
, audit
|
||||||
|
, libapparmor
|
||||||
, libX11 ? null
|
, libX11 ? null
|
||||||
, libICE ? null
|
, libICE ? null
|
||||||
, libSM ? null
|
, libSM ? null
@ -70,7 +72,8 @@ stdenv.mkDerivation rec {
|
||||||
libX11
|
libX11
|
||||||
libICE
|
libICE
|
||||||
libSM
|
libSM
|
||||||
] ++ lib.optional enableSystemd systemd;
|
] ++ lib.optional enableSystemd systemd
|
||||||
|
++ lib.optionals (!stdenv.isDarwin) [ audit libapparmor ];
|
||||||
# ToDo: optional selinux?
|
# ToDo: optional selinux?
|
||||||
|
|
||||||
configureFlags = [
|
configureFlags = [
@ -86,7 +89,8 @@ stdenv.mkDerivation rec {
|
||||||
"--with-system-socket=/run/dbus/system_bus_socket"
|
"--with-system-socket=/run/dbus/system_bus_socket"
|
||||||
"--with-systemdsystemunitdir=${placeholder ''out''}/etc/systemd/system"
|
"--with-systemdsystemunitdir=${placeholder ''out''}/etc/systemd/system"
|
||||||
"--with-systemduserunitdir=${placeholder ''out''}/etc/systemd/user"
|
"--with-systemduserunitdir=${placeholder ''out''}/etc/systemd/user"
|
||||||
] ++ lib.optional (!x11Support) "--without-x";
|
] ++ lib.optional (!x11Support) "--without-x"
|
||||||
|
++ lib.optionals (!stdenv.isDarwin) [ "--enable-apparmor" "--enable-libaudit" ];
|
||||||
|
|
||||||
# Enable X11 autolaunch support in libdbus. This doesn't actually depend on X11
|
# Enable X11 autolaunch support in libdbus. This doesn't actually depend on X11
|
||||||
# (it just execs dbus-launch in dbus.tools), contrary to what the configure script demands.
|
# (it just execs dbus-launch in dbus.tools), contrary to what the configure script demands.
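Review bot: The `--enable-apparmor` and `--enable-libaudit` flags added here, and the `++ lib.optionals (!stdenv.isDarwin) [ audit libapparmor ]` line in the earlier hunk, are gated on `!stdenv.isDarwin` rather than `stdenv.isLinux`, which this file already uses for `enableSystemd`; both libraries are Linux-only, so any other non-Darwin host now fails to evaluate. Unlike systemd there is also no switch to opt out, which matters because libaudit changes dbus-daemon's runtime behaviour (policy denials are reported to the kernel audit subsystem, as far as I recall from the dbus sources) and libapparmor becomes a hard dependency of the library. I'd add `, enableAppArmor ? stdenv.isLinux` beside `enableSystemd` and gate both the inputs and the flags on it, mirroring the existing `lib.optional enableSystemd` pattern. The enclosing `buildInputs` and `configureFlags` lists start outside these hunks.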
@ -1,6 +1,7 @@
|
||||||
{ runCommand, writeText, libxslt, dbus
|
{ runCommand, writeText, libxslt, dbus
|
||||||
, serviceDirectories ? []
|
, serviceDirectories ? []
|
||||||
, suidHelper ? "/var/setuid-wrappers/dbus-daemon-launch-helper"
|
, suidHelper ? "/var/setuid-wrappers/dbus-daemon-launch-helper"
|
||||||
|
, apparmor ? "disabled" # one of enabled, disabled, required
|
||||||
}:
|
}:
|
||||||
|
|
||||||
/* DBus has two configuration parsers -- normal and "trivial", which is used
|
/* DBus has two configuration parsers -- normal and "trivial", which is used
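Review bot: The new `apparmor` argument is forwarded verbatim to xsltproc and ends up as the `mode` attribute of the generated `<apparmor/>` element with no validation, so a typo such as `"enable"` produces a system.conf that dbus-daemon refuses at startup instead of an evaluation-time error; the trailing comment is the only guard. Since `lib` is not in this file's argument set, a builtin check placed before `runCommand "dbus-1"` would do: `assert builtins.elem apparmor [ "enabled" "disabled" "required" ];`. The `"disabled"` default is also the security-relevant choice and deserves a fuller comment, e.g. `# AppArmor mediation mode written into the generated configs: "disabled" keeps the previous behaviour, "enabled" mediates when the kernel offers AppArmor, "required" refuses to start without it` — those semantics follow the dbus-daemon configuration documentation, so confirm them against the packaged version.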
@ -10,7 +11,7 @@
|
||||||
*/
|
*/
|
||||||
runCommand "dbus-1"
|
runCommand "dbus-1"
|
||||||
{
|
{
|
||||||
inherit serviceDirectories suidHelper;
|
inherit serviceDirectories suidHelper apparmor;
|
||||||
preferLocalBuild = true;
|
preferLocalBuild = true;
|
||||||
allowSubstitutes = false;
|
allowSubstitutes = false;
|
||||||
XML_CATALOG_FILES = writeText "dbus-catalog.xml" ''
|
XML_CATALOG_FILES = writeText "dbus-catalog.xml" ''
@ -33,10 +34,12 @@ runCommand "dbus-1"
|
||||||
xsltproc --nonet \
|
xsltproc --nonet \
|
||||||
--stringparam serviceDirectories "$serviceDirectories" \
|
--stringparam serviceDirectories "$serviceDirectories" \
|
||||||
--stringparam suidHelper "$suidHelper" \
|
--stringparam suidHelper "$suidHelper" \
|
||||||
|
--stringparam apparmor "$apparmor" \
|
||||||
${./make-system-conf.xsl} ${dbus}/share/dbus-1/system.conf \
|
${./make-system-conf.xsl} ${dbus}/share/dbus-1/system.conf \
|
||||||
> $out/system.conf
|
> $out/system.conf
|
||||||
xsltproc --nonet \
|
xsltproc --nonet \
|
||||||
--stringparam serviceDirectories "$serviceDirectories" \
|
--stringparam serviceDirectories "$serviceDirectories" \
|
||||||
|
--stringparam apparmor "$apparmor" \
|
||||||
${./make-session-conf.xsl} ${dbus}/share/dbus-1/session.conf \
|
${./make-session-conf.xsl} ${dbus}/share/dbus-1/session.conf \
|
||||||
> $out/session.conf
|
> $out/session.conf
|
||||||
''
|
''
@ -15,12 +15,16 @@
|
||||||
<xsl:output method='xml' encoding="UTF-8" doctype-system="busconfig.dtd" />
|
<xsl:output method='xml' encoding="UTF-8" doctype-system="busconfig.dtd" />
|
||||||
|
|
||||||
<xsl:param name="serviceDirectories" />
|
<xsl:param name="serviceDirectories" />
|
||||||
|
<xsl:param name="apparmor" />
|
||||||
|
|
||||||
<xsl:template match="/busconfig">
|
<xsl:template match="/busconfig">
|
||||||
<busconfig>
|
<busconfig>
|
||||||
<!-- We leave <standard_session_servicedirs/> because it includes XDG dirs and therefore user Nix profile. -->
|
<!-- We leave <standard_session_servicedirs/> because it includes XDG dirs and therefore user Nix profile. -->
|
||||||
<xsl:copy-of select="child::node()[name() != 'include' and name() != 'servicedir' and name() != 'includedir']" />
|
<xsl:copy-of select="child::node()[name() != 'include' and name() != 'servicedir' and name() != 'includedir']" />
|
||||||
|
|
||||||
|
<!-- configure AppArmor -->
|
||||||
|
<apparmor mode="{$apparmor}"/>
|
||||||
|
|
||||||
<xsl:for-each select="str:tokenize($serviceDirectories)">
|
<xsl:for-each select="str:tokenize($serviceDirectories)">
|
||||||
<servicedir><xsl:value-of select="." />/share/dbus-1/services</servicedir>
|
<servicedir><xsl:value-of select="." />/share/dbus-1/services</servicedir>
|
||||||
<includedir><xsl:value-of select="." />/etc/dbus-1/session.d</includedir>
|
<includedir><xsl:value-of select="." />/etc/dbus-1/session.d</includedir>
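Review bot: The generated `<apparmor mode="{$apparmor}"/>` is emitted after the `xsl:copy-of`, which copies every child of the upstream `<busconfig>` except include/servicedir/includedir; if the packaged session.conf (or system.conf, same pattern at the `xsl:copy-of` line in make-system-conf.xsl) ever ships its own `<apparmor>` element, the output would contain two, with the upstream one first. Adding `and name() != 'apparmor'` to the exclusion predicate in both stylesheets makes the generated element authoritative. An unset or empty `$apparmor` also yields `mode=""`, which dbus-daemon presumably rejects at load time rather than the build catching it, so a comment on the new `xsl:param` stating the contract would help, e.g. `<!-- one of enabled, disabled, required; always supplied by make-dbus-conf.nix -->`.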
@ -16,11 +16,15 @@
|
||||||
|
|
||||||
<xsl:param name="serviceDirectories" />
|
<xsl:param name="serviceDirectories" />
|
||||||
<xsl:param name="suidHelper" />
|
<xsl:param name="suidHelper" />
|
||||||
|
<xsl:param name="apparmor" />
|
||||||
|
|
||||||
<xsl:template match="/busconfig">
|
<xsl:template match="/busconfig">
|
||||||
<busconfig>
|
<busconfig>
|
||||||
<xsl:copy-of select="child::node()[name() != 'include' and name() != 'standard_system_servicedirs' and name() != 'servicehelper' and name() != 'servicedir' and name() != 'includedir']" />
|
<xsl:copy-of select="child::node()[name() != 'include' and name() != 'standard_system_servicedirs' and name() != 'servicehelper' and name() != 'servicedir' and name() != 'includedir']" />
|
||||||
|
|
||||||
|
<!-- configure AppArmor -->
|
||||||
|
<apparmor mode="{$apparmor}"/>
|
||||||
|
|
||||||
<!-- set suid helper -->
|
<!-- set suid helper -->
|
||||||
<servicehelper><xsl:value-of select="$suidHelper" /></servicehelper>
|
<servicehelper><xsl:value-of select="$suidHelper" /></servicehelper>
|
||||||
|
|
@ -12471,9 +12471,9 @@ in
|
||||||
dbus-sharp-glib-1_0 = callPackage ../development/libraries/dbus-sharp-glib/dbus-sharp-glib-1.0.nix { };
|
dbus-sharp-glib-1_0 = callPackage ../development/libraries/dbus-sharp-glib/dbus-sharp-glib-1.0.nix { };
|
||||||
dbus-sharp-glib-2_0 = callPackage ../development/libraries/dbus-sharp-glib { };
|
dbus-sharp-glib-2_0 = callPackage ../development/libraries/dbus-sharp-glib { };
|
||||||
|
|
||||||
makeDBusConf = { suidHelper, serviceDirectories }:
|
makeDBusConf = { suidHelper, serviceDirectories, apparmor }:
|
||||||
callPackage ../development/libraries/dbus/make-dbus-conf.nix {
|
callPackage ../development/libraries/dbus/make-dbus-conf.nix {
|
||||||
inherit suidHelper serviceDirectories;
|
inherit suidHelper serviceDirectories apparmor;
|
||||||
};
|
};
|
||||||
|
|
||||||
dee = callPackage ../development/libraries/dee { };
|
dee = callPackage ../development/libraries/dee { };
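Review bot: `makeDBusConf = { suidHelper, serviceDirectories, apparmor }:` makes `apparmor` a mandatory argument even though make-dbus-conf.nix defaults it to `"disabled"`, so any caller not updated in this commit (the NixOS module presumably is, out-of-tree overlays are not) now fails with a missing-argument error instead of silently keeping the previous, unmediated behaviour. Declaring it optional in the wrapper, `makeDBusConf = { suidHelper, serviceDirectories, apparmor ? "disabled" }:`, keeps the interface backward-compatible at the cost of stating the default twice; if that duplication is unwanted, forwarding the argument set as a whole (`{ ... }@args: callPackage … args`) leaves the default in one place.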