Merge pull request #102537 from helsinki-systems/feat/dbus-apparmor
dbus: Add AppArmor support
c7b0aeb0d3
|
@ -11,6 +11,7 @@ let
|
||||||
homeDir = "/run/dbus";
|
homeDir = "/run/dbus";
|
||||||
|
|
||||||
configDir = pkgs.makeDBusConf {
|
configDir = pkgs.makeDBusConf {
|
||||||
|
inherit (cfg) apparmor;
|
||||||
suidHelper = "${config.security.wrapperDir}/dbus-daemon-launch-helper";
|
suidHelper = "${config.security.wrapperDir}/dbus-daemon-launch-helper";
|
||||||
serviceDirectories = cfg.packages;
|
serviceDirectories = cfg.packages;
|
||||||
};
|
};
|
||||||
|
@ -51,6 +52,20 @@ in
|
||||||
'';
|
'';
|
||||||
};
|
};
|
||||||
|
|
||||||
|
apparmor = mkOption {
|
||||||
|
type = types.enum [ "enabled" "disabled" "required" ];
|
||||||
|
description = ''
|
||||||
|
AppArmor mode for dbus.
|
||||||
|
|
||||||
|
<literal>enabled</literal> enables mediation when it's
|
||||||
|
supported in the kernel, <literal>disabled</literal>
|
||||||
|
always disables AppArmor even with kernel support, and
|
||||||
|
<literal>required</literal> fails when AppArmor was not found
|
||||||
|
in the kernel.
|
||||||
|
'';
|
||||||
|
default = "disabled";
|
||||||
|
};
|
||||||
|
|
||||||
socketActivated = mkOption {
|
socketActivated = mkOption {
|
||||||
type = types.nullOr types.bool;
|
type = types.nullOr types.bool;
|
||||||
default = null;
|
default = null;
|
||||||
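Review bot: The new option defaults to `"disabled"`, so a host that turns on `security.apparmor.enable` still runs an unmediated D-Bus unless it also opts in here; since this module already reads `config.security.wrapperDir`, the default could follow the system-wide switch with `default = if config.security.apparmor.enable then "enabled" else "disabled";` plus a matching `defaultText`. The description would also benefit from stating that `enabled` is fail-open (it runs without mediation on a kernel lacking AppArmor) while `required` is the fail-closed choice, since that is the distinction a hardening-minded reader looks for. Whether a `config`-dependent default fits this module's conventions depends on code outside these hunks.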
|
|
|
@ -5,6 +5,8 @@
|
||||||
, expat
|
, expat
|
||||||
, enableSystemd ? stdenv.isLinux && !stdenv.hostPlatform.isMusl
|
, enableSystemd ? stdenv.isLinux && !stdenv.hostPlatform.isMusl
|
||||||
, systemd
|
, systemd
|
||||||
|
, audit
|
||||||
|
, libapparmor
|
||||||
, libX11 ? null
|
, libX11 ? null
|
||||||
, libICE ? null
|
, libICE ? null
|
||||||
, libSM ? null
|
, libSM ? null
|
||||||
|
@ -70,7 +72,8 @@ stdenv.mkDerivation rec {
|
||||||
libX11
|
libX11
|
||||||
libICE
|
libICE
|
||||||
libSM
|
libSM
|
||||||
] ++ lib.optional enableSystemd systemd;
|
] ++ lib.optional enableSystemd systemd
|
||||||
|
++ lib.optionals (!stdenv.isDarwin) [ audit libapparmor ];
|
||||||
# ToDo: optional selinux?
|
# ToDo: optional selinux?
|
||||||
|
|
||||||
configureFlags = [
|
configureFlags = [
|
||||||
|
@ -86,7 +89,8 @@ stdenv.mkDerivation rec {
|
||||||
"--with-system-socket=/run/dbus/system_bus_socket"
|
"--with-system-socket=/run/dbus/system_bus_socket"
|
||||||
"--with-systemdsystemunitdir=${placeholder ''out''}/etc/systemd/system"
|
"--with-systemdsystemunitdir=${placeholder ''out''}/etc/systemd/system"
|
||||||
"--with-systemduserunitdir=${placeholder ''out''}/etc/systemd/user"
|
"--with-systemduserunitdir=${placeholder ''out''}/etc/systemd/user"
|
||||||
] ++ lib.optional (!x11Support) "--without-x";
|
] ++ lib.optional (!x11Support) "--without-x"
|
||||||
|
++ lib.optionals (!stdenv.isDarwin) [ "--enable-apparmor" "--enable-libaudit" ];
|
||||||
|
|
||||||
# Enable X11 autolaunch support in libdbus. This doesn't actually depend on X11
|
# Enable X11 autolaunch support in libdbus. This doesn't actually depend on X11
|
||||||
# (it just execs dbus-launch in dbus.tools), contrary to what the configure script demands.
|
# (it just execs dbus-launch in dbus.tools), contrary to what the configure script demands.
|
||||||
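Review bot: The additions `++ lib.optionals (!stdenv.isDarwin) [ audit libapparmor ]` and `++ lib.optionals (!stdenv.isDarwin) [ "--enable-apparmor" "--enable-libaudit" ]` gate on not-Darwin rather than on Linux, so any other non-Linux host platform is handed Linux-only libraries and configure flags. The file already expresses this kind of knob as an argument (`, enableSystemd ? stdenv.isLinux && !stdenv.hostPlatform.isMusl`), so a parallel `, enableAppArmor ? stdenv.isLinux` used in both places would be consistent and would let consumers opt out of the libapparmor dependency. Whether audit should share that knob or get its own is a judgement call; the remainder of `buildInputs` and `configureFlags` lies outside these hunks.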
|
|
|
@ -1,6 +1,7 @@
|
||||||
{ runCommand, writeText, libxslt, dbus
|
{ runCommand, writeText, libxslt, dbus
|
||||||
, serviceDirectories ? []
|
, serviceDirectories ? []
|
||||||
, suidHelper ? "/var/setuid-wrappers/dbus-daemon-launch-helper"
|
, suidHelper ? "/var/setuid-wrappers/dbus-daemon-launch-helper"
|
||||||
|
, apparmor ? "disabled" # one of enabled, disabled, required
|
||||||
}:
|
}:
|
||||||
|
|
||||||
/* DBus has two configuration parsers -- normal and "trivial", which is used
|
/* DBus has two configuration parsers -- normal and "trivial", which is used
|
||||||
|
@ -10,7 +11,7 @@
|
||||||
*/
|
*/
|
||||||
runCommand "dbus-1"
|
runCommand "dbus-1"
|
||||||
{
|
{
|
||||||
inherit serviceDirectories suidHelper;
|
inherit serviceDirectories suidHelper apparmor;
|
||||||
preferLocalBuild = true;
|
preferLocalBuild = true;
|
||||||
allowSubstitutes = false;
|
allowSubstitutes = false;
|
||||||
XML_CATALOG_FILES = writeText "dbus-catalog.xml" ''
|
XML_CATALOG_FILES = writeText "dbus-catalog.xml" ''
|
||||||
|
@ -33,10 +34,12 @@ runCommand "dbus-1"
|
||||||
xsltproc --nonet \
|
xsltproc --nonet \
|
||||||
--stringparam serviceDirectories "$serviceDirectories" \
|
--stringparam serviceDirectories "$serviceDirectories" \
|
||||||
--stringparam suidHelper "$suidHelper" \
|
--stringparam suidHelper "$suidHelper" \
|
||||||
|
--stringparam apparmor "$apparmor" \
|
||||||
${./make-system-conf.xsl} ${dbus}/share/dbus-1/system.conf \
|
${./make-system-conf.xsl} ${dbus}/share/dbus-1/system.conf \
|
||||||
> $out/system.conf
|
> $out/system.conf
|
||||||
xsltproc --nonet \
|
xsltproc --nonet \
|
||||||
--stringparam serviceDirectories "$serviceDirectories" \
|
--stringparam serviceDirectories "$serviceDirectories" \
|
||||||
|
--stringparam apparmor "$apparmor" \
|
||||||
${./make-session-conf.xsl} ${dbus}/share/dbus-1/session.conf \
|
${./make-session-conf.xsl} ${dbus}/share/dbus-1/session.conf \
|
||||||
> $out/session.conf
|
> $out/session.conf
|
||||||
''
|
''
|
||||||
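Review bot: `, apparmor ? "disabled" # one of enabled, disabled, required` documents the accepted values only in a comment, and the value is passed straight through `--stringparam apparmor "$apparmor"` into the generated config, so a caller that bypasses the NixOS option's `types.enum` learns of a typo only when dbus-daemon rejects its configuration at start-up. An `assert builtins.elem apparmor [ "enabled" "disabled" "required" ];` placed before `runCommand "dbus-1"` turns that into an evaluation-time error that names the offending expression, and the comment can then point at the assertion instead of restating the list. `lib` is not among this file's inputs, which is why `builtins.elem` is proposed here.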
|
|
|
@ -15,12 +15,16 @@
|
||||||
<xsl:output method='xml' encoding="UTF-8" doctype-system="busconfig.dtd" />
|
<xsl:output method='xml' encoding="UTF-8" doctype-system="busconfig.dtd" />
|
||||||
|
|
||||||
<xsl:param name="serviceDirectories" />
|
<xsl:param name="serviceDirectories" />
|
||||||
|
<xsl:param name="apparmor" />
|
||||||
|
|
||||||
<xsl:template match="/busconfig">
|
<xsl:template match="/busconfig">
|
||||||
<busconfig>
|
<busconfig>
|
||||||
<!-- We leave <standard_session_servicedirs/> because it includes XDG dirs and therefore user Nix profile. -->
|
<!-- We leave <standard_session_servicedirs/> because it includes XDG dirs and therefore user Nix profile. -->
|
||||||
<xsl:copy-of select="child::node()[name() != 'include' and name() != 'servicedir' and name() != 'includedir']" />
|
<xsl:copy-of select="child::node()[name() != 'include' and name() != 'servicedir' and name() != 'includedir']" />
|
||||||
|
|
||||||
|
<!-- configure AppArmor -->
|
||||||
|
<apparmor mode="{$apparmor}"/>
|
||||||
|
|
||||||
<xsl:for-each select="str:tokenize($serviceDirectories)">
|
<xsl:for-each select="str:tokenize($serviceDirectories)">
|
||||||
<servicedir><xsl:value-of select="." />/share/dbus-1/services</servicedir>
|
<servicedir><xsl:value-of select="." />/share/dbus-1/services</servicedir>
|
||||||
<includedir><xsl:value-of select="." />/etc/dbus-1/session.d</includedir>
|
<includedir><xsl:value-of select="." />/etc/dbus-1/session.d</includedir>
|
||||||
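Review bot: The `<xsl:copy-of>` predicate `name() != 'include' and name() != 'servicedir' and name() != 'includedir'` does not exclude an `apparmor` element, so if upstream's `session.conf` ever carries its own `<apparmor>` both the copied element and the generated `<apparmor mode="{$apparmor}"/>` would appear, and the effective mode would depend on how dbus-daemon resolves duplicates rather than on the parameter. Adding `and name() != 'apparmor'` to the predicate makes the generated element authoritative; the same gap exists in the `make-system-conf.xsl` hunk below, whose copy-of should get the same exclusion. Whether the stock dbus configs contain such an element today is not visible here, so this is defensive rather than a current breakage.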
|
|
|
@ -16,11 +16,15 @@
|
||||||
|
|
||||||
<xsl:param name="serviceDirectories" />
|
<xsl:param name="serviceDirectories" />
|
||||||
<xsl:param name="suidHelper" />
|
<xsl:param name="suidHelper" />
|
||||||
|
<xsl:param name="apparmor" />
|
||||||
|
|
||||||
<xsl:template match="/busconfig">
|
<xsl:template match="/busconfig">
|
||||||
<busconfig>
|
<busconfig>
|
||||||
<xsl:copy-of select="child::node()[name() != 'include' and name() != 'standard_system_servicedirs' and name() != 'servicehelper' and name() != 'servicedir' and name() != 'includedir']" />
|
<xsl:copy-of select="child::node()[name() != 'include' and name() != 'standard_system_servicedirs' and name() != 'servicehelper' and name() != 'servicedir' and name() != 'includedir']" />
|
||||||
|
|
||||||
|
<!-- configure AppArmor -->
|
||||||
|
<apparmor mode="{$apparmor}"/>
|
||||||
|
|
||||||
<!-- set suid helper -->
|
<!-- set suid helper -->
|
||||||
<servicehelper><xsl:value-of select="$suidHelper" /></servicehelper>
|
<servicehelper><xsl:value-of select="$suidHelper" /></servicehelper>
|
||||||
|
|
||||||
|
|
|
@ -12471,9 +12471,9 @@ in
|
||||||
dbus-sharp-glib-1_0 = callPackage ../development/libraries/dbus-sharp-glib/dbus-sharp-glib-1.0.nix { };
|
dbus-sharp-glib-1_0 = callPackage ../development/libraries/dbus-sharp-glib/dbus-sharp-glib-1.0.nix { };
|
||||||
dbus-sharp-glib-2_0 = callPackage ../development/libraries/dbus-sharp-glib { };
|
dbus-sharp-glib-2_0 = callPackage ../development/libraries/dbus-sharp-glib { };
|
||||||
|
|
||||||
makeDBusConf = { suidHelper, serviceDirectories }:
|
makeDBusConf = { suidHelper, serviceDirectories, apparmor }:
|
||||||
callPackage ../development/libraries/dbus/make-dbus-conf.nix {
|
callPackage ../development/libraries/dbus/make-dbus-conf.nix {
|
||||||
inherit suidHelper serviceDirectories;
|
inherit suidHelper serviceDirectories apparmor;
|
||||||
};
|
};
|
||||||
|
|
||||||
dee = callPackage ../development/libraries/dee { };
|
dee = callPackage ../development/libraries/dee { };
|
||||||
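Review bot: `makeDBusConf = { suidHelper, serviceDirectories, apparmor }:` makes `apparmor` a mandatory argument even though `make-dbus-conf.nix` in this same change gives it a default of `"disabled"`, so any existing caller of `pkgs.makeDBusConf` outside the NixOS module now fails evaluation with a missing-argument error. Writing `makeDBusConf = { suidHelper, serviceDirectories, apparmor ? "disabled" }:` keeps the wrapper backward compatible and in step with the file it delegates to.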
|
|