apparmor: try again to fix and improve

maintainers/maintainer-list.nix

@@ -4937,7 +4937,7 @@
     name = "Julien Dehos";
   };
   julm = {
-    email = "julm+nix@sourcephile.fr";
+    email = "julm+nixpkgs@sourcephile.fr";
     github = "ju1m";
     githubId = 21160136;
     name = "Julien Moutinho";

nixos/doc/manual/release-notes/rl-2105.xml

@@ -857,6 +857,23 @@ environment.systemPackages = [
       Note that users defined with an explicit UID below 500 are exempted from this check, as <xref linkend="opt-users.users._name_.isSystemUser" /> has no effect for those.
     </para>
    </listitem>
+   <listitem>
+    <para>
+     The <literal>security.apparmor</literal> module,
+     for the <link xlink:href="https://gitlab.com/apparmor/apparmor/-/wikis/Documentation">AppArmor</link>
+     Mandatory Access Control system,
+     has been substantialy improved along with related tools,
+     so that module maintainers can now more easily write AppArmor profiles for NixOS.
+     The most notable change on the user-side is the new option <xref linkend="opt-security.apparmor.policies"/>,
+     replacing the previous <literal>profiles</literal> option
+     to provide a way to disable a profile
+     and to select whether to confine in enforce mode (default)
+     or in complain mode (see <literal>journalctl -b --grep apparmor</literal>).
+     Security-minded users may also want to enable <xref linkend="opt-security.apparmor.killUnconfinedConfinables"/>,
+     at the cost of having some of their processes killed
+     when updating to a NixOS version introducing new AppArmor profiles.
+    </para>
+   </listitem>
    <listitem>
      <para>
        The GNOME desktop manager once again installs <package>gnome3.epiphany</package> by default.

nixos/modules/config/fonts/fontconfig.nix

@@ -448,6 +448,40 @@ in
     (mkIf cfg.enable {
       environment.systemPackages    = [ pkgs.fontconfig ];
       environment.etc.fonts.source  = "${fontconfigEtc}/etc/fonts/";
+      security.apparmor.includes."abstractions/fonts" = ''
+        # fonts.conf
+        r ${pkg.out}/etc/fonts/fonts.conf,
+
+        # fontconfig default config files
+        r ${pkg.out}/etc/fonts/conf.d/*.conf,
+
+        # 00-nixos-cache.conf
+        r ${cacheConf},
+
+        # 10-nixos-rendering.conf
+        r ${renderConf},
+
+        # 50-user.conf
+        ${optionalString cfg.includeUserConf ''
+        r ${pkg.out}/etc/fonts/conf.d.bak/50-user.conf,
+        ''}
+
+        # local.conf (indirect priority 51)
+        ${optionalString (cfg.localConf != "") ''
+        r ${localConf},
+        ''}
+
+        # 52-nixos-default-fonts.conf
+        r ${defaultFontsConf},
+
+        # 53-no-bitmaps.conf
+        r ${rejectBitmaps},
+
+        ${optionalString (!cfg.allowType1) ''
+        # 53-nixos-reject-type1.conf
+        r ${rejectType1},
+        ''}
+      '';
     })
     (mkIf cfg.enable {
       fonts.fontconfig.confPackages = [ confPkg ];

nixos/modules/config/malloc.nix

@@ -87,5 +87,12 @@ in
     environment.etc."ld-nix.so.preload".text = ''
       ${providerLibPath}
     '';
+    security.apparmor.includes = {
+      "abstractions/base" = ''
+        r /etc/ld-nix.so.preload,
+        r ${config.environment.etc."ld-nix.so.preload".source},
+        mr ${providerLibPath},
+      '';
+    };
   };
 }

nixos/modules/module-list.nix

@@ -205,7 +205,6 @@
   ./rename.nix
   ./security/acme.nix
   ./security/apparmor.nix
-  ./security/apparmor-suid.nix
   ./security/audit.nix
   ./security/auditd.nix
   ./security/ca.nix

nixos/modules/profiles/hardened.nix

@@ -36,6 +36,7 @@ with lib;
   security.virtualisation.flushL1DataCache = mkDefault "always";
 
   security.apparmor.enable = mkDefault true;
+  security.apparmor.killUnconfinedConfinables = mkDefault true;
 
   boot.kernelParams = [
     # Slab/slub sanity checks, redzoning, and poisoning