Skip to content

dbus: Add AppArmor support#102537

Merged
worldofpeace merged 2 commits intoNixOS:stagingfrom
helsinki-systems:feat/dbus-apparmor
Nov 18, 2020
Merged

dbus: Add AppArmor support#102537
worldofpeace merged 2 commits intoNixOS:stagingfrom
helsinki-systems:feat/dbus-apparmor

Conversation

@dasJ
Copy link
Member

@dasJ dasJ commented Nov 2, 2020

Motivation for this change

I'd like to do AppArmor mediation on dbus.

Things done
  • Tested using sandboxing (nix.useSandbox on NixOS, or option sandbox in nix.conf on non-NixOS linux)
  • Built on platform(s)
    • NixOS
    • macOS
    • other Linux distributions
  • Tested via one or more NixOS test(s) if existing and applicable for the change (look inside nixos/tests)
  • Tested compilation of all pkgs that depend on this change using nix-shell -p nixpkgs-review --run "nixpkgs-review wip"
  • Tested execution of all binary files (usually in ./result/bin/)
  • Determined the impact on package closure size (by running nix path-info -S before and after)
  • Ensured that relevant documentation is up to date
  • Fits CONTRIBUTING.md.

@ofborg ofborg bot added 6.topic: nixos Issues or PRs affecting NixOS modules, or package usability issues specific to NixOS 8.has: module (update) This PR changes an existing module in `nixos/` labels Nov 2, 2020
@ajs124
Copy link
Member

ajs124 commented Nov 2, 2020

cc @ju1m (#101071)

@dasJ dasJ requested a review from worldofpeace November 8, 2020 13:38
@dasJ
Copy link
Member Author

dasJ commented Nov 8, 2020

@GrahamcOfBorg build dbus

worldofpeace
worldofpeace reviewed Nov 9, 2020
View reviewed changes
nixos/modules/services/system/dbus.nix Outdated
Copy link
Contributor

@worldofpeace worldofpeace Nov 9, 2020

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

given that apparmor isn't on default why should this be?

Copy link
Member Author

@dasJ dasJ Nov 9, 2020

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The default mode is "enabled". In "enabled" mode, AppArmor mediation will be performed if AppArmor support is available in the kernel. If it is not available, dbus-daemon will start but AppArmor mediation will not occur. In "disabled" mode, AppArmor mediation is disabled. In "required" mode, AppArmor mediation will be enabled if AppArmor support is available, otherwise dbus-daemon will refuse to start.

I think that is okay as a default or am I wrong here?

Copy link
Contributor

@worldofpeace worldofpeace Nov 9, 2020
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Interesting, we should for sure put that in the commit and code with some sort of link to the docs.
If we choose the default enabled, it will be the easiest for apparmor and non-apparmor users. If the support is in the kernel then it's on, which means that apparmor users don't have to switch a dbus option in configuration.nix. However, I don't see the apparmor module putting support into the kernel, from this line it shows me that the kernel already has it and just needs a kernel parameter https://github.com/NixOS/nixpkgs/blob/master/nixos/modules/security/apparmor.nix#L32. I would think that apparmor support in the kernel would also implicate checking for that kernel parameter (along with other things), but I would like to at least check the startup is "as expected" without the apparmor module enabled.

Copy link
Member Author

@dasJ dasJ Nov 9, 2020

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I added some docs to the option.

I don't think linking to external docs is really helpful since you can either use the AppArmor GitLab which seems to be neither complete nor seems the link to be stable or you can use the dbus man page that doesn't allow direct linking to that list item since it's not a heading.

worldofpeace
worldofpeace reviewed Nov 9, 2020
View reviewed changes
worldofpeace
worldofpeace reviewed Nov 9, 2020
View reviewed changes
@worldofpeace worldofpeace requested a review from jtojnar November 9, 2020 02:02
worldofpeace
worldofpeace reviewed Nov 9, 2020
View reviewed changes
@dasJ dasJ force-pushed the feat/dbus-apparmor branch from 7bc410f to 218700c Compare November 9, 2020 10:48
@ofborg ofborg bot requested a review from worldofpeace November 9, 2020 11:11
@ofborg ofborg bot added 10.rebuild-darwin: 501+ This PR causes many rebuilds on Darwin and should normally target the staging branches. 10.rebuild-darwin: 1001-2500 This PR causes many rebuilds on Darwin and should most likely target the staging branches. 10.rebuild-linux: 501+ This PR causes many rebuilds on Linux and should normally target the staging branches. 10.rebuild-linux: 5001+ This PR causes many rebuilds on Linux and must target the staging branches. labels Nov 9, 2020
@dasJ dasJ force-pushed the feat/dbus-apparmor branch from 218700c to 3a4f2b5 Compare November 9, 2020 11:56
@dasJ dasJ changed the base branch from master to staging November 9, 2020 11:56
@dasJ
Copy link
Member Author

dasJ commented Nov 9, 2020

Rebased to staging since this seems to be a mass rebuild when it evaluates

@ofborg ofborg bot added 6.topic: GNOME GNOME desktop environment and its underlying platform 6.topic: haskell General-purpose, statically typed, purely functional programming language 6.topic: pantheon The Pantheon desktop environment 6.topic: python Python is a high-level, general-purpose programming language. 6.topic: ruby A dynamic, open source programming language with a focus on simplicity and productivity. labels Nov 9, 2020
@dasJ dasJ requested a review from ttuegel as a code owner November 17, 2020 20:57
@dasJ dasJ changed the base branch from staging-next to staging November 17, 2020 20:57
@dasJ
Copy link
Member Author

dasJ commented Nov 17, 2020

@worldofpeace Properly rebased (I hope?)

@ofborg ofborg bot added 6.topic: python Python is a high-level, general-purpose programming language. 6.topic: qt/kde Object-oriented framework for GUI creation 6.topic: ruby A dynamic, open source programming language with a focus on simplicity and productivity. 6.topic: stdenv Standard environment 8.has: documentation This PR adds or changes documentation 10.rebuild-darwin-stdenv This PR causes stdenv to rebuild on Darwin and must target a staging branch. 8.has: package (new) This PR adds a new package 10.rebuild-darwin: 5001+ This PR causes many rebuilds on Darwin and must target the staging branches. 10.rebuild-darwin: 1001-2500 This PR causes many rebuilds on Darwin and should most likely target the staging branches. and removed 6.topic: python Python is a high-level, general-purpose programming language. 6.topic: qt/kde Object-oriented framework for GUI creation 6.topic: ruby A dynamic, open source programming language with a focus on simplicity and productivity. 6.topic: stdenv Standard environment 8.has: documentation This PR adds or changes documentation 10.rebuild-darwin: 1001-2500 This PR causes many rebuilds on Darwin and should most likely target the staging branches. 10.rebuild-darwin-stdenv This PR causes stdenv to rebuild on Darwin and must target a staging branch. 10.rebuild-darwin: 5001+ This PR causes many rebuilds on Darwin and must target the staging branches. labels Nov 17, 2020
@dasJ dasJ force-pushed the feat/dbus-apparmor branch from 760e978 to e5e9887 Compare November 18, 2020 09:10
@dasJ
Copy link
Member Author

dasJ commented Nov 18, 2020

Took some time since I had to rebuild stdenv, but I successfully built this on macOS

@ofborg ofborg bot added 10.rebuild-darwin: 0 This PR does not cause any packages to rebuild on Darwin. and removed 10.rebuild-darwin: 501+ This PR causes many rebuilds on Darwin and should normally target the staging branches. 10.rebuild-darwin: 1001-2500 This PR causes many rebuilds on Darwin and should most likely target the staging branches. labels Nov 18, 2020
@worldofpeace worldofpeace merged commit c7b0aeb into NixOS:staging Nov 18, 2020
@worldofpeace
Copy link
Contributor

worldofpeace commented Nov 18, 2020

Took some time since I had to rebuild stdenv, but I successfully built this on macOS

Thanks alot. I've merged the PR ✨

@dasJ dasJ deleted the feat/dbus-apparmor branch November 18, 2020 10:45
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@jtojnar jtojnar Awaiting requested review from jtojnar

@worldofpeace worldofpeace Awaiting requested review from worldofpeace

@alyssais alyssais Awaiting requested review from alyssais

@cdepillabout cdepillabout Awaiting requested review from cdepillabout

@Ericson2314 Ericson2314 Awaiting requested review from Ericson2314

@FRidh FRidh Awaiting requested review from FRidh

@jonringer jonringer Awaiting requested review from jonringer

@matthewbauer matthewbauer Awaiting requested review from matthewbauer

@stigtsp stigtsp Awaiting requested review from stigtsp

@ttuegel ttuegel Awaiting requested review from ttuegel

Assignees

No one assigned

Labels

6.topic: nixos Issues or PRs affecting NixOS modules, or package usability issues specific to NixOS 8.has: module (update) This PR changes an existing module in `nixos/` 8.has: package (new) This PR adds a new package 10.rebuild-darwin: 0 This PR does not cause any packages to rebuild on Darwin. 10.rebuild-linux: 501+ This PR causes many rebuilds on Linux and should normally target the staging branches. 10.rebuild-linux: 5001+ This PR causes many rebuilds on Linux and must target the staging branches.

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@dasJ @ajs124 @worldofpeace