NixOS · mweinelt · Apr 23, 2025 · Apr 21, 2025 · Apr 22, 2025 · Apr 22, 2025
diff --git a/maintainers/team-list.nix b/maintainers/team-list.nix
@@ -68,6 +68,16 @@ with lib.maintainers;
     ];
   };
 
+  apparmor = {
+    scope = "AppArmor-related modules, userspace tool packages and profiles";
+    shortName = "apparmor";
+    members = [
+      julm
+      thoughtpolice
+      grimmauld
+    ];
+  };
+
   bazel = {
     members = [
       mboes

diff --git a/nixos/modules/security/apparmor.nix b/nixos/modules/security/apparmor.nix
@@ -172,7 +172,7 @@ in
               logfiles = /dev/stdin
 
               parser = ${pkgs.apparmor-parser}/bin/apparmor_parser
-              ldd = ${pkgs.glibc.bin}/bin/ldd
+              ldd = ${lib.getExe' pkgs.stdenv.cc.libc "ldd"}
               logger = ${pkgs.util-linux}/bin/logger
 
               # customize how file ownership permissions are presented
@@ -275,8 +275,5 @@ in
     };
   };
 
-  meta.maintainers = with lib.maintainers; [
-    julm
-    grimmauld
-  ];
+  meta.maintainers = lib.teams.apparmor.members;
 }
diff --git a/pkgs/by-name/ap/apparmor-bin-utils/package.nix b/pkgs/by-name/ap/apparmor-bin-utils/package.nix
@@ -0,0 +1,53 @@
+{
+  lib,
+  stdenv,
+  pkg-config,
+  which,
+  buildPackages,
+
+  # apparmor deps
+  libapparmor,
+
+  # testing
+  perl,
+}:
+stdenv.mkDerivation {
+  pname = "apparmor-bin-utils";
+  inherit (libapparmor)
+    version
+    src
+    ;
+
+  sourceRoot = "${libapparmor.src.name}/binutils";
+
+  nativeBuildInputs = [
+    pkg-config
+    libapparmor
+    which
+  ];
+
+  buildInputs = [
+    libapparmor
+  ];
+
+  makeFlags = [
+    "LANGS="
+    "USE_SYSTEM=1"
+    "POD2MAN=${lib.getExe' buildPackages.perl "pod2man"}"
+    "POD2HTML=${lib.getExe' buildPackages.perl "pod2html"}"
+    "MANDIR=share/man"
+  ];
+
+  doCheck = true;
+  checkInputs = [ perl ];
+
+  installFlags = [
+    "DESTDIR=$(out)"
+    "BINDIR=$(out)/bin"
+    "SBINDIR=$(out)/bin"
+  ];
+
+  meta = libapparmor.meta // {
+    description = "Mandatory access control system - binary user-land utilities";
+  };
+}
diff --git a/pkgs/by-name/ap/apparmor-pam/package.nix b/pkgs/by-name/ap/apparmor-pam/package.nix
@@ -0,0 +1,40 @@
+{
+  stdenv,
+  pkg-config,
+  which,
+  pam,
+
+  # apparmor deps
+  libapparmor,
+}:
+stdenv.mkDerivation {
+  pname = "apparmor-pam";
+  inherit (libapparmor)
+    version
+    src
+    ;
+
+  postPatch = ''
+    substituteInPlace Makefile \
+      --replace-fail "pkg-config" "$PKG_CONFIG"
+  '';
+
+  nativeBuildInputs = [
+    pkg-config
+    which
+  ];
+
+  buildInputs = [
+    libapparmor
+    pam
+  ];
+
+  sourceRoot = "${libapparmor.src.name}/changehat/pam_apparmor";
+
+  makeFlags = [ "USE_SYSTEM=1" ];
+  installFlags = [ "DESTDIR=$(out)" ];
+
+  meta = libapparmor.meta // {
+    description = "Mandatory access control system - PAM service";
+  };
+}
diff --git a/...nux/apparmor/fix-rc.apparmor.functions.sh → ...armor-parser/fix-rc.apparmor.functions.sh b/...nux/apparmor/fix-rc.apparmor.functions.sh → ...armor-parser/fix-rc.apparmor.functions.sh
diff --git a/pkgs/by-name/ap/apparmor-parser/package.nix b/pkgs/by-name/ap/apparmor-parser/package.nix
@@ -0,0 +1,75 @@
+{
+  lib,
+  stdenv,
+  which,
+  flex,
+  bison,
+  linuxHeaders ? stdenv.cc.libc.linuxHeaders,
+  buildPackages,
+
+  # apparmor deps
+  libapparmor,
+
+  # testing
+  perl,
+  python3,
+  bashInteractive,
+}:
+stdenv.mkDerivation (finalAttrs: {
+  pname = "apparmor-parser";
+  inherit (libapparmor) version src;
+
+  postPatch = ''
+    patchShebangs .
+    cd parser
+
+    substituteInPlace Makefile \
+      --replace-fail "/usr/include/linux/capability.h" "${linuxHeaders}/include/linux/capability.h"
+    substituteInPlace rc.apparmor.functions \
+      --replace-fail "/sbin/apparmor_parser" "$out/bin/apparmor_parser" # FIXME
+    substituteInPlace rc.apparmor.functions \
+      --replace-fail "/usr/sbin/aa-status" '$(which aa-status)'
+    sed -i rc.apparmor.functions -e '2i . ${./fix-rc.apparmor.functions.sh}'
+  '';
+
+  nativeBuildInputs = [
+    bison
+    flex
+    which
+  ];
+
+  buildInputs = [ libapparmor ];
+
+  makeFlags = [
+    "LANGS="
+    "USE_SYSTEM=1"
+    "INCLUDEDIR=${libapparmor}/include"
+    "AR=${stdenv.cc.bintools.targetPrefix}ar"
+    "POD2MAN=${lib.getExe' buildPackages.perl "pod2man"}"
+    "POD2HTML=${lib.getExe' buildPackages.perl "pod2html"}"
+    "MANDIR=share/man"
+  ] ++ lib.optional finalAttrs.doCheck "PROVE=${lib.getExe' perl "prove"}";
+
+  installFlags = [
+    "DESTDIR=$(out)"
+    "DISTRO=unknown"
+  ];
+
+  preCheck = "pushd ./tst";
+
+  checkTarget = "tests";
+
+  postCheck = "popd";
+
+  doCheck = stdenv.hostPlatform == stdenv.buildPlatform && !stdenv.hostPlatform.isMusl;
+  checkInputs = [
+    bashInteractive
+    perl
+    python3
+  ];
+
+  meta = libapparmor.meta // {
+    description = "Mandatory access control system - core library";
+    mainProgram = "apparmor_parser";
+  };
+})
diff --git a/pkgs/by-name/ap/apparmor-profiles/package.nix b/pkgs/by-name/ap/apparmor-profiles/package.nix
@@ -0,0 +1,42 @@
+{
+  stdenv,
+  which,
+  callPackage,
+
+  # apparmor deps
+  libapparmor,
+  apparmor-parser,
+  apparmor-utils,
+}:
+stdenv.mkDerivation {
+  pname = "apparmor-profiles";
+  inherit (libapparmor) version src;
+
+  sourceRoot = "${libapparmor.src.name}/profiles";
+
+  nativeBuildInputs = [ which ];
+
+  installFlags = [
+    "DESTDIR=$(out)"
+    "EXTRAS_DEST=$(out)/share/apparmor/extra-profiles"
+  ];
+
+  checkTarget = "check";
+
+  checkInputs = [
+    apparmor-parser
+    apparmor-utils
+  ];
+
+  preCheck = ''
+    export USE_SYSTEM=1
+    export LOGPROF="aa-logprof --configdir ${callPackage ./test_config.nix { }} --no-check-mountpoint"
+  '';
+
+  doCheck = true;
+
+  meta = libapparmor.meta // {
+    description = "Mandatory access control system - profiles";
+    mainProgram = "apparmor_parser";
+  };
+}
diff --git a/pkgs/by-name/ap/apparmor-profiles/test_config.nix b/pkgs/by-name/ap/apparmor-profiles/test_config.nix
@@ -0,0 +1,47 @@
+{
+  lib,
+  runCommand,
+  util-linux,
+  stdenv,
+  runtimeShell,
+  bashInteractive,
+
+  # apparmor deps
+  libapparmor,
+  apparmor-parser,
+}:
+(runCommand "logprof_conf"
+  {
+    header = ''
+      [settings]
+        # /etc/apparmor.d/ is read-only on NixOS
+        profiledir = /var/cache/apparmor/logprof
+        inactive_profiledir = /etc/apparmor.d/disable
+        # Use: journalctl -b --since today --grep audit: | aa-logprof
+        logfiles = /dev/stdin
+
+        parser = ${lib.getExe apparmor-parser}
+        ldd = ${lib.getExe' stdenv.cc.libc "ldd"}
+        logger = ${util-linux}/bin/logger
+
+        # customize how file ownership permissions are presented
+        # 0 - off
+        # 1 - default of what ever mode the log reported
+        # 2 - force the new permissions to be user
+        # 3 - force all perms on the rule to be user
+        default_owner_prompt = 1
+
+      [qualifiers]
+        ${runtimeShell} = icnu
+        ${bashInteractive}/bin/sh = icnu
+        ${bashInteractive}/bin/bash = icnu
+    '';
+    passAsFile = [ "header" ];
+  }
+  ''
+    mkdir $out
+    cp $headerPath $out/logprof.conf
+    ln -s ${libapparmor.src}/utils/severity.db $out/severity.db
+    sed '1,/\[qualifiers\]/d' ${libapparmor.src}/utils/logprof.conf >> $out/logprof.conf
+  ''
+)
diff --git a/pkgs/by-name/ap/apparmor-teardown/package.nix b/pkgs/by-name/ap/apparmor-teardown/package.nix
@@ -0,0 +1,33 @@
+{
+  writeShellApplication,
+  coreutils,
+  gnused,
+  gnugrep,
+  which,
+
+  # apparmor deps
+  apparmor-parser,
+  apparmor-bin-utils,
+  libapparmor,
+}:
+writeShellApplication {
+  name = "apparmor-teardown";
+  runtimeInputs = [
+    apparmor-parser
+    apparmor-bin-utils
+    coreutils
+    gnused
+    gnugrep
+    which
+  ];
+
+  text = ''
+    set +e # the imported script tries to `read` an empty line
+    # shellcheck source=/dev/null
+    . ${apparmor-parser}/lib/apparmor/rc.apparmor.functions
+    remove_profiles
+    exit 0
+  '';
+
+  inherit (libapparmor) meta;
+}