Merge pull request #102537 from helsinki-systems/feat/dbus-apparmor
dbus: Add AppArmor support
This commit is contained in:
commit
c7b0aeb0d3
6 changed files with 35 additions and 5 deletions
|
@ -11,6 +11,7 @@ let
|
|||
homeDir = "/run/dbus";
|
||||
|
||||
configDir = pkgs.makeDBusConf {
|
||||
inherit (cfg) apparmor;
|
||||
suidHelper = "${config.security.wrapperDir}/dbus-daemon-launch-helper";
|
||||
serviceDirectories = cfg.packages;
|
||||
};
|
||||
|
@ -51,6 +52,20 @@ in
|
|||
'';
|
||||
};
|
||||
|
||||
apparmor = mkOption {
|
||||
type = types.enum [ "enabled" "disabled" "required" ];
|
||||
description = ''
|
||||
AppArmor mode for dbus.
|
||||
|
||||
<literal>enabled</literal> enables mediation when it's
|
||||
supported in the kernel, <literal>disabled</literal>
|
||||
always disables AppArmor even with kernel support, and
|
||||
<literal>required</literal> fails when AppArmor was not found
|
||||
in the kernel.
|
||||
'';
|
||||
default = "disabled";
|
||||
};
|
||||
|
||||
socketActivated = mkOption {
|
||||
type = types.nullOr types.bool;
|
||||
default = null;
|
||||
|
|
|
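Review bot: The new `apparmor` option in the second hunk defaults to `"disabled"`, so D-Bus mediation stays off even on a host that has turned on the NixOS AppArmor module, and the description does not say so. A default derived from the existing option would match the stated intent, e.g. `default = if config.security.apparmor.enable then "enabled" else "disabled";` together with a matching `defaultText`, leaving `"required"` as an explicit opt-in. The description could also spell out the failure mode of `required` — presumably dbus-daemon refuses to start, which for the system bus affects boot — so the trade-off is visible to the reader. The `let` binding in the first hunk and the options attribute set in the second both continue outside their hunks.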
@ -5,6 +5,8 @@
|
|||
, expat
|
||||
, enableSystemd ? stdenv.isLinux && !stdenv.hostPlatform.isMusl
|
||||
, systemd
|
||||
, audit
|
||||
, libapparmor
|
||||
, libX11 ? null
|
||||
, libICE ? null
|
||||
, libSM ? null
|
||||
|
@ -70,7 +72,8 @@ stdenv.mkDerivation rec {
|
|||
libX11
|
||||
libICE
|
||||
libSM
|
||||
] ++ lib.optional enableSystemd systemd;
|
||||
] ++ lib.optional enableSystemd systemd
|
||||
++ lib.optionals (!stdenv.isDarwin) [ audit libapparmor ];
|
||||
# ToDo: optional selinux?
|
||||
|
||||
configureFlags = [
|
||||
|
@ -86,7 +89,8 @@ stdenv.mkDerivation rec {
|
|||
"--with-system-socket=/run/dbus/system_bus_socket"
|
||||
"--with-systemdsystemunitdir=${placeholder ''out''}/etc/systemd/system"
|
||||
"--with-systemduserunitdir=${placeholder ''out''}/etc/systemd/user"
|
||||
] ++ lib.optional (!x11Support) "--without-x";
|
||||
] ++ lib.optional (!x11Support) "--without-x"
|
||||
++ lib.optionals (!stdenv.isDarwin) [ "--enable-apparmor" "--enable-libaudit" ];
|
||||
|
||||
# Enable X11 autolaunch support in libdbus. This doesn't actually depend on X11
|
||||
# (it just execs dbus-launch in dbus.tools), contrary to what the configure script demands.
|
||||
|
|
|
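Review bot: The platform guard in the second and third hunks, `lib.optionals (!stdenv.isDarwin) [ audit libapparmor ]` and the matching `"--enable-apparmor" "--enable-libaudit"` flags, gates on "not Darwin" while both libraries are Linux-only, so any other non-Linux host platform would try to pull them in; `stdenv.isLinux` is the tighter test and is already the convention on this file's `enableSystemd ? stdenv.isLinux` line in the first hunk. Exposing them as `enableAppArmor ? stdenv.isLinux` and `enableLibaudit ? stdenv.isLinux` parameters next to `enableSystemd` would also let callers build without the extra link-time dependencies. The `buildInputs` list and the `configureFlags` list both start before their hunks.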
@ -1,6 +1,7 @@
|
|||
{ runCommand, writeText, libxslt, dbus
|
||||
, serviceDirectories ? []
|
||||
, suidHelper ? "/var/setuid-wrappers/dbus-daemon-launch-helper"
|
||||
, apparmor ? "disabled" # one of enabled, disabled, required
|
||||
}:
|
||||
|
||||
/* DBus has two configuration parsers -- normal and "trivial", which is used
|
||||
|
@ -10,7 +11,7 @@
|
|||
*/
|
||||
runCommand "dbus-1"
|
||||
{
|
||||
inherit serviceDirectories suidHelper;
|
||||
inherit serviceDirectories suidHelper apparmor;
|
||||
preferLocalBuild = true;
|
||||
allowSubstitutes = false;
|
||||
XML_CATALOG_FILES = writeText "dbus-catalog.xml" ''
|
||||
|
@ -33,10 +34,12 @@ runCommand "dbus-1"
|
|||
xsltproc --nonet \
|
||||
--stringparam serviceDirectories "$serviceDirectories" \
|
||||
--stringparam suidHelper "$suidHelper" \
|
||||
--stringparam apparmor "$apparmor" \
|
||||
${./make-system-conf.xsl} ${dbus}/share/dbus-1/system.conf \
|
||||
> $out/system.conf
|
||||
xsltproc --nonet \
|
||||
--stringparam serviceDirectories "$serviceDirectories" \
|
||||
--stringparam apparmor "$apparmor" \
|
||||
${./make-session-conf.xsl} ${dbus}/share/dbus-1/session.conf \
|
||||
> $out/session.conf
|
||||
''
|
||||
|
|
|
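Review bot: The new `apparmor ? "disabled"` argument in the first hunk is passed through `--stringparam apparmor "$apparmor"` in the third hunk without any validation; the `# one of enabled, disabled, required` comment documents the accepted values but nothing enforces them at this layer, so a caller that bypasses the NixOS module's enum (any direct use of `makeDBusConf`) can generate a configuration that dbus-daemon presumably rejects only at startup. An assertion placed before `runCommand "dbus-1"`, `assert builtins.elem apparmor [ "enabled" "disabled" "required" ];`, turns that into an evaluation-time error with a clear location. The `runCommand` body continues past the third hunk.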
@ -15,12 +15,16 @@
|
|||
<xsl:output method='xml' encoding="UTF-8" doctype-system="busconfig.dtd" />
|
||||
|
||||
<xsl:param name="serviceDirectories" />
|
||||
<xsl:param name="apparmor" />
|
||||
|
||||
<xsl:template match="/busconfig">
|
||||
<busconfig>
|
||||
<!-- We leave <standard_session_servicedirs/> because it includes XDG dirs and therefore user Nix profile. -->
|
||||
<xsl:copy-of select="child::node()[name() != 'include' and name() != 'servicedir' and name() != 'includedir']" />
|
||||
|
||||
<!-- configure AppArmor -->
|
||||
<apparmor mode="{$apparmor}"/>
|
||||
|
||||
<xsl:for-each select="str:tokenize($serviceDirectories)">
|
||||
<servicedir><xsl:value-of select="." />/share/dbus-1/services</servicedir>
|
||||
<includedir><xsl:value-of select="." />/etc/dbus-1/session.d</includedir>
|
||||
|
|
|
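Review bot: `<xsl:param name="apparmor" />` has no default, so a stylesheet invocation that omits `--stringparam apparmor` yields `<apparmor mode=""/>`, which dbus-daemon presumably refuses rather than treating as "disabled". Giving the parameter a safe default, `<xsl:param name="apparmor" select="'disabled'" />`, keeps the generated file loadable; the same applies to the identical declaration in the system-conf stylesheet in the next file section. Separately, the `<xsl:copy-of>` select on the template's first line keeps any `<apparmor>` element present in the upstream session.conf, so if one is ever added there it would sit next to the generated one — excluding it with `and name() != 'apparmor'` makes the generated element authoritative. The template continues past the hunk.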
@ -16,11 +16,15 @@
|
|||
|
||||
<xsl:param name="serviceDirectories" />
|
||||
<xsl:param name="suidHelper" />
|
||||
<xsl:param name="apparmor" />
|
||||
|
||||
<xsl:template match="/busconfig">
|
||||
<busconfig>
|
||||
<xsl:copy-of select="child::node()[name() != 'include' and name() != 'standard_system_servicedirs' and name() != 'servicehelper' and name() != 'servicedir' and name() != 'includedir']" />
|
||||
|
||||
<!-- configure AppArmor -->
|
||||
<apparmor mode="{$apparmor}"/>
|
||||
|
||||
<!-- set suid helper -->
|
||||
<servicehelper><xsl:value-of select="$suidHelper" /></servicehelper>
|
||||
|
||||
|
|
|
@ -12471,9 +12471,9 @@ in
|
|||
dbus-sharp-glib-1_0 = callPackage ../development/libraries/dbus-sharp-glib/dbus-sharp-glib-1.0.nix { };
|
||||
dbus-sharp-glib-2_0 = callPackage ../development/libraries/dbus-sharp-glib { };
|
||||
|
||||
makeDBusConf = { suidHelper, serviceDirectories }:
|
||||
makeDBusConf = { suidHelper, serviceDirectories, apparmor }:
|
||||
callPackage ../development/libraries/dbus/make-dbus-conf.nix {
|
||||
inherit suidHelper serviceDirectories;
|
||||
inherit suidHelper serviceDirectories apparmor;
|
||||
};
|
||||
|
||||
dee = callPackage ../development/libraries/dee { };
|
||||
|
|
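Review bot: `makeDBusConf = { suidHelper, serviceDirectories, apparmor }:` makes `apparmor` a required argument of the wrapper while the underlying make-dbus-conf.nix defaults it to `"disabled"`, so any existing caller of `pkgs.makeDBusConf` outside this tree now fails with a missing-argument error. Declaring it as `apparmor ? "disabled"` in the wrapper's argument set keeps the call backward compatible and consistent with the default in the file it wraps; the `inherit suidHelper serviceDirectories apparmor;` line then needs no change.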