Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

dbus: Add AppArmor support #102537

Merged
merged 2 commits into from
Nov 18, 2020
Merged

dbus: Add AppArmor support #102537

merged 2 commits into from
Nov 18, 2020

Conversation

dasJ
Copy link
Member

@dasJ dasJ commented Nov 2, 2020

Motivation for this change

I'd like to do AppArmor mediation on dbus.

Things done
  • Tested using sandboxing (nix.useSandbox on NixOS, or option sandbox in nix.conf on non-NixOS linux)
  • Built on platform(s)
    • NixOS
    • macOS
    • other Linux distributions
  • Tested via one or more NixOS test(s) if existing and applicable for the change (look inside nixos/tests)
  • Tested compilation of all pkgs that depend on this change using nix-shell -p nixpkgs-review --run "nixpkgs-review wip"
  • Tested execution of all binary files (usually in ./result/bin/)
  • Determined the impact on package closure size (by running nix path-info -S before and after)
  • Ensured that relevant documentation is up to date
  • Fits CONTRIBUTING.md.

@ofborg ofborg bot added 6.topic: nixos Issues or PRs affecting NixOS modules, or package usability issues specific to NixOS 8.has: module (update) This PR changes an existing module in `nixos/` labels Nov 2, 2020
@ajs124
Copy link
Member

ajs124 commented Nov 2, 2020

cc @ju1m (#101071)

@dasJ dasJ requested a review from worldofpeace November 8, 2020 13:38
@dasJ
Copy link
Member Author

dasJ commented Nov 8, 2020

@GrahamcOfBorg build dbus

worldofpeace
worldofpeace reviewed Nov 9, 2020
View reviewed changes
nixos/modules/services/system/dbus.nix Outdated
apparmor = mkOption {
type = types.enum [ true false "required" ];
description = "AppArmor mode for dbus";
default = true;
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

given that apparmor isn't on default why should this be?

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The default mode is "enabled". In "enabled" mode, AppArmor mediation will be performed if AppArmor support is available in the kernel. If it is not available, dbus-daemon will start but AppArmor mediation will not occur. In "disabled" mode, AppArmor mediation is disabled. In "required" mode, AppArmor mediation will be enabled if AppArmor support is available, otherwise dbus-daemon will refuse to start.

I think that is okay as a default or am I wrong here?

Copy link
Contributor

@worldofpeace worldofpeace Nov 9, 2020
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Interesting, we should for sure put that in the commit and code with some sort of link to the docs.
If we choose the default enabled, it will be the easiest for apparmor and non-apparmor users. If the support is in the kernel then it's on, which means that apparmor users don't have to switch a dbus option in configuration.nix. However, I don't see the apparmor module putting support into the kernel, from this line it shows me that the kernel already has it and just needs a kernel parameter https://github.com/NixOS/nixpkgs/blob/master/nixos/modules/security/apparmor.nix#L32. I would think that apparmor support in the kernel would also implicate checking for that kernel parameter (along with other things), but I would like to at least check the startup is "as expected" without the apparmor module enabled.

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I added some docs to the option.

I don't think linking to external docs is really helpful since you can either use the AppArmor GitLab which seems to be neither complete nor seems the link to be stable or you can use the dbus man page that doesn't allow direct linking to that list item since it's not a heading.

@worldofpeace worldofpeace requested a review from jtojnar November 9, 2020 02:02
@dasJ dasJ force-pushed the feat/dbus-apparmor branch from 7bc410f to 218700c Compare November 9, 2020 10:48
@ofborg ofborg bot requested a review from worldofpeace November 9, 2020 11:11
@dasJ dasJ force-pushed the feat/dbus-apparmor branch from 218700c to 3a4f2b5 Compare November 9, 2020 11:56
@dasJ dasJ changed the base branch from master to staging November 9, 2020 11:56
@dasJ
Copy link
Member Author

dasJ commented Nov 9, 2020

Rebased to staging since this seems to be a mass rebuild when it evaluates

@ofborg ofborg bot added 6.topic: GNOME GNOME desktop environment and its underlying platform 6.topic: haskell 6.topic: pantheon The Pantheon desktop environment 6.topic: python 6.topic: ruby labels Nov 9, 2020
@dasJ dasJ requested a review from ttuegel as a code owner November 17, 2020 20:57
@dasJ dasJ changed the base branch from staging-next to staging November 17, 2020 20:57
@dasJ
Copy link
Member Author

dasJ commented Nov 17, 2020

@worldofpeace Properly rebased (I hope?)

@dasJ dasJ force-pushed the feat/dbus-apparmor branch from 760e978 to e5e9887 Compare November 18, 2020 09:10
@dasJ
Copy link
Member Author

dasJ commented Nov 18, 2020

Took some time since I had to rebuild stdenv, but I successfully built this on macOS

@ofborg ofborg bot added 10.rebuild-darwin: 0 This PR does not cause any packages to rebuild on Darwin and removed 10.rebuild-darwin: 501+ 10.rebuild-darwin: 1001-2500 labels Nov 18, 2020
@worldofpeace worldofpeace merged commit c7b0aeb into NixOS:staging Nov 18, 2020
@worldofpeace
Copy link
Contributor

Took some time since I had to rebuild stdenv, but I successfully built this on macOS

Thanks alot. I've merged the PR ✨

@dasJ dasJ deleted the feat/dbus-apparmor branch November 18, 2020 10:45
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@jtojnar jtojnar Awaiting requested review from jtojnar

@worldofpeace worldofpeace Awaiting requested review from worldofpeace

@alyssais alyssais Awaiting requested review from alyssais

@cdepillabout cdepillabout Awaiting requested review from cdepillabout

@Ericson2314 Ericson2314 Awaiting requested review from Ericson2314

@FRidh FRidh Awaiting requested review from FRidh

@jonringer jonringer Awaiting requested review from jonringer

@matthewbauer matthewbauer Awaiting requested review from matthewbauer

@stigtsp stigtsp Awaiting requested review from stigtsp

@ttuegel ttuegel Awaiting requested review from ttuegel

Assignees
No one assigned
Labels
6.topic: nixos Issues or PRs affecting NixOS modules, or package usability issues specific to NixOS 8.has: module (update) This PR changes an existing module in `nixos/` 8.has: package (new) This PR adds a new package 10.rebuild-darwin: 0 This PR does not cause any packages to rebuild on Darwin 10.rebuild-linux: 501+ 10.rebuild-linux: 5001+
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@dasJ @ajs124 @worldofpeace