diff --git a/flake.nix b/flake.nix
index 2ca5a96..f6287ce 100644
--- a/flake.nix
+++ b/flake.nix
@@ -56,7 +56,7 @@
 ];
 };
 in {
- inherit (pkgs) gamescope;
+ inherit (pkgs) gamescope custom-apparmor-utils;
 };
 });
 }
diff --git a/packages/default.nix b/packages/default.nix
index ec6df6f..17a3a2f 100644
--- a/packages/default.nix
+++ b/packages/default.nix
@@ -90,4 +90,6 @@
 in {
 sddm-sugar-dark = prev.callPackage themes/sddm/sugar-dark {};
 gamescope = prev.callPackage temp/gamescope.nix {};
+
+ custom-apparmor-utils = prev.callPackage temp/apparmor-utils.nix {};
 }
diff --git a/packages/temp/apparmor-utils.nix b/packages/temp/apparmor-utils.nix
new file mode 100644
index 0000000..5190c2c
--- /dev/null
+++ b/packages/temp/apparmor-utils.nix
@@ -0,0 +1,101 @@
+{
+ fetchFromGitLab
+, stdenv, lib
+, makeWrapper, writeShellScript
+, which, bash, libapparmor, apparmor-parser, libnotify, perl, gawk, python3
+, coreutils, gnused, gnugrep
+}:
+
+let
+ apparmor-version = "3.0.4";
+ apparmor-sources = fetchFromGitLab {
+ owner = "apparmor";
+ repo = "apparmor";
+ rev = "v${apparmor-version}";
+ sha256 = "1a217j28rgfq4lsmpn0wv1xgmdr9ba8iysv9i6q477kj6z77zrb9";
+ };
+ apparmor-meta = component: with lib; {
+ homepage = "https://apparmor.net/";
+ description = "A mandatory access control system - ${component}";
+ license = licenses.gpl2;
+ maintainers = with maintainers; [ joachifm julm thoughtpolice ];
+ platforms = platforms.linux;
+ };
+ aa-teardown = writeShellScript "aa-teardown" ''
+ PATH="${lib.makeBinPath [coreutils gnused gnugrep]}:$PATH"
+ . ${apparmor-parser}/lib/apparmor/rc.apparmor.functions
+ remove_profiles
+ '';
+
+ setupPython = python3.withPackages (ps: with ps; [ setuptools ]);
+ prePatchCommon = ''
+ chmod a+x ./common/list_capabilities.sh ./common/list_af_names.sh
+ patchShebangs ./common/list_capabilities.sh ./common/list_af_names.sh
+ substituteInPlace ./common/Make.rules \
+ --replace "/usr/bin/pod2man" "${perl}/bin/pod2man" \
+ --replace "/usr/bin/pod2html" "${perl}/bin/pod2html" \
+ --replace "/usr/share/man" "share/man"
+ substituteInPlace ./utils/Makefile \
+ --replace "/usr/include/linux/capability.h" "${stdenv.cc.libc.linuxHeaders}/include/linux/capability.h"
+
+ sed --in-place ./utils/Makefile -e 's|''${PYTHON}|${setupPython}/bin/python|g'
+
+ cat ./utils/Makefile
+ '';
+in stdenv.mkDerivation {
+ pname = "apparmor-utils";
+ version = apparmor-version;
+
+ src = apparmor-sources;
+
+ strictDeps = true;
+
+ nativeBuildInputs = [ makeWrapper which python3 ];
+
+ buildInputs = [
+ bash
+ perl
+ python3
+ libapparmor
+ libapparmor.python
+ ];
+
+ prePatch = prePatchCommon +
+ # Do not build vim file
+ ''
+ sed -i ./utils/Makefile -e "/\/d"
+ '' + ''
+ for file in utils/apparmor/easyprof.py utils/apparmor/aa.py utils/logprof.conf; do
+ substituteInPlace $file --replace "/sbin/apparmor_parser" "${apparmor-parser}/bin/apparmor_parser"
+ done
+ '';
+ postPatch = "cd ./utils";
+ makeFlags = [ "LANGS=" ];
+ installFlags = [ "DESTDIR=$(out)" "BINDIR=$(out)/bin" "VIM_INSTALL_PATH=$(out)/share" "PYPREFIX=" ];
+
+ preInstall = ''
+ ls -l
+ '';
+
+ postInstall = ''
+ sed -i $out/bin/aa-unconfined -e "/my_env\['PATH'\]/d"
+ for prog in aa-audit aa-autodep aa-cleanprof aa-complain aa-disable aa-enforce aa-genprof aa-logprof aa-mergeprof aa-unconfined ; do
+ wrapProgram $out/bin/$prog --prefix PYTHONPATH : "$out/${python3.sitePackages}:$PYTHONPATH"
+ done
+
+ substituteInPlace $out/bin/aa-notify \
+ --replace /usr/bin/notify-send ${libnotify}/bin/notify-send \
+ --replace /usr/bin/perl "${perl}/bin/perl -I ${libapparmor}/${perl.libPrefix}"
+
+ substituteInPlace $out/bin/aa-remove-unknown \
+ --replace "/lib/apparmor/rc.apparmor.functions" "${apparmor-parser}/lib/apparmor/rc.apparmor.functions"
+ wrapProgram $out/bin/aa-remove-unknown \
+ --prefix PATH : ${lib.makeBinPath [ gawk ]}
+
+ ln -s ${aa-teardown} $out/bin/aa-teardown
+ '';
+
+ doCheck = false;
+
+ meta = apparmor-meta "user-land utilities";
+}
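Review bot: The Makefile edit under `# Do not build vim file`, `sed -i ./utils/Makefile -e "/\/d"`, is not a well-formed sed script as shown — `\/` escapes the only slash that could close the address, so sed should reject the expression rather than drop the vim target; if the pattern originally read `"/\<vim\>/d"` and the angle brackets were lost in rendering, restore them, otherwise prePatch needs fixing before this builds. Two edits in postInstall weaken or obscure the tools' runtime environment and deserve either a comment or a tighter form: the `sed` that deletes `my_env['PATH']` from aa-unconfined removes upstream's fixed search path, so a tool that is normally run as root now resolves its helper binaries from the invoking user's PATH, which a `--prefix PATH :` wrap like the one given to aa-remove-unknown would pin; and `--prefix PYTHONPATH : "$out/${python3.sitePackages}:$PYTHONPATH"` is expanded by the build shell, so whatever PYTHONPATH the setup hooks exported is baked into the wrapper, and if it was empty the trailing `:` leaves an empty sys.path element (the current directory) — naming `${libapparmor.python}`'s site-packages explicitly would be more predictable. `cat ./utils/Makefile` in prePatchCommon and the `ls -l` in preInstall look like debugging leftovers that only add noise to the build log. `doCheck = false;` should state its reason, e.g. `# TODO(review): record why the upstream utils test suite cannot run in this build`.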