nixos/apparmor: policy activation tristate and policy path support

[LordGrimmauld]

AppArmor profiles are files written to /etc/apparmor.d/<name>. Previously, profiles were defined with a string and written to a store entry, then linked into the etc path. However, this makes little sense if one wants to use profiles that are already files in the nix store, e.g. when using rules from roddhjav-apparmor-rules (which is absolutely broken currently, but that is a different topic; PR for that coming eventually). This change in the module exposes an option security.apparmor.policies.<name>.path with which a path to a profile can be directly symlinked into the apparmor directory, without first reading and rewriting that file into nix store again. This should boost nixos eval times on systems using prebuilt apparmor rules and makes prebuilding/caching apparmor rulesets via nix possible.

AppArmor profiles always fall within a tristate of enable, disable, complain. It makes no sense to have two boolean options instead of a neat enum config for the tristate. Therefore, i added that tristate, removing the two bools in the process.

The apparmor nixos test breaks often. While testing this PR, i noticed the test failing on master/nixos-unstable too. Therefore, i included a fix to the nixos test.

Yes, the two removed bools are a breaking change. However, the path option addition is inert, it does not break definitions of apparmor policies defined via string.

Things done

• Built on platform(s)
  • x86_64-linux
  • aarch64-linux
  • x86_64-darwin
  • aarch64-darwin
• For non-Linux: Is sandboxing enabled in nix.conf? (See Nix manual)
  • sandbox = relaxed
  • sandbox = true
• Tested, as applicable:
  • NixOS test(s) (look inside nixos/tests)
  • and/or package tests
  • or, for functions and "core" functionality, tests in lib/tests or pkgs/test
  • made sure NixOS tests are linked to the relevant packages
• Tested compilation of all packages that depend on this change using nix-shell -p nixpkgs-review --run "nixpkgs-review rev HEAD". Note: all changes have to be committed, also see nixpkgs-review usage
• Tested basic functionality of all binary files (usually in ./result/bin/)
• 25.05 Release Notes (or backporting 24.11 and 25.05 Release notes)
  • (Package updates) Added a release notes entry if the change is major or breaking
  • (Module updates) Added a release notes entry if the change is significant
  • (Module addition) Added a release notes entry if adding a new NixOS module
• Fits CONTRIBUTING.md.

---

Add a 👍 reaction to pull requests you find important.

[nixos-discourse]

This pull request has been mentioned on NixOS Discourse. There might be relevant details there:

https://discourse.nixos.org/t/apparmor-default-profiles/16780/8

[symphorien]

do you think you could test your options in the nixos test?

[LordGrimmauld]

Thank you for the feedback! I'll take a look at more explicit nixos tests also testing the new logic. Your points about wording of docs/descriptions is entirely fair.

[symphorien]

Thank you for the improved nixos test. Do you think you could add a profile in enforce mode for a third tool (say, hexdump) and check that it really gets permission denied/crashes when trying to access files beyond what its profile allows ? That would be a good integration test that apparmor works.

[LordGrimmauld]

Alright. I had a go at completely refactoring the apparmor nixos tests.
Things done:

• nixfmt on apparmor test
• move apparmor test to nixos/tests/apparmor directory
• expected profile contents are now generated in its own file to make the test file less confusing and hard to maintain
• enforce/complain is now being tested via diff of expected against aa-status
• path is now tested against diff+file checking symlink target of /etc/static/apparmor.d/<name>
• profile is now checked by diff of /etc/static/apparmor.d/<name> against original string added in nix config
• test still successfully passes

[LordGrimmauld]

fair point in seeing something crash! Will add a test case for hello succeeding and hexdump failing.

[LordGrimmauld]

Alright, i managed to add a failing test case for hexdump and a succeeding testcase for hello.

[LordGrimmauld]

Since assertions don't really exist in submodules, we can instead create these assertions from the top-level context by mapping over each policy (we can also simplify this assertion with an XOR operator)

@getchoo you are missing one relevant detail here: The current assert runs in the apply function. This is relevant, because querrying the policy path from outside will always return a path (returned by apply), either taking the path defined in path or writing the policy to store and returning that path.
This is relevant, because this means you can't easily check for null/undefined of <policy>.path outside.

The alternative is dropping the apply function and inlining it wherever the actual path is required. I did not do this because the previous module using apply. I also figured it'd break peoples configs less hard if behavior stayed roughly similar (previously, you could query the policy path by using policy.profile to read).

I am willing to change the assert to a module-global assert instead of specifically in the submodule. I did want to confirm though, because your requested changes alone wouldn't work.

[nixos-discourse]

This pull request has been mentioned on NixOS Discourse. There might be relevant details there:

https://discourse.nixos.org/t/apparmor-on-nixos-roadmap/57217/1

[LordGrimmauld]

Alright, my new ram arrived, i ran nixpkgs-review (which this passed) and fixed the merge conflicts (again). I believe this is ready.

[getchoo]

LGTM. Thanks for all of your work here!

[getchoo]

@ofborg test apparmor

[LordGrimmauld]

I am confused, why are ofborg eval and eval-lib-tests failing on gnome circle things? this PR doesn't even touch those... But at least the apparmor nixos test passes, and the new github actions to replace ofborg pass too

[mweinelt]

They were probably failing on the base commit at the time that ofborg merged your changes against master to test eval.

[LordGrimmauld]

i fixed merge conflicts (again).
I also noticed the test being flaky because hexdump wouldn't match the profile properly, fixed by matching against /nix/store/*/bin/hexdump for now.

[getchoo]

@ofborg test apparmor
And feel free to ping me in a couple days if there are no other reviews :)

[symphorien]

Thank you!