nixos/incus: add AppArmor rules (#386060)

2025-04-01 12:51:34 -04:00 · 2025-04-01 12:51:34 -04:00 · 62d611a22b
commit 62d611a22b
parent bd85f316be f6128c6050
3 changed files with 44 additions and 1 deletions
--- a/nixos/modules/virtualisation/incus.nix
+++ b/nixos/modules/virtualisation/incus.nix
@ -338,7 +338,40 @@ in
        "lxc-containers".profile = ''
          include ${cfg.lxcPackage}/etc/apparmor.d/lxc-containers
        '';
+        "incusd".profile = ''
+          # This profile allows everything and only exists to give the
+          # application a name instead of having the label "unconfined"
+
+          abi <abi/4.0>,
+          include <tunables/global>
+
+          profile incusd ${lib.getExe' config.virtualisation.incus.package "incusd"} flags=(unconfined) {
+            userns,
+            </var/lib/incus/security/apparmor/cache>
+            </var/lib/incus/security/apparmor/profiles>
+
+            # Site-specific additions and overrides. See local/README for details.
+            include if exists <local/incusd>
+          }
+        '';
      };
+      includes."abstractions/base" =
+        ''
+          # Allow incusd's various AA profiles to load dynamic libraries from Nix store
+          # https://discuss.linuxcontainers.org/t/creating-new-containers-vms-blocked-by-apparmor-on-nixos/21908/6
+          mr /nix/store/*/lib/*.so*,
+          r ${pkgs.stdenv.cc.libc}/lib/gconv/gconv-modules,
+          r ${pkgs.stdenv.cc.libc}/lib/gconv/gconv-modules.d/,
+          r ${pkgs.stdenv.cc.libc}/lib/gconv/gconv-modules.d/gconv-modules-extra.conf,
+
+          # Support use of VM instance
+          mrix ${pkgs.qemu_kvm}/bin/*,
+          k ${OVMF2MB.fd}/FV/*.fd,
+          k ${pkgs.OVMFFull.fd}/FV/*.fd,
+        ''
+        + lib.optionalString pkgs.stdenv.hostPlatform.isx86_64 ''
+          k ${pkgs.seabios-qemu}/share/seabios/bios.bin,
+        '';
    };

    systemd.services.incus = {
--- a/nixos/tests/incus/default.nix
+++ b/nixos/tests/incus/default.nix
@ -44,6 +44,12 @@ in

  zfs = incusTest {
    inherit lts pkgs system;
-    storageLvm = true;
+    storageZfs = true;
+  };
+
+  appArmor = incusTest {
+    inherit lts pkgs system;
+    appArmor = true;
+    allTests = true;
  };
 }
--- a/nixos/tests/incus/incus-tests.nix
+++ b/nixos/tests/incus/incus-tests.nix
@ -7,6 +7,7 @@ import ../make-test-python.nix (

    allTests ? false,

+    appArmor ? false,
    featureUser ? allTests,
    initLegacy ? true,
    initSystemd ? true,
@ -139,6 +140,9 @@ import ../make-test-python.nix (
      networking.hostId = "01234567";
      networking.firewall.trustedInterfaces = [ "incusbr0" ];

+      security.apparmor.enable = appArmor;
+      services.dbus.apparmor = (if appArmor then "enabled" else "disabled");
+
      services.lvm = {
        boot.thin.enable = storageLvm;
        dmeventd.enable = storageLvm;