authorNoƩ Lopez <noelopez@free.fr>2025-12-08 16:39:11 +0100
committerRutherther <rutherther@ditigal.xyz>2025-12-22 22:48:57 +0100
commit587fd2dad49d8af3f31d06e29ff43c986d6f35c4 (patch)
tree83caa58ed08acc6dae900f219d4c7bcfb5927cc7 /etc/apparmor.d
parent9a78e760762c1d93369e765bdce12388e1662ec6 (diff)
etc: Add AppArmor profile for the daemon.
* .gitignore: Add etc/apparmor.d/tunables/guix. * Makefile.am (nodist_apparmor_profile_DATA) (nodist_apparmor_profile_tunables_DATA): Define it. * configure.ac: Generate etc/apparmor.d/tunables/guix. Add --with-apparmor-profile-dir option. * etc/apparmor.d/guix-daemon: New file. * etc/apparmor.d/tunables/guix.in: New file. * doc/guix.texi: Document AppArmor profiles. * gnu/packages/package-management.scm (guix): Add future changes commented. Change-Id: Iac7df9d642383cc46a2d450c3badef31199ab041 Signed-off-by: Rutherther <rutherther@ditigal.xyz>
Diffstat (limited to 'etc/apparmor.d')
-rw-r--r--etc/apparmor.d/guix-daemon88
-rw-r--r--etc/apparmor.d/tunables/guix.in5
2 files changed, 93 insertions, 0 deletions
diff --git a/etc/apparmor.d/guix-daemon b/etc/apparmor.d/guix-daemon
new file mode 100644
index 00000000000..cb1ee92685c
--- /dev/null
+++ b/etc/apparmor.d/guix-daemon
@@ -0,0 +1,88 @@
+abi <abi/4.0>,
+
+include <tunables/global>
+include <tunables/guix>
+
+profile guix-daemon @{guix_storedir}/*-{guix-daemon,guix}-*/bin/guix-daemon flags=(enforce,attach_disconnected.path=/disconnected) {
+ include <abstractions/base>
+
+ userns,
+ signal,
+ capability sys_admin,
+ capability net_admin,
+ capability sys_chroot,
+ capability setgid,
+ capability chown,
+ network dgram,
+ umount,
+ mount,
+ pivot_root,
+ # Paths inside build chroot
+ /real-root/ w,
+ / w,
+
+ @{guix_localstatedir}/guix/** rwk,
+ /var/log/guix/** w,
+ owner @{PROC}/@{pid}/{fd/,environ} r,
+ owner @{PROC}/@{pid}/oom_score_adj w,
+ owner @{PROC}/@{pid}/uid_map rw,
+ owner @{PROC}/@{pid}/gid_map rw,
+ owner @{PROC}/@{pid}/setgroups w,
+ @{guix_storedir}/ r,
+ @{guix_storedir}/** rwlmk,
+ @{guix_storedir}/*/bin/guile cx -> guix-builder,
+ @{guix_storedir}/*-guix-command cx -> guix-helper,
+ @{guix_storedir}/*-guix-*/bin/guix cx -> guix-helper,
+ @{etc_rw}/nsswitch.conf r,
+ @{etc_rw}/passwd r,
+ @{etc_rw}/group r,
+ owner /tmp/** rwl,
+ owner /var/tmp/** rwl,
+
+ /usr/bin/newgidmap Ux,
+
+ # Site-specific additions and overrides. See local/README for details.
+ include if exists <local/guix-daemon>
+
+ profile guix-builder flags=(enforce,attach_disconnected.path=/disconnected) {
+ include <abstractions/base>
+
+ signal (receive),
+
+ @{guix_storedir}/** rwlmkux,
+
+ owner /tmp/** rw,
+
+ @{PROC}/@{pid}/fd/ r,
+
+ /disconnected/** rw,
+ }
+
+ # This is for any time guix is called by the daemon as a helper:
+ # - guix download
+ # - guix discover
+ # - guix gc --list-busy
+ # - probably more?
+ profile guix-helper flags=(enforce,attach_disconnected.path=/disconnected) {
+ include <abstractions/base>
+ include <abstractions/nameservice>
+
+ signal (receive),
+ ptrace (read) peer=guix-daemon,
+
+ /disconnected/run/dbus/system_bus_socket rw,
+ dbus (send, receive),
+ @{guix_localstatedir}/guix/discover/ rw,
+ @{guix_localstatedir}/guix/discover/* rw,
+
+ @{guix_localstatedir}/guix/substitute/ rw,
+ @{guix_localstatedir}/guix/substitute/** rwk,
+
+ @{guix_sysconfdir}/guix/** r,
+
+ @{guix_storedir}/** rwlmix,
+
+ @{PROC}/ r,
+ owner @{PROC}/@{pid}/{fd/,environ} r,
+ }
+}
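Review bot: `@{guix_storedir}/** rwlmkux` in the guix-builder child profile uses the `ux` exec mode, which runs every store program a build executes unconfined, so only the initial guile process is actually held by guix-builder; the guix-helper profile uses `ix` for the same path, which keeps children under the profile. If `ux` is deliberate because the set of build-time programs is open-ended and isolation is expected to come from the daemon's chroot and namespaces, that reasoning belongs in a comment above the rule, e.g. `# ux: build programs run unconfined once exec'd; isolation relies on the daemon's chroot/namespaces`; otherwise `ix` plus whatever extra rules builds need would make the profile enforce something for the build itself. Separately, the daemon's bare `signal,` and the helper's `dbus (send, receive),` carry no peer, bus or path qualifiers; if the daemon only signals its own children, a `signal (send) peer=guix-builder,` style rule would narrow it, though the full set of peers cannot be confirmed from the profile alone.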
diff --git a/etc/apparmor.d/tunables/guix.in b/etc/apparmor.d/tunables/guix.in
new file mode 100644
index 00000000000..e93f7caeb7d
--- /dev/null
+++ b/etc/apparmor.d/tunables/guix.in
@@ -0,0 +1,5 @@
+@{guix_storedir} = @storedir@
+@{guix_sysconfdir} = @guix_sysconfdir@
+@{guix_localstatedir} = @guix_localstatedir@
+
+include if exists <tunables/guix.d> \ No newline at end of file
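Review bot: The template ends without a trailing newline (the `\ No newline at end of file` marker follows the final `include if exists <tunables/guix.d>` line); add one so that anything appended later, by hand or by a generated-file step, does not fuse onto the include directive. This also keeps the substituted output formatted like the guix-daemon profile in the same commit, which does end with a newline.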