Apparmor breaks SDDM

BoredSquirrel · April 14, 2025, 9:18pm

I am setting up my system and have made a security.nix config file, with a bunch of stuff.

When enabling Apparmor there, SDDM does not launch anymore, instead I get into TTY.

### AppArmor
security.apparmor.enable = true;
# kill processes not confined with Apparmor, when a profile exists
# security.apparmor.killUnconfinedConfinables = true;
# mediation with dbus when not found
services.dbus.apparmor = "required";

Is SDDM ran as a sddm user or as root? This might be an issue and the former would be the recommended way. Not sure if this works as there is no sddm user declared in my config?

I will get logs and more tomorrow.

It might be the “kill unconfined confinables”? But this should be set I think.

NixOS 24.11

Sandro · April 15, 2025, 2:59pm

Should be sddm, see nixpkgs/nixos/modules/services/display-managers/sddm.nix at 05c5bdcc7864347c0b4cdb1fa0cdaefe2d143c43 · NixOS/nixpkgs · GitHub

BoredSquirrel · April 15, 2025, 9:17pm

That was a long module, I didnt yet find the user. Does this mean the option enables the user on its own, and I dont need to change anything?

Also, are there other SDDM users with Apparmor enabled? Not having MAC is a pretty big issue

Sandro · April 16, 2025, 4:32pm

The user is created here nixpkgs/nixos/modules/services/display-managers/sddm.nix at 05c5bdcc7864347c0b4cdb1fa0cdaefe2d143c43 · NixOS/nixpkgs · GitHub

The user is already enabled and used per default.

I don’t have it enabled because there are barely any rules for it which makes it not very useful.

Not having MAC is a pretty big issue

MAC?

waffle8946 · April 16, 2025, 4:46pm

MAC = Apparmor.
I wouldn’t say MAC is well-supported on NixOS atm, but Apparmor is more viable than SELinux.

bme · April 16, 2025, 8:15pm

Depending on how big of an issue this (mandatory access control of some flavour) is you might want to run a different distro until support is further along. You can follow work on apparmor over in this thread: AppArmor on NixOS Roadmap

573 · April 16, 2025, 8:36pm

Asked myself same thing: Mandatory Access Control

BoredSquirrel · April 16, 2025, 9:30pm

Thanks! This is pretty crazy, as all major distros have SELinux or AppArmor setup.

I know that Fedoras rules for SELinux for example are not really strong, and all the user processes are completely unconfined. So the use of that MAC for a typical desktop system is pretty small.

Current sandboxing techniques like Flatpak (bubblewrap), bubblejail (not on nixpkgs yet) and others (fortify, minijail, go-judge, …) can be good as well.

Grimmauld · April 21, 2025, 1:08pm

I run apparmor and sddm together just fine. However, i only set services.dbus.apparmor = "enabled"; and run services.dbus.implementation = "broker";, not sure if this changes things.

My config:

Grimmauld · April 21, 2025, 1:10pm

NixOS is mostly systemd services. As such it makes sense to use the systemd hardening for system components, as opposed to a more traditional MAC.

Tracking: systemd hardening in NixOS

opened 10:03PM - 29 Jan 25 UTC

LordGrimmauld

6.topic: nixos 1.severity: security 6.topic: systemd 5. scope: tracking

# Idea Systemd allows for hardening services using service config options docume…nted in [`man systemd.exec`](https://www.freedesktop.org/software/systemd/man/latest/systemd.exec.html) Currently, these hardening features are barely used, with even a minimal installation of NixOS having many many services running completely without confinement. This issue is my attempt to track progress in this effort, make related issues and PRs searchable, and generally improve the situation. # Methodology - Install NixOS with few system services - run `systemd-analyze security` - select an important service that has bad confinement - improve it by setting `systemd.services.<name>.serviceConfig.<hardening options>` - if possible and feasible, run (and potentially add) nixos tests to ensure correct functionality - open PRs adding these improvements to the service modules already existing within nixos. The goal is to have these hardening features sensible and stable enough to "just work". There should be no need for an opt-in toggle that is as inaccessible as the weirdness with current hardened profile. NixOS should be (more) secure by default. # Help wanted Testing these things is hard, and some of these changes are likely to cause regressions by accident. While ideally all the PRs see testing before a merge, it is naive to assume no mistakes will happen. Please report regressions (potentially linking this tracking issue) if bad confinements make their way into unstable. To help prevent bad changes ending up in unstable, please test and review PRs linked in this list. Yes, these will be module update PRs. However, testing is relatively simple: it is sufficient to just add the hardening options to `systemd.services.<name>.serviceConfig` explicitly on a local config. # Progress and related PRs/Issues - [ ] acpid: https://github.com/NixOS/nixpkgs/pull/377786 - [ ] auditd (critical to not have regressions) - [ ] bluetooth: https://github.com/NixOS/nixpkgs/pull/377927 - [ ] dbus-broker - [ ] getty (quite complex) - [ ] homepage-dashboard: https://github.com/NixOS/nixpkgs/pull/377886 - [ ] minio: https://github.com/NixOS/nixpkgs/pull/377887 - [ ] NetworkManager{,-dispatcher} - [ ] nix-daemon (critical to not have regressions): https://github.com/NixOS/nixpkgs/issues/141991 - [ ] nscd - [ ] ntpd-rs: https://github.com/NixOS/nixpkgs/pull/372009 - [ ] open-webui: https://github.com/NixOS/nixpkgs/pull/377884 - [ ] postfix: https://github.com/NixOS/nixpkgs/pull/76604 - [ ] singbox: https://github.com/NixOS/nixpkgs/pull/379316 - [ ] sshd (critical to not have regressions) - [ ] systemd-ask-password-* - [ ] wpa_supplicant - [ ] zpool-trim This list is intended to be updated as more PRs and Issues pop up.