PRs already reviewed

julm · February 25, 2024, 11:46am

apparmor-utils: fix aa-remove-unknown read check

NixOS:staging ← herrwiese:for-master/fix-273164

opened 11:25PM - 02 Feb 24 UTC

let aaru = "aa-remove-unknown"; in aaru tests whether `/sys/kernel/security/a…pparmor/profiles` can be opened. Even though the file's permissions usually are 0444, open() still might return `EPERM`, as this is a virtual filesystem. Thus, using `test -r` doesn't suffice for this check. What aaru does to solve this is (approximately) ```sh if ! read … < /sys/kernel/security/apparmor/profiles; then echo "Meh"; fi ``` In principal this works just fine. When looking closer, it doesn't (which is the root cause of #273164). Careful readers will notice that the actual access check (for `open()`) isn't actually related to the `read` invocation, but the shell's input redirection, which works totally fine: If the file can't be opened, the shell will return an error and the test fails. `read` won't even be invoked. The culprit is, the `read` shell builtin might potentially jeopardize the *successful* test result (`open()` succeeding): When no profiles are loaded, the file will be empty and `read` will return 1 for `EOF`. As the `if`'s command is only invoked after the actual test succeeded, `true` is the command of choice here. I would prefer fixing this upstream, but I refuse to register an account there because GitLab.com wants me to validate an email address (sure), a phone number (why?) and a valid payment method ([redacted]). This fixes #273164 (»Apparmor service fails to start after nixos-rebuild switch«). ## Description of changes  ## Things done - Built on platform(s) - [x] x86_64-linux - [x] aarch64-linux - [ ] x86_64-darwin - [ ] aarch64-darwin - For non-Linux: Is sandboxing enabled in `nix.conf`? (See [Nix manual](https://nixos.org/manual/nix/stable/command-ref/conf-file.html)) - [ ] `sandbox = relaxed` - [ ] `sandbox = true` - [ ] Tested, as applicable: - [NixOS test(s)](https://nixos.org/manual/nixos/unstable/index.html#sec-nixos-tests) (look inside [nixos/tests](https://github.com/NixOS/nixpkgs/blob/master/nixos/tests)) - and/or [package tests](https://nixos.org/manual/nixpkgs/unstable/#sec-package-tests) - or, for functions and "core" functionality, tests in [lib/tests](https://github.com/NixOS/nixpkgs/blob/master/lib/tests) or [pkgs/test](https://github.com/NixOS/nixpkgs/blob/master/pkgs/test) - made sure NixOS tests are [linked](https://nixos.org/manual/nixpkgs/unstable/#ssec-nixos-tests-linking) to the relevant packages - [ ] Tested compilation of all packages that depend on this change using `nix-shell -p nixpkgs-review --run "nixpkgs-review rev HEAD"`. Note: all changes have to be committed, also see [nixpkgs-review usage](https://github.com/Mic92/nixpkgs-review#usage) - [x] Tested basic functionality of all binary files (usually in `./result/bin/`) - [24.05 Release Notes](https://github.com/NixOS/nixpkgs/blob/master/nixos/doc/manual/release-notes/rl-2405.section.md) (or backporting [23.05](https://github.com/NixOS/nixpkgs/blob/master/nixos/doc/manual/release-notes/rl-2305.section.md) and [23.11](https://github.com/NixOS/nixpkgs/blob/master/nixos/doc/manual/release-notes/rl-2311.section.md) Release notes) - [ ] (Package updates) Added a release notes entry if the change is major or breaking - [ ] (Module updates) Added a release notes entry if the change is significant - [ ] (Module addition) Added a release notes entry if adding a new NixOS module - [ ] Fits [CONTRIBUTING.md](https://github.com/NixOS/nixpkgs/blob/master/CONTRIBUTING.md).  --- Add a :+1: [reaction] to [pull requests you find important]. [reaction]: https://github.blog/2016-03-10-add-reactions-to-pull-requests-issues-and-comments/ [pull requests you find important]: https://github.com/NixOS/nixpkgs/pulls?q=is%3Aopen+sort%3Areactions-%2B1-desc