apparmor: 4.0.3 -> 4.1.0, rewrite by LordGrimmauld · Pull Request #400430 · NixOS/nixpkgs

LordGrimmauld · 2025-04-21T01:03:24Z

Upstream release: https://gitlab.com/apparmor/apparmor/-/releases/v4.1.0

Notable changes made to the packaging:

apparmor-kernel-patches: drop. This was outdated and unused, and wouldn't even apply to any kernel anymore.
aa-teardown: migrate to writeShellAPplication
apparmor-*: migrate to by-name
apparmor-*: enable checks and actually run checks
libapparmor: test python module imports correctly
libapparmor: no seperate $python output (makes no sense)

This should be basically compatible with any preexisting setup using apparmor. I tried my best to keep ABI.

Tested build types

pkgsCross.gnu64.libapparmor (aarch64-linux builder)
pkgsCross.gnu64.apparmor-* (aarch64-linux builder)
pkgsCross.aarch64-multiplatform.libapparmor (x86_64-linux builder)
pkgsMusl.libapparmor (x86_64-linux builder)
pkgsMusl.apparmor-* (x86_64-linux builder)
pkgsLLVM.libapparmor (x86_64-linux builder)

This does unbreak a couple cross builds that were previously broken.

Things done

Add a 👍 reaction to pull requests you find important.

grimmauld-bot · 2025-04-21T05:01:55Z

`nixpkgs-review` result

Generated using nixpkgs-review.

Command: nixpkgs-review pr 400430 --package libapparmor --package dbus --package apparmor-parser --package apparmor-bin-utils --package nixosTests.apparmor --package apparmor-pam --package apparmor-teardown --package apparmor-utils --package systemd

`aarch64-linux`

✅ 1 test built:

nixosTests.apparmor

✅ 16 packages built:

apparmor-bin-utils
apparmor-pam
apparmor-parser
apparmor-teardown
apparmor-utils
dbus
dbus.debug (dbus.debug.debug, dbus.debug.dev, dbus.debug.doc, dbus.debug.lib, dbus.debug.man)
dbus.dev (dbus.dev.debug, dbus.dev.dev, dbus.dev.doc, dbus.dev.lib, dbus.dev.man)
dbus.doc (dbus.doc.debug, dbus.doc.dev, dbus.doc.doc, dbus.doc.lib, dbus.doc.man)
dbus.lib (dbus.lib.debug, dbus.lib.dev, dbus.lib.doc, dbus.lib.lib, dbus.lib.man)
dbus.man (dbus.man.debug, dbus.man.dev, dbus.man.doc, dbus.man.lib, dbus.man.man)
libapparmor
systemd
systemd.debug (systemd.debug.debug, systemd.debug.dev, systemd.debug.man)
systemd.dev (systemd.dev.debug, systemd.dev.dev, systemd.dev.man)
systemd.man (systemd.man.debug, systemd.man.dev, systemd.man.man)

LordGrimmauld · 2025-04-21T06:47:27Z

@ofborg build libapparmor libapparmor.passthru.tests

LordGrimmauld · 2025-04-21T07:04:11Z

@ofborg build libapparmor libapparmor.passthru.tests

pkgs/by-name/ap/apparmor-teardown/package.nix

pkgs/by-name/ap/apparmor-pam/package.nix

pkgs/by-name/li/libapparmor/package.nix

pkgs/by-name/ap/apparmor-pam/package.nix

nixos-discourse · 2025-04-21T13:05:05Z

This pull request has been mentioned on NixOS Discourse. There might be relevant details there:

https://discourse.nixos.org/t/apparmor-on-nixos-roadmap/57217/18

LordGrimmauld · 2025-04-21T14:02:59Z

@ofborg build libapparmor libapparmor.passthru.tests

LordGrimmauld · 2025-04-21T15:20:53Z

The ofborg build is timing out, so i suppose the nixpkgs-review needs to suffice here

nyabinary · 2025-04-22T03:05:59Z

`nixpkgs-review` result

Generated using nixpkgs-review.

Command: nixpkgs-review pr 400430 --package nixosTests.apparmor --package libapparmor

`x86_64-linux`

❌ 1 package failed to build:

libapparmor

✅ 1 test built:

nixosTests.apparmor

nyabinary · 2025-04-22T03:06:56Z

nixpkgs-review result

Generated using nixpkgs-review.

Command: nixpkgs-review pr 400430 --package nixosTests.apparmor --package libapparmor

x86_64-linux

❌ 1 package failed to build:
* libapparmor
✅ 1 test built:
* nixosTests.apparmor

Failed because of a HTTP 404 (so safe to ignore)

LordGrimmauld · 2025-04-22T07:31:01Z

I have just reported the parser test fails on musl upstream: https://gitlab.com/apparmor/apparmor/-/issues/513

LordGrimmauld · 2025-04-22T18:24:17Z

While the parser on musl is still somewhat broken, it can't be correct to hard-code glibc here. Asking stdenv for the correct libc for logprof is (hopefully) a little less broken.

Replacing the parser with the musl based parser via overlay does still pass our VM test, so it is probably not completely broken.

LordGrimmauld · 2025-04-22T19:54:02Z

https://gitlab.com/apparmor/apparmor/-/issues/513#note_2462939579

So while our parser tests are semi-broken, the VM tests do still pass with musl based parser. This is most likely less broken than it was before this PR. I am happy with this current state and would just say musl+apparmor users are on their own if they do end up running into edge cases with the parser here.

Upstream release: https://gitlab.com/apparmor/apparmor/-/releases/v4.1.0 Notable changes made to the packaging: - apparmor-kernel-patches: drop. This was outdated and unused, and wouldn't even apply to any kernel anymore. - aa-teardown: migrate to writeShellAPplication - apparmor-*: migrate to by-name - apparmor-*: enable checks and actually run checks - libapparmor: test python module imports correctly - libapparmor: no seperate $python output (makes no sense)

LordGrimmauld force-pushed the apparmor-update branch from 6b5b9da to 357951c Compare April 21, 2025 01:11

nix-owners bot requested review from bjornfor, ju1m, prusnak and thoughtpolice April 21, 2025 01:11

LordGrimmauld force-pushed the apparmor-update branch from 357951c to 0b9a2cc Compare April 21, 2025 01:21

LordGrimmauld requested review from K900, marcin-serwin, mweinelt and nyabinary April 21, 2025 06:48

LordGrimmauld force-pushed the apparmor-update branch from 0b9a2cc to ba6ea8e Compare April 21, 2025 07:00

LordGrimmauld force-pushed the apparmor-update branch 5 times, most recently from 600b63d to b448118 Compare April 21, 2025 08:09

marcin-serwin requested changes Apr 21, 2025

View reviewed changes

LordGrimmauld force-pushed the apparmor-update branch from b448118 to 4ff79a5 Compare April 21, 2025 08:42

marcin-serwin reviewed Apr 21, 2025

View reviewed changes

pkgs/by-name/li/libapparmor/package.nix Outdated Show resolved Hide resolved

This comment was marked as resolved.

Sign in to view

LordGrimmauld force-pushed the apparmor-update branch from 4ff79a5 to 9ec5cbc Compare April 21, 2025 09:21

LordGrimmauld commented Apr 21, 2025

View reviewed changes

pkgs/by-name/ap/apparmor-pam/package.nix Outdated Show resolved Hide resolved

LordGrimmauld force-pushed the apparmor-update branch 2 times, most recently from 41c3ccc to a0872d1 Compare April 21, 2025 10:25

LordGrimmauld added the 11.by: package-maintainer This PR was created by a maintainer of all the package it changes. label Apr 21, 2025

marcin-serwin approved these changes Apr 21, 2025

View reviewed changes

wegank added the 12.approvals: 1 This PR was reviewed and approved by one person. label Apr 22, 2025

nyabinary approved these changes Apr 22, 2025

View reviewed changes

LordGrimmauld force-pushed the apparmor-update branch from 156651d to d47c4d3 Compare April 22, 2025 18:08

github-actions bot added 6.topic: nixos Issues or PRs affecting NixOS modules, or package usability issues specific to NixOS 8.has: module (update) This PR changes an existing module in `nixos/` labels Apr 22, 2025

LordGrimmauld force-pushed the apparmor-update branch from d47c4d3 to 457c0ed Compare April 22, 2025 18:14

LordGrimmauld added 2 commits April 22, 2025 23:48

nixos/apparmor: don't hardcode glibc for logprof

f8a3ea0

LordGrimmauld force-pushed the apparmor-update branch from 457c0ed to 4f34d46 Compare April 22, 2025 21:51

github-actions bot added the 6.topic: teams Relating to team creation, updates, other management actions label Apr 22, 2025

LordGrimmauld force-pushed the apparmor-update branch from 4f34d46 to 8be53b0 Compare April 22, 2025 21:54

LordGrimmauld added 3 commits April 22, 2025 23:56

maintainers/team-list: apparmor: init

5bfcede

libapparmor: transfer maintenance to team

1d315c8

nixos/apparmor: transfer maintenance to team

5467162

LordGrimmauld force-pushed the apparmor-update branch from 8be53b0 to 5467162 Compare April 22, 2025 21:56

wegank removed the 12.approvals: 1 This PR was reviewed and approved by one person. label Apr 23, 2025

LordGrimmauld requested review from marcin-serwin and nyabinary April 23, 2025 20:18

mweinelt merged commit 65f179f into NixOS:staging Apr 23, 2025
27 of 29 checks passed

Majiir mentioned this pull request May 10, 2025

Build failure: libapparmor (armv7l cross) #405780

Closed

Uh oh!

Conversation

LordGrimmauld commented Apr 21, 2025 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Tested build types

Things done

Uh oh!

grimmauld-bot commented Apr 21, 2025

nixpkgs-review result

aarch64-linux

Uh oh!

LordGrimmauld commented Apr 21, 2025

Uh oh!

LordGrimmauld commented Apr 21, 2025

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

This comment was marked as resolved.

Uh oh!

nixos-discourse commented Apr 21, 2025

Uh oh!

LordGrimmauld commented Apr 21, 2025

Uh oh!

LordGrimmauld commented Apr 21, 2025

Uh oh!

nyabinary commented Apr 22, 2025

nixpkgs-review result

x86_64-linux

Uh oh!

nyabinary commented Apr 22, 2025

nixpkgs-review result

x86_64-linux

Uh oh!

LordGrimmauld commented Apr 22, 2025

Uh oh!

LordGrimmauld commented Apr 22, 2025

Uh oh!

LordGrimmauld commented Apr 22, 2025

Uh oh!

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

7 participants

LordGrimmauld commented Apr 21, 2025 •

edited

Loading

`nixpkgs-review` result

`aarch64-linux`

`nixpkgs-review` result

`x86_64-linux`

`nixpkgs-review` result

`x86_64-linux`