etc: Add AppArmor profile for the daemon.

* .gitignore: Add etc/apparmor.d/tunables/guix. * Makefile.am (nodist_apparmor_profile_DATA) (nodist_apparmor_profile_tunables_DATA): Define it. * configure.ac: Generate etc/apparmor.d/tunables/guix. Add --with-apparmor-profile-dir option. * etc/apparmor.d/guix-daemon: New file. * etc/apparmor.d/tunables/guix.in: New file. * doc/guix.texi: Document AppArmor profiles. * gnu/packages/package-management.scm (guix): Add future changes commented. Change-Id: Iac7df9d642383cc46a2d450c3badef31199ab041 Signed-off-by: Rutherther <rutherther@ditigal.xyz>
2026-04-06 21:20:33 +02:00 · 2025-12-08 16:39:11 +01:00
parent 9a78e76076
commit 587fd2dad4
7 changed files with 156 additions and 0 deletions
--- a/doc/guix.texi
+++ b/doc/guix.texi
@@ -146,6 +146,7 @@ Copyright @copyright{} 2025 Artur Wroblewski@*
 Copyright @copyright{} 2025 Edouard Klein@*
 Copyright @copyright{} 2025 Rodion Goritskov@*
 Copyright @copyright{} 2025 dan@*
+Copyright @copyright{} 2025 Noé Lopez@*

 Permission is granted to copy, distribute and/or modify this document
 under the terms of the GNU Free Documentation License, Version 1.3 or
@@ -919,6 +920,7 @@ pre-built binaries.
 * Build Environment Setup::     Preparing the isolated build environment.
 * Daemon Offload Setup::        Offloading builds to remote machines.
 * SELinux Support::             Using an SELinux policy for the daemon.
+* AppArmor Support::            Using an AppArmor profile for the daemon.
@end menu

@node Build Environment Setup
@@ -1097,6 +1099,8 @@ systemctl daemon-reload
 systemctl start guix-daemon
@end example

+If your system has AppArmor enabled, @pxref{AppArmor Support}.
+
@quotation Warning
 The commands above assume that @command{guix pull} was run for the root
 user.  You can check whether this is the case by running this command:
@@ -1526,6 +1530,43 @@ installation time whenever the Guix package that provides the
 effectively running @code{guix-daemon} executable is upgraded.
@end enumerate

+@node AppArmor Support
+@subsection AppArmor Support
+
+@cindex AppArmor
+
+Guix includes an AppArmor profile for the build daemon in
+@file{etc/apparmor.d/guix-daemon} that can be installed on systems with
+strict AppArmor policies to allow it to run unprivileged
+(@pxref{Build Environment Setup}).  Indeed, the unprivileged daemon makes
+use of Linux user namespaces but these are disallowed
+without an AppArmor policy on some systems like Ubuntu.
+
+To know if this applies to you, check if the
+@code{kernel.apparmor_restrict_unprivileged_userns} kernel parameter is
+enabled.
+
+@subsubsection Installing the AppArmor profile
+@cindex AppArmor, profile installation
+
+@quotation Note
+The @code{guix-install.sh} binary installation script offers to perform
+the steps below for you (@pxref{Binary Installation}).
+@end quotation
+
+Run these commands as root to install the profile:
+
+@example
+export apparmor_sources=/var/guix/profiles/per-user/root/current-guix/etc/apparmor.d
+cp -f -t /etc/apparmor.d/tunables "$apparmor_sources/tunables/guix"
+cp -f -t /etc/apparmor.d "$apparmor_sources/guix-daemon"
+cp -f -t /etc/apparmor.d "$apparmor_sources/guix"
+apparmor_parser -r /etc/apparmor.d/guix-daemon
+apparmor_parser -r /etc/apparmor.d/guix
+@end example
+
+After this, the build daemon will be able to function correctly.
+
@node Invoking guix-daemon
@section Invoking @command{guix-daemon}
@cindex @command{guix-daemon}