diff --git a/apparmor.d/tunables/multiarch.d/system b/apparmor.d/tunables/multiarch.d/system
|
|
|
|
index 0a95d183..4e15d5e3 100644
|
|
|
|
--- a/apparmor.d/tunables/multiarch.d/system
|
|
|
|
+++ b/apparmor.d/tunables/multiarch.d/system
|
|
|
|
@@ -106,8 +106,8 @@
|
|
|
|
@{MOUNTS}=@{MOUNTDIRS}/*/ @{run}/user/@{uid}/gvfs/
|
|
|
|
|
|
|
|
# Common places for binaries and libraries across distributions
|
|
|
|
-@{bin}=/{,usr/}{,s}bin
|
|
|
|
-@{lib}=/{,usr/}lib{,exec,32,64}
|
|
|
|
+@{bin}=/{nix/store/*/,}{,usr/}bin
|
|
|
|
+@{lib}=/{nix/store/*/,/run/wrappers,}{,usr/}lib{,exec,32,64}
|
|
|
|
|
|
|
|
# Common places for temporary files
|
|
|
|
@{tmp}=/tmp/ /tmp/user/@{uid}/
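Review bot: The new `@{bin}` on the `+@{bin}=` line drops the `{,s}` alternative, so `/sbin` and `/usr/sbin` are no longer part of `@{bin}` for every distribution that loads this tunable, while the Go default in pkg/aa/apparmor.go in the same commit keeps `{,s}bin`; any rule written as `@{bin}/foo` for an sbin binary silently stops matching. The `/run/wrappers` alternative on the `+@{lib}=` line also has a leading slash and no trailing slash, so it expands to `//run/wrapperslib…`, which can never match a real path — the sibling alternative `nix/store/*/` shows the intended shape. If the target is NixOS's setuid wrapper directory (`/run/wrappers/bin`), it belongs under `@{bin}` as `run/wrappers/`, and because that directory holds setuid binaries it deserves a comment saying so, since every `@{bin}/**` exec rule will then cover it. Suggested: `@{bin}=/{nix/store/*/,run/wrappers/,}{,usr/}{,s}bin` and `@{lib}=/{nix/store/*/,}{,usr/}lib{,exec,32,64}`.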
|
|
|
|
diff --git a/cmd/prebuild/main.go b/cmd/prebuild/main.go
|
|
|
|
index 3f2dd9f4..39a8b64a 100644
|
|
|
|
--- a/cmd/prebuild/main.go
|
|
|
|
+++ b/cmd/prebuild/main.go
|
|
|
|
@@ -37,7 +37,7 @@ func init() {
|
|
|
|
|
|
|
|
// Compatibility with AppArmor 3
|
|
|
|
switch prebuild.Distribution {
|
|
|
|
- case "arch":
|
|
|
|
+ case "arch", "nixos":
|
|
|
|
|
|
|
|
case "ubuntu":
|
|
|
|
if !slices.Contains([]string{"noble"}, prebuild.Release["VERSION_CODENAME"]) {
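Review bot: Grouping "nixos" with "arch" on the `case "arch", "nixos":` line means NixOS gets no release check at all, whereas the ubuntu branch just below gates on `VERSION_CODENAME`; nothing visible here verifies that the target NixOS system actually ships AppArmor 4 rather than 3, so a stable channel still on AppArmor 3 would receive profiles using AppArmor-4-only syntax and fail to load. If that assumption is deliberate, a comment such as `// nixos: assumed to ship AppArmor >= 4 (no release gate)` would make it explicit; otherwise the branch needs a check comparable to the ubuntu one. The enclosing `init()` and its switch continue outside the hunk.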
|
|
|
|
diff --git a/pkg/aa/apparmor.go b/pkg/aa/apparmor.go
|
|
|
|
index a887d4b9..eb0cc2ef 100644
|
|
|
|
--- a/pkg/aa/apparmor.go
|
|
|
|
+++ b/pkg/aa/apparmor.go
|
|
|
|
@@ -33,13 +33,13 @@ func DefaultTunables() *AppArmorProfileFile {
|
|
|
|
return &AppArmorProfileFile{
|
|
|
|
Preamble: Rules{
|
|
|
|
&Variable{Name: "arch", Values: []string{"x86_64", "amd64", "i386"}, Define: true},
|
|
|
|
- &Variable{Name: "bin", Values: []string{"/{,usr/}{,s}bin"}, Define: true},
|
|
|
|
+ &Variable{Name: "bin", Values: []string{"/{nix/store/*/,/run/wrappers,}{,usr/}{,s}bin"}, Define: true},
|
|
|
|
&Variable{Name: "c", Values: []string{"[0-9a-zA-Z]"}, Define: true},
|
|
|
|
&Variable{Name: "etc_ro", Values: []string{"/{,usr/}etc/"}, Define: true},
|
|
|
|
&Variable{Name: "HOME", Values: []string{"/home/*"}, Define: true},
|
|
|
|
&Variable{Name: "int", Values: []string{"[0-9]{[0-9],}{[0-9],}{[0-9],}{[0-9],}{[0-9],}{[0-9],}{[0-9],}{[0-9],}{[0-9],}"}, Define: true},
|
|
|
|
&Variable{Name: "int2", Values: []string{"[0-9][0-9]"}, Define: true},
|
|
|
|
- &Variable{Name: "lib", Values: []string{"/{,usr/}lib{,exec,32,64}"}, Define: true},
|
|
|
|
+ &Variable{Name: "lib", Values: []string{"/{nix/store/*/,}{,usr/}lib{,exec,32,64}"}, Define: true},
|
|
|
|
&Variable{Name: "MOUNTS", Values: []string{"/media/*/", "/run/media/*/*/", "/mnt/*/"}, Define: true},
|
|
|
|
&Variable{Name: "multiarch", Values: []string{"*-linux-gnu*"}, Define: true},
|
|
|
|
&Variable{Name: "rand", Values: []string{"@{c}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}"}, Define: true}, // Up to 10 characters
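Review bot: The `/run/wrappers` alternative in the new `bin` value is malformed: inside `/{nix/store/*/,/run/wrappers,}{,usr/}{,s}bin` it expands to `//run/wrappersbin` (double leading slash, no separator before `bin`), so it matches nothing, while the sibling alternative `nix/store/*/` shows the intended form; change it to `"/{nix/store/*/,run/wrappers/,}{,usr/}{,s}bin"`. This default also diverges from `apparmor.d/tunables/multiarch.d/system` in the same commit, which puts `/run/wrappers` under `@{lib}` and drops `{,s}bin` from `@{bin}`; the two definitions should agree or profiles will behave differently depending on which one wins. Note as well that `/nix/store/*/` widens `@{bin}` and `@{lib}` to the `bin/` and `lib/` directory of every store path, so `@{bin}/*`-style exec rules admit far more binaries than on FHS layouts — presumably intended for NixOS, but worth a short comment on the `Variable` line. `DefaultTunables` continues outside the hunk.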
|
|
|
|
diff --git a/pkg/prebuild/prepare/configure.go b/pkg/prebuild/prepare/configure.go
|
|
|
|
index 4b8e11ec..11eab5f7 100644
|
|
|
|
--- a/pkg/prebuild/prepare/configure.go
|
|
|
|
+++ b/pkg/prebuild/prepare/configure.go
|
|
|
|
@@ -28,7 +28,7 @@ func (p Configure) Apply() ([]string, error) {
|
|
|
|
res := []string{}
|
|
|
|
|
|
|
|
switch prebuild.Distribution {
|
|
|
|
- case "arch", "opensuse":
|
|
|
|
+ case "arch", "opensuse", "nixos":
|
|
|
|
|
|
|
|
case "ubuntu":
|
|
|
|
if err := prebuild.DebianHide.Init(); err != nil {
|