grimm-nixos-laptop/hardening/apparmor/default.nix

{
  pkgs,
  config,
  lib,
  ...
}:
let
  inherit (config.grimmShared) enable tooling;
  inherit (lib) mkIf getExe' getExe;
in
{
  # apparmor.d integration; provides the security.apparmor_d.* options used
  # below. (./aa-alias-module.nix exists but is not imported.)
  imports = [ ./apparmor-d-module.nix ];

  # Layered on top of an AppArmor setup that is enabled elsewhere: this module
  # never sets security.apparmor.enable itself, it only adds includes,
  # profiles and the surrounding audit/dbus plumbing.
  config = mkIf (enable && tooling.enable && config.security.apparmor.enable) {
    # D-Bus mediation. "enabled" uses AppArmor when the kernel supports it,
    # whereas "required" would make dbus refuse to start without it.
    services.dbus.apparmor = "enabled";

    # apparmor_parser on PATH, for loading / syntax-checking profiles by hand.
    environment.systemPackages = [ pkgs.apparmor-parser ];

    security = {
      # Denials end up in the audit log; a larger kernel backlog keeps bursts
      # of denials from being dropped before auditd drains them.
      auditd.enable = true;
      audit.backlogLimit = 8192;

      apparmor = {
        enableCache = true;

        # Leave processes that already run unconfined alone when a profile for
        # them is loaded. They stay unconfined until restarted, so after a
        # rebuild confinement is only complete for freshly started programs.
        killUnconfinedConfinables = false;

        # security.apparmor.aa-alias-manager.enable = false;

        includes = {
          # Upstream profiles name FHS paths; map the ones in use here onto
          # store paths. The store-wide "/" alias stays commented out.
          "tunables/alias.d/programs" = ''
            # alias / -> @{nix_store}/,
            alias /bin/spotify -> ${pkgs.spotify}/share/spotify/spotify,
          '';

          # Pulled into every profile. On NixOS all binaries and libraries
          # live in the store, so this is the minimum for anything to link.
          # Scope to keep in mind: whole-store read, mmap-exec (m) of every
          # store bin/lib, and coreutils runnable under the caller's own
          # profile (ix). The store is world-readable anyway, so the widening
          # is the m and the ix rather than the r.
          "abstractions/base" = ''
            /nix/store/*/bin/** mr,
            /nix/store/*/lib/** mr,
            /nix/store/** r,
            ${getExe' pkgs.coreutils "coreutils"} rix,
            ${getExe' pkgs.coreutils-full "coreutils"} rix,
          '';

          # Earlier attempt at a store-wide /bin alias, kept for reference:
          # "tunables/alias.d/store" = ''
          #   include <tunables/global>
          #   alias /bin -> @{bin},
          #   alias /bin/ -> /nix/store/*/bin/,
          # '';

          "local/speech-dispatcher" = ''
            @{nix_store}/libexec/speech-dispatcher-modules/* ix,
            @{PROC}/@{pid}/stat r,
            @{bin}/mbrola rix,
          '';

          # wl-copy / wl-paste run unconfined (U). The capital U scrubs the
          # environment on the transition, but the clipboard tools themselves
          # are then outside AppArmor entirely.
          "local/pass" = ''
            ${getExe' pkgs.pass ".pass-wrapped"} rix,
            @{nix_store}/wl-copy rUx,
            @{nix_store}/wl-paste rUx,
          '';
          "local/pass_gpg" = ''
            @{PROC}/@{pid}/fd/ r,
            /nix/store/*/libexec/keyboxd ix,
            owner /run/user/*/gnupg/S.keyboxd wr,
          '';

          # xdg-mime runs in complain mode (see apparmor_d.profiles); the bus
          # abstraction and the dbus-send child transition are parked as
          # comments inside the include until they are needed.
          "local/xdg-mime" = ''
            # include <abstractions/app/bus>
            /bin/grep rix,
            /bin/gawk rix,
            # /bin/dbus-send Cx -> bus,
            /dev/tty* rw,
          '';
          "abstractions/app/udevadm.d/udevadm_is_exec" = ''
            @{bin}/udevadm mrix,
          '';

          # The passff native-messaging host leaves the firefox profile via
          # Px (scrubbed environment) into the passff policy defined below.
          "local/firefox" = ''
            ${pkgs.passff-host}/share/passff-host/passff.py rPx -> passff,
            @{HOME}/.mozilla/firefox/** mr,
          '';
          "local/thunderbird" = ''
            ${getExe' pkgs.thunderbird ".thunderbird-wrapped_"} rix,
            /dev/urandom w,
          '';
          "abstractions/common/electron.d/libexec" = ''
            /nix/store/*/libexec/electron/** rix,
          '';

          # CAP_SYS_PTRACE is a wide grant. pkexec is only in complain mode
          # above, so this is currently observed rather than enforced.
          "local/pkexec" = ''
            capability sys_ptrace,
          '';

          # "/** r" allows reading the whole filesystem. The xdg-open entry in
          # apparmor_d.profiles is commented out, so check whether this
          # include is loaded at all, and narrow the read grant before the
          # profile is ever enforced.
          "local/xdg-open" = ''
            @{bin}/grep rix,
            /** r,
          '';

          # gdbus is run in the "bus" child profile (Cx) rather than
          # unconfined; the Ux variant is kept commented inside the include.
          "local/child-open" = ''
            include <abstractions/app/bus>
            @{bin}/grep ix,
            /@{PROC}/version r,
            @{bin}/gdbus Cx -> bus,
            # @{bin}/gdbus Ux,
          '';
          "local/vesktop" = ''
            /etc/machine-id r,
            /dev/udmabuf rw,
            /sys/devices/@{pci}/boot_vga r,
            /sys/devices/@{pci}/**/id{Vendor,Product} r,
            /dev/ r,
            @{bin}/xdg-open rPx,
            /bin/electron rix,
          '';

          # The sudo profile itself is not enabled in apparmor_d.profiles
          # (commented out); the unix_chkpwd transition is kept ready for it.
          "local/sudo" = ''
            /run/wrappers/wrappers.*/unix_chkpwd rPx -> unix-chkpwd,
          '';
          "local/unix-chkpwd" = ''
            /run/wrappers/wrappers.*/unix_chkpwd rix,
            @{bin}/unix_chkpwd rix,
          '';

          # "local/spotify" = ''
          #   @{bin}/
          # '';
        };

        # Hand-written profiles for programs apparmor.d does not cover.
        policies = {
          # Browser extension host for pass. Exec is limited to pass (Px, its
          # own apparmor.d profile) plus whatever abstractions/base allows.
          passff = {
            state = "enforce";
            profile = ''
              abi <abi/4.0>,
              include <tunables/global>
              profile passff ${pkgs.passff-host}/share/passff-host/passff.py {
                include <abstractions/base> # read access to /nix/store, basic presets for most apps
                include <abstractions/python>
                @{bin}/pass Px -> pass,
              }
            '';
          };

          swaymux = {
            state = "enforce";
            profile = ''
              abi <abi/4.0>,
              include <tunables/global>
              profile swaymux ${getExe pkgs.swaymux} {
                include <abstractions/base> # read access to /nix/store, basic presets for most apps
                ${pkgs.swaymux}/bin/* rix, # wrapping
                /dev/tty r,
                owner @{user_config_dirs}/Kvantum/** r, # themeing
              }
            '';
          };

          # Hand-written speech-dispatcher test profile, superseded by the
          # apparmor.d one selected in apparmor_d.profiles; kept for reference.
          # speech-dispatcher-test = {
          #   enable = true;
          #   enforce = true;
          #   profile = ''#
          #
          #abi <abi/4.0>,
          #
          #include <tunables/global>
          #
          #@{exec_path} = @{bin}/speech-dispatcher
          #profile speech-dispatcher ${getExe' pkgs.speechd "speech-dispatcher"} flags=(complain) {
          #  include <abstractions/base>
          #  include <abstractions/audio-client>
          #  include <abstractions/bus-session>
          #  include <abstractions/consoles>
          #  include <abstractions/nameservice-strict>
          #  network inet stream,
          #  network inet6 stream,
          #  @{exec_path} mr,
          #  @{sh_path} ix,
          #  @{lib}/speech-dispatcher/** r,
          #  @{lib}/speech-dispatcher/speech-dispatcher-modules/* ix,
          #  /etc/machine-id r,
          #  /etc/speech-dispatcher/{,**} r,
          #  owner @{run}/user/@{uid}/speech-dispatcher/ rw,
          #  owner @{run}/user/@{uid}/speech-dispatcher/** rwk,
          #  include if exists <local/speech-dispatcher>
          #} '';
          # };

          # Minimal profile: sleep needs nothing beyond the base abstraction.
          sleep = {
            state = "enforce";
            profile = ''
              abi <abi/4.0>,
              include <tunables/global>
              profile sleep ${getExe' pkgs.coreutils-full "sleep"} {
                include <abstractions/base>
              }
            '';
          };

          # Disabled. The grants below are wide for an enforce profile
          # (capability mknod, owner rw on /etc/ld.so* and on all of /tmp,
          # raw netlink, ix on the whole extracted AppImage tree) and would
          # want narrowing before state is switched to "enforce".
          osu-lazer = {
            state = "disable";
            profile = ''
              abi <abi/4.0>,
              include <tunables/global>
              profile osu-lazer @{bin}/osu\! flags=(attach_disconnected) {
                include <abstractions/base> # read access to /nix/store, basic presets for most apps
                include <abstractions/common/bwrap>
                include <abstractions/devices-usb>
                include <abstractions/nameservice-strict>
                include <abstractions/app/udevadm>
                include <abstractions/app/bus>
                include <abstractions/common/game>
                network inet dgram,
                network inet6 dgram,
                network inet stream,
                network inet6 stream,
                network netlink raw,
                owner @{PROC}/@{pid}/net/dev r,
                owner @{PROC}/@{pid}/net/if_inet6 r,
                owner @{PROC}/@{pid}/net/ipv6_route r,
                owner @{PROC}/@{pid}/net/route r,
                capability mknod,
                /dev/tty{@{d},} rw,
                ${pkgs.osu-lazer-bin}/bin/osu? ix,
                ${getExe pkgs.bubblewrap} rix,
                /nix/store/*-osu-lazer-bin-*-bwrap ix,
                /nix/store/*-osu-lazer-bin-*-init ix,
                /nix/store/*-container-init ix,
                /nix/store/*-osu-lazer-bin-*-extracted/** rk,
                /nix/store/*-osu-lazer-bin-*-extracted/AppRun ix,
                /nix/store/*-osu-lazer-bin-*-extracted/usr/bin/** ix,
                @{bin}/ldconfig ix,
                @{bin}/appimage-exec.sh ix,
                @{bin}/rev ix,
                @{bin}/bash ix,
                @{bin}/grep ix,
                @{bin}/lsblk ix,
                @{bin}/awk ix,
                @{bin}/gawk ix,
                @{bin}/xdg-mime Px,
                /usr/bin/xdg-mime Px,
                ${getExe' pkgs.gamemode "gamemoderun"} ix,
                owner @{HOME}/@{XDG_DATA_DIR}/osu/** rwkm,
                owner @{HOME}/.dotnet/** rwkm,
                owner @{HOME}/@{XDG_DATA_DIR}/Sentry/** rwk,
                owner @{HOME}/@{XDG_CONFIG_DIR}/mimeapps* rwk,
                owner @{HOME}/@{XDG_DATA_DIR}/applications/discord-*.desktop rwk,
                /nix/store/*-etc-os-release rk,
                /nix/store/*/share/zoneinfo/** rk,
                owner /tmp/** rwk,
                /usr/lib/ r,
                owner /var/cache/ldconfig/ rw,
                owner /etc/ld.so* rw,
                owner @{PROC}/@{pid}/{maps,stat} rk,
                @{PROC}/sys/kernel/os{type,release} rk,
                /dev/snd/** rw,
                /dev/udmabuf wr,
                /.host-etc/alsa/conf.d/{,**} r,
                /.host-etc/ssl/certs/{,**} r,
                /.host-etc/resolv.conf rk,
              }
            '';
          };
        };
      };

      # apparmor.d profile selection (option set provided by
      # ./apparmor-d-module.nix). Entries in complain mode only log;
      # "disable" keeps the profile out entirely.
      apparmor_d = {
        enable = true;
        profiles = {
          vesktop = "enforce";
          speech-dispatcher = "enforce";
          thunderbird-glxtest = "enforce";
          "firefox.apparmor.d" = "enforce";
          pass = "enforce";
          spotify = "enforce";
          "thunderbird.apparmor.d" = "enforce";
          # xdg-open = "enforce";
          child-open-any = "enforce";
          child-open = "enforce";
          firefox-glxtest = "enforce";
          firefox-vaapitest = "enforce";
          gamemoded = "disable";
          pkexec = "complain";
          xdg-mime = "complain";
          mimetype = "complain";
          # sudo = "complain";
          "unix-chkpwd.apparmor.d" = "complain";
        };
      };
    };
  };
}