grimm-nixos-laptop/common/tooling/apparmor/default.nix

47 lines
981 B
Nix
Raw Normal View History

2024-10-12 18:19:18 +02:00
{
pkgs,
config,
lib,
...
}:
let
inherit (config.grimmShared) enable tooling;
inherit (lib) mkIf;
apparmor-d = pkgs.callPackage ./apparmor-d.nix {};
in
{
config = mkIf (enable && tooling.enable) {
services.dbus.apparmor = "enabled";
security.auditd.enable = true;
security.apparmor.packages = [ apparmor-d ];
security.apparmor.enable = true;
security.apparmor.includes = {
2024-10-12 21:01:10 +02:00
"local/vesktop" = ''
# @{lib}/libdl.so* mr,
# @{lib}/libglapi.so* mr,
# @{lib}/libc.so* mr,
# @{lib}/pluseaudio/** mr,
@{bin}/electron rix,
/nix/store/*/libexec/electron/** rix,
/nix/store/*/bin/** mr,
/nix/store/*/lib/** mr,
/nix/store/** r,
'';
2024-10-12 18:19:18 +02:00
};
2024-10-12 21:01:10 +02:00
security.apparmor.policies = {
vesktop = {
enable = true;
enforce = true;
profile = ''
include "${apparmor-d}/etc/apparmor.d/profiles-s-z/vesktop"
'';
};
};
2024-10-12 18:19:18 +02:00
};
}