grimm-nixos-laptop/common/tooling/apparmor/default.nix

{
  pkgs,
  config,
  lib,
  ...
}:
let
  inherit (config.grimmShared) enable tooling;
  inherit (lib) mkIf optionalString getExe' getExe;
  apparmor-d = pkgs.callPackage ./apparmor-d.nix {};
  allowFingerprinting = true;
in
{
  config = mkIf (enable && tooling.enable) {
    services.dbus.apparmor = "enabled";
    security.auditd.enable = true;
    
    security.apparmor.packages = [ apparmor-d ];
    security.apparmor.enable = true;
    

    security.apparmor.includes = {
      "abstractions/base" = ''
        /nix/store/*/bin/** mr,
        /nix/store/*/lib/** mr,
        /nix/store/** r,
        ${getExe' pkgs.coreutils "coreutils"} rix,
        ${getExe' pkgs.coreutils-full "coreutils"} rix,
      '';

      "local/speech-dispatcher" = ''
        ${pkgs.speechd}/libexec/speech-dispatcher-modules/* rix,
        @{PROC}/@{pid}/stat r,
        @{bin}/mbrola rix,
      '';

      "local/pass" = ''
        ${getExe' pkgs.pass ".pass-wrapped"} rix,
      '';

      "local/pass_gpg" = ''
        @{PROC}/@{pid}/fd/ r,
        /nix/store/*/libexec/keyboxd ix,
        owner /run/user/*/gnupg/S.keyboxd wr,
      '';

      "abstractions/app/udevadm.d/udevadm_is_exec" = ''
        @{bin}/udevadm mrix,
      '';

      "local/firefox" = ''
        ${pkgs.passff-host}/share/** rPx -> passff,
        @{HOME}/.mozilla/firefox/** mr,
      '';

      "local/thunderbird" = ''
        ${getExe' pkgs.thunderbird ".thunderbird-wrapped_"} rix,
        /dev/urandom w,
      '';

      "local/xdg-open" = ''
        @{PROC}/version r,
      '';

      "local/xdg-mime" = ''
        owner @{HOME}/@{XDG_CONFIG_DIR}/mimeapps* rwk,
        @{PROC}/version r,
      '';
    
      "local/vesktop" = ''
        @{bin}/electron rix,
        /nix/store/*/libexec/electron/** rix,
        @{bin}/speech-dispatcher rPx,
        @{bin}/xdg-open rPx,
      '' + (optionalString allowFingerprinting ''
        /etc/machine-id r,
        /dev/udmabuf rw,
        /dev/ r,
        @{sys}/devices/@{pci}boot_vga r,
        @{sys}/devices/@{pci}idVendor r,
        @{sys}/devices/@{pci}idProduct r,
      '');
    };
    
    security.apparmor.policies = {
      passff = {
        enable = true;
        enforce = true;
        profile = ''
          abi <abi/4.0>,
          include <tunables/global>
          profile passff ${pkgs.passff-host}/share/passff-host/passff.py {
            include <abstractions/base> # read access to /nix/store, basic presets for most apps
            include <abstractions/python>
            ${getExe pkgs.pass} Px,
          }
        '';
      };
      
      swaymux = {
        enable = true;
        enforce = true;
        profile = ''
          abi <abi/4.0>,
          include <tunables/global>
          profile swaymux ${getExe pkgs.swaymux} {
            include <abstractions/base> # read access to /nix/store, basic presets for most apps
            ${pkgs.swaymux}/bin/* rix, # wrapping
            owner @{user_config_dirs}/Kvantum/** r, # themeing
          }
        '';
      };

      osu-lazer = {
        enable = true;
        enforce = true;
        profile = ''
          abi <abi/4.0>,
          include <tunables/global>
          profile osu-lazer @{bin}/osu\! flags=(attach_disconnected) {
            include <abstractions/base> # read access to /nix/store, basic presets for most apps

            include <abstractions/common/bwrap>
            include <abstractions/devices-usb>
            include <abstractions/nameservice-strict>
            include <abstractions/app/udevadm>
            include <abstractions/app/bus>
            include <abstractions/common/game>

            network inet dgram,
            network inet6 dgram,
            network inet stream,
            network inet6 stream,
            network netlink raw,

            owner @{PROC}/@{pid}/net/dev r,
            owner @{PROC}/@{pid}/net/if_inet6 r,
            owner @{PROC}/@{pid}/net/ipv6_route r,
            owner @{PROC}/@{pid}/net/route r,

            capability mknod,

            /dev/tty{@{d},} rw,

            ${pkgs.osu-lazer-bin}/bin/osu? ix,
            ${getExe pkgs.bubblewrap} rix,
            /nix/store/*-osu-lazer-bin-*-bwrap ix,
            /nix/store/*-osu-lazer-bin-*-init ix,
            /nix/store/*-osu-lazer-bin-*-extracted/** rk,
            /nix/store/*-osu-lazer-bin-*-extracted/AppRun ix,
            /nix/store/*-osu-lazer-bin-*-extracted/usr/bin/** ix,

            @{bin}/ldconfig ix,
            @{bin}/appimage-exec.sh ix,
            @{bin}/rev ix,
            @{bin}/bash ix,
            @{bin}/grep ix,
            @{bin}/lsblk ix,
            @{bin}/awk ix,
            @{bin}/gawk ix,
            
            @{bin}/xdg-mime Px,
            ${getExe' pkgs.gamemode "gamemoderun"} ix,
            
            owner @{HOME}/@{XDG_DATA_DIR}/osu/** rwkm,
            owner @{HOME}/.dotnet/** rwkm,
            owner @{HOME}/@{XDG_DATA_DIR}/Sentry/** rwk,
            owner @{HOME}/@{XDG_CONFIG_DIR}/mimeapps* rwk,
            owner @{HOME}/@{XDG_DATA_DIR}/applications/discord-*.desktop rwk,

            /nix/store/*-etc-os-release rk,
            /nix/store/*/share/zoneinfo/** rk,

            owner /tmp/** rwk,
            /usr/lib/ r,

            owner /var/cache/ldconfig/ rw,
            owner /etc/ld.so* rw,
            
            owner @{PROC}/@{pid}/{maps,stat} rk,
            @{PROC}/sys/kernel/os{type,release} rk,
            
            /dev/snd/** rw,
            /dev/udmabuf wr,
            
            /.host-etc/alsa/conf.d/{,**} r,
            /.host-etc/ssl/certs/{,**} r,
            /.host-etc/resolv.conf rk,
          }
        '';
      };

      
      vesktop = {
        enable = true;
        enforce = true;
        profile = ''
          include "${apparmor-d}/etc/apparmor.d/profiles-s-z/vesktop"
        '';
      };
      speech-dispatcher = {
        enable = true;
        enforce = true;
        profile = ''
          include "${apparmor-d}/etc/apparmor.d/profiles-s-z/speech-dispatcher"
        '';
      };
      spotify = {
        enable = true;
        enforce = true;
        profile = ''
          include "${apparmor-d}/etc/apparmor.d/profiles-s-z/spotify"
        '';
      };
      thunderbird = {
        enable = true;
        enforce = true;
        profile = ''
          include "${apparmor-d}/etc/apparmor.d/profiles-s-z/thunderbird"
        '';
      };
      thunderbird-glxtest = {
        enable = true;
        enforce = true;
        profile = ''
          include "${apparmor-d}/etc/apparmor.d/profiles-s-z/thunderbird-glxtest"
        '';
      };
      xdg-open = {
        enable = true;
        enforce = true;
        profile = ''
          include "${apparmor-d}/etc/apparmor.d/groups/freedesktop/xdg-open"
        '';
      };
      child-open-any = {
        enable = true;
        enforce = true;
        profile = ''
          include "${apparmor-d}/etc/apparmor.d/groups/children/child-open-any"
        '';
      };
      child-open = {
        enable = true;
        enforce = true;
        profile = ''
          include "${apparmor-d}/etc/apparmor.d/groups/children/child-open"
        '';
      };
      firefox-glxtest = {
        enable = true;
        enforce = true;
        profile = ''
          include "${apparmor-d}/etc/apparmor.d/groups/browsers/firefox-glxtest"
        '';
      };
      firefox = {
        enable = true;
        enforce = true;
        profile = ''
          include "${apparmor-d}/etc/apparmor.d/groups/browsers/firefox"
        '';
      };
      pass = {
        enable = true;
        enforce = true;
        profile = ''
          include "${apparmor-d}/etc/apparmor.d/profiles-m-r/pass"
        '';
      };
#      gamemoded = {
#        enable = true;
#        enforce = true;
#        profile = ''
#          include "${apparmor-d}/etc/apparmor.d/profiles-g-l/gamemoded"
#        '';
#      };

      pkexec = {
        enable = false;
        enforce = false;
        # somehow this has conflicting imports and i have no clue how to fix it
        profile = ''
          include "${apparmor-d}/etc/apparmor.d/profiles-m-r/pkexec"
        '';
      };

      xdg-mime = {
        enable = true;
        enforce = false;
        # somehow this has conflicting imports and i have no clue how to fix it
        profile = ''
          include "${apparmor-d}/etc/apparmor.d/groups/freedesktop/xdg-mime"
        '';
      };
      mimetype = {
        enable = true;
        enforce = false;
        # somehow this has conflicting imports and i have no clue how to fix it
        profile = ''
          include "${apparmor-d}/etc/apparmor.d/profiles-m-r/mimetype"
        '';
      };
    };
  };
}
experimental apparmor support 2024-10-12 18:19:18 +02:00			`{`
			`pkgs,`
			`config,`
			`lib,`
			`...`
			`}:`
			`let`
			`inherit (config.grimmShared) enable tooling;`
add basic userspace apps 2024-10-13 13:44:16 +02:00			`inherit (lib) mkIf optionalString getExe' getExe;`
experimental apparmor support 2024-10-12 18:19:18 +02:00			`apparmor-d = pkgs.callPackage ./apparmor-d.nix {};`
add basic userspace apps 2024-10-13 13:44:16 +02:00			`allowFingerprinting = true;`
experimental apparmor support 2024-10-12 18:19:18 +02:00			`in`
			`{`
			`config = mkIf (enable && tooling.enable) {`
			`services.dbus.apparmor = "enabled";`
			`security.auditd.enable = true;`

			`security.apparmor.packages = [ apparmor-d ];`
			`security.apparmor.enable = true;`
add basic userspace apps 2024-10-13 13:44:16 +02:00
experimental apparmor support 2024-10-12 18:19:18 +02:00
			`security.apparmor.includes = {`
add basic userspace apps 2024-10-13 13:44:16 +02:00			`"abstractions/base" = ''`
make vesktop work 2024-10-12 21:01:10 +02:00			`/nix/store//bin/* mr,`
			`/nix/store//lib/* mr,`
			`/nix/store/** r,`
osu part 1 2024-10-14 14:49:17 +02:00			`${getExe' pkgs.coreutils "coreutils"} rix,`
			`${getExe' pkgs.coreutils-full "coreutils"} rix,`
make vesktop work 2024-10-12 21:01:10 +02:00			`'';`
add basic userspace apps 2024-10-13 13:44:16 +02:00
			`"local/speech-dispatcher" = ''`
			`${pkgs.speechd}/libexec/speech-dispatcher-modules/* rix,`
			`@{PROC}/@{pid}/stat r,`
			`@{bin}/mbrola rix,`
			`'';`

firefox and pass in apparmor 2024-10-13 14:28:46 +02:00			`"local/pass" = ''`
			`${getExe' pkgs.pass ".pass-wrapped"} rix,`
osu part 1 2024-10-14 14:49:17 +02:00			`'';`

			`"local/pass_gpg" = ''`
			`@{PROC}/@{pid}/fd/ r,`
			`/nix/store/*/libexec/keyboxd ix,`
			`owner /run/user/*/gnupg/S.keyboxd wr,`
			`'';`

			`"abstractions/app/udevadm.d/udevadm_is_exec" = ''`
			`@{bin}/udevadm mrix,`
firefox and pass in apparmor 2024-10-13 14:28:46 +02:00			`'';`

			`"local/firefox" = ''`
			`${pkgs.passff-host}/share/** rPx -> passff,`
osu part 1 2024-10-14 14:49:17 +02:00			`@{HOME}/.mozilla/firefox/** mr,`
firefox and pass in apparmor 2024-10-13 14:28:46 +02:00			`'';`

add basic userspace apps 2024-10-13 13:44:16 +02:00			`"local/thunderbird" = ''`
			`${getExe' pkgs.thunderbird ".thunderbird-wrapped_"} rix,`
			`/dev/urandom w,`
			`'';`

			`"local/xdg-open" = ''`
osu part 1 2024-10-14 14:49:17 +02:00			`@{PROC}/version r,`
			`'';`

			`"local/xdg-mime" = ''`
			`owner @{HOME}/@{XDG_CONFIG_DIR}/mimeapps* rwk,`
			`@{PROC}/version r,`
add basic userspace apps 2024-10-13 13:44:16 +02:00			`'';`

			`"local/vesktop" = ''`
			`@{bin}/electron rix,`
			`/nix/store//libexec/electron/* rix,`
			`@{bin}/speech-dispatcher rPx,`
			`@{bin}/xdg-open rPx,`
			`'' + (optionalString allowFingerprinting ''`
			`/etc/machine-id r,`
			`/dev/udmabuf rw,`
			`/dev/ r,`
osu part 1 2024-10-14 14:49:17 +02:00			`@{sys}/devices/@{pci}boot_vga r,`
			`@{sys}/devices/@{pci}idVendor r,`
			`@{sys}/devices/@{pci}idProduct r,`
add basic userspace apps 2024-10-13 13:44:16 +02:00			`'');`
experimental apparmor support 2024-10-12 18:19:18 +02:00			`};`

make vesktop work 2024-10-12 21:01:10 +02:00			`security.apparmor.policies = {`
firefox and pass in apparmor 2024-10-13 14:28:46 +02:00			`passff = {`
			`enable = true;`
			`enforce = true;`
			`profile = ''`
			`abi <abi/4.0>,`
			`include <tunables/global>`
			`profile passff ${pkgs.passff-host}/share/passff-host/passff.py {`
			`include <abstractions/base> # read access to /nix/store, basic presets for most apps`
			`include <abstractions/python>`
			`${getExe pkgs.pass} Px,`
			`}`
			`'';`
			`};`

add basic userspace apps 2024-10-13 13:44:16 +02:00			`swaymux = {`
			`enable = true;`
			`enforce = true;`
			`profile = ''`
			`abi <abi/4.0>,`
			`include <tunables/global>`
			`profile swaymux ${getExe pkgs.swaymux} {`
			`include <abstractions/base> # read access to /nix/store, basic presets for most apps`
			`${pkgs.swaymux}/bin/* rix, # wrapping`
			`owner @{user_config_dirs}/Kvantum/** r, # themeing`
			`}`
			`'';`
			`};`
osu part 1 2024-10-14 14:49:17 +02:00
			`osu-lazer = {`
			`enable = true;`
			`enforce = true;`
			`profile = ''`
			`abi <abi/4.0>,`
			`include <tunables/global>`
			`profile osu-lazer @{bin}/osu\! flags=(attach_disconnected) {`
			`include <abstractions/base> # read access to /nix/store, basic presets for most apps`

			`include <abstractions/common/bwrap>`
			`include <abstractions/devices-usb>`
			`include <abstractions/nameservice-strict>`
			`include <abstractions/app/udevadm>`
			`include <abstractions/app/bus>`
			`include <abstractions/common/game>`

			`network inet dgram,`
			`network inet6 dgram,`
			`network inet stream,`
			`network inet6 stream,`
			`network netlink raw,`

			`owner @{PROC}/@{pid}/net/dev r,`
			`owner @{PROC}/@{pid}/net/if_inet6 r,`
			`owner @{PROC}/@{pid}/net/ipv6_route r,`
			`owner @{PROC}/@{pid}/net/route r,`

			`capability mknod,`

			`/dev/tty{@{d},} rw,`

			`${pkgs.osu-lazer-bin}/bin/osu? ix,`
			`${getExe pkgs.bubblewrap} rix,`
			`/nix/store/-osu-lazer-bin--bwrap ix,`
			`/nix/store/-osu-lazer-bin--init ix,`
			`/nix/store/-osu-lazer-bin--extracted/** rk,`
			`/nix/store/-osu-lazer-bin--extracted/AppRun ix,`
			`/nix/store/-osu-lazer-bin--extracted/usr/bin/** ix,`

			`@{bin}/ldconfig ix,`
			`@{bin}/appimage-exec.sh ix,`
			`@{bin}/rev ix,`
			`@{bin}/bash ix,`
			`@{bin}/grep ix,`
			`@{bin}/lsblk ix,`
			`@{bin}/awk ix,`
			`@{bin}/gawk ix,`

			`@{bin}/xdg-mime Px,`
			`${getExe' pkgs.gamemode "gamemoderun"} ix,`

			`owner @{HOME}/@{XDG_DATA_DIR}/osu/** rwkm,`
			`owner @{HOME}/.dotnet/** rwkm,`
			`owner @{HOME}/@{XDG_DATA_DIR}/Sentry/** rwk,`
			`owner @{HOME}/@{XDG_CONFIG_DIR}/mimeapps* rwk,`
			`owner @{HOME}/@{XDG_DATA_DIR}/applications/discord-*.desktop rwk,`

			`/nix/store/*-etc-os-release rk,`
			`/nix/store//share/zoneinfo/* rk,`

			`owner /tmp/** rwk,`
			`/usr/lib/ r,`

osu part 2 2024-10-14 16:54:09 +02:00			`owner /var/cache/ldconfig/ rw,`
osu part 1 2024-10-14 14:49:17 +02:00			`owner /etc/ld.so* rw,`

osu part 2 2024-10-14 16:54:09 +02:00			`owner @{PROC}/@{pid}/{maps,stat} rk,`
			`@{PROC}/sys/kernel/os{type,release} rk,`
osu part 1 2024-10-14 14:49:17 +02:00
			`/dev/snd/** rw,`
			`/dev/udmabuf wr,`

			`/.host-etc/alsa/conf.d/{,**} r,`
			`/.host-etc/ssl/certs/{,**} r,`
			`/.host-etc/resolv.conf rk,`
			`}`
			`'';`
			`};`


make vesktop work 2024-10-12 21:01:10 +02:00			`vesktop = {`
			`enable = true;`
			`enforce = true;`
			`profile = ''`
			`include "${apparmor-d}/etc/apparmor.d/profiles-s-z/vesktop"`
			`'';`
			`};`
add basic userspace apps 2024-10-13 13:44:16 +02:00			`speech-dispatcher = {`
			`enable = true;`
			`enforce = true;`
			`profile = ''`
			`include "${apparmor-d}/etc/apparmor.d/profiles-s-z/speech-dispatcher"`
			`'';`
			`};`
			`spotify = {`
			`enable = true;`
			`enforce = true;`
			`profile = ''`
			`include "${apparmor-d}/etc/apparmor.d/profiles-s-z/spotify"`
			`'';`
			`};`
			`thunderbird = {`
			`enable = true;`
			`enforce = true;`
			`profile = ''`
			`include "${apparmor-d}/etc/apparmor.d/profiles-s-z/thunderbird"`
			`'';`
			`};`
			`thunderbird-glxtest = {`
			`enable = true;`
			`enforce = true;`
			`profile = ''`
			`include "${apparmor-d}/etc/apparmor.d/profiles-s-z/thunderbird-glxtest"`
			`'';`
			`};`
			`xdg-open = {`
			`enable = true;`
			`enforce = true;`
			`profile = ''`
			`include "${apparmor-d}/etc/apparmor.d/groups/freedesktop/xdg-open"`
			`'';`
			`};`
			`child-open-any = {`
			`enable = true;`
			`enforce = true;`
			`profile = ''`
			`include "${apparmor-d}/etc/apparmor.d/groups/children/child-open-any"`
			`'';`
			`};`
			`child-open = {`
			`enable = true;`
			`enforce = true;`
			`profile = ''`
			`include "${apparmor-d}/etc/apparmor.d/groups/children/child-open"`
			`'';`
			`};`
firefox and pass in apparmor 2024-10-13 14:28:46 +02:00			`firefox-glxtest = {`
			`enable = true;`
			`enforce = true;`
			`profile = ''`
			`include "${apparmor-d}/etc/apparmor.d/groups/browsers/firefox-glxtest"`
			`'';`
			`};`
			`firefox = {`
			`enable = true;`
			`enforce = true;`
			`profile = ''`
			`include "${apparmor-d}/etc/apparmor.d/groups/browsers/firefox"`
			`'';`
			`};`
			`pass = {`
			`enable = true;`
			`enforce = true;`
			`profile = ''`
			`include "${apparmor-d}/etc/apparmor.d/profiles-m-r/pass"`
			`'';`
			`};`
osu part 1 2024-10-14 14:49:17 +02:00			`# gamemoded = {`
			`# enable = true;`
			`# enforce = true;`
			`# profile = ''`
			`# include "${apparmor-d}/etc/apparmor.d/profiles-g-l/gamemoded"`
			`# '';`
			`# };`

			`pkexec = {`
			`enable = false;`
			`enforce = false;`
			`# somehow this has conflicting imports and i have no clue how to fix it`
			`profile = ''`
			`include "${apparmor-d}/etc/apparmor.d/profiles-m-r/pkexec"`
			`'';`
			`};`

			`xdg-mime = {`
			`enable = true;`
			`enforce = false;`
			`# somehow this has conflicting imports and i have no clue how to fix it`
			`profile = ''`
			`include "${apparmor-d}/etc/apparmor.d/groups/freedesktop/xdg-mime"`
			`'';`
			`};`
			`mimetype = {`
			`enable = true;`
			`enforce = false;`
			`# somehow this has conflicting imports and i have no clue how to fix it`
			`profile = ''`
			`include "${apparmor-d}/etc/apparmor.d/profiles-m-r/mimetype"`
			`'';`
			`};`
make vesktop work 2024-10-12 21:01:10 +02:00			`};`
experimental apparmor support 2024-10-12 18:19:18 +02:00			`};`
			`}`