From 1e9f12df9f431fd755a7e7e2edfa202afa92a96d Mon Sep 17 00:00:00 2001
From: Grimmauld
Date: Wed, 16 Oct 2024 15:20:09 +0200
Subject: [PATCH] simplify module
---
 common/tooling/apparmor/apparmor-d-module.nix | 55 ++++--------------
 common/tooling/apparmor/default.nix | 56 +++++++------------
 2 files changed, 29 insertions(+), 82 deletions(-)
diff --git a/common/tooling/apparmor/apparmor-d-module.nix b/common/tooling/apparmor/apparmor-d-module.nix
index 3ec6ee2..f723206 100644
--- a/common/tooling/apparmor/apparmor-d-module.nix
+++ b/common/tooling/apparmor/apparmor-d-module.nix
@@ -5,65 +5,30 @@ ... }: let
- inherit (lib) mkIf mergeAttrsList last path;
+ inherit (lib) mkIf mapAttrs;
 cfg = config.security.apparmor_d;
 apparmor-d = pkgs.callPackage ./apparmor-d-package.nix {};
 in {
- options.security.apparmor_d = with lib; let
- profile = types.submodule ({ config, ... }: {
- options = {
- enable = mkOption {
- type = types.bool;
- default = true;
- description = "whether to enable this profile";
- };
-
- enforce = mkOption {
- type = types.bool;
- default = true;
- description = "whether to enforce this profile";
- };
-
- name = mkOption {
- type = types.nonEmptyStr;
- description = "name of the apparmor profile within apparmor.d";
- example = "vesktop";
- };
- };
- });
- in {
+ options.security.apparmor_d = with lib; {
 enable = mkEnableOption "enable apparmor.d support";
 profiles = mkOption {
- type = types.listOf (types.either types.nonEmptyStr profile);
- default = [];
+ type = types.attrsOf (types.enum [ "disable" "complain" "enforce" ]);
+ default = {};
 description = "set of apparmor profiles to include from apparmor.d";
 };
 };
- options.test = lib.mkOption { default = null; };
-
 config = mkIf (cfg.enable) {
 security.apparmor.packages = [ apparmor-d ];
- security.apparmor.policies = mergeAttrsList (map (p: if (builtins.isString p) then {
- "${p}" = {
- enable = true;
- enforce = true;
- profile = ''
- include "${apparmor-d}/etc/apparmor.d/${p}"
- '';
- };
- } else {
- ${p.name} = {
- inherit (p) enable enforce;
- profile = ''
- include "${apparmor-d}/etc/apparmor.d/${p.name}"
- '';
- };
- }) cfg.profiles );
-
+ security.apparmor.policies = mapAttrs (name: value: {
+ enable = value != "disable";
+ enforce = value == "enforce";
+ profile = ''include "${apparmor-d}/etc/apparmor.d/${name}"'';
+ }) cfg.profiles;
+
 environment.systemPackages = [ apparmor-d ];
 };
 }
diff --git a/common/tooling/apparmor/default.nix b/common/tooling/apparmor/default.nix
index 2b7f8e9..46c8a93 100644
--- a/common/tooling/apparmor/default.nix
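Review bot: The `profiles` option's `description` still says "set of apparmor profiles to include from apparmor.d" although the value is now an attribute set keyed by profile name whose value selects a mode, and the three enum values are not explained at the option; `complain` in particular only makes sense to a reader who already knows that `enforce = false` in `security.apparmor.policies` loads the policy in complain mode. Suggest `description = "apparmor.d profiles to load, keyed by profile name; the value selects the mode: \"enforce\", \"complain\" (loaded, violations only logged) or \"disable\" (not loaded)";`. Worth a comment as well, though unchanged from the old list form, is that a mistyped key yields an `include` of a non-existent file under `${apparmor-d}/etc/apparmor.d/`, which as far as visible here surfaces only when the policy is parsed on the target rather than at evaluation, so a profile believed to be enforced can be silently absent; an `assertions` entry checking each key against the package's profile list would catch this at build time if the package exposes such a list.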
+++ b/common/tooling/apparmor/default.nix
@@ -16,46 +16,27 @@ in
 security.auditd.enable = true;
 security.apparmor.enable = true;
- security.apparmor.enableCache = true;
+# security.apparmor.enableCache = true;
 security.apparmor_d = {
 enable = true;
- profiles = [
- "vesktop"
- "speech-dispatcher"
- "thunderbird-glxtest"
- # "firefox"
- "firefox.apparmor.d"
- "pass"
- "spotify"
- # "thunderbird"
- "thunderbird.apparmor.d"
- "xdg-open"
- "child-open-any"
- "child-open"
- "firefox-glxtest"
-# {
-# enable = true;
-# enforce = true;
-# name = "gamemoded";
-# };
- {
- enable = false;
- enforce = false;
- # somehow this has conflicting imports and i have no clue how to fix it
- name = "pkexec";
- }
- {
- enable = true;
- enforce = false;
- name = "xdg-mime";
- }
- {
- enable = true;
- enforce = false;
- name = "mimetype";
- }
- ];
+ profiles = {
+ vesktop = "enforce";
+ speech-dispatcher = "enforce";
+ thunderbird-glxtest = "enforce";
+ "firefox.apparmor.d" = "enforce";
+ pass = "enforce";
+ spotify = "enforce";
+ "thunderbird.apparmor.d" = "enforce";
+ xdg-open = "enforce";
+ child-open-any = "enforce";
+ child-open = "enforce";
+ firefox-glxtest = "enforce";
+ gamemoded = "disable";
+ pkexec = "disable";
+ xdg-mime = "complain";
+ mimetype = "complain";
+ };
 };
@@ -168,6 +149,7 @@ in
 ${getExe pkgs.bubblewrap} rix,
 /nix/store/*-osu-lazer-bin-*-bwrap ix,
 /nix/store/*-osu-lazer-bin-*-init ix,
+ /nix/store/*-container-init ix,
 /nix/store/*-osu-lazer-bin-*-extracted/** rk,
 /nix/store/*-osu-lazer-bin-*-extracted/AppRun ix,
 /nix/store/*-osu-lazer-bin-*-extracted/usr/bin/** ix,
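Review bot: The rationale for `pkexec = "disable"` is lost: the removed list entry carried the comment `# somehow this has conflicting imports and i have no clue how to fix it`, and the new attribute set keeps the disabled state with no explanation, so the next reader cannot tell a deliberate exclusion from a forgotten one. Suggest `pkexec = "disable"; # profile has conflicting imports and fails to load, not yet resolved`. The same applies to `+# security.apparmor.enableCache = true;`, which is commented out at column 0 with no reason given; either drop the line or state in a comment why the cache is off, otherwise it reads as an accident. The enclosing attribute set continues outside the hunk.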
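Review bot: The added rule `/nix/store/*-container-init ix,` is broader than its neighbours: every other path in this stretch is pinned to `*-osu-lazer-bin-*`, whereas this glob lets the confined process execute, with the profile inherited via `ix`, any store path whose name ends in `-container-init`, regardless of which package produced it. If the init script is an attribute of the osu-lazer derivation, interpolating its store path the way `${getExe pkgs.bubblewrap}` is interpolated on the first context line scopes the rule to the exact file; otherwise a comment naming which package's `container-init` this is meant for would at least record the intent. The profile string this rule belongs to starts and ends outside the hunk.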