use intended tooling: allows nixos-specific support in apparmor.d

This commit is contained in:
Grimmauld 2024-10-15 23:31:58 +02:00
parent 88457f7cbe
commit 2cd93f01d9
Signed by: Grimmauld
GPG Key ID: C2946668769F91FB
3 changed files with 50 additions and 34 deletions


@ -26,16 +26,9 @@ let
description = "whether to enforce this profile"; description = "whether to enforce this profile";
}; };
path = mkOption {
type = types.nonEmptyStr;
description = "path of the apparmor profile within apparmor.d, as copied from github";
example = "apparmor.d/profiles-s-z/vesktop";
};
name = mkOption { name = mkOption {
type = types.nonEmptyStr; type = types.nonEmptyStr;
description = "Name of the profile as placed in /etc/apparmor.d. Default is the profile name as given in apparmor.d."; description = "name of the apparmor profile within apparmor.d";
default = last (path.subpath.components config.path);
example = "vesktop"; example = "vesktop";
}; };
}; };
@ -54,21 +47,23 @@ let
config = mkIf (cfg.enable) { config = mkIf (cfg.enable) {
security.apparmor.packages = [ apparmor-d ]; security.apparmor.packages = [ apparmor-d ];
security.apparmor.policies = mergeAttrsList (map (p: if (builtins.isString p) then (let name = last (path.subpath.components p); in { security.apparmor.policies = mergeAttrsList (map (p: if (builtins.isString p) then {
"${name}" = { "${p}" = {
enable = true; enable = true;
enforce = true; enforce = true;
profile = '' profile = ''
include "${apparmor-d}/etc/${p}" include "${apparmor-d}/etc/apparmor.d/${p}"
''; '';
}; };
}) else { } else {
${p.name} = { ${p.name} = {
inherit (p) enable enforce; inherit (p) enable enforce;
profile = '' profile = ''
include "${apparmor-d}/etc/${p.path}" include "${apparmor-d}/etc/apparmor.d/${p.name}"
''; '';
}; };
}) cfg.profiles ); }) cfg.profiles );
environment.systemPackages = [ apparmor-d ];
}; };
} }
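Review bot: The new `name` value is spliced unvalidated into both the policy attribute name and the `include` path (`${apparmor-d}/etc/apparmor.d/${p.name}` and the string form's `${p}`), yet its type is still `types.nonEmptyStr`, so a value containing `/` or `..` resolves outside the apparmor.d output and only fails later when apparmor_parser loads the policy. Tightening the option to `type = types.strMatching "[^/]+";` gives an evaluation-time error instead. The option's new description should also state what the value is used for, e.g. `description = "File name of the profile under apparmor.d's generated output; used both as the policy name in /etc/apparmor.d and as the include path";`. Note that the string form hardcodes `enforce = true`, which the description does not mention. The `let` block these options live in starts before the first hunk.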


@ -1,5 +1,5 @@
{ stdenv, fetchFromGitHub }: { buildGoModule, fetchFromGitHub, git, lib }:
stdenv.mkDerivation rec { buildGoModule {
pname = "apparmor-d"; pname = "apparmor-d";
version = "unstable-2024-10-12"; version = "unstable-2024-10-12";
@ -9,16 +9,35 @@ stdenv.mkDerivation rec {
repo = "apparmor.d"; repo = "apparmor.d";
hash = "sha256-Yx9UJdmBqjMSPVwFyvidQXfQ4pdEKaDMfvi7gF6GSVc="; hash = "sha256-Yx9UJdmBqjMSPVwFyvidQXfQ4pdEKaDMfvi7gF6GSVc=";
}; };
vendorHash = "sha256-YkOcpzn5AKFMDWUYbKY8DzGMiIMSyaDfexFmXv5HNQI=";
doCheck = false; doCheck = false;
dontBuild = true; #dontBuild = true;
nativeBuildInputs = [ git ];
patches = [ patches = [
./apparmor-d-paths.patch ./apparmor-d-paths.patch
]; ];
installPhase = '' postInstall = ''
mkdir -p $out/etc mkdir -p $out/etc build/apparmor.d
cp -r apparmor.d $out/etc
rm $out/bin/cmd $out/bin/aa
mv $out/bin/prebuild build/prebuild
DISTRIBUTION=arch ./build/prebuild --complain --abi 4 # fixme: replace with nixos support once available
mv .build/apparmor.d $out/etc
''; '';
meta = {
description = "Full set of AppArmor profiles (~ 1500 profiles) ";
homepage = "https://github.com/roddhjav/apparmor.d";
license = lib.licenses.gpl2Only;
mainProgram = "aa-log";
maintainers = with lib.maintainers; [ grimmauld ];
platforms = lib.platforms.linux;
};
} }
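Review bot: `prebuild --complain` in postInstall presumably rewrites every generated profile as complain-only, which would make the module's `enforce = true` policies (set in the companion module file) ineffective until that flag is dropped; if that is the case the inline comment should say so, e.g. `# fixme: replace with nixos support once available; --complain marks every generated profile complain-only, so the module's enforce option likely has no effect until this is removed`. The same phase creates `build/apparmor.d` with mkdir but then moves `.build/apparmor.d` to `$out/etc`; if these are meant to be the same directory one of them is a typo, and if prebuild writes to `.build` on its own the mkdir of `build/apparmor.d` is dead. `--abi 4` pins the generated policies to AppArmor ABI 4, which is worth a comment since hosts whose parser or kernel lack that ABI will reject them at load time. The `meta` block's description has a trailing space before the closing quote.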


@ -21,37 +21,39 @@ in
security.apparmor_d = { security.apparmor_d = {
enable = true; enable = true;
profiles = [ profiles = [
"apparmor.d/profiles-s-z/vesktop" "vesktop"
"apparmor.d/profiles-s-z/speech-dispatcher" "speech-dispatcher"
"apparmor.d/profiles-s-z/thunderbird-glxtest" "thunderbird-glxtest"
"apparmor.d/groups/browsers/firefox" # "firefox"
"apparmor.d/profiles-m-r/pass" "firefox.apparmor.d"
"apparmor.d/profiles-s-z/spotify" "pass"
"apparmor.d/profiles-s-z/thunderbird" "spotify"
"apparmor.d/groups/freedesktop/xdg-open" # "thunderbird"
"apparmor.d/groups/children/child-open-any" "thunderbird.apparmor.d"
"apparmor.d/groups/children/child-open" "xdg-open"
"apparmor.d/groups/browsers/firefox-glxtest" "child-open-any"
"child-open"
"firefox-glxtest"
# { # {
# enable = true; # enable = true;
# enforce = true; # enforce = true;
# path = "apparmor.d/profiles-g-l/gamemoded"; # name = "gamemoded";
# }; # };
{ {
enable = false; enable = false;
enforce = false; enforce = false;
# somehow this has conflicting imports and i have no clue how to fix it # somehow this has conflicting imports and i have no clue how to fix it
path = "apparmor.d/profiles-m-r/pkexec"; name = "pkexec";
} }
{ {
enable = true; enable = true;
enforce = false; enforce = false;
path = "apparmor.d/groups/freedesktop/xdg-mime"; name = "xdg-mime";
} }
{ {
enable = true; enable = true;
enforce = false; enforce = false;
path = "apparmor.d/profiles-m-r/mimetype"; name = "mimetype";
} }
]; ];
}; };