add basic userspace apps

This commit is contained in:
Grimmauld 2024-10-13 13:44:16 +02:00
parent d6e4ce8850
commit 3f1d9786bf
Signed by: Grimmauld
GPG Key ID: C2946668769F91FB
2 changed files with 101 additions and 14 deletions


@ -1,15 +1,16 @@
diff --git a/apparmor.d/tunables/multiarch.d/system b/apparmor.d/tunables/multiarch.d/system
index be37123f..1d61a671 100644
index be37123f..57df7990 100644
--- a/apparmor.d/tunables/multiarch.d/system
+++ b/apparmor.d/tunables/multiarch.d/system
@@ -106,8 +106,8 @@
@@ -106,8 +106,9 @@
@{MOUNTS}=@{MOUNTDIRS}/*/ @{run}/user/@{uid}/gvfs/
# Common places for binaries and libraries across distributions
-@{bin}=/{,usr/}{,s}bin
-@{lib}=/{,usr/}lib{,exec,32,64}
+@{bin}=/nix/store/*/bin
+@{lib}=/nix/store/*/lib
+@{base_paths} = /nix/store/* /etc/profiles/per-user/* /run/current-system/sw
+@{bin}=@{base_paths}/bin
+@{lib}=@{base_paths}/lib
# Common places for temporary files
@{tmp}=/tmp/ /tmp/user/@{uid}/
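Review bot: Two of the three prefixes in `@{base_paths} = /nix/store/* /etc/profiles/per-user/* /run/current-system/sw` are, on a typical NixOS system, trees of symlinks into `/nix/store`, and AppArmor matches file rules against the path the kernel has already resolved, so `@{bin}`/`@{lib}` alternatives built from those two prefixes will presumably never match a real open or exec; only the `/nix/store/*` alternative does the work (worth confirming against the paths reported in the audit log). If the symlink-farm prefixes are kept on purpose, a comment on the line above, such as `# /etc/profiles/per-user and /run/current-system/sw are symlink farms; rules effectively match on the /nix/store target`, would keep the next reader from relying on them. Note that `@{bin}=/nix/store/*/bin` also means any store path's `bin/` directory satisfies a `@{bin}/name` rule, so profile rules keyed on `@{bin}` are only as specific as the store contents.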


@ -6,8 +6,9 @@
}:
let
inherit (config.grimmShared) enable tooling;
inherit (lib) mkIf;
inherit (lib) mkIf optionalString getExe' getExe;
apparmor-d = pkgs.callPackage ./apparmor-d.nix {};
allowFingerprinting = true;
in
{
config = mkIf (enable && tooling.enable) {
@ -16,24 +17,60 @@ in
security.apparmor.packages = [ apparmor-d ];
security.apparmor.enable = true;
security.apparmor.includes = {
"local/vesktop" = ''
# @{lib}/libdl.so* mr,
# @{lib}/libglapi.so* mr,
# @{lib}/libc.so* mr,
# @{lib}/pluseaudio/** mr,
@{bin}/electron rix,
/nix/store/*/libexec/electron/** rix,
"abstractions/base" = ''
/nix/store/*/bin/** mr,
/nix/store/*/lib/** mr,
/nix/store/** r,
'';
"local/speech-dispatcher" = ''
${pkgs.speechd}/libexec/speech-dispatcher-modules/* rix,
@{PROC}/@{pid}/stat r,
@{bin}/mbrola rix,
'';
"local/thunderbird" = ''
${getExe' pkgs.thunderbird ".thunderbird-wrapped_"} rix,
/dev/urandom w,
'';
"local/xdg-open" = ''
${getExe' pkgs.coreutils "coreutils"} rix,
/proc/version r,
'';
"local/vesktop" = ''
@{bin}/electron rix,
/nix/store/*/libexec/electron/** rix,
@{bin}/speech-dispatcher rPx,
@{bin}/xdg-open rPx,
'' + (optionalString allowFingerprinting ''
/etc/machine-id r,
/dev/udmabuf rw,
/dev/ r,
/sys/devices/@{pci}boot_vga r,
/sys/devices/@{pci}idVendor r,
/sys/devices/@{pci}idProduct r,
'');
};
security.apparmor.policies = {
swaymux = {
enable = true;
enforce = true;
profile = ''
abi <abi/4.0>,
include <tunables/global>
profile swaymux ${getExe pkgs.swaymux} {
include <abstractions/base> # read access to /nix/store, basic presets for most apps
${pkgs.swaymux}/bin/* rix, # wrapping
owner @{user_config_dirs}/Kvantum/** r, # themeing
}
'';
};
vesktop = {
enable = true;
enforce = true;
@ -41,6 +78,55 @@ in
include "${apparmor-d}/etc/apparmor.d/profiles-s-z/vesktop"
'';
};
speech-dispatcher = {
enable = true;
enforce = true;
profile = ''
include "${apparmor-d}/etc/apparmor.d/profiles-s-z/speech-dispatcher"
'';
};
spotify = {
enable = true;
enforce = true;
profile = ''
include "${apparmor-d}/etc/apparmor.d/profiles-s-z/spotify"
'';
};
thunderbird = {
enable = true;
enforce = true;
profile = ''
include "${apparmor-d}/etc/apparmor.d/profiles-s-z/thunderbird"
'';
};
thunderbird-glxtest = {
enable = true;
enforce = true;
profile = ''
include "${apparmor-d}/etc/apparmor.d/profiles-s-z/thunderbird-glxtest"
'';
};
xdg-open = {
enable = true;
enforce = true;
profile = ''
include "${apparmor-d}/etc/apparmor.d/groups/freedesktop/xdg-open"
'';
};
child-open-any = {
enable = true;
enforce = true;
profile = ''
include "${apparmor-d}/etc/apparmor.d/groups/children/child-open-any"
'';
};
child-open = {
enable = true;
enforce = true;
profile = ''
include "${apparmor-d}/etc/apparmor.d/groups/children/child-open"
'';
};
};
};
}
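Review bot: The `"abstractions/base"` include grants every confined profile `/nix/store/*/bin/** mr`, `/nix/store/*/lib/** mr` and `/nix/store/** r`, so any program under AppArmor may read the entire store and map any store binary or library executable, and nothing in the file records why the per-profile `@{lib}`/`@{bin}` rules (which now resolve into the store through the patched tunables) were not sufficient. A comment above the three rules, e.g. `# NixOS: apparmor.d profiles assume FHS paths; each dependency lives in its own store path, so the shared base abstraction must admit the store`, would make the trade-off visible, and `/nix/store/*/bin/** mr` in particular looks wider than needed since the profiles that run store binaries already name them with `rix`/`rPx`. The `allowFingerprinting = true` let-binding switches on read access to `/etc/machine-id` and the PCI `idVendor`/`idProduct` files, a stable machine identifier, so it would be clearer as a module option or at least a commented constant rather than a bare literal. The enclosing `config = mkIf (enable && tooling.enable) {` block starts in the first hunk of this file, and the `security.apparmor.includes` set is cut across hunk boundaries.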