From 3f1d9786bf47acd46c3737174935a3dbdec9d643 Mon Sep 17 00:00:00 2001 From: Grimmauld Date: Sun, 13 Oct 2024 13:44:16 +0200 Subject: [PATCH] add basic userspace apps --- .../tooling/apparmor/apparmor-d-paths.patch | 9 +- common/tooling/apparmor/default.nix | 106 ++++++++++++++++-- 2 files changed, 101 insertions(+), 14 deletions(-) diff --git a/common/tooling/apparmor/apparmor-d-paths.patch b/common/tooling/apparmor/apparmor-d-paths.patch index 222adb4..16a2643 100644 --- a/common/tooling/apparmor/apparmor-d-paths.patch +++ b/common/tooling/apparmor/apparmor-d-paths.patch @@ -1,15 +1,16 @@ diff --git a/apparmor.d/tunables/multiarch.d/system b/apparmor.d/tunables/multiarch.d/system -index be37123f..1d61a671 100644 +index be37123f..57df7990 100644 --- a/apparmor.d/tunables/multiarch.d/system +++ b/apparmor.d/tunables/multiarch.d/system -@@ -106,8 +106,8 @@ +@@ -106,8 +106,9 @@ @{MOUNTS}=@{MOUNTDIRS}/*/ @{run}/user/@{uid}/gvfs/ # Common places for binaries and libraries across distributions -@{bin}=/{,usr/}{,s}bin -@{lib}=/{,usr/}lib{,exec,32,64} -+@{bin}=/nix/store/*/bin -+@{lib}=/nix/store/*/lib ++@{base_paths} = /nix/store/* /etc/profiles/per-user/* /run/current-system/sw ++@{bin}=@{base_paths}/bin ++@{lib}=@{base_paths}/lib # Common places for temporary files @{tmp}=/tmp/ /tmp/user/@{uid}/ diff --git a/common/tooling/apparmor/default.nix b/common/tooling/apparmor/default.nix index 9f2e665..bfeaf5b 100644 --- a/common/tooling/apparmor/default.nix +++ b/common/tooling/apparmor/default.nix @@ -6,8 +6,9 @@ }: let inherit (config.grimmShared) enable tooling; - inherit (lib) mkIf; + inherit (lib) mkIf optionalString getExe' getExe; apparmor-d = pkgs.callPackage ./apparmor-d.nix {}; + allowFingerprinting = true; in { config = mkIf (enable && tooling.enable) { 
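Review bot: AppArmor file rules are matched against the path the kernel resolves, not against a symlink, so the two new members of `@{base_paths}` — `/etc/profiles/per-user/*` and `/run/current-system/sw`, which on NixOS are symlinks or directories of symlinks into `/nix/store` — are unlikely to ever match a real access; confirm against audit denials before relying on them. If they turn out to be no-ops, `@{bin}=/nix/store/*/bin` already covers every binary and the extra alternations only make the variable read wider than it is. Either way a one-line note above the assignment would spare the next reader the same investigation, e.g. `# NixOS: every binary/library resolves into /nix/store; the profile and system paths are symlinks to it`. The inner hunk being patched is only partly visible here, so this is judged from the three replaced tunable lines alone.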
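Review bot: `allowFingerprinting = true;` is a bare let-binding with no comment, so a reader of this file cannot tell that it gates extra read access for the vesktop profile (machine-id and PCI vendor/product ids, per the later include) and that it is switched on for every host importing this module. I would document it in place, `# lets vesktop read /etc/machine-id and PCI ids (see local/vesktop below); set false to deny`, or lift it to a module option alongside `tooling.enable` so it can be toggled per host without editing this file. The `config` attrset opened on the hunk's last line continues past the hunk.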
@@ -16,24 +17,60 @@ in security.apparmor.packages = [ apparmor-d ]; security.apparmor.enable = true; + security.apparmor.includes = { - "local/vesktop" = '' -# @{lib}/libdl.so* mr, -# @{lib}/libglapi.so* mr, -# @{lib}/libc.so* mr, -# @{lib}/pluseaudio/** mr, - - @{bin}/electron rix, - /nix/store/*/libexec/electron/** rix, - + "abstractions/base" = '' /nix/store/*/bin/** mr, /nix/store/*/lib/** mr, /nix/store/** r, ''; + + "local/speech-dispatcher" = '' + ${pkgs.speechd}/libexec/speech-dispatcher-modules/* rix, + @{PROC}/@{pid}/stat r, + @{bin}/mbrola rix, + ''; + + "local/thunderbird" = '' + ${getExe' pkgs.thunderbird ".thunderbird-wrapped_"} rix, + /dev/urandom w, + ''; + + "local/xdg-open" = '' + ${getExe' pkgs.coreutils "coreutils"} rix, + /proc/version r, + ''; + + "local/vesktop" = '' + @{bin}/electron rix, + /nix/store/*/libexec/electron/** rix, + @{bin}/speech-dispatcher rPx, + @{bin}/xdg-open rPx, + '' + (optionalString allowFingerprinting '' + /etc/machine-id r, + /dev/udmabuf rw, + /dev/ r, + /sys/devices/@{pci}boot_vga r, + /sys/devices/@{pci}idVendor r, + /sys/devices/@{pci}idProduct r, + ''); }; security.apparmor.policies = { + swaymux = { + enable = true; + enforce = true; + profile = '' + abi , + include + profile swaymux ${getExe pkgs.swaymux} { + include # read access to /nix/store, basic presets for most apps + ${pkgs.swaymux}/bin/* rix, # wrapping + owner @{user_config_dirs}/Kvantum/** r, # themeing + } + ''; + }; vesktop = { enable = true; enforce = true; 
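Review bot: The new `abstractions/base` include grants `mr` on every `/nix/store/*/bin/**` and `/nix/store/*/lib/**` to every profile that pulls in the base abstraction, which turns the previous vesktop-only mmap grant into a global one; on NixOS that is probably unavoidable, since libraries exist nowhere but the store, but the widening should be stated in the include so it reads as deliberate, e.g. `# NixOS: all libraries live in the store, so every confined app needs mmap on it — this is the main confinement gap`. The `optionalString allowFingerprinting` block also mixes `/dev/udmabuf rw` and `/dev/ r` with the machine-id and PCI-id reads; only the latter look like fingerprinting, so the device rules may belong in the unconditional part (confirm which vesktop feature needs udmabuf). In the swaymux profile the `abi`/`include` targets appear without their `<...>` operands in this rendering; if that is not a display artifact the profile will not parse. The `config` attrset enclosing these options starts and ends outside the hunk.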
@@ -41,6 +78,55 @@ in
           include "${apparmor-d}/etc/apparmor.d/profiles-s-z/vesktop"
         '';
       };
+      speech-dispatcher = {
+        enable = true;
+        enforce = true;
+        profile = ''
+          include "${apparmor-d}/etc/apparmor.d/profiles-s-z/speech-dispatcher"
+        '';
+      };
+      spotify = {
+        enable = true;
+        enforce = true;
+        profile = ''
+          include "${apparmor-d}/etc/apparmor.d/profiles-s-z/spotify"
+        '';
+      };
+      thunderbird = {
+        enable = true;
+        enforce = true;
+        profile = ''
+          include "${apparmor-d}/etc/apparmor.d/profiles-s-z/thunderbird"
+        '';
+      };
+      thunderbird-glxtest = {
+        enable = true;
+        enforce = true;
+        profile = ''
+          include "${apparmor-d}/etc/apparmor.d/profiles-s-z/thunderbird-glxtest"
+        '';
+      };
+      xdg-open = {
+        enable = true;
+        enforce = true;
+        profile = ''
+          include "${apparmor-d}/etc/apparmor.d/groups/freedesktop/xdg-open"
+        '';
+      };
+      child-open-any = {
+        enable = true;
+        enforce = true;
+        profile = ''
+          include "${apparmor-d}/etc/apparmor.d/groups/children/child-open-any"
+        '';
+      };
+      child-open = {
+        enable = true;
+        enforce = true;
+        profile = ''
+          include "${apparmor-d}/etc/apparmor.d/groups/children/child-open"
+        '';
+      };
     };
   };
 }
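Review bot: The seven new policies are the same three-field shape differing only in the apparmor.d path, so a small helper would make the list scannable and make "enabled and enforced" a single decision rather than fourteen repeated flags; the `security.apparmor.policies = {` line that opens this set is in the previous hunk. A local `let` around the attrset keeps the change inside this file, and `vesktop` (whose body is only partly visible here) could take the same helper. Separately, `child-open-any` is, as its name suggests, the permissive opener in apparmor.d; if it falls back to running unknown programs unconfined, confirm which of the enabled profiles actually transition to it before enforcing it on every host. The closing `};`/`}` lines at the end belong to the enclosing module, not to this set.
```nix
security.apparmor.policies = let
  # Enable and enforce an upstream apparmor.d profile by its path under etc/apparmor.d.
  mkAppArmorD = path: {
    enable = true;
    enforce = true;
    profile = ''
      include "${apparmor-d}/etc/apparmor.d/${path}"
    '';
  };
in {
  # … unchanged: swaymux and vesktop definitions …
  speech-dispatcher = mkAppArmorD "profiles-s-z/speech-dispatcher";
  spotify = mkAppArmorD "profiles-s-z/spotify";
  thunderbird = mkAppArmorD "profiles-s-z/thunderbird";
  thunderbird-glxtest = mkAppArmorD "profiles-s-z/thunderbird-glxtest";
  xdg-open = mkAppArmorD "groups/freedesktop/xdg-open";
  child-open-any = mkAppArmorD "groups/children/child-open-any";
  child-open = mkAppArmorD "groups/children/child-open";
};
```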