add basic userspace apps
This commit is contained in:
parent
d6e4ce8850
commit
3f1d9786bf
2 changed files with 101 additions and 14 deletions
|
@ -1,15 +1,16 @@
|
||||||
diff --git a/apparmor.d/tunables/multiarch.d/system b/apparmor.d/tunables/multiarch.d/system
|
diff --git a/apparmor.d/tunables/multiarch.d/system b/apparmor.d/tunables/multiarch.d/system
|
||||||
index be37123f..1d61a671 100644
|
index be37123f..57df7990 100644
|
||||||
--- a/apparmor.d/tunables/multiarch.d/system
|
--- a/apparmor.d/tunables/multiarch.d/system
|
||||||
+++ b/apparmor.d/tunables/multiarch.d/system
|
+++ b/apparmor.d/tunables/multiarch.d/system
|
||||||
@@ -106,8 +106,8 @@
|
@@ -106,8 +106,9 @@
|
||||||
@{MOUNTS}=@{MOUNTDIRS}/*/ @{run}/user/@{uid}/gvfs/
|
@{MOUNTS}=@{MOUNTDIRS}/*/ @{run}/user/@{uid}/gvfs/
|
||||||
|
|
||||||
# Common places for binaries and libraries across distributions
|
# Common places for binaries and libraries across distributions
|
||||||
-@{bin}=/{,usr/}{,s}bin
|
-@{bin}=/{,usr/}{,s}bin
|
||||||
-@{lib}=/{,usr/}lib{,exec,32,64}
|
-@{lib}=/{,usr/}lib{,exec,32,64}
|
||||||
+@{bin}=/nix/store/*/bin
|
+@{base_paths} = /nix/store/* /etc/profiles/per-user/* /run/current-system/sw
|
||||||
+@{lib}=/nix/store/*/lib
|
+@{bin}=@{base_paths}/bin
|
||||||
|
+@{lib}=@{base_paths}/lib
|
||||||
|
|
||||||
# Common places for temporary files
|
# Common places for temporary files
|
||||||
@{tmp}=/tmp/ /tmp/user/@{uid}/
|
@{tmp}=/tmp/ /tmp/user/@{uid}/
|
||||||
|
|
|
@ -6,8 +6,9 @@
|
||||||
}:
|
}:
|
||||||
let
|
let
|
||||||
inherit (config.grimmShared) enable tooling;
|
inherit (config.grimmShared) enable tooling;
|
||||||
inherit (lib) mkIf;
|
inherit (lib) mkIf optionalString getExe' getExe;
|
||||||
apparmor-d = pkgs.callPackage ./apparmor-d.nix {};
|
apparmor-d = pkgs.callPackage ./apparmor-d.nix {};
|
||||||
|
allowFingerprinting = true;
|
||||||
in
|
in
|
||||||
{
|
{
|
||||||
config = mkIf (enable && tooling.enable) {
|
config = mkIf (enable && tooling.enable) {
|
||||||
|
@ -17,23 +18,59 @@ in
|
||||||
security.apparmor.packages = [ apparmor-d ];
|
security.apparmor.packages = [ apparmor-d ];
|
||||||
security.apparmor.enable = true;
|
security.apparmor.enable = true;
|
||||||
|
|
||||||
|
|
||||||
security.apparmor.includes = {
|
security.apparmor.includes = {
|
||||||
"local/vesktop" = ''
|
"abstractions/base" = ''
|
||||||
# @{lib}/libdl.so* mr,
|
|
||||||
# @{lib}/libglapi.so* mr,
|
|
||||||
# @{lib}/libc.so* mr,
|
|
||||||
# @{lib}/pluseaudio/** mr,
|
|
||||||
|
|
||||||
@{bin}/electron rix,
|
|
||||||
/nix/store/*/libexec/electron/** rix,
|
|
||||||
|
|
||||||
/nix/store/*/bin/** mr,
|
/nix/store/*/bin/** mr,
|
||||||
/nix/store/*/lib/** mr,
|
/nix/store/*/lib/** mr,
|
||||||
/nix/store/** r,
|
/nix/store/** r,
|
||||||
'';
|
'';
|
||||||
|
|
||||||
|
"local/speech-dispatcher" = ''
|
||||||
|
${pkgs.speechd}/libexec/speech-dispatcher-modules/* rix,
|
||||||
|
@{PROC}/@{pid}/stat r,
|
||||||
|
@{bin}/mbrola rix,
|
||||||
|
'';
|
||||||
|
|
||||||
|
"local/thunderbird" = ''
|
||||||
|
${getExe' pkgs.thunderbird ".thunderbird-wrapped_"} rix,
|
||||||
|
/dev/urandom w,
|
||||||
|
'';
|
||||||
|
|
||||||
|
"local/xdg-open" = ''
|
||||||
|
${getExe' pkgs.coreutils "coreutils"} rix,
|
||||||
|
/proc/version r,
|
||||||
|
'';
|
||||||
|
|
||||||
|
"local/vesktop" = ''
|
||||||
|
@{bin}/electron rix,
|
||||||
|
/nix/store/*/libexec/electron/** rix,
|
||||||
|
@{bin}/speech-dispatcher rPx,
|
||||||
|
@{bin}/xdg-open rPx,
|
||||||
|
'' + (optionalString allowFingerprinting ''
|
||||||
|
/etc/machine-id r,
|
||||||
|
/dev/udmabuf rw,
|
||||||
|
/dev/ r,
|
||||||
|
/sys/devices/@{pci}boot_vga r,
|
||||||
|
/sys/devices/@{pci}idVendor r,
|
||||||
|
/sys/devices/@{pci}idProduct r,
|
||||||
|
'');
|
||||||
};
|
};
|
||||||
|
|
||||||
security.apparmor.policies = {
|
security.apparmor.policies = {
|
||||||
|
swaymux = {
|
||||||
|
enable = true;
|
||||||
|
enforce = true;
|
||||||
|
profile = ''
|
||||||
|
abi <abi/4.0>,
|
||||||
|
include <tunables/global>
|
||||||
|
profile swaymux ${getExe pkgs.swaymux} {
|
||||||
|
include <abstractions/base> # read access to /nix/store, basic presets for most apps
|
||||||
|
${pkgs.swaymux}/bin/* rix, # wrapping
|
||||||
|
owner @{user_config_dirs}/Kvantum/** r, # themeing
|
||||||
|
}
|
||||||
|
'';
|
||||||
|
};
|
||||||
vesktop = {
|
vesktop = {
|
||||||
enable = true;
|
enable = true;
|
||||||
enforce = true;
|
enforce = true;
|
||||||
|
@ -41,6 +78,55 @@ in
|
||||||
include "${apparmor-d}/etc/apparmor.d/profiles-s-z/vesktop"
|
include "${apparmor-d}/etc/apparmor.d/profiles-s-z/vesktop"
|
||||||
'';
|
'';
|
||||||
};
|
};
|
||||||
|
speech-dispatcher = {
|
||||||
|
enable = true;
|
||||||
|
enforce = true;
|
||||||
|
profile = ''
|
||||||
|
include "${apparmor-d}/etc/apparmor.d/profiles-s-z/speech-dispatcher"
|
||||||
|
'';
|
||||||
|
};
|
||||||
|
spotify = {
|
||||||
|
enable = true;
|
||||||
|
enforce = true;
|
||||||
|
profile = ''
|
||||||
|
include "${apparmor-d}/etc/apparmor.d/profiles-s-z/spotify"
|
||||||
|
'';
|
||||||
|
};
|
||||||
|
thunderbird = {
|
||||||
|
enable = true;
|
||||||
|
enforce = true;
|
||||||
|
profile = ''
|
||||||
|
include "${apparmor-d}/etc/apparmor.d/profiles-s-z/thunderbird"
|
||||||
|
'';
|
||||||
|
};
|
||||||
|
thunderbird-glxtest = {
|
||||||
|
enable = true;
|
||||||
|
enforce = true;
|
||||||
|
profile = ''
|
||||||
|
include "${apparmor-d}/etc/apparmor.d/profiles-s-z/thunderbird-glxtest"
|
||||||
|
'';
|
||||||
|
};
|
||||||
|
xdg-open = {
|
||||||
|
enable = true;
|
||||||
|
enforce = true;
|
||||||
|
profile = ''
|
||||||
|
include "${apparmor-d}/etc/apparmor.d/groups/freedesktop/xdg-open"
|
||||||
|
'';
|
||||||
|
};
|
||||||
|
child-open-any = {
|
||||||
|
enable = true;
|
||||||
|
enforce = true;
|
||||||
|
profile = ''
|
||||||
|
include "${apparmor-d}/etc/apparmor.d/groups/children/child-open-any"
|
||||||
|
'';
|
||||||
|
};
|
||||||
|
child-open = {
|
||||||
|
enable = true;
|
||||||
|
enforce = true;
|
||||||
|
profile = ''
|
||||||
|
include "${apparmor-d}/etc/apparmor.d/groups/children/child-open"
|
||||||
|
'';
|
||||||
|
};
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
}
|
}
|
||||||
|
|
Loading…
Reference in a new issue