diff --git a/common/tooling/apparmor/apparmor-d-package.nix b/common/tooling/apparmor/apparmor-d-package.nix
index f0a636d..3f460d5 100644
--- a/common/tooling/apparmor/apparmor-d-package.nix
+++ b/common/tooling/apparmor/apparmor-d-package.nix
@@ -29,12 +29,9 @@ buildGoModule {
 postInstall = ''
 mkdir -p $out/etc
- DISTRIBUTION=arch $out/bin/prebuild --abi 4 # fixme: replace with nixos support once available
+ DISTRIBUTION=opensuse $out/bin/prebuild --abi 4 # fixme: replace with nixos support once available
 mv .build/apparmor.d $out/etc
-
- rm $out/etc/apparmor.d/abstractions/authentication.d/complete
-
 rm $out/bin/prebuild
 '';
diff --git a/common/tooling/apparmor/apparmor-d-paths.patch b/common/tooling/apparmor/apparmor-d-paths.patch
index 0e1dd3b..bdac765 100644
--- a/common/tooling/apparmor/apparmor-d-paths.patch
+++ b/common/tooling/apparmor/apparmor-d-paths.patch
@@ -1,8 +1,8 @@
 diff --git a/apparmor.d/tunables/multiarch.d/system b/apparmor.d/tunables/multiarch.d/system
-index be37123f..81ac4f20 100644
+index be37123f..9166eaee 100644
 --- a/apparmor.d/tunables/multiarch.d/system
 +++ b/apparmor.d/tunables/multiarch.d/system
-@@ -106,8 +106,19 @@
+@@ -106,8 +106,21 @@
 @{MOUNTS}=@{MOUNTDIRS}/*/ @{run}/user/@{uid}/gvfs/
 # Common places for binaries and libraries across distributions
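Review bot: The `fixme` comment on the `DISTRIBUTION=opensuse` line does not record why the prebuild layout was switched away from `arch`, and the `rm` of `abstractions/authentication.d/complete` is dropped without a word, so that abstraction is now shipped in `$out/etc/apparmor.d`. If the arch layout stopped producing usable paths under the new tunables, say so in the comment, e.g. `# opensuse layout: <reason placeholder> — fixme: replace with nixos support once available`. If keeping `authentication.d/complete` is deliberate, a one-line comment next to `mv .build/apparmor.d $out/etc` naming what depends on it would save the next reader a bisect.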
@@ -15,12 +15,26 @@ index be37123f..81ac4f20 100644
 +@{package16}=@{package8}@{package8}
 +@{package32}=@{package16}@{package16}
 +@{package64}=@{package32}@{package32}
-+@{nix_package_name}={@{package64},}{@{package32},}{@{package16},}{@{package8},}{@{package4},}{@{package2},}{@{package1},}
++@{nix_package_name}={@{package32},}{@{package16},}{@{package8},}{@{package4},}{@{package2},}{@{package1},}
++
++
 +
 +@{nix_store}=/nix/store/@{rand32}-@{nix_package_name}
-+@{base_paths}=@{nix_store} /etc/profiles/per-user/@{user} /run/current-system/sw
-+@{bin}=@{base_paths}/bin /{,usr/}{,s}bin
++@{base_paths}={@{nix_store},/run/current-system/sw,/etc/profiles/per-user/@{user}}
++@{bin}={@{base_paths}/bin,/{,usr/}{,s}bin}
 +@{lib}=@{base_paths}/lib
 # Common places for temporary files
 @{tmp}=/tmp/ /tmp/user/@{uid}/
+diff --git a/cmd/prebuild/main.go b/cmd/prebuild/main.go
+index 91f77e2e..ab4b8c5e 100644
+--- a/cmd/prebuild/main.go
++++ b/cmd/prebuild/main.go
+@@ -31,7 +31,6 @@ func init() {
+
+ // Build tasks applied by default
+ builder.Register(
+- "userspace", // Resolve variable in profile attachments
+ "hotfix", // Temporary fix for #74, #80 & #235
+ )
+
diff --git a/common/tooling/apparmor/default.nix b/common/tooling/apparmor/default.nix
index 8c37dc4..71df377 100644
--- a/common/tooling/apparmor/default.nix
+++ b/common/tooling/apparmor/default.nix
@@ -16,7 +16,7 @@ in
 security.auditd.enable = true;
 security.apparmor.enable = true;
- security.apparmor.enableCache = true;
+# security.apparmor.enableCache = true;
 security.apparmor_d = {
 enable = true;
@@ -37,6 +37,7 @@ in
 xdg-mime = "complain";
 mimetype = "complain";
 sudo = "complain";
+ "unix-chkpwd.apparmor.d" = "complain";
 };
 };
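Review bot: Dropping `{@{package64},}` from `@{nix_package_name}` caps the matched store name at 63 characters (1+2+4+8+16+32), so a store path whose `name-version` component is longer no longer matches `@{nix_store}`, and every rule built on `@{base_paths}`, `@{bin}` and `@{lib}` silently stops applying to that package (denials in the audit log rather than a parse error). If the cap is intentional, record it in the tunables patch next to the definition, e.g. `+# store names longer than 63 chars are not matched; re-add @{package64} if one shows up in denials`. The same hunk also deletes the `"userspace"` build task from `cmd/prebuild/main.go` without a note; since `@{base_paths}` and `@{bin}` were rewritten from space-separated lists to brace alternations at the same time, a comment linking the two changes (presumably variables used in attachments must now be single-valued) would explain why both were needed.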
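Review bot: `security.apparmor.enableCache` is commented out rather than removed, and nothing says why the policy cache is being turned off; either delete the line or keep it with the reason above it, e.g. `# enableCache off: <reason placeholder>`. The same commented-out-without-rationale pattern appears in the `"tunables/alias.d/store"` block added in the later `@@ -50,6 +51,13 @@` hunk of this file and in the `#      @{bin}/gdbus Cx -> bus,` line of `local/child-open`.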
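Review bot: The new key `"unix-chkpwd.apparmor.d"` does not follow the sibling entries (`xdg-mime`, `mimetype`, `sudo`), which are bare profile names; if the option is keyed by profile name this entry would not match anything and the profile would stay in its default mode, while the `rPx -> unix-chkpwd` transition and the `local/unix-chkpwd` snippet added later in this file refer to the profile as `unix-chkpwd`. Please confirm the suffix is what the module expects, or change the line to `unix-chkpwd = "complain";`, and add a short comment if the `.apparmor.d` form is genuinely required.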
@@ -50,6 +51,13 @@ in
 ${getExe' pkgs.coreutils-full "coreutils"} rix,
 '';
+# "tunables/alias.d/store" = ''
+# include
+# alias /bin -> @{bin},
+# alias /bin/ -> /nix/store/*/bin/,
+# '';
+
+
 "local/speech-dispatcher" = ''
 ${pkgs.speechd}/libexec/speech-dispatcher-modules/* rix,
 @{PROC}/@{pid}/stat r,
@@ -87,6 +95,33 @@ in
 "local/pkexec" = ''
 capability sys_ptrace,
 '';
+
+ "local/child-open" = ''
+ include
+ @{bin}/grep ix,
+ /@{PROC}/version r,
+# @{bin}/gdbus Cx -> bus,
+ @{bin}/gdbus Ux,
+ '';
+
+ "local/vesktop" = ''
+ /etc/machine-id r,
+ /dev/udmabuf rw,
+ /sys/devices/@{pci}/boot_vga r,
+ /sys/devices/@{pci}/**/id{Vendor,Product} r,
+ /dev/ r,
+ /run/current-system/sw/bin/xdg-open rPx,
+ '';
+
+ "local/sudo" = ''
+ @{nix_store}/libexec/sudo/** m,
+ /run/wrappers/wrappers.*/unix_chkpwd rPx -> unix-chkpwd,
+ '';
+
+ "local/unix-chkpwd" = ''
+ /run/wrappers/wrappers.*/unix_chkpwd rix,
+ @{bin}/unix_chkpwd rix,
+ '';
 };
 security.apparmor.policies = {
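Review bot: `@{bin}/gdbus Ux,` in `local/child-open` hands gdbus off unconfined (with environment scrubbing), the only unconfined transition among the added snippets, and the commented-out `Cx -> bus` line above it suggests the confined variant was tried and abandoned without saying what failed. Please add a comment stating the denial that forced `Ux` and a TODO to return to `Cx -> bus` or a dedicated child profile, e.g. `# TODO: gdbus runs unconfined; Cx -> bus fails with <denial placeholder>`; if no `bus` profile exists on this system, say that instead, since the commented line then documents something that cannot work. Separately, `/@{PROC}/version r,` carries a leading slash that `@{PROC}/@{pid}/stat r,` in `local/speech-dispatcher` does not; if `@{PROC}` already begins with `/`, the extra slash looks like a typo and should be dropped.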