fix pattern matching and sudo

common/tooling/apparmor/apparmor-d-package.nix

@@ -29,12 +29,9 @@ buildGoModule {
   postInstall = ''
     mkdir -p $out/etc
     
-    DISTRIBUTION=arch $out/bin/prebuild --abi 4 # fixme: replace with nixos support once available
+    DISTRIBUTION=opensuse $out/bin/prebuild --abi 4 # fixme: replace with nixos support once available
     
     mv .build/apparmor.d $out/etc
-
-    rm $out/etc/apparmor.d/abstractions/authentication.d/complete
-    
     rm $out/bin/prebuild
   '';
 

common/tooling/apparmor/apparmor-d-paths.patch

@@ -1,8 +1,8 @@
 diff --git a/apparmor.d/tunables/multiarch.d/system b/apparmor.d/tunables/multiarch.d/system
-index be37123f..81ac4f20 100644
+index be37123f..9166eaee 100644
 --- a/apparmor.d/tunables/multiarch.d/system
 +++ b/apparmor.d/tunables/multiarch.d/system
-@@ -106,8 +106,19 @@
+@@ -106,8 +106,21 @@
  @{MOUNTS}=@{MOUNTDIRS}/*/ @{run}/user/@{uid}/gvfs/
  
  # Common places for binaries and libraries across distributions
@@ -15,12 +15,26 @@ index be37123f..81ac4f20 100644
 +@{package16}=@{package8}@{package8}
 +@{package32}=@{package16}@{package16}
 +@{package64}=@{package32}@{package32}
-+@{nix_package_name}={@{package64},}{@{package32},}{@{package16},}{@{package8},}{@{package4},}{@{package2},}{@{package1},}
++@{nix_package_name}={@{package32},}{@{package16},}{@{package8},}{@{package4},}{@{package2},}{@{package1},}
++
++
 +
 +@{nix_store}=/nix/store/@{rand32}-@{nix_package_name}
-+@{base_paths}=@{nix_store} /etc/profiles/per-user/@{user} /run/current-system/sw
++@{base_paths}={@{nix_store},/run/current-system/sw,/etc/profiles/per-user/@{user}}
-+@{bin}=@{base_paths}/bin /{,usr/}{,s}bin
++@{bin}={@{base_paths}/bin,/{,usr/}{,s}bin}
 +@{lib}=@{base_paths}/lib
  
  # Common places for temporary files
  @{tmp}=/tmp/ /tmp/user/@{uid}/
+diff --git a/cmd/prebuild/main.go b/cmd/prebuild/main.go
+index 91f77e2e..ab4b8c5e 100644
+--- a/cmd/prebuild/main.go
++++ b/cmd/prebuild/main.go
+@@ -31,7 +31,6 @@ func init() {
+ 
+ 	// Build tasks applied by default
+ 	builder.Register(
+-		"userspace", // Resolve variable in profile attachments
+ 		"hotfix",    // Temporary fix for #74, #80 & #235
+ 	)
+ 

common/tooling/apparmor/default.nix

@@ -16,7 +16,7 @@ in
     security.auditd.enable = true;
     
     security.apparmor.enable = true;
-    security.apparmor.enableCache = true;
+#    security.apparmor.enableCache = true;
 
     security.apparmor_d = {
       enable = true;
@@ -37,6 +37,7 @@ in
         xdg-mime = "complain";
         mimetype = "complain";
         sudo = "complain";
+        "unix-chkpwd.apparmor.d" = "complain";
       };
     };
     
@@ -50,6 +51,13 @@ in
         ${getExe' pkgs.coreutils-full "coreutils"} rix,
       '';
 
+#      "tunables/alias.d/store" = ''
+#        include <tunables/global>
+#        alias /bin -> @{bin},
+#        alias /bin/ -> /nix/store/*/bin/,
+#      '';
+
+
       "local/speech-dispatcher" = ''
         ${pkgs.speechd}/libexec/speech-dispatcher-modules/* rix,
         @{PROC}/@{pid}/stat r,
@@ -87,6 +95,33 @@ in
       "local/pkexec" = ''
         capability sys_ptrace,
       '';
+
+      "local/child-open" = ''
+        include <abstractions/app/bus>
+        @{bin}/grep ix,
+        /@{PROC}/version r,
+#        @{bin}/gdbus Cx -> bus,
+        @{bin}/gdbus Ux,
+      '';
+
+      "local/vesktop" = ''
+        /etc/machine-id r,
+        /dev/udmabuf rw,
+        /sys/devices/@{pci}/boot_vga r,
+        /sys/devices/@{pci}/**/id{Vendor,Product} r,
+        /dev/ r,
+        /run/current-system/sw/bin/xdg-open rPx,
+      '';
+
+      "local/sudo" = ''
+        @{nix_store}/libexec/sudo/** m,
+        /run/wrappers/wrappers.*/unix_chkpwd rPx -> unix-chkpwd,
+      '';
+
+      "local/unix-chkpwd" = ''
+        /run/wrappers/wrappers.*/unix_chkpwd rix,
+        @{bin}/unix_chkpwd rix,
+      '';
     };
     
     security.apparmor.policies = {