a little more useable apparmor.d profile integration

2024-10-15 21:35:53 +02:00 · 2024-10-15 21:35:53 +02:00 · 88457f7cbe
commit 88457f7cbe
parent f781c73d8d
4 changed files with 118 additions and 118 deletions
--- a/common/tooling/apparmor/apparmor-d-module.nix
+++ b/common/tooling/apparmor/apparmor-d-module.nix
@ -0,0 +1,74 @@
+{
+  pkgs,
+  config,
+  lib,
+  ...
+}:
+let
+  inherit (lib) mkIf mergeAttrsList last path;
+
+  cfg = config.security.apparmor_d;
+  apparmor-d = pkgs.callPackage ./apparmor-d-package.nix {};
+  in
+{
+  options.security.apparmor_d = with lib; let 
+    profile = types.submodule ({ config, ... }: {
+      options = {
+      enable = mkOption {
+        type = types.bool;
+        default = true;
+        description = "whether to enable this profile";
+      };
+
+      enforce = mkOption {
+        type = types.bool;
+        default = true;
+        description = "whether to enforce this profile";
+      };
+
+      path = mkOption {
+        type = types.nonEmptyStr;
+        description = "path of the apparmor profile within apparmor.d, as copied from github";
+        example = "apparmor.d/profiles-s-z/vesktop";
+      };
+
+      name = mkOption {
+        type = types.nonEmptyStr;
+        description = "Name of the profile as placed in /etc/apparmor.d. Default is the profile name as given in apparmor.d.";
+        default = last (path.subpath.components config.path);
+        example = "vesktop";
+      };
+      };
+    });
+  in {
+    enable = mkEnableOption "enable apparmor.d support";
+
+    profiles = mkOption {
+      type = types.listOf (types.either types.nonEmptyStr profile);
+      default = [];
+      description = "set of apparmor profiles to include from apparmor.d";
+    };
+  };
+
+  options.test = lib.mkOption { default = null; };
+  
+  config = mkIf (cfg.enable) {
+    security.apparmor.packages = [ apparmor-d ];
+    security.apparmor.policies = mergeAttrsList (map (p: if (builtins.isString p) then (let name = last (path.subpath.components p); in {
+      "${name}" = {
+        enable = true;
+        enforce = true;
+        profile = ''
+          include "${apparmor-d}/etc/${p}"
+        '';
+      };
+    }) else {
+      ${p.name} = {
+        inherit (p) enable enforce;
+        profile = ''
+          include "${apparmor-d}/etc/${p.path}"
+        '';
+      };
+    }) cfg.profiles );
+  };
+}
--- a/common/tooling/apparmor/apparmor-d-package.nix
+++ b/common/tooling/apparmor/apparmor-d-package.nix
--- a/common/tooling/apparmor/default.nix
+++ b/common/tooling/apparmor/default.nix
@ -7,16 +7,54 @@
 let
  inherit (config.grimmShared) enable tooling;
  inherit (lib) mkIf optionalString getExe' getExe;
-  apparmor-d = pkgs.callPackage ./apparmor-d.nix {};
  allowFingerprinting = true;
 in
 {
+  imports = [ ./apparmor-d-module.nix ];
+  
  config = mkIf (enable && tooling.enable) {
    services.dbus.apparmor = "enabled";
    security.auditd.enable = true;
    
-    security.apparmor.packages = [ apparmor-d ];
    security.apparmor.enable = true;
+
+    security.apparmor_d = {
+      enable = true;
+      profiles = [
+        "apparmor.d/profiles-s-z/vesktop"
+        "apparmor.d/profiles-s-z/speech-dispatcher"
+        "apparmor.d/profiles-s-z/thunderbird-glxtest"
+        "apparmor.d/groups/browsers/firefox"
+        "apparmor.d/profiles-m-r/pass"
+        "apparmor.d/profiles-s-z/spotify"
+        "apparmor.d/profiles-s-z/thunderbird"
+        "apparmor.d/groups/freedesktop/xdg-open"
+        "apparmor.d/groups/children/child-open-any"
+        "apparmor.d/groups/children/child-open"
+        "apparmor.d/groups/browsers/firefox-glxtest"
+#      {
+#        enable = true;
+#        enforce = true;
+#        path = "apparmor.d/profiles-g-l/gamemoded";
+#      };
+        {
+          enable = false;
+          enforce = false;
+          # somehow this has conflicting imports and i have no clue how to fix it
+          path = "apparmor.d/profiles-m-r/pkexec";
+        }
+        {
+          enable = true;
+          enforce = false;
+          path = "apparmor.d/groups/freedesktop/xdg-mime";
+        }
+        {
+          enable = true;
+          enforce = false;
+          path = "apparmor.d/profiles-m-r/mimetype";
+        }      
+      ];
+    };
    

    security.apparmor.includes = {
@ -189,118 +227,6 @@ in
          }
        '';
      };
-
-      
-      vesktop = {
-        enable = true;
-        enforce = true;
-        profile = ''
-          include "${apparmor-d}/etc/apparmor.d/profiles-s-z/vesktop"
-        '';
-      };
-      speech-dispatcher = {
-        enable = true;
-        enforce = true;
-        profile = ''
-          include "${apparmor-d}/etc/apparmor.d/profiles-s-z/speech-dispatcher"
-        '';
-      };
-      spotify = {
-        enable = true;
-        enforce = true;
-        profile = ''
-          include "${apparmor-d}/etc/apparmor.d/profiles-s-z/spotify"
-        '';
-      };
-      thunderbird = {
-        enable = true;
-        enforce = true;
-        profile = ''
-          include "${apparmor-d}/etc/apparmor.d/profiles-s-z/thunderbird"
-        '';
-      };
-      thunderbird-glxtest = {
-        enable = true;
-        enforce = true;
-        profile = ''
-          include "${apparmor-d}/etc/apparmor.d/profiles-s-z/thunderbird-glxtest"
-        '';
-      };
-      xdg-open = {
-        enable = true;
-        enforce = true;
-        profile = ''
-          include "${apparmor-d}/etc/apparmor.d/groups/freedesktop/xdg-open"
-        '';
-      };
-      child-open-any = {
-        enable = true;
-        enforce = true;
-        profile = ''
-          include "${apparmor-d}/etc/apparmor.d/groups/children/child-open-any"
-        '';
-      };
-      child-open = {
-        enable = true;
-        enforce = true;
-        profile = ''
-          include "${apparmor-d}/etc/apparmor.d/groups/children/child-open"
-        '';
-      };
-      firefox-glxtest = {
-        enable = true;
-        enforce = true;
-        profile = ''
-          include "${apparmor-d}/etc/apparmor.d/groups/browsers/firefox-glxtest"
-        '';
-      };
-      firefox = {
-        enable = true;
-        enforce = true;
-        profile = ''
-          include "${apparmor-d}/etc/apparmor.d/groups/browsers/firefox"
-        '';
-      };
-      pass = {
-        enable = true;
-        enforce = true;
-        profile = ''
-          include "${apparmor-d}/etc/apparmor.d/profiles-m-r/pass"
-        '';
-      };
-#      gamemoded = {
-#        enable = true;
-#        enforce = true;
-#        profile = ''
-#          include "${apparmor-d}/etc/apparmor.d/profiles-g-l/gamemoded"
-#        '';
-#      };
-
-      pkexec = {
-        enable = false;
-        enforce = false;
-        # somehow this has conflicting imports and i have no clue how to fix it
-        profile = ''
-          include "${apparmor-d}/etc/apparmor.d/profiles-m-r/pkexec"
-        '';
-      };
-
-      xdg-mime = {
-        enable = true;
-        enforce = false;
-        # somehow this has conflicting imports and i have no clue how to fix it
-        profile = ''
-          include "${apparmor-d}/etc/apparmor.d/groups/freedesktop/xdg-mime"
-        '';
-      };
-      mimetype = {
-        enable = true;
-        enforce = false;
-        # somehow this has conflicting imports and i have no clue how to fix it
-        profile = ''
-          include "${apparmor-d}/etc/apparmor.d/profiles-m-r/mimetype"
-        '';
-      };
    };
  };
 }
--- a/nix/sources.json
+++ b/nix/sources.json
@ -41,10 +41,10 @@
        "homepage": "https://nyx.chaotic.cx",
        "owner": "chaotic-cx",
        "repo": "nyx",
-        "rev": "d73c548a001f367048d4f22cf2ae626cd2002503",
-        "sha256": "0d4353i57y979sd3d95i3sn1fax6bnip9hibavx06bbckwl9h2dx",
+        "rev": "ec6b449d3d096a0e79db5f8c4a321ea9ec836e40",
+        "sha256": "1l1y0m5xdpgsd28m1qwl84xaq0jg85yd8hhz0rj01yrw87vhkdqr",
        "type": "tarball",
-        "url": "https://github.com/chaotic-cx/nyx/archive/d73c548a001f367048d4f22cf2ae626cd2002503.tar.gz",
+        "url": "https://github.com/chaotic-cx/nyx/archive/ec6b449d3d096a0e79db5f8c4a321ea9ec836e40.tar.gz",
        "url_template": "https://github.com/<owner>/<repo>/archive/<rev>.tar.gz"
    },
    "glibc-eac": {
@ -68,7 +68,7 @@
    "lix-pkg": {
        "branch": "main",
        "repo": "https://git.lix.systems/lix-project/lix.git",
-        "rev": "9865ebaaa618d82a7b7fdccc636cbaa7dfa42427",
+        "rev": "4682e40183b86972e5a1ef8f17e5366b9b3a8b2c",
        "type": "git"
    },
    "nixos-mailserver": {