From 88457f7cbed6c3c4253573125c4127fcbc4bd40a Mon Sep 17 00:00:00 2001
From: Grimmauld
Date: Tue, 15 Oct 2024 21:35:53 +0200
Subject: [PATCH] a little more useable apparmor.d profile integration
---
common/tooling/apparmor/apparmor-d-module.nix | 74 +++++++++
...{apparmor-d.nix => apparmor-d-package.nix} | 0
common/tooling/apparmor/default.nix | 154 +++++-------------
nix/sources.json | 8 +-
4 files changed, 118 insertions(+), 118 deletions(-)
create mode 100644 common/tooling/apparmor/apparmor-d-module.nix
rename common/tooling/apparmor/{apparmor-d.nix => apparmor-d-package.nix} (100%)
diff --git a/common/tooling/apparmor/apparmor-d-module.nix b/common/tooling/apparmor/apparmor-d-module.nix
new file mode 100644
index 0000000..a526bcc
--- /dev/null
+++ b/common/tooling/apparmor/apparmor-d-module.nix
@@ -0,0 +1,74 @@
+{
+ pkgs,
+ config,
+ lib,
+ ...
+}:
+let
+ inherit (lib) mkIf mergeAttrsList last path;
+
+ cfg = config.security.apparmor_d;
+ apparmor-d = pkgs.callPackage ./apparmor-d-package.nix {};
+ in
+{
+ options.security.apparmor_d = with lib; let
+ profile = types.submodule ({ config, ... }: {
+ options = {
+ enable = mkOption {
+ type = types.bool;
+ default = true;
+ description = "whether to enable this profile";
+ };
+
+ enforce = mkOption {
+ type = types.bool;
+ default = true;
+ description = "whether to enforce this profile";
+ };
+
+ path = mkOption {
+ type = types.nonEmptyStr;
+ description = "path of the apparmor profile within apparmor.d, as copied from github";
+ example = "apparmor.d/profiles-s-z/vesktop";
+ };
+
+ name = mkOption {
+ type = types.nonEmptyStr;
+ description = "Name of the profile as placed in /etc/apparmor.d. Default is the profile name as given in apparmor.d.";
+ default = last (path.subpath.components config.path);
+ example = "vesktop";
+ };
+ };
+ });
+ in {
+ enable = mkEnableOption "enable apparmor.d support";
+
+ profiles = mkOption {
+ type = types.listOf (types.either types.nonEmptyStr profile);
+ default = [];
+ description = "set of apparmor profiles to include from apparmor.d";
+ };
+ };
+
+ options.test = lib.mkOption { default = null; };
+
+ config = mkIf (cfg.enable) {
+ security.apparmor.packages = [ apparmor-d ];
+ security.apparmor.policies = mergeAttrsList (map (p: if (builtins.isString p) then (let name = last (path.subpath.components p); in {
+ "${name}" = {
+ enable = true;
+ enforce = true;
+ profile = ''
+ include "${apparmor-d}/etc/${p}"
+ '';
+ };
+ }) else {
+ ${p.name} = {
+ inherit (p) enable enforce;
+ profile = ''
+ include "${apparmor-d}/etc/${p.path}"
+ '';
+ };
+ }) cfg.profiles );
+ };
+}
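Review bot: `options.test = lib.mkOption { default = null; };` looks like a leftover debugging option — it declares a top-level `test` NixOS option with no type or description and nothing in the module reads it, so that line should be dropped. Two entries whose last path component coincides (for example a profile of the same name taken from two different apparmor.d groups) are merged silently by `mergeAttrsList`, the later one overwriting the earlier; building the result with `lib.mkMerge` over the list instead would let the module system report the conflicting definitions rather than hide them. A typo in a profile path is currently only caught when apparmor_parser loads the generated policy, so a guard of the form `assertion = builtins.pathExists "${apparmor-d}/etc/${p}";` (with the string or `.path` form of each entry) over `cfg.profiles` would report it at evaluation, at the cost of realising apparmor-d during eval. Minor: `mkEnableOption "enable apparmor.d support"` renders as "Whether to enable enable apparmor.d support."; `mkEnableOption "apparmor.d profile support"` reads correctly.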
diff --git a/common/tooling/apparmor/apparmor-d.nix b/common/tooling/apparmor/apparmor-d-package.nix
similarity index 100%
rename from common/tooling/apparmor/apparmor-d.nix
rename to common/tooling/apparmor/apparmor-d-package.nix
diff --git a/common/tooling/apparmor/default.nix b/common/tooling/apparmor/default.nix
index 849d8e5..bb47b16 100644
--- a/common/tooling/apparmor/default.nix
+++ b/common/tooling/apparmor/default.nix
@@ -7,16 +7,54 @@ let
 inherit (config.grimmShared) enable tooling;
 inherit (lib) mkIf optionalString getExe' getExe;
- apparmor-d = pkgs.callPackage ./apparmor-d.nix {};
 allowFingerprinting = true;
 in
 {
+ imports = [ ./apparmor-d-module.nix ];
+
 config = mkIf (enable && tooling.enable) {
 services.dbus.apparmor = "enabled";
 security.auditd.enable = true;
- security.apparmor.packages = [ apparmor-d ];
 security.apparmor.enable = true;
+
+ security.apparmor_d = {
+ enable = true;
+ profiles = [
+ "apparmor.d/profiles-s-z/vesktop"
+ "apparmor.d/profiles-s-z/speech-dispatcher"
+ "apparmor.d/profiles-s-z/thunderbird-glxtest"
+ "apparmor.d/groups/browsers/firefox"
+ "apparmor.d/profiles-m-r/pass"
+ "apparmor.d/profiles-s-z/spotify"
+ "apparmor.d/profiles-s-z/thunderbird"
+ "apparmor.d/groups/freedesktop/xdg-open"
+ "apparmor.d/groups/children/child-open-any"
+ "apparmor.d/groups/children/child-open"
+ "apparmor.d/groups/browsers/firefox-glxtest"
+# {
+# enable = true;
+# enforce = true;
+# path = "apparmor.d/profiles-g-l/gamemoded";
+# };
+ {
+ enable = false;
+ enforce = false;
+ # somehow this has conflicting imports and i have no clue how to fix it
+ path = "apparmor.d/profiles-m-r/pkexec";
+ }
+ {
+ enable = true;
+ enforce = false;
+ path = "apparmor.d/groups/freedesktop/xdg-mime";
+ }
+ {
+ enable = true;
+ enforce = false;
+ path = "apparmor.d/profiles-m-r/mimetype";
+ }
+ ];
+ };
 security.apparmor.includes = {
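Review bot: The xdg-mime and mimetype entries drop the `# somehow this has conflicting imports and i have no clue how to fix it` comment that their removed policies carried, so their `enforce = false;` — complain mode, where violations are only logged and never blocked — is now unexplained; put a one-line comment such as `# complain mode only: conflicting includes, same issue as pkexec` above each of those two `enforce = false;` lines. The commented-out gamemoded block is carried over as dead code in the new list; either drop it or give it a comment saying why it is parked. The enclosing `config = mkIf (enable && tooling.enable) { ... }` attrset continues past the end of the hunk.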
@@ -189,118 +227,6 @@ in
 }
 '';
 };
-
-
- vesktop = {
- enable = true;
- enforce = true;
- profile = ''
- include "${apparmor-d}/etc/apparmor.d/profiles-s-z/vesktop"
- '';
- };
- speech-dispatcher = {
- enable = true;
- enforce = true;
- profile = ''
- include "${apparmor-d}/etc/apparmor.d/profiles-s-z/speech-dispatcher"
- '';
- };
- spotify = {
- enable = true;
- enforce = true;
- profile = ''
- include "${apparmor-d}/etc/apparmor.d/profiles-s-z/spotify"
- '';
- };
- thunderbird = {
- enable = true;
- enforce = true;
- profile = ''
- include "${apparmor-d}/etc/apparmor.d/profiles-s-z/thunderbird"
- '';
- };
- thunderbird-glxtest = {
- enable = true;
- enforce = true;
- profile = ''
- include "${apparmor-d}/etc/apparmor.d/profiles-s-z/thunderbird-glxtest"
- '';
- };
- xdg-open = {
- enable = true;
- enforce = true;
- profile = ''
- include "${apparmor-d}/etc/apparmor.d/groups/freedesktop/xdg-open"
- '';
- };
- child-open-any = {
- enable = true;
- enforce = true;
- profile = ''
- include "${apparmor-d}/etc/apparmor.d/groups/children/child-open-any"
- '';
- };
- child-open = {
- enable = true;
- enforce = true;
- profile = ''
- include "${apparmor-d}/etc/apparmor.d/groups/children/child-open"
- '';
- };
- firefox-glxtest = {
- enable = true;
- enforce = true;
- profile = ''
- include "${apparmor-d}/etc/apparmor.d/groups/browsers/firefox-glxtest"
- '';
- };
- firefox = {
- enable = true;
- enforce = true;
- profile = ''
- include "${apparmor-d}/etc/apparmor.d/groups/browsers/firefox"
- '';
- };
- pass = {
- enable = true;
- enforce = true;
- profile = ''
- include "${apparmor-d}/etc/apparmor.d/profiles-m-r/pass"
- '';
- };
-# gamemoded = {
-# enable = true;
-# enforce = true;
-# profile = ''
-# include "${apparmor-d}/etc/apparmor.d/profiles-g-l/gamemoded"
-# '';
-# };
-
- pkexec = {
- enable = false;
- enforce = false;
- # somehow this has conflicting imports and i have no clue how to fix it
- profile = ''
- include "${apparmor-d}/etc/apparmor.d/profiles-m-r/pkexec"
- '';
- };
-
- xdg-mime = {
- enable = true;
- enforce = false;
- # somehow this has conflicting imports and i have no clue how to fix it
- profile = ''
- include "${apparmor-d}/etc/apparmor.d/groups/freedesktop/xdg-mime"
- '';
- };
- mimetype = {
- enable = true;
- enforce = false;
- # somehow this has conflicting imports and i have no clue how to fix it
- profile = ''
- include "${apparmor-d}/etc/apparmor.d/profiles-m-r/mimetype"
- '';
- };
 };
 };
 }
diff --git a/nix/sources.json b/nix/sources.json
index b0dad81..7fae2bf 100644
--- a/nix/sources.json
+++ b/nix/sources.json
@@ -41,10 +41,10 @@
 "homepage": "https://nyx.chaotic.cx",
 "owner": "chaotic-cx",
 "repo": "nyx",
- "rev": "d73c548a001f367048d4f22cf2ae626cd2002503",
- "sha256": "0d4353i57y979sd3d95i3sn1fax6bnip9hibavx06bbckwl9h2dx",
+ "rev": "ec6b449d3d096a0e79db5f8c4a321ea9ec836e40",
+ "sha256": "1l1y0m5xdpgsd28m1qwl84xaq0jg85yd8hhz0rj01yrw87vhkdqr",
 "type": "tarball",
- "url": "https://github.com/chaotic-cx/nyx/archive/d73c548a001f367048d4f22cf2ae626cd2002503.tar.gz",
+ "url": "https://github.com/chaotic-cx/nyx/archive/ec6b449d3d096a0e79db5f8c4a321ea9ec836e40.tar.gz",
 "url_template": "https://github.com///archive/.tar.gz"
 },
 "glibc-eac": {
@@ -68,7 +68,7 @@
 "lix-pkg": {
 "branch": "main",
 "repo": "https://git.lix.systems/lix-project/lix.git",
- "rev": "9865ebaaa618d82a7b7fdccc636cbaa7dfa42427",
+ "rev": "4682e40183b86972e5a1ef8f17e5366b9b3a8b2c",
 "type": "git"
 },
 "nixos-mailserver": {