a little more usable apparmor.d profile integration

Grimmauld 2024-10-15 21:35:53 +02:00
parent f781c73d8d
commit 88457f7cbe
Signed by: Grimmauld
GPG key ID: C2946668769F91FB
4 changed files with 118 additions and 118 deletions


@ -0,0 +1,74 @@
{
pkgs,
config,
lib,
...
}:
let
inherit (lib) mkIf mergeAttrsList last path;
cfg = config.security.apparmor_d;
apparmor-d = pkgs.callPackage ./apparmor-d-package.nix {};
in
{
options.security.apparmor_d = with lib; let
profile = types.submodule ({ config, ... }: {
options = {
enable = mkOption {
type = types.bool;
default = true;
description = "whether to enable this profile";
};
enforce = mkOption {
type = types.bool;
default = true;
description = "whether to enforce this profile";
};
path = mkOption {
type = types.nonEmptyStr;
description = "path of the apparmor profile within apparmor.d, as copied from github";
example = "apparmor.d/profiles-s-z/vesktop";
};
name = mkOption {
type = types.nonEmptyStr;
description = "Name of the profile as placed in /etc/apparmor.d. Default is the profile name as given in apparmor.d.";
default = last (path.subpath.components config.path);
example = "vesktop";
};
};
});
in {
enable = mkEnableOption "enable apparmor.d support";
profiles = mkOption {
type = types.listOf (types.either types.nonEmptyStr profile);
default = [];
description = "set of apparmor profiles to include from apparmor.d";
};
};
options.test = lib.mkOption { default = null; };
config = mkIf (cfg.enable) {
security.apparmor.packages = [ apparmor-d ];
security.apparmor.policies = mergeAttrsList (map (p: if (builtins.isString p) then (let name = last (path.subpath.components p); in {
"${name}" = {
enable = true;
enforce = true;
profile = ''
include "${apparmor-d}/etc/${p}"
'';
};
}) else {
${p.name} = {
inherit (p) enable enforce;
profile = ''
include "${apparmor-d}/etc/${p.path}"
'';
};
}) cfg.profiles );
};
}
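Review bot: The `security.apparmor.policies` value built with `mergeAttrsList (map (p: ...) cfg.profiles)` merges one single-key attrset per entry, so two entries that resolve to the same name (two paths sharing a basename, or an object entry whose `name` collides with a string entry) silently overwrite each other and one of the profiles is never installed or enforced. An assertion over the derived names turns that into an evaluation error instead; the sketch below adds it beside the existing policy construction. Two smaller points in the same file: `options.test = lib.mkOption { default = null; };` looks like a leftover debug option and should be dropped, and `mkEnableOption "enable apparmor.d support"` renders as "Whether to enable enable apparmor.d support." — `mkEnableOption "apparmor.d support"` reads correctly.
```nix
config = mkIf cfg.enable {
  security.apparmor.packages = [ apparmor-d ];
  # … unchanged: security.apparmor.policies built from cfg.profiles …
  assertions = let
    names = map (p:
      if builtins.isString p
      then last (path.subpath.components p)
      else p.name) cfg.profiles;
  in [{
    assertion = lib.length names == lib.length (lib.unique names);
    message = "security.apparmor_d.profiles: duplicate profile names in ${toString names}";
  }];
};
```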


@ -7,17 +7,55 @@
let let
inherit (config.grimmShared) enable tooling; inherit (config.grimmShared) enable tooling;
inherit (lib) mkIf optionalString getExe' getExe; inherit (lib) mkIf optionalString getExe' getExe;
apparmor-d = pkgs.callPackage ./apparmor-d.nix {};
allowFingerprinting = true; allowFingerprinting = true;
in in
{ {
imports = [ ./apparmor-d-module.nix ];
config = mkIf (enable && tooling.enable) { config = mkIf (enable && tooling.enable) {
services.dbus.apparmor = "enabled"; services.dbus.apparmor = "enabled";
security.auditd.enable = true; security.auditd.enable = true;
security.apparmor.packages = [ apparmor-d ];
security.apparmor.enable = true; security.apparmor.enable = true;
security.apparmor_d = {
enable = true;
profiles = [
"apparmor.d/profiles-s-z/vesktop"
"apparmor.d/profiles-s-z/speech-dispatcher"
"apparmor.d/profiles-s-z/thunderbird-glxtest"
"apparmor.d/groups/browsers/firefox"
"apparmor.d/profiles-m-r/pass"
"apparmor.d/profiles-s-z/spotify"
"apparmor.d/profiles-s-z/thunderbird"
"apparmor.d/groups/freedesktop/xdg-open"
"apparmor.d/groups/children/child-open-any"
"apparmor.d/groups/children/child-open"
"apparmor.d/groups/browsers/firefox-glxtest"
# {
# enable = true;
# enforce = true;
# path = "apparmor.d/profiles-g-l/gamemoded";
# };
{
enable = false;
enforce = false;
# somehow this has conflicting imports and i have no clue how to fix it
path = "apparmor.d/profiles-m-r/pkexec";
}
{
enable = true;
enforce = false;
path = "apparmor.d/groups/freedesktop/xdg-mime";
}
{
enable = true;
enforce = false;
path = "apparmor.d/profiles-m-r/mimetype";
}
];
};
security.apparmor.includes = { security.apparmor.includes = {
"abstractions/base" = '' "abstractions/base" = ''
@ -189,118 +227,6 @@ in
} }
''; '';
}; };
vesktop = {
enable = true;
enforce = true;
profile = ''
include "${apparmor-d}/etc/apparmor.d/profiles-s-z/vesktop"
'';
};
speech-dispatcher = {
enable = true;
enforce = true;
profile = ''
include "${apparmor-d}/etc/apparmor.d/profiles-s-z/speech-dispatcher"
'';
};
spotify = {
enable = true;
enforce = true;
profile = ''
include "${apparmor-d}/etc/apparmor.d/profiles-s-z/spotify"
'';
};
thunderbird = {
enable = true;
enforce = true;
profile = ''
include "${apparmor-d}/etc/apparmor.d/profiles-s-z/thunderbird"
'';
};
thunderbird-glxtest = {
enable = true;
enforce = true;
profile = ''
include "${apparmor-d}/etc/apparmor.d/profiles-s-z/thunderbird-glxtest"
'';
};
xdg-open = {
enable = true;
enforce = true;
profile = ''
include "${apparmor-d}/etc/apparmor.d/groups/freedesktop/xdg-open"
'';
};
child-open-any = {
enable = true;
enforce = true;
profile = ''
include "${apparmor-d}/etc/apparmor.d/groups/children/child-open-any"
'';
};
child-open = {
enable = true;
enforce = true;
profile = ''
include "${apparmor-d}/etc/apparmor.d/groups/children/child-open"
'';
};
firefox-glxtest = {
enable = true;
enforce = true;
profile = ''
include "${apparmor-d}/etc/apparmor.d/groups/browsers/firefox-glxtest"
'';
};
firefox = {
enable = true;
enforce = true;
profile = ''
include "${apparmor-d}/etc/apparmor.d/groups/browsers/firefox"
'';
};
pass = {
enable = true;
enforce = true;
profile = ''
include "${apparmor-d}/etc/apparmor.d/profiles-m-r/pass"
'';
};
# gamemoded = {
# enable = true;
# enforce = true;
# profile = ''
# include "${apparmor-d}/etc/apparmor.d/profiles-g-l/gamemoded"
# '';
# };
pkexec = {
enable = false;
enforce = false;
# somehow this has conflicting imports and i have no clue how to fix it
profile = ''
include "${apparmor-d}/etc/apparmor.d/profiles-m-r/pkexec"
'';
};
xdg-mime = {
enable = true;
enforce = false;
# somehow this has conflicting imports and i have no clue how to fix it
profile = ''
include "${apparmor-d}/etc/apparmor.d/groups/freedesktop/xdg-mime"
'';
};
mimetype = {
enable = true;
enforce = false;
# somehow this has conflicting imports and i have no clue how to fix it
profile = ''
include "${apparmor-d}/etc/apparmor.d/profiles-m-r/mimetype"
'';
};
}; };
}; };
} }
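Review bot: The `enforce = false` entries for `xdg-mime` and `mimetype` in the new `security.apparmor_d.profiles` list lost the comment the removed hunk carried on each of them (`# somehow this has conflicting imports and i have no clue how to fix it`); only the `pkexec` entry keeps it, so a reader no longer knows why those two profiles are left in complain mode. Either restore the comment on both entries or, if the reason differs, state it — a profile left in complain mode is easy to forget, and that comment is the only record that it was deliberate. The `config = mkIf (enable && tooling.enable)` attrset holding this list continues past the end of the first hunk.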


@ -41,10 +41,10 @@
"homepage": "https://nyx.chaotic.cx", "homepage": "https://nyx.chaotic.cx",
"owner": "chaotic-cx", "owner": "chaotic-cx",
"repo": "nyx", "repo": "nyx",
"rev": "d73c548a001f367048d4f22cf2ae626cd2002503", "rev": "ec6b449d3d096a0e79db5f8c4a321ea9ec836e40",
"sha256": "0d4353i57y979sd3d95i3sn1fax6bnip9hibavx06bbckwl9h2dx", "sha256": "1l1y0m5xdpgsd28m1qwl84xaq0jg85yd8hhz0rj01yrw87vhkdqr",
"type": "tarball", "type": "tarball",
"url": "https://github.com/chaotic-cx/nyx/archive/d73c548a001f367048d4f22cf2ae626cd2002503.tar.gz", "url": "https://github.com/chaotic-cx/nyx/archive/ec6b449d3d096a0e79db5f8c4a321ea9ec836e40.tar.gz",
"url_template": "https://github.com/<owner>/<repo>/archive/<rev>.tar.gz" "url_template": "https://github.com/<owner>/<repo>/archive/<rev>.tar.gz"
}, },
"glibc-eac": { "glibc-eac": {
@ -68,7 +68,7 @@
"lix-pkg": { "lix-pkg": {
"branch": "main", "branch": "main",
"repo": "https://git.lix.systems/lix-project/lix.git", "repo": "https://git.lix.systems/lix-project/lix.git",
"rev": "9865ebaaa618d82a7b7fdccc636cbaa7dfa42427", "rev": "4682e40183b86972e5a1ef8f17e5366b9b3a8b2c",
"type": "git" "type": "git"
}, },
"nixos-mailserver": { "nixos-mailserver": {