firefox and pass in apparmor

2024-10-13 14:28:46 +02:00 · 2024-10-13 14:28:46 +02:00 · cebee13139
commit cebee13139
parent 3f1d9786bf
1 changed files with 45 additions and 0 deletions
--- a/common/tooling/apparmor/default.nix
+++ b/common/tooling/apparmor/default.nix
@ -32,6 +32,15 @@ in
        @{bin}/mbrola rix,
      '';

+      "local/pass" = ''
+        ${getExe' pkgs.pass ".pass-wrapped"} rix,
+        ${getExe' pkgs.coreutils "coreutils"} rix,
+      '';
+
+      "local/firefox" = ''
+        ${pkgs.passff-host}/share/** rPx -> passff,
+      '';
+
      "local/thunderbird" = ''
        ${getExe' pkgs.thunderbird ".thunderbird-wrapped_"} rix,
        /dev/urandom w,
@ -58,6 +67,21 @@ in
    };
    
    security.apparmor.policies = {
+      passff = {
+        enable = true;
+        enforce = true;
+        profile = ''
+          abi <abi/4.0>,
+          include <tunables/global>
+          profile passff ${pkgs.passff-host}/share/passff-host/passff.py {
+            include <abstractions/base> # read access to /nix/store, basic presets for most apps
+            include <abstractions/python>
+            ${getExe pkgs.pass} Px,
+          }
+        '';
+
+      };
+      
      swaymux = {
        enable = true;
        enforce = true;
@ -127,6 +151,27 @@ in
          include "${apparmor-d}/etc/apparmor.d/groups/children/child-open"
        '';
      };
+      firefox-glxtest = {
+        enable = true;
+        enforce = true;
+        profile = ''
+          include "${apparmor-d}/etc/apparmor.d/groups/browsers/firefox-glxtest"
+        '';
+      };
+      firefox = {
+        enable = true;
+        enforce = true;
+        profile = ''
+          include "${apparmor-d}/etc/apparmor.d/groups/browsers/firefox"
+        '';
+      };
+      pass = {
+        enable = true;
+        enforce = true;
+        profile = ''
+          include "${apparmor-d}/etc/apparmor.d/profiles-m-r/pass"
+        '';
+      };
    };
  };
 }