firefox and pass in apparmor

Grimmauld 2024-10-13 14:28:46 +02:00
parent 3f1d9786bf
commit cebee13139
Signed by: Grimmauld
GPG key ID: C2946668769F91FB


@ -32,6 +32,15 @@ in
@{bin}/mbrola rix,
'';
"local/pass" = ''
${getExe' pkgs.pass ".pass-wrapped"} rix,
${getExe' pkgs.coreutils "coreutils"} rix,
'';
"local/firefox" = ''
${pkgs.passff-host}/share/** rPx -> passff,
'';
"local/thunderbird" = ''
${getExe' pkgs.thunderbird ".thunderbird-wrapped_"} rix,
/dev/urandom w,
@ -58,6 +67,21 @@ in
};
security.apparmor.policies = {
passff = {
enable = true;
enforce = true;
profile = ''
abi <abi/4.0>,
include <tunables/global>
profile passff ${pkgs.passff-host}/share/passff-host/passff.py {
include <abstractions/base> # read access to /nix/store, basic presets for most apps
include <abstractions/python>
${getExe pkgs.pass} Px,
}
'';
};
swaymux = {
enable = true;
enforce = true;
@ -127,6 +151,27 @@ in
include "${apparmor-d}/etc/apparmor.d/groups/children/child-open"
'';
};
firefox-glxtest = {
enable = true;
enforce = true;
profile = ''
include "${apparmor-d}/etc/apparmor.d/groups/browsers/firefox-glxtest"
'';
};
firefox = {
enable = true;
enforce = true;
profile = ''
include "${apparmor-d}/etc/apparmor.d/groups/browsers/firefox"
'';
};
pass = {
enable = true;
enforce = true;
profile = ''
include "${apparmor-d}/etc/apparmor.d/profiles-m-r/pass"
'';
};
};
};
}
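Review bot: The `local/firefox` rule `${pkgs.passff-host}/share/** rPx -> passff,` lets Firefox read and exec-transition on every file under `share/`, while the `passff` profile added further down is attached only to `${pkgs.passff-host}/share/passff-host/passff.py`. Narrowing the exec rule to that one path, `${pkgs.passff-host}/share/passff-host/passff.py rPx -> passff,`, keeps the grant matched to the profile; if Firefox also has to read the native-messaging manifest from that tree (its location is not visible here), give it a separate `r` rule without exec. In the `passff` profile, `${getExe pkgs.pass} Px,` only succeeds if a loaded profile attaches to that store path, and whether the included apparmor.d `pass` profile does so cannot be seen from this page, so that is worth confirming. A short comment above the `passff` profile saying that it confines the native-messaging host and hands off to the `pass` profile would help the next reader.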