diff --git a/common/tooling/apparmor/apparmor-d-paths.patch b/common/tooling/apparmor/apparmor-d-paths.patch
index 16a2643..04b8d69 100644
--- a/common/tooling/apparmor/apparmor-d-paths.patch
+++ b/common/tooling/apparmor/apparmor-d-paths.patch
@@ -1,5 +1,5 @@
diff --git a/apparmor.d/tunables/multiarch.d/system b/apparmor.d/tunables/multiarch.d/system
-index be37123f..57df7990 100644
+index be37123f..6490e311 100644
--- a/apparmor.d/tunables/multiarch.d/system
+++ b/apparmor.d/tunables/multiarch.d/system
@@ -106,8 +106,9 @@
@@ -9,7 +9,7 @@ index be37123f..57df7990 100644
-@{bin}=/{,usr/}{,s}bin
-@{lib}=/{,usr/}lib{,exec,32,64}
+@{base_paths} = /nix/store/* /etc/profiles/per-user/* /run/current-system/sw
-+@{bin}=@{base_paths}/bin
++@{bin}=@{base_paths}/bin /{,usr/}{,s}bin
+@{lib}=@{base_paths}/lib
# Common places for temporary files
diff --git a/common/tooling/apparmor/default.nix b/common/tooling/apparmor/default.nix
index 34a4a0e..1065aa7 100644
--- a/common/tooling/apparmor/default.nix
+++ b/common/tooling/apparmor/default.nix
@@ -24,6 +24,8 @@ in
/nix/store/*/bin/** mr,
/nix/store/*/lib/** mr,
/nix/store/** r,
+ ${getExe' pkgs.coreutils "coreutils"} rix,
+ ${getExe' pkgs.coreutils-full "coreutils"} rix,
'';
"local/speech-dispatcher" = ''
@@ -34,11 +36,21 @@ in
"local/pass" = ''
${getExe' pkgs.pass ".pass-wrapped"} rix,
- ${getExe' pkgs.coreutils "coreutils"} rix,
+ '';
+
+ "local/pass_gpg" = ''
+ @{PROC}/@{pid}/fd/ r,
+ /nix/store/*/libexec/keyboxd ix,
+ owner /run/user/*/gnupg/S.keyboxd wr,
+ '';
+
+ "abstractions/app/udevadm.d/udevadm_is_exec" = ''
+ @{bin}/udevadm mrix,
'';
"local/firefox" = ''
${pkgs.passff-host}/share/** rPx -> passff,
+ @{HOME}/.mozilla/firefox/** mr,
'';
"local/thunderbird" = ''
@@ -47,8 +59,12 @@ in
'';
"local/xdg-open" = ''
- ${getExe' pkgs.coreutils "coreutils"} rix,
- /proc/version r,
+ @{PROC}/version r,
+ '';
+
+ "local/xdg-mime" = ''
+ owner @{HOME}/@{XDG_CONFIG_DIR}/mimeapps* rwk,
+ @{PROC}/version r,
'';
"local/vesktop" = ''
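Review bot: The re-added `/{,usr/}{,s}bin` alternative on the `++@{bin}=` line widens `@{bin}` to the FHS `/bin`, `/usr/bin`, `/sbin` and `/usr/sbin` directories in addition to the Nix paths in `@{base_paths}`, so every `@{bin}/<name> ix` rule in default.nix (for example the `@{bin}/bash ix` and `@{bin}/udevadm mrix` rules added in this same commit) now also permits those FHS locations, while `@{lib}` on the following context line keeps only `@{base_paths}/lib`. Which consumer needs the fallback is not visible from this hunk; naming it in a comment at the top of the patch, e.g. `# @{bin} keeps the FHS dirs because <profile needing it>`, and stating whether the `@{lib}` asymmetry is intended would make the tunable reviewable. This is a patch-of-a-patch, so the line under review is the inner `+@{bin}=` line of the vendored apparmor.d tunable.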
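Review bot: The two `${getExe' pkgs.coreutils ...} rix` rules join a rule set whose attribute name starts above this hunk, and since the equivalent coreutils rule is removed from local/pass and local/xdg-open in the following hunks this looks like a shared snippet, meaning every profile that includes it gains execute-inherit on the whole coreutils multicall binary (`rm`, `chmod`, `dd`, ...) under its own confinement rather than only the applet it needs. That may be acceptable given the surrounding `/nix/store/*/bin/** mr` grants, but it deserves a one-line comment, e.g. `# coreutils is one multicall binary: ix here means every applet, for all profiles including this snippet`. The enclosing string begins outside the hunk.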
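Review bot: `@{HOME}/.mozilla/firefox/** mr,` in local/firefox adds the `m` (executable mmap) permission over the entire profile directory, which holds extensions, storage and other user-writable content; if a denial for one specific path motivated it, scope `m` to that path and keep the rest at `r`, and record the denied path in a comment such as `# m: <path from the DENIED log line>`. The new `abstractions/app/udevadm.d/udevadm_is_exec` snippet grants `@{bin}/udevadm mrix`, and with the `@{bin}` change in apparmor-d-paths.patch in this commit that pattern matches `/nix/store/*/bin/udevadm` as well as the FHS bin directories for every profile that pulls in the udevadm abstraction, so a comment naming which profile needed it would help.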
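Review bot: `owner @{HOME}/@{XDG_CONFIG_DIR}/mimeapps* rwk,` in local/xdg-mime matches any file in the config directory whose name starts with `mimeapps`, not only `mimeapps.list` and whatever temporary name xdg-mime writes next to it; if the wider glob is deliberate (to cover a backup or temp file), a comment naming that file would let a later reader tighten it, otherwise `mimeapps.list` plus the known temporary name is the safer pattern. The same pattern is duplicated in the osu-lazer profile added later in this commit, so both should be adjusted together.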
@@ -60,9 +76,9 @@ in
/etc/machine-id r,
/dev/udmabuf rw,
/dev/ r,
- /sys/devices/@{pci}boot_vga r,
- /sys/devices/@{pci}idVendor r,
- /sys/devices/@{pci}idProduct r,
+ @{sys}/devices/@{pci}boot_vga r,
+ @{sys}/devices/@{pci}idVendor r,
+ @{sys}/devices/@{pci}idProduct r,
'');
};
@@ -79,7 +95,6 @@ in
${getExe pkgs.pass} Px,
}
'';
- };
swaymux = {
@@ -95,6 +110,122 @@ in
}
'';
};
+
+ osu-lazer = {
+ enable = true;
+ enforce = true;
+ profile = ''
+ abi ,
+ include
+ profile osu-lazer @{bin}/osu\! flags=(attach_disconnected) {
+ include # read access to /nix/store, basic presets for most apps
+
+# include
+ include
+# include
+ include
+# include
+# include
+ include
+ include
+# include
+ include
+ include
+
+ network inet dgram,
+ network inet6 dgram,
+ network inet stream,
+ network inet6 stream,
+ network netlink raw,
+
+ owner @{PROC}/@{pid}/net/dev r,
+ owner @{PROC}/@{pid}/net/if_inet6 r,
+ owner @{PROC}/@{pid}/net/ipv6_route r,
+ owner @{PROC}/@{pid}/net/route r,
+
+ capability mknod,
+
+ /dev/tty{@{d},} rw,
+
+ ${pkgs.osu-lazer-bin}/bin/osu? ix,
+ ${getExe pkgs.bubblewrap} rix,
+ /nix/store/*-osu-lazer-bin-*-bwrap ix,
+ /nix/store/*-osu-lazer-bin-*-init ix,
+ /nix/store/*-osu-lazer-bin-*-extracted/** rk,
+ /nix/store/*-osu-lazer-bin-*-extracted/AppRun ix,
+ /nix/store/*-osu-lazer-bin-*-extracted/usr/bin/** ix,
+
+ @{bin}/ldconfig ix,
+ @{bin}/appimage-exec.sh ix,
+ @{bin}/rev ix,
+ @{bin}/bash ix,
+ @{bin}/grep ix,
+ @{bin}/lsblk ix,
+ @{bin}/awk ix,
+ @{bin}/gawk ix,
+
+ @{bin}/xdg-mime Px,
+ ${getExe' pkgs.gamemode "gamemoderun"} ix,
+
+ owner @{HOME}/@{XDG_DATA_DIR}/osu/** rwkm,
+ owner @{HOME}/.dotnet/** rwkm,
+ owner @{HOME}/@{XDG_DATA_DIR}/Sentry/** rwk,
+ owner @{HOME}/@{XDG_CONFIG_DIR}/mimeapps* rwk,
+ owner @{HOME}/@{XDG_DATA_DIR}/applications/discord-*.desktop rwk,
+
+ / r,
+ /nix/store/*-etc-os-release rk,
+ /nix/store/*/share/zoneinfo/** rk,
+
+ owner /tmp/** rwk,
+ /usr/lib/ r,
+
+ /var/cache/ldconfig/ rw,
+ owner /etc/ld.so* rw,
+
+ @{PROC}/@{pid}/stat rk,
+ @{PROC}/@{pid}/task/@{pid}/comm wr,
+ @{PROC}@{sys}/kernel/os{type,release} rk,
+ @{PROC}/version r,
+ @{PROC}/{sys,@{pid}}/net/** rk,
+ @{PROC}/@{pid}/maps rk,
+
+ /dev/snd/** rw,
+ /dev/input/ r,
+ /dev/dri/** wr,
+ /dev/input/** r,
+ /dev/udmabuf wr,
+ /dev/hidraw* rw,
+
+ /.host-etc/alsa/conf.d/{,**} r,
+ /.host-etc/ssl/certs/{,**} r,
+ /.host-etc/resolv.conf rk,
+
+ /run/udev/data/* r,
+
+# @{sys}/devices/@{pci}device r,
+# @{sys}/devices/@{pci}boot_vga r,
+# @{sys}/devices/@{pci}subsystem_vendor r,
+# @{sys}/devices/@{pci}subsystem_device r,
+# @{sys}/devices/virtual/dmi/id/* r,
+# @{sys}/devices/@{pci}uevent r,
+# @{sys}/devices/virtual/sound/** r,
+# @{sys}/devices/virtual/block/** r,
+# @{sys}/block/ r,
+# @{sys}/devices@{sys}tem/node/ r,
+# @{sys}/fs/cgroup/{,**/} r,
+# @{sys}/fs/cgroup/** r,
+# @{sys}/devices/@{pci}sound/** r,
+# @{sys}/devices/@{pci}vendor r,
+# @{sys}/class/hidraw/ r,
+# @{sys}/class/input/ r,
+# @{sys}/class/input/{,**} r,
+# @{sys}/devices/**/input/** r,
+ }
+ '';
+ };
+
+ vesktop = {
enable = true;
enforce = true;
@@ -172,6 +303,39 @@ in
include "${apparmor-d}/etc/apparmor.d/profiles-m-r/pass"
'';
};
+# gamemoded = {
+# enable = true;
+# enforce = true;
+# profile = ''
+# include "${apparmor-d}/etc/apparmor.d/profiles-g-l/gamemoded"
+# '';
+# };
+
+ pkexec = {
+ enable = false;
+ enforce = false;
+ # somehow this has conflicting imports and i have no clue how to fix it
+ profile = ''
+ include "${apparmor-d}/etc/apparmor.d/profiles-m-r/pkexec"
+ '';
+ };
+
+ xdg-mime = {
+ enable = true;
+ enforce = false;
+ # somehow this has conflicting imports and i have no clue how to fix it
+ profile = ''
+ include "${apparmor-d}/etc/apparmor.d/groups/freedesktop/xdg-mime"
+ '';
+ };
+ mimetype = {
+ enable = true;
+ enforce = false;
+ # somehow this has conflicting imports and i have no clue how to fix it
+ profile = ''
+ include "${apparmor-d}/etc/apparmor.d/profiles-m-r/mimetype"
+ '';
+ };
};
};
}
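Review bot: `@{PROC}/@{pid}/stat rk,`, `@{PROC}/@{pid}/task/@{pid}/comm wr,` and `@{PROC}/@{pid}/maps rk,` near the end of the osu-lazer profile lack the `owner` qualifier that the `owner @{PROC}/@{pid}/net/... r` rules earlier in the same profile carry, so the policy allows reading `maps`/`stat` of, and writing `comm` for, any process DAC lets the user reach rather than only the game's own; prefixing them with `owner` matches the rest of the profile. `@{PROC}@{sys}/kernel/os{type,release} rk,` and the commented `@{sys}/devices@{sys}tem/node/` read like a global `/sys` → `@{sys}` substitution that also hit `/proc/sys` and `devices/system`; it presumably only works because `@{sys}` expands to `/sys`, so write `@{PROC}/sys/kernel/os{type,release} rk,` and `devices/system/node/` for readability. `capability mknod,`, `/dev/hidraw* rw,`, `/dev/input/** r,` and `owner /etc/ld.so* rw,` are broad grants for a game and each deserves a one-line why-comment (presumably AppImage/bubblewrap setup and tablet input, but that is an inference from the neighbouring bwrap rules). The block of commented-out `# @{sys}/...` rules is dead policy; drop it or note why it is parked. The `abi ,` and bare `include` lines appear to have lost their `<...>` targets in this rendering, which is worth confirming against the file itself.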
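Review bot: The comment `# somehow this has conflicting imports and i have no clue how to fix it` is copied verbatim onto pkexec, xdg-mime and mimetype, yet the three entries end up in different states (pkexec not loaded at all with `enable = false`, the other two loaded with `enforce = false`), so the comment should say per entry what actually conflicts and what the chosen state means, e.g. `# TODO: <name of the conflicting include> — loaded in complain mode until resolved`. Assuming `enforce = false` loads the profile in complain mode, the `@{bin}/xdg-mime Px,` transition in the osu-lazer profile above lands in a profile that only logs, which is a reasonable staging step but is not visible from the osu-lazer side and deserves a comment there or here. The commented-out gamemoded block is dead configuration; either remove it or leave a one-line reason it is parked.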