From e072d9e4a5547c371a74a2930294aadb7fb81484 Mon Sep 17 00:00:00 2001
From: Grimmauld
Date: Sat, 12 Oct 2024 18:19:18 +0200
Subject: [PATCH] experimental apparmor support
---
 .../tooling/apparmor/apparmor-d-paths.patch | 15 +++++++++++
 common/tooling/apparmor/apparmor-d.nix | 24 +++++++++++++++++
 common/tooling/apparmor/default.nix | 26 +++++++++++++++++++
 common/tooling/default.nix | 1 +
 4 files changed, 66 insertions(+)
 create mode 100644 common/tooling/apparmor/apparmor-d-paths.patch
 create mode 100644 common/tooling/apparmor/apparmor-d.nix
 create mode 100644 common/tooling/apparmor/default.nix
diff --git a/common/tooling/apparmor/apparmor-d-paths.patch b/common/tooling/apparmor/apparmor-d-paths.patch
new file mode 100644
index 0000000..222adb4
--- /dev/null
+++ b/common/tooling/apparmor/apparmor-d-paths.patch
@@ -0,0 +1,15 @@
+diff --git a/apparmor.d/tunables/multiarch.d/system b/apparmor.d/tunables/multiarch.d/system
+index be37123f..1d61a671 100644
+--- a/apparmor.d/tunables/multiarch.d/system
++++ b/apparmor.d/tunables/multiarch.d/system
+@@ -106,8 +106,8 @@
+ @{MOUNTS}=@{MOUNTDIRS}/*/ @{run}/user/@{uid}/gvfs/
+ 
+ # Common places for binaries and libraries across distributions
+-@{bin}=/{,usr/}{,s}bin
+-@{lib}=/{,usr/}lib{,exec,32,64}
++@{bin}=/nix/store/*/bin
++@{lib}=/nix/store/*/lib
+ 
+ # Common places for temporary files
+ @{tmp}=/tmp/ /tmp/user/@{uid}/
diff --git a/common/tooling/apparmor/apparmor-d.nix b/common/tooling/apparmor/apparmor-d.nix
new file mode 100644
index 0000000..41e3ca1
--- /dev/null
+++ b/common/tooling/apparmor/apparmor-d.nix
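Review bot: `@{bin}=/nix/store/*/bin` widens every upstream rule written against `@{bin}` from four FHS directories to the `bin/` of every store path, so a rule like `@{bin}/foo` now matches that name under any derivation output rather than a specific package, and `@{lib}` is widened the same way. Part of that breadth is inherent to the store layout, but the patch removes the FHS alternatives instead of appending to them and records no reason for either choice. Binaries reached through `/run/current-system/sw/bin` or the setuid wrappers in `/run/wrappers/bin` are not store paths; whether any of the pulled-in profiles relies on `@{bin}` for those is not visible here and is worth checking before profiles are enforced. A one-line comment in the patched tunable would capture the trade-off, e.g. `# NixOS: binaries and libraries live only in the store; FHS paths deliberately dropped`.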
@@ -0,0 +1,24 @@
+{ stdenv, fetchFromGitHub }:
+stdenv.mkDerivation rec {
+ pname = "apparmor-d";
+ version = "unstable-2024-10-12";
+
+ src = fetchFromGitHub {
+ rev = "116272b8ada281178150f1c9a564aac1967121f6";
+ owner = "roddhjav";
+ repo = "apparmor.d";
+ hash = "sha256-Yx9UJdmBqjMSPVwFyvidQXfQ4pdEKaDMfvi7gF6GSVc=";
+ };
+
+ doCheck = false;
+ dontBuild = true;
+
+ patches = [
+ ./apparmor-d-paths.patch
+ ];
+
+ installPhase = ''
+ mkdir -p $out/etc
+ cp -r apparmor.d $out/etc
+ '';
+}
diff --git a/common/tooling/apparmor/default.nix b/common/tooling/apparmor/default.nix
new file mode 100644
index 0000000..7150d75
--- /dev/null
+++ b/common/tooling/apparmor/default.nix
@@ -0,0 +1,26 @@
+{
+ pkgs,
+ config,
+ lib,
+ ...
+}:
+let
+ inherit (config.grimmShared) enable tooling;
+ inherit (lib) mkIf;
+ apparmor-d = pkgs.callPackage ./apparmor-d.nix {};
+in
+{
+ config = mkIf (enable && tooling.enable) {
+ services.dbus.apparmor = "enabled";
+ security.auditd.enable = true;
+
+ security.apparmor.packages = [ apparmor-d ];
+ security.apparmor.enable = true;
+
+ security.apparmor.includes = {
+ vesktop = ''include "${apparmor-d}/etc/apparmor.d/profiles-s-z/vesktop"'';
+ };
+
+ security.apparmor.policies = {};
+ };
+}
diff --git a/common/tooling/default.nix b/common/tooling/default.nix
index 3a1e9f1..353b4c8 100644
--- a/common/tooling/default.nix
+++ b/common/tooling/default.nix
@@ -28,6 +28,7 @@ in
 ./java.nix
 ./opensnitch
 ./ranger.nix
+ ./apparmor
 ];
 
 config = mkIf (enable && tooling.enable) {
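Review bot: Nothing in the derivation says why upstream's build and tests are skipped (`dontBuild = true; doCheck = false;`) and the unprocessed `apparmor.d` tree is copied straight into `$out/etc`, nor why a patch is needed at all; the next person bumping `rev` will have to rediscover both. Two short comments would do: above `patches`, `# upstream tunables assume FHS paths; the patch points @{bin}/@{lib} at the Nix store`, and above `dontBuild`, `# the profile tree is shipped as-is; upstream's distro-specific build is not run`. Pinning `rev` together with `hash` is the right supply-chain practice here and should be kept as the package is updated.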
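Review bot: The `vesktop` entry under `security.apparmor.includes` only makes the upstream profile reachable through the parser's include path, and with `security.apparmor.policies = {}` nothing in this file loads or enforces it, so as far as this module shows AppArmor ends up enabled with no profile of its own (if the NixOS module also loads profiles from `security.apparmor.packages` directly, confirm that against the option's semantics rather than assuming it). If vesktop is meant to be confined, a `security.apparmor.policies.vesktop` entry whose `profile` carries that `include` line is the missing piece; if this is deliberate scaffolding for the experimental state, a comment such as `# no policies yet: profiles are only staged, nothing is enforced` avoids a false sense of confinement. The condition `enable && tooling.enable` switches AppArmor and auditd on for every host that has tooling enabled, not only those that opt in; a dedicated option is worth considering given the commit describes the support as experimental. As a matter of style, the four `security.apparmor.*` attributes read better grouped into a single `security.apparmor = { ... };` attrset.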