experimental apparmor support

common/tooling/apparmor/apparmor-d-paths.patch

@@ -0,0 +1,15 @@
+diff --git a/apparmor.d/tunables/multiarch.d/system b/apparmor.d/tunables/multiarch.d/system
+index be37123f..1d61a671 100644
+--- a/apparmor.d/tunables/multiarch.d/system
++++ b/apparmor.d/tunables/multiarch.d/system
+@@ -106,8 +106,8 @@
+ @{MOUNTS}=@{MOUNTDIRS}/*/ @{run}/user/@{uid}/gvfs/
+ 
+ # Common places for binaries and libraries across distributions
+-@{bin}=/{,usr/}{,s}bin
+-@{lib}=/{,usr/}lib{,exec,32,64}
++@{bin}=/nix/store/*/bin
++@{lib}=/nix/store/*/lib
+ 
+ # Common places for temporary files
+ @{tmp}=/tmp/ /tmp/user/@{uid}/

common/tooling/apparmor/apparmor-d.nix

@@ -0,0 +1,24 @@
+{ stdenv, fetchFromGitHub }: 
+stdenv.mkDerivation rec {
+  pname = "apparmor-d";
+  version = "unstable-2024-10-12";
+
+  src = fetchFromGitHub {
+    rev = "116272b8ada281178150f1c9a564aac1967121f6";
+    owner = "roddhjav";
+    repo = "apparmor.d";
+    hash = "sha256-Yx9UJdmBqjMSPVwFyvidQXfQ4pdEKaDMfvi7gF6GSVc=";
+  };
+  
+  doCheck = false;
+  dontBuild = true;
+
+  patches = [
+    ./apparmor-d-paths.patch
+  ];
+
+  installPhase = ''
+    mkdir -p $out/etc
+    cp -r apparmor.d $out/etc
+  '';
+}

common/tooling/apparmor/default.nix

@@ -0,0 +1,26 @@
+{
+  pkgs,
+  config,
+  lib,
+  ...
+}:
+let
+  inherit (config.grimmShared) enable tooling;
+  inherit (lib) mkIf;
+  apparmor-d = pkgs.callPackage ./apparmor-d.nix {};
+in
+{
+  config = mkIf (enable && tooling.enable) {
+    services.dbus.apparmor = "enabled";
+    security.auditd.enable = true;
+    
+    security.apparmor.packages = [ apparmor-d ];
+    security.apparmor.enable = true;
+
+    security.apparmor.includes = {
+      vesktop = ''include "${apparmor-d}/etc/apparmor.d/profiles-s-z/vesktop"'';
+    };
+    
+    security.apparmor.policies = {};
+  };
+}

common/tooling/default.nix

@@ -28,6 +28,7 @@ in
     ./java.nix
     ./opensnitch
     ./ranger.nix
+    ./apparmor
   ];
 
   config = mkIf (enable && tooling.enable) {