fix pkexec

2024-10-16 19:39:53 +02:00 · 2024-10-16 19:39:53 +02:00 · ff7e5e76c5
commit ff7e5e76c5
parent befdc89ae2
2 changed files with 9 additions and 2 deletions
--- a/common/tooling/apparmor/apparmor-d-package.nix
+++ b/common/tooling/apparmor/apparmor-d-package.nix
@ -32,6 +32,9 @@ buildGoModule {
    DISTRIBUTION=arch $out/bin/prebuild --abi 4 # fixme: replace with nixos support once available
    
    mv .build/apparmor.d $out/etc
+
+    rm $out/etc/apparmor.d/abstractions/authentication.d/complete
+    
    rm $out/bin/prebuild
  '';

--- a/common/tooling/apparmor/default.nix
+++ b/common/tooling/apparmor/default.nix
@ -6,7 +6,7 @@
 }:
 let
  inherit (config.grimmShared) enable tooling;
-  inherit (lib) mkIf optionalString getExe' getExe;
+  inherit (lib) mkIf getExe' getExe;
 in
 {
  imports = [ ./apparmor-d-module.nix ];
@ -33,7 +33,7 @@ in
        child-open = "enforce";
        firefox-glxtest = "enforce";
        gamemoded = "disable";
-        pkexec = "disable";
+        pkexec = "complain";
        xdg-mime = "complain";
        mimetype = "complain";    
      };
@ -82,6 +82,10 @@ in
      "abstractions/common/electron.d/libexec" = ''
        /nix/store/*/libexec/electron/** rix,
      '';
+
+      "local/pkexec" = ''
+        capability sys_ptrace,
+      '';
    };
    
    security.apparmor.policies = {