diff --git a/common/tooling/apparmor/apparmor-d-package.nix b/common/tooling/apparmor/apparmor-d-package.nix
index aa2f084..f0a636d 100644
--- a/common/tooling/apparmor/apparmor-d-package.nix
+++ b/common/tooling/apparmor/apparmor-d-package.nix
@@ -32,6 +32,9 @@ buildGoModule {
 DISTRIBUTION=arch $out/bin/prebuild --abi 4
 # fixme: replace with nixos support once available
 mv .build/apparmor.d $out/etc
+
+ rm $out/etc/apparmor.d/abstractions/authentication.d/complete
+ rm $out/bin/prebuild
 '';
diff --git a/common/tooling/apparmor/default.nix b/common/tooling/apparmor/default.nix
index e0ac269..d5b058f 100644
--- a/common/tooling/apparmor/default.nix
+++ b/common/tooling/apparmor/default.nix
@@ -6,7 +6,7 @@
 }:
 let
 inherit (config.grimmShared) enable tooling;
- inherit (lib) mkIf optionalString getExe' getExe;
+ inherit (lib) mkIf getExe' getExe;
 in
 {
 imports = [ ./apparmor-d-module.nix ];
@@ -33,7 +33,7 @@ in
 child-open = "enforce";
 firefox-glxtest = "enforce";
 gamemoded = "disable";
- pkexec = "disable";
+ pkexec = "complain";
 xdg-mime = "complain";
 mimetype = "complain";
 };
@@ -82,6 +82,10 @@ in
 "abstractions/common/electron.d/libexec" = ''
 /nix/store/*/libexec/electron/** rix,
 '';
+
+ "local/pkexec" = ''
+ capability sys_ptrace,
+ '';
 };
 security.apparmor.policies = {
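Review bot: The `rm` of `abstractions/authentication.d/complete` changes the effective content of the upstream `authentication` abstraction for every profile that includes it, and nothing in the hunk records why; a one-line comment above it would keep the intent reviewable, e.g. `# drop upstream authentication.d/complete: TODO(reason) — state what it grants that is unwanted here`. Because the `rm` is unconditional, an upstream rename or removal of that file will fail the build with a bare "No such file" error; that is arguably a useful pin, but it is worth saying so in the same comment rather than leaving the next maintainer to guess. The enclosing shell string starts before the hunk, so the phase it belongs to is not visible here.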
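Review bot: Switching `pkexec` from `"disable"` to `"complain"` loads the profile but only logs denials, so the `capability sys_ptrace,` added in the later `local/pkexec` hunk is neither enforced nor validated by this change. If complain is a staging step toward enforce, record that on the line: `pkexec = "complain"; # TODO: move to enforce once the audit log is clean; was disabled before`. pkexec is a setuid privilege-escalation helper, so it is one of the profiles where the distinction between complain and enforce matters most, and the current mode should not be left looking like a final decision.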
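Review bot: `capability sys_ptrace,` in `local/pkexec` is a broad grant with no comment naming the denial it resolves. If the motivating audit entry is pkexec reading the caller's `/proc/<pid>/` entries, AppArmor mediates that primarily through a `ptrace (read),` rule and only cross-uid reads additionally require the capability; the log's `operation=` and `capname=`/`requested_mask=` fields show which one was actually denied. Suggest keeping the grant to the narrowest rule the log supports and adding the summarised audit line above it, e.g. `# needed for: <AUDIT LINE PLACEHOLDER>`, so the reason survives the next upstream profile update. The enclosing attribute set continues past the hunk.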