Grimmauld/grimm-nixos-laptop
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity

Compare commits

base: Grimmauld:b10ee3bf29fb5f5c4f6effcb8cb7124496453ef9
Branches Tags
Grimmauld:main
Grimmauld:server-migration
...
compare: Grimmauld:d6e4ce8850230b52fdd660ec6e46fd7bc34bcd67
Branches Tags
Grimmauld:main
Grimmauld:server-migration

2 commits
b10ee3bf29 ... d6e4ce8850

Author SHA1 Message Date
Grimmauld
d6e4ce8850
make vesktop work 2024-10-12 21:01:10 +02:00
Grimmauld
e072d9e4a5
experimental apparmor support 2024-10-12 18:19:18 +02:00
4 changed files with 86 additions and 0 deletions
Show stats Expand all files Collapse all files

15
common/tooling/apparmor/apparmor-d-paths.patch Normal file
View file

@ -0,0 +1,15 @@
diff --git a/apparmor.d/tunables/multiarch.d/system b/apparmor.d/tunables/multiarch.d/system
index be37123f..1d61a671 100644
--- a/apparmor.d/tunables/multiarch.d/system
+++ b/apparmor.d/tunables/multiarch.d/system
@@ -106,8 +106,8 @@
@{MOUNTS}=@{MOUNTDIRS}/*/ @{run}/user/@{uid}/gvfs/
# Common places for binaries and libraries across distributions
-@{bin}=/{,usr/}{,s}bin
-@{lib}=/{,usr/}lib{,exec,32,64}
+@{bin}=/nix/store/*/bin
+@{lib}=/nix/store/*/lib
# Common places for temporary files
@{tmp}=/tmp/ /tmp/user/@{uid}/

24
common/tooling/apparmor/apparmor-d.nix Normal file
View file

@ -0,0 +1,24 @@
{ stdenv, fetchFromGitHub }:
stdenv.mkDerivation rec {
pname = "apparmor-d";
version = "unstable-2024-10-12";
src = fetchFromGitHub {
rev = "116272b8ada281178150f1c9a564aac1967121f6";
owner = "roddhjav";
repo = "apparmor.d";
hash = "sha256-Yx9UJdmBqjMSPVwFyvidQXfQ4pdEKaDMfvi7gF6GSVc=";
};
doCheck = false;
dontBuild = true;
patches = [
./apparmor-d-paths.patch
];
installPhase = ''
mkdir -p $out/etc
cp -r apparmor.d $out/etc
'';
}

46
common/tooling/apparmor/default.nix Normal file
View file

@ -0,0 +1,46 @@
{
pkgs,
config,
lib,
...
}:
let
inherit (config.grimmShared) enable tooling;
inherit (lib) mkIf;
apparmor-d = pkgs.callPackage ./apparmor-d.nix {};
in
{
config = mkIf (enable && tooling.enable) {
services.dbus.apparmor = "enabled";
security.auditd.enable = true;
security.apparmor.packages = [ apparmor-d ];
security.apparmor.enable = true;
security.apparmor.includes = {
"local/vesktop" = ''
# @{lib}/libdl.so* mr,
# @{lib}/libglapi.so* mr,
# @{lib}/libc.so* mr,
# @{lib}/pluseaudio/** mr,
@{bin}/electron rix,
/nix/store/*/libexec/electron/** rix,
/nix/store/*/bin/** mr,
/nix/store/*/lib/** mr,
/nix/store/** r,
'';
};
security.apparmor.policies = {
vesktop = {
enable = true;
enforce = true;
profile = ''
include "${apparmor-d}/etc/apparmor.d/profiles-s-z/vesktop"
'';
};
};
};
}

1
common/tooling/default.nix
View file

@ -28,6 +28,7 @@ in
./java.nix ./java.nix
./opensnitch ./opensnitch
./ranger.nix ./ranger.nix
./apparmor
]; ];
config = mkIf (enable && tooling.enable) { config = mkIf (enable && tooling.enable) {