Compare commits
No commits in common. "befdc89ae2aefb4d28a354cf40dd64bd4a7ff829" and "e68b43a81213e55350e79a9281dbbe1d2bd65c12" have entirely different histories.
befdc89ae2
...
e68b43a812
3 changed files with 82 additions and 29 deletions
|
@ -5,29 +5,64 @@
|
||||||
...
|
...
|
||||||
}:
|
}:
|
||||||
let
|
let
|
||||||
inherit (lib) mkIf mapAttrs;
|
inherit (lib) mkIf mergeAttrsList last path;
|
||||||
|
|
||||||
cfg = config.security.apparmor_d;
|
cfg = config.security.apparmor_d;
|
||||||
apparmor-d = pkgs.callPackage ./apparmor-d-package.nix {};
|
apparmor-d = pkgs.callPackage ./apparmor-d-package.nix {};
|
||||||
in
|
in
|
||||||
{
|
{
|
||||||
options.security.apparmor_d = with lib; {
|
options.security.apparmor_d = with lib; let
|
||||||
|
profile = types.submodule ({ config, ... }: {
|
||||||
|
options = {
|
||||||
|
enable = mkOption {
|
||||||
|
type = types.bool;
|
||||||
|
default = true;
|
||||||
|
description = "whether to enable this profile";
|
||||||
|
};
|
||||||
|
|
||||||
|
enforce = mkOption {
|
||||||
|
type = types.bool;
|
||||||
|
default = true;
|
||||||
|
description = "whether to enforce this profile";
|
||||||
|
};
|
||||||
|
|
||||||
|
name = mkOption {
|
||||||
|
type = types.nonEmptyStr;
|
||||||
|
description = "name of the apparmor profile within apparmor.d";
|
||||||
|
example = "vesktop";
|
||||||
|
};
|
||||||
|
};
|
||||||
|
});
|
||||||
|
in {
|
||||||
enable = mkEnableOption "enable apparmor.d support";
|
enable = mkEnableOption "enable apparmor.d support";
|
||||||
|
|
||||||
profiles = mkOption {
|
profiles = mkOption {
|
||||||
type = types.attrsOf (types.enum [ "disable" "complain" "enforce" ]);
|
type = types.listOf (types.either types.nonEmptyStr profile);
|
||||||
default = {};
|
default = [];
|
||||||
description = "set of apparmor profiles to include from apparmor.d";
|
description = "set of apparmor profiles to include from apparmor.d";
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
|
||||||
|
options.test = lib.mkOption { default = null; };
|
||||||
|
|
||||||
config = mkIf (cfg.enable) {
|
config = mkIf (cfg.enable) {
|
||||||
security.apparmor.packages = [ apparmor-d ];
|
security.apparmor.packages = [ apparmor-d ];
|
||||||
security.apparmor.policies = mapAttrs (name: value: {
|
security.apparmor.policies = mergeAttrsList (map (p: if (builtins.isString p) then {
|
||||||
enable = value != "disable";
|
"${p}" = {
|
||||||
enforce = value == "enforce";
|
enable = true;
|
||||||
profile = ''include "${apparmor-d}/etc/apparmor.d/${name}"'';
|
enforce = true;
|
||||||
}) cfg.profiles;
|
profile = ''
|
||||||
|
include "${apparmor-d}/etc/apparmor.d/${p}"
|
||||||
|
'';
|
||||||
|
};
|
||||||
|
} else {
|
||||||
|
${p.name} = {
|
||||||
|
inherit (p) enable enforce;
|
||||||
|
profile = ''
|
||||||
|
include "${apparmor-d}/etc/apparmor.d/${p.name}"
|
||||||
|
'';
|
||||||
|
};
|
||||||
|
}) cfg.profiles );
|
||||||
|
|
||||||
environment.systemPackages = [ apparmor-d ];
|
environment.systemPackages = [ apparmor-d ];
|
||||||
};
|
};
|
||||||
|
|
|
@ -29,7 +29,7 @@ buildGoModule {
|
||||||
postInstall = ''
|
postInstall = ''
|
||||||
mkdir -p $out/etc
|
mkdir -p $out/etc
|
||||||
|
|
||||||
DISTRIBUTION=arch $out/bin/prebuild --abi 4 # fixme: replace with nixos support once available
|
DISTRIBUTION=arch $out/bin/prebuild --complain --abi 4 # fixme: replace with nixos support once available
|
||||||
|
|
||||||
mv .build/apparmor.d $out/etc
|
mv .build/apparmor.d $out/etc
|
||||||
rm $out/bin/prebuild
|
rm $out/bin/prebuild
|
||||||
|
|
|
@ -20,23 +20,42 @@ in
|
||||||
|
|
||||||
security.apparmor_d = {
|
security.apparmor_d = {
|
||||||
enable = true;
|
enable = true;
|
||||||
profiles = {
|
profiles = [
|
||||||
vesktop = "enforce";
|
"vesktop"
|
||||||
speech-dispatcher = "enforce";
|
"speech-dispatcher"
|
||||||
thunderbird-glxtest = "enforce";
|
"thunderbird-glxtest"
|
||||||
"firefox.apparmor.d" = "enforce";
|
# "firefox"
|
||||||
pass = "enforce";
|
"firefox.apparmor.d"
|
||||||
spotify = "enforce";
|
"pass"
|
||||||
"thunderbird.apparmor.d" = "enforce";
|
"spotify"
|
||||||
xdg-open = "enforce";
|
# "thunderbird"
|
||||||
child-open-any = "enforce";
|
"thunderbird.apparmor.d"
|
||||||
child-open = "enforce";
|
"xdg-open"
|
||||||
firefox-glxtest = "enforce";
|
"child-open-any"
|
||||||
gamemoded = "disable";
|
"child-open"
|
||||||
pkexec = "disable";
|
"firefox-glxtest"
|
||||||
xdg-mime = "complain";
|
# {
|
||||||
mimetype = "complain";
|
# enable = true;
|
||||||
};
|
# enforce = true;
|
||||||
|
# name = "gamemoded";
|
||||||
|
# };
|
||||||
|
{
|
||||||
|
enable = false;
|
||||||
|
enforce = false;
|
||||||
|
# somehow this has conflicting imports and i have no clue how to fix it
|
||||||
|
name = "pkexec";
|
||||||
|
}
|
||||||
|
{
|
||||||
|
enable = true;
|
||||||
|
enforce = false;
|
||||||
|
name = "xdg-mime";
|
||||||
|
}
|
||||||
|
{
|
||||||
|
enable = true;
|
||||||
|
enforce = false;
|
||||||
|
name = "mimetype";
|
||||||
|
}
|
||||||
|
];
|
||||||
};
|
};
|
||||||
|
|
||||||
|
|
||||||
|
@ -149,7 +168,6 @@ in
|
||||||
${getExe pkgs.bubblewrap} rix,
|
${getExe pkgs.bubblewrap} rix,
|
||||||
/nix/store/*-osu-lazer-bin-*-bwrap ix,
|
/nix/store/*-osu-lazer-bin-*-bwrap ix,
|
||||||
/nix/store/*-osu-lazer-bin-*-init ix,
|
/nix/store/*-osu-lazer-bin-*-init ix,
|
||||||
/nix/store/*-container-init ix,
|
|
||||||
/nix/store/*-osu-lazer-bin-*-extracted/** rk,
|
/nix/store/*-osu-lazer-bin-*-extracted/** rk,
|
||||||
/nix/store/*-osu-lazer-bin-*-extracted/AppRun ix,
|
/nix/store/*-osu-lazer-bin-*-extracted/AppRun ix,
|
||||||
/nix/store/*-osu-lazer-bin-*-extracted/usr/bin/** ix,
|
/nix/store/*-osu-lazer-bin-*-extracted/usr/bin/** ix,
|
||||||
|
|
Loading…
Reference in a new issue