

2 commits

Author SHA1 Message Date
befdc89ae2
fix all apparmor profiles just being complain mode 2024-10-16 15:26:56 +02:00
1e9f12df9f
simplify module 2024-10-16 15:20:09 +02:00
3 changed files with 29 additions and 82 deletions


@ -5,64 +5,29 @@
... ...
}: }:
let let
inherit (lib) mkIf mergeAttrsList last path; inherit (lib) mkIf mapAttrs;
cfg = config.security.apparmor_d; cfg = config.security.apparmor_d;
apparmor-d = pkgs.callPackage ./apparmor-d-package.nix {}; apparmor-d = pkgs.callPackage ./apparmor-d-package.nix {};
in in
{ {
options.security.apparmor_d = with lib; let options.security.apparmor_d = with lib; {
profile = types.submodule ({ config, ... }: {
options = {
enable = mkOption {
type = types.bool;
default = true;
description = "whether to enable this profile";
};
enforce = mkOption {
type = types.bool;
default = true;
description = "whether to enforce this profile";
};
name = mkOption {
type = types.nonEmptyStr;
description = "name of the apparmor profile within apparmor.d";
example = "vesktop";
};
};
});
in {
enable = mkEnableOption "enable apparmor.d support"; enable = mkEnableOption "enable apparmor.d support";
profiles = mkOption { profiles = mkOption {
type = types.listOf (types.either types.nonEmptyStr profile); type = types.attrsOf (types.enum [ "disable" "complain" "enforce" ]);
default = []; default = {};
description = "set of apparmor profiles to include from apparmor.d"; description = "set of apparmor profiles to include from apparmor.d";
}; };
}; };
options.test = lib.mkOption { default = null; };
config = mkIf (cfg.enable) { config = mkIf (cfg.enable) {
security.apparmor.packages = [ apparmor-d ]; security.apparmor.packages = [ apparmor-d ];
security.apparmor.policies = mergeAttrsList (map (p: if (builtins.isString p) then { security.apparmor.policies = mapAttrs (name: value: {
"${p}" = { enable = value != "disable";
enable = true; enforce = value == "enforce";
enforce = true; profile = ''include "${apparmor-d}/etc/apparmor.d/${name}"'';
profile = '' }) cfg.profiles;
include "${apparmor-d}/etc/apparmor.d/${p}"
'';
};
} else {
${p.name} = {
inherit (p) enable enforce;
profile = ''
include "${apparmor-d}/etc/apparmor.d/${p.name}"
'';
};
}) cfg.profiles );
environment.systemPackages = [ apparmor-d ]; environment.systemPackages = [ apparmor-d ];
}; };
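Review bot: The `profiles` option's description on the new side still reads `set of apparmor profiles to include from apparmor.d`, but the option is now an attrset keyed by profile name whose value is one of `"disable"`, `"complain"` or `"enforce"`, and nothing documents what each value does. Suggest `description = "apparmor.d profiles to include, keyed by profile name; the value selects the mode: \"disable\" sets the policy's enable = false, \"complain\" loads it without enforcing, \"enforce\" loads and enforces it";`. Note that `"disable"` still emits a `security.apparmor.policies` entry (with `enable = false`) rather than omitting it; presumably that is what the NixOS option expects, but it is worth confirming so a disabled profile is really not loaded.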


@ -29,7 +29,7 @@ buildGoModule {
postInstall = '' postInstall = ''
mkdir -p $out/etc mkdir -p $out/etc
DISTRIBUTION=arch $out/bin/prebuild --complain --abi 4 # fixme: replace with nixos support once available DISTRIBUTION=arch $out/bin/prebuild --abi 4 # fixme: replace with nixos support once available
mv .build/apparmor.d $out/etc mv .build/apparmor.d $out/etc
rm $out/bin/prebuild rm $out/bin/prebuild
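Review bot: The `--complain` flag is removed from the `prebuild` call without any comment recording why, and the surviving `# fixme` note only talks about NixOS support; someone tidying the build later could re-add the flag and silently undo the fix from befdc89ae2. Going by that commit's title, the flag apparently pinned every prebuilt profile to complain mode regardless of the per-profile `enforce` setting, so suggest extending the comment: `# no --complain: the mode is chosen per profile via security.apparmor_d.profiles`. The `postInstall` script continues outside the hunk.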


@ -20,42 +20,23 @@ in
security.apparmor_d = { security.apparmor_d = {
enable = true; enable = true;
profiles = [ profiles = {
"vesktop" vesktop = "enforce";
"speech-dispatcher" speech-dispatcher = "enforce";
"thunderbird-glxtest" thunderbird-glxtest = "enforce";
# "firefox" "firefox.apparmor.d" = "enforce";
"firefox.apparmor.d" pass = "enforce";
"pass" spotify = "enforce";
"spotify" "thunderbird.apparmor.d" = "enforce";
# "thunderbird" xdg-open = "enforce";
"thunderbird.apparmor.d" child-open-any = "enforce";
"xdg-open" child-open = "enforce";
"child-open-any" firefox-glxtest = "enforce";
"child-open" gamemoded = "disable";
"firefox-glxtest" pkexec = "disable";
# { xdg-mime = "complain";
# enable = true; mimetype = "complain";
# enforce = true; };
# name = "gamemoded";
# };
{
enable = false;
enforce = false;
# somehow this has conflicting imports and i have no clue how to fix it
name = "pkexec";
}
{
enable = true;
enforce = false;
name = "xdg-mime";
}
{
enable = true;
enforce = false;
name = "mimetype";
}
];
}; };
@ -168,6 +149,7 @@ in
${getExe pkgs.bubblewrap} rix, ${getExe pkgs.bubblewrap} rix,
/nix/store/*-osu-lazer-bin-*-bwrap ix, /nix/store/*-osu-lazer-bin-*-bwrap ix,
/nix/store/*-osu-lazer-bin-*-init ix, /nix/store/*-osu-lazer-bin-*-init ix,
/nix/store/*-container-init ix,
/nix/store/*-osu-lazer-bin-*-extracted/** rk, /nix/store/*-osu-lazer-bin-*-extracted/** rk,
/nix/store/*-osu-lazer-bin-*-extracted/AppRun ix, /nix/store/*-osu-lazer-bin-*-extracted/AppRun ix,
/nix/store/*-osu-lazer-bin-*-extracted/usr/bin/** ix, /nix/store/*-osu-lazer-bin-*-extracted/usr/bin/** ix,
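Review bot: In the first hunk, migrating `pkexec` to `"disable"` drops the old explanatory comment (`somehow this has conflicting imports and i have no clue how to fix it`), so the reason a privilege-escalation helper's profile is left disabled no longer appears next to the setting. Suggest keeping the rationale inline, `pkexec = "disable"; # profile has conflicting includes, disabled until fixed`, and likewise a short reason on `xdg-mime` and `mimetype`, which stay in complain mode with no note on what still breaks under enforce. The second hunk's new `/nix/store/*-container-init ix,` rule matches any store path ending in `-container-init`; a comment naming the package that provides it would make the rule easier to audit later.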