{ pkgs, config, lib, ... }: let inherit (config.grimmShared) enable tooling; inherit (lib) mkIf getExe' getExe; in { imports = [ ./apparmor-d-module.nix ]; # ./aa-alias-module.nix ]; config = mkIf (enable && tooling.enable && config.security.apparmor.enable) { services.dbus.apparmor = "enabled"; security.auditd.enable = true; security.apparmor.enableCache = true; security.apparmor.includes."tunables/alias.d/programs" = '' # alias / -> @{nix_store}/, alias /bin/spotify -> ${pkgs.spotify}/share/spotify/spotify, ''; environment.systemPackages = with pkgs; [ apparmor-parser ]; # security.apparmor.aa-alias-manager.enable = false; security.audit.backlogLimit = 512; security.apparmor_d = { enable = true; profiles = { vesktop = "enforce"; speech-dispatcher = "enforce"; thunderbird-glxtest = "enforce"; "firefox.apparmor.d" = "enforce"; pass = "enforce"; spotify = "enforce"; "thunderbird.apparmor.d" = "enforce"; # xdg-open = "enforce"; child-open-any = "enforce"; child-open = "enforce"; firefox-glxtest = "enforce"; firefox-vaapitest = "enforce"; gamemoded = "disable"; pkexec = "complain"; xdg-mime = "complain"; mimetype = "complain"; # sudo = "complain"; "unix-chkpwd.apparmor.d" = "complain"; }; }; security.apparmor.includes = { "abstractions/base" = '' /nix/store/*/bin/** mr, /nix/store/*/lib/** mr, /nix/store/** r, ${getExe' pkgs.coreutils "coreutils"} rix, ${getExe' pkgs.coreutils-full "coreutils"} rix, ''; # "tunables/alias.d/store" = '' # include # alias /bin -> @{bin}, # alias /bin/ -> /nix/store/*/bin/, # ''; "local/speech-dispatcher" = '' @{nix_store}/libexec/speech-dispatcher-modules/* ix, @{PROC}/@{pid}/stat r, @{bin}/mbrola rix, ''; "local/pass" = '' ${getExe' pkgs.pass ".pass-wrapped"} rix, @{nix_store}/wl-copy rUx, @{nix_store}/wl-paste rUx, ''; "local/pass_gpg" = '' @{PROC}/@{pid}/fd/ r, /nix/store/*/libexec/keyboxd ix, owner /run/user/*/gnupg/S.keyboxd wr, ''; "local/xdg-mime" = '' # include /bin/grep rix, /bin/gawk rix, # /bin/dbus-send Cx -> bus, /dev/tty* rw, ''; "abstractions/app/udevadm.d/udevadm_is_exec" = '' @{bin}/udevadm mrix, ''; "local/firefox" = '' ${pkgs.passff-host}/share/passff-host/passff.py rPx -> passff, @{HOME}/.mozilla/firefox/** mr, ''; "local/thunderbird" = '' ${getExe' pkgs.thunderbird ".thunderbird-wrapped_"} rix, /dev/urandom w, ''; "abstractions/common/electron.d/libexec" = '' /nix/store/*/libexec/electron/** rix, ''; "local/pkexec" = '' capability sys_ptrace, ''; "local/xdg-open" = '' @{bin}/grep rix, /** r, ''; "local/child-open" = '' include @{bin}/grep ix, /@{PROC}/version r, @{bin}/gdbus Cx -> bus, # @{bin}/gdbus Ux, ''; "local/vesktop" = '' /etc/machine-id r, /dev/udmabuf rw, /sys/devices/@{pci}/boot_vga r, /sys/devices/@{pci}/**/id{Vendor,Product} r, /dev/ r, @{bin}/xdg-open rPx, /bin/electron rix, ''; "local/sudo" = '' /run/wrappers/wrappers.*/unix_chkpwd rPx -> unix-chkpwd, ''; "local/unix-chkpwd" = '' /run/wrappers/wrappers.*/unix_chkpwd rix, @{bin}/unix_chkpwd rix, ''; # "local/spotify" = '' # @{bin}/ # ''; }; security.apparmor.policies = { passff = { state = "enforce"; # enable = true; # enforce = true; profile = '' abi , include profile passff ${pkgs.passff-host}/share/passff-host/passff.py { include # read access to /nix/store, basic presets for most apps include @{bin}/pass Px -> pass, } ''; }; swaymux = { state = "enforce"; # enable = true; # enforce = true; profile = '' abi , include profile swaymux ${getExe pkgs.swaymux} { include # read access to /nix/store, basic presets for most apps ${pkgs.swaymux}/bin/* rix, # wrapping /dev/tty r, owner @{user_config_dirs}/Kvantum/** r, # themeing } ''; }; # speech-dispatcher-test = { # enable = true; # enforce = true; # profile = ''# # #abi , # #include # #@{exec_path} = @{bin}/speech-dispatcher #profile speech-dispatcher ${getExe' pkgs.speechd "speech-dispatcher"} flags=(complain) { # include # include # include # include # include # network inet stream, # network inet6 stream, # @{exec_path} mr, # @{sh_path} ix, # @{lib}/speech-dispatcher/** r, # @{lib}/speech-dispatcher/speech-dispatcher-modules/* ix, # /etc/machine-id r, # /etc/speech-dispatcher/{,**} r, # owner @{run}/user/@{uid}/speech-dispatcher/ rw, # owner @{run}/user/@{uid}/speech-dispatcher/** rwk, # include if exists #} ''; # }; sleep = { state = "enforce"; profile = '' abi , include profile sleep ${getExe' pkgs.coreutils-full "sleep"} { include } ''; }; osu-lazer = { state = "disable"; # enable = true; # enforce = true; profile = '' abi , include profile osu-lazer @{bin}/osu\! flags=(attach_disconnected) { include # read access to /nix/store, basic presets for most apps include include include include include include network inet dgram, network inet6 dgram, network inet stream, network inet6 stream, network netlink raw, owner @{PROC}/@{pid}/net/dev r, owner @{PROC}/@{pid}/net/if_inet6 r, owner @{PROC}/@{pid}/net/ipv6_route r, owner @{PROC}/@{pid}/net/route r, capability mknod, /dev/tty{@{d},} rw, ${pkgs.osu-lazer-bin}/bin/osu? ix, ${getExe pkgs.bubblewrap} rix, /nix/store/*-osu-lazer-bin-*-bwrap ix, /nix/store/*-osu-lazer-bin-*-init ix, /nix/store/*-container-init ix, /nix/store/*-osu-lazer-bin-*-extracted/** rk, /nix/store/*-osu-lazer-bin-*-extracted/AppRun ix, /nix/store/*-osu-lazer-bin-*-extracted/usr/bin/** ix, @{bin}/ldconfig ix, @{bin}/appimage-exec.sh ix, @{bin}/rev ix, @{bin}/bash ix, @{bin}/grep ix, @{bin}/lsblk ix, @{bin}/awk ix, @{bin}/gawk ix, @{bin}/xdg-mime Px, /usr/bin/xdg-mime Px, ${getExe' pkgs.gamemode "gamemoderun"} ix, owner @{HOME}/@{XDG_DATA_DIR}/osu/** rwkm, owner @{HOME}/.dotnet/** rwkm, owner @{HOME}/@{XDG_DATA_DIR}/Sentry/** rwk, owner @{HOME}/@{XDG_CONFIG_DIR}/mimeapps* rwk, owner @{HOME}/@{XDG_DATA_DIR}/applications/discord-*.desktop rwk, /nix/store/*-etc-os-release rk, /nix/store/*/share/zoneinfo/** rk, owner /tmp/** rwk, /usr/lib/ r, owner /var/cache/ldconfig/ rw, owner /etc/ld.so* rw, owner @{PROC}/@{pid}/{maps,stat} rk, @{PROC}/sys/kernel/os{type,release} rk, /dev/snd/** rw, /dev/udmabuf wr, /.host-etc/alsa/conf.d/{,**} r, /.host-etc/ssl/certs/{,**} r, /.host-etc/resolv.conf rk, } ''; }; }; }; }