# NixOS module: AppArmor confinement for the "tooling" desktop profile.
#
# Everything here is gated on config.grimmShared.enable && tooling.enable.
# The `security.apparmor_d` option is provided by ./apparmor-d-module.nix
# (not part of this file), which wraps the apparmor.d profile collection.
#
# NOTE(review): in the policy strings further down, the `abi ,` and bare
# `include` lines have lost their `<...>` targets (they look stripped by
# extraction, not authored that way) — the real file must carry the full
# `abi <...>,` / `include <...>` forms, otherwise the profiles do not parse.
{ pkgs, config, lib, ... }:
let
  inherit (config.grimmShared) enable tooling;
  inherit (lib) mkIf getExe' getExe;
in
{
  imports = [ ./apparmor-d-module.nix ];

  config = mkIf (enable && tooling.enable) {
    # D-Bus consults AppArmor labels for bus access; auditd stays on so that
    # denials — and the logged-only violations of the complain-mode profiles
    # below — land in the audit log rather than only in the kernel ring buffer.
    services.dbus.apparmor = "enabled";
    security.auditd.enable = true;
    security.apparmor.enable = true;
    security.apparmor.enableCache = true;

    security.apparmor_d = {
      enable = true;
      # Per-profile mode for the apparmor.d profiles this host opts into.
      #   enforce  - deny anything the profile does not allow
      #   complain - load the profile but only log violations: pkexec, sudo,
      #              xdg-mime and mimetype are therefore audit-only for now,
      #              i.e. NOT confined
      #   disable  - do not load the profile at all
      # The ".apparmor.d" names are apparmor.d's variants of profiles whose
      # plain name is taken elsewhere (presumably by the upstream package's
      # own profile — confirm against the apparmor.d tree).
      profiles = {
        vesktop = "enforce";
        speech-dispatcher = "enforce";
        thunderbird-glxtest = "enforce";
        "firefox.apparmor.d" = "enforce";
        pass = "enforce";
        spotify = "enforce";
        "thunderbird.apparmor.d" = "enforce";
        xdg-open = "enforce";
        child-open-any = "enforce";
        child-open = "enforce";
        firefox-glxtest = "enforce";
        gamemoded = "disable";
        pkexec = "complain";
        xdg-mime = "complain";
        mimetype = "complain";
        sudo = "complain";
      };
    };

    # Site-local include fragments. Each attribute becomes a file under the
    # AppArmor include tree; the `local/<name>` ones are the hook files that
    # apparmor.d profiles pull in for per-host additions, the `abstractions/...`
    # ones extend shared abstractions.
    security.apparmor.includes = {
      # Extends the base abstraction that (nearly) every profile includes.
      # Required by the Nix store layout, but note the cost: every confined
      # program may read and mmap anything under /nix/store, and may run
      # coreutils inheriting its own confinement (ix), so no individual
      # profile can narrow store access below this.
      "abstractions/base" = ''
        /nix/store/*/bin/** mr,
        /nix/store/*/lib/** mr,
        /nix/store/** r,
        ${getExe' pkgs.coreutils "coreutils"} rix,
        ${getExe' pkgs.coreutils-full "coreutils"} rix,
      '';
      # Output modules and the mbrola synthesizer run under speech-dispatcher's
      # own confinement (ix).
      "local/speech-dispatcher" = ''
        ${pkgs.speechd}/libexec/speech-dispatcher-modules/* rix,
        @{PROC}/@{pid}/stat r,
        @{bin}/mbrola rix,
      '';
      # pkgs.pass installs a wrapper; the real script is .pass-wrapped and is
      # what the profile actually needs to execute.
      "local/pass" = ''
        ${getExe' pkgs.pass ".pass-wrapped"} rix,
      '';
      # gpg's keyboxd helper plus its per-user socket (owner-only, so only the
      # invoking user's socket under /run/user can be reached).
      "local/pass_gpg" = ''
        @{PROC}/@{pid}/fd/ r,
        /nix/store/*/libexec/keyboxd ix,
        owner /run/user/*/gnupg/S.keyboxd wr,
      '';
      "abstractions/app/udevadm.d/udevadm_is_exec" = ''
        @{bin}/udevadm mrix,
      '';
      # The passff native-messaging host is transitioned into the dedicated
      # `passff` policy defined in security.apparmor.policies below; `Px`
      # means the environment is scrubbed on the transition.
      "local/firefox" = ''
        ${pkgs.passff-host}/share/passff-host/passff.py rPx -> passff,
        @{HOME}/.mozilla/firefox/** mr,
      '';
      # As with pass: the wrapped binary behind the Nix wrapper. The urandom
      # write is harmless (unprivileged writes only mix into the pool); why
      # thunderbird needs it is not visible here — presumably an observed
      # denial, confirm.
      "local/thunderbird" = ''
        ${getExe' pkgs.thunderbird ".thunderbird-wrapped_"} rix,
        /dev/urandom w,
      '';
      "abstractions/common/electron.d/libexec" = ''
        /nix/store/*/libexec/electron/** rix,
      '';
      # NOTE(review): while pkexec is in complain mode above this rule only
      # affects logging, but it is a standing grant of CAP_SYS_PTRACE to a
      # setuid helper once the profile is switched to enforce — re-check that
      # the grant is still needed before enforcing.
      "local/pkexec" = ''
        capability sys_ptrace,
      '';
    };

    # Complete, host-authored profiles (not from apparmor.d).
    security.apparmor.policies = {
      # Native-messaging host for the passff browser extension, reached from
      # local/firefox above. Its only privilege is to launch `pass`, and that
      # launch transitions (with a clean environment, Px) into apparmor.d's
      # `pass` profile, which is enforced above.
      passff = {
        enable = true;
        enforce = true;
        profile = ''
          abi ,
          include
          profile passff ${pkgs.passff-host}/share/passff-host/passff.py {
            include # read access to /nix/store, basic presets for most apps
            include
            @{bin}/pass Px -> pass,
          }
        '';
      };
      # swaymux launcher: may run the binaries from its own package under its
      # own confinement, read the terminal, and read the user's Kvantum theme.
      swaymux = {
        enable = true;
        enforce = true;
        profile = ''
          abi ,
          include
          profile swaymux ${getExe pkgs.swaymux} {
            include # read access to /nix/store, basic presets for most apps
            ${pkgs.swaymux}/bin/* rix, # wrapping
            /dev/tty r,
            owner @{user_config_dirs}/Kvantum/** r, # themeing
          }
        '';
      };
      # osu!(lazer) AppImage wrapper. The game is started through bubblewrap
      # (bwrap/container-init rules below); attach_disconnected is what lets
      # paths inside that mount namespace be mediated instead of denied, and
      # `capability mknod` is presumably needed by bwrap's sandbox setup —
      # confirm, as it is the one real privilege in this profile.
      #
      # Things a reviewer should be aware of:
      #   * full IPv4/IPv6 stream+dgram plus netlink raw, and reads of the
      #     per-process routing tables (interface enumeration, presumably);
      #   * `owner /etc/ld.so* rw` and `owner /var/cache/ldconfig/ rw`: on the
      #     host these are root-owned, so `owner` effectively limits them to
      #     bwrap's private, user-owned view — verify that is the intent;
      #   * `/.host-etc/...` looks like bwrap's bind of the host /etc (read-only);
      #   * `owner /tmp/** rwk` is broad, bounded only by file ownership;
      #   * `@{bin}/xdg-mime Px` hands off to the xdg-mime profile, which is
      #     currently in complain mode (see profiles above).
      # @{d}, @{XDG_DATA_DIR}, @{XDG_CONFIG_DIR} and @{user_config_dirs} are
      # apparmor.d tunables, not defined in this file.
      osu-lazer = {
        enable = true;
        enforce = true;
        profile = ''
          abi ,
          include
          profile osu-lazer @{bin}/osu\! flags=(attach_disconnected) {
            include # read access to /nix/store, basic presets for most apps
            include
            include
            include
            include
            include
            include

            network inet dgram,
            network inet6 dgram,
            network inet stream,
            network inet6 stream,
            network netlink raw,
            owner @{PROC}/@{pid}/net/dev r,
            owner @{PROC}/@{pid}/net/if_inet6 r,
            owner @{PROC}/@{pid}/net/ipv6_route r,
            owner @{PROC}/@{pid}/net/route r,

            capability mknod,
            /dev/tty{@{d},} rw,

            ${pkgs.osu-lazer-bin}/bin/osu? ix,
            ${getExe pkgs.bubblewrap} rix,
            /nix/store/*-osu-lazer-bin-*-bwrap ix,
            /nix/store/*-osu-lazer-bin-*-init ix,
            /nix/store/*-container-init ix,
            /nix/store/*-osu-lazer-bin-*-extracted/** rk,
            /nix/store/*-osu-lazer-bin-*-extracted/AppRun ix,
            /nix/store/*-osu-lazer-bin-*-extracted/usr/bin/** ix,
            @{bin}/ldconfig ix,
            @{bin}/appimage-exec.sh ix,
            @{bin}/rev ix,
            @{bin}/bash ix,
            @{bin}/grep ix,
            @{bin}/lsblk ix,
            @{bin}/awk ix,
            @{bin}/gawk ix,
            @{bin}/xdg-mime Px,
            ${getExe' pkgs.gamemode "gamemoderun"} ix,

            owner @{HOME}/@{XDG_DATA_DIR}/osu/** rwkm,
            owner @{HOME}/.dotnet/** rwkm,
            owner @{HOME}/@{XDG_DATA_DIR}/Sentry/** rwk,
            owner @{HOME}/@{XDG_CONFIG_DIR}/mimeapps* rwk,
            owner @{HOME}/@{XDG_DATA_DIR}/applications/discord-*.desktop rwk,

            /nix/store/*-etc-os-release rk,
            /nix/store/*/share/zoneinfo/** rk,
            owner /tmp/** rwk,
            /usr/lib/ r,
            owner /var/cache/ldconfig/ rw,
            owner /etc/ld.so* rw,
            owner @{PROC}/@{pid}/{maps,stat} rk,
            @{PROC}/sys/kernel/os{type,release} rk,

            /dev/snd/** rw,
            /dev/udmabuf wr,

            /.host-etc/alsa/conf.d/{,**} r,
            /.host-etc/ssl/certs/{,**} r,
            /.host-etc/resolv.conf rk,
          }
        '';
      };
    };
  };
}