diff --git a/apparmor.d/tunables/multiarch.d/system b/apparmor.d/tunables/multiarch.d/system
index 0a95d183..6be12d34 100644
--- a/apparmor.d/tunables/multiarch.d/system
+++ b/apparmor.d/tunables/multiarch.d/system
@@ -106,8 +106,8 @@
 @{MOUNTS}=@{MOUNTDIRS}/*/ @{run}/user/@{uid}/gvfs/
 
 # Common places for binaries and libraries across distributions
-@{bin}=/{,usr/}{,s}bin
-@{lib}=/{,usr/}lib{,exec,32,64}
+@{bin}=/bin
+@{lib}=/{nix/store/*/,}{,usr/}lib{,exec,32,64}
 
 # Common places for temporary files
 @{tmp}=/tmp/ /tmp/user/@{uid}/
diff --git a/cmd/prebuild/main.go b/cmd/prebuild/main.go
index 3f2dd9f4..39a8b64a 100644
--- a/cmd/prebuild/main.go
+++ b/cmd/prebuild/main.go
@@ -37,7 +37,7 @@ func init() {
 
 	// Compatibility with AppArmor 3
 	switch prebuild.Distribution {
-	case "arch":
+	case "arch", "nixos":
 
 	case "ubuntu":
 		if !slices.Contains([]string{"noble"}, prebuild.Release["VERSION_CODENAME"]) {
diff --git a/pkg/aa/apparmor.go b/pkg/aa/apparmor.go
index a887d4b9..606b4643 100644
--- a/pkg/aa/apparmor.go
+++ b/pkg/aa/apparmor.go
@@ -33,7 +33,7 @@ func DefaultTunables() *AppArmorProfileFile {
 	return &AppArmorProfileFile{
 		Preamble: Rules{
 			&Variable{Name: "arch", Values: []string{"x86_64", "amd64", "i386"}, Define: true},
-			&Variable{Name: "bin", Values: []string{"/{,usr/}{,s}bin"}, Define: true},
+			&Variable{Name: "bin", Values: []string{"/{nix/store/*/,}{,usr/}{,s}bin"}, Define: true},
 			&Variable{Name: "c", Values: []string{"[0-9a-zA-Z]"}, Define: true},
 			&Variable{Name: "etc_ro", Values: []string{"/{,usr/}etc/"}, Define: true},
 			&Variable{Name: "HOME", Values: []string{"/home/*"}, Define: true},
diff --git a/pkg/prebuild/prepare/configure.go b/pkg/prebuild/prepare/configure.go
index 4b8e11ec..11eab5f7 100644
--- a/pkg/prebuild/prepare/configure.go
+++ b/pkg/prebuild/prepare/configure.go
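Review bot: The new `@{bin}=/bin` drops `/usr/bin`, `/sbin` and `/usr/sbin` from the tunable and adds nothing for the Nix store, so every profile rule written against `@{bin}` stops matching binaries under `/usr/bin` on each distribution this file serves, while `@{lib}` in the same hunk and the `bin` default in `pkg/aa/apparmor.go` both gain the `/{nix/store/*/,}` prefix. That asymmetry looks like an editing slip rather than intent, and on NixOS `/bin` typically holds little more than `sh`, so it would not cover NixOS binaries either. I would expect `@{bin}=/{nix/store/*/,}{,usr/}{,s}bin` here, mirroring the Go default. Note also that `/nix/store/*/` matches any store entry, so an exec rule such as `@{bin}/foo ix` is satisfied by `/nix/store/<any>/bin/foo`; on a multi-user Nix install that presumably includes paths realised by unprivileged users, which is inherent to Nix's layout but deserves a comment above the variable, e.g. `# On Nix the store glob makes @{bin} rules match any store path with that basename`.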
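Review bot: `DefaultTunables` is not distribution-gated as far as this hunk shows, so the `/{nix/store/*/,}` prefix on `bin` widens the default `@{bin}` on every distribution, not only NixOS. Wherever Nix is installed next to the native package manager, a profile rule like `@{bin}/bash ix` will also permit `/nix/store/<anything>/bin/bash`, and in a multi-user Nix setup store paths can presumably be realised by unprivileged users, so exec rules effectively become keyed by basename alone. If that is the intended trade-off, record it on this line, e.g. `// Nix store paths are accepted on every distribution so profiles keep working when Nix is installed; any store entry with a matching basename is then executable under the rule`; otherwise have the caller append the store prefix only for NixOS rather than baking it into the default (doing the check here would likely need `prebuild`, which may create an import cycle — verify). The value also disagrees with `@{bin}=/bin` in `apparmor.d/tunables/multiarch.d/system` from the same commit, so one of the two should be corrected. `DefaultTunables` starts and ends outside the hunk.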
@@ -28,7 +28,7 @@ func (p Configure) Apply() ([]string, error) {
 	res := []string{}
 	switch prebuild.Distribution {
-	case "arch", "opensuse":
+	case "arch", "opensuse", "nixos":
 
 	case "ubuntu":
 		if err := prebuild.DebianHide.Init(); err != nil {
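Review bot: The literal `"nixos"` is now spelled out separately here and in `cmd/prebuild/main.go`, so a typo in either switch silently sends NixOS down the `default`/other branch instead of failing loudly; the same holds for `"arch"` and `"opensuse"`. A named constant in `prebuild` (e.g. `const DistNixOS = "nixos"`) or a small shared predicate used by both switches would keep them in step. The empty case body is fine, but a one-line comment stating why these distributions need no preparation would help — the hunk does not show the reason, so write it only if you can confirm it. `Apply` starts and ends outside the hunk.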