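{ pkgs, config, lib, ... }:
# AppArmor confinement for the desktop tooling set: a site-wide
# "abstractions/base" that makes /nix/store readable to confined processes,
# per-application "local/*" include snippets, and a set of policies that are
# either written out here or taken verbatim from the apparmor-d package.
let
  inherit (config.grimmShared) enable tooling;
  inherit (lib) mkIf optionalString getExe' getExe;

  apparmor-d = pkgs.callPackage ./apparmor-d.nix { };

  # When true, the vesktop (Discord client) profile is additionally allowed to
  # read stable host identifiers (/etc/machine-id, GPU PCI vendor/product ids).
  # Set to false to withhold those from the client.
  allowFingerprinting = true;

  # A policy whose entire profile text is one of the files shipped by
  # apparmor-d; `rel` is the path below etc/apparmor.d inside that package.
  # Entries that need complain mode or must stay disabled override the
  # enable/enforce flags with `//`.
  fromApparmorD = rel: {
    enable = true;
    enforce = true;
    profile = ''
      include "${apparmor-d}/etc/apparmor.d/${rel}"
    '';
  };
in
{
  config = mkIf (enable && tooling.enable) {
    services.dbus.apparmor = "enabled";
    # auditd records AppArmor denials; the complain-mode policies further down
    # only produce log lines, so this is how their would-be denials surface.
    security.auditd.enable = true;
    security.apparmor.enable = true;
    security.apparmor.packages = [ apparmor-d ];

    security.apparmor.includes = {
      # Every profile that includes abstractions/base gets read access to the
      # whole store and mmap of anything under */bin and */lib. NixOS needs
      # this because executables and libraries live under hashed store paths;
      # the consequence is that confinement here mostly limits writes, exec
      # transitions and device access rather than what can be read from the
      # store (which is world-readable anyway).
      "abstractions/base" = ''
        /nix/store/*/bin/** mr,
        /nix/store/*/lib/** mr,
        /nix/store/** r,
        ${getExe' pkgs.coreutils "coreutils"} rix,
        ${getExe' pkgs.coreutils-full "coreutils"} rix,
      '';
      "local/speech-dispatcher" = ''
        ${pkgs.speechd}/libexec/speech-dispatcher-modules/* rix,
        @{PROC}/@{pid}/stat r,
        @{bin}/mbrola rix,
      '';
      "local/pass" = ''
        ${getExe' pkgs.pass ".pass-wrapped"} rix,
      '';
      # gpg side of pass: keyboxd is run inherited (ix) and only the caller's
      # own keyboxd socket under /run/user may be opened.
      "local/pass_gpg" = ''
        @{PROC}/@{pid}/fd/ r,
        /nix/store/*/libexec/keyboxd ix,
        owner /run/user/*/gnupg/S.keyboxd wr,
      '';
      "abstractions/app/udevadm.d/udevadm_is_exec" = ''
        @{bin}/udevadm mrix,
      '';
      # The passff native-messaging host is executed under its own `passff`
      # policy (rPx -> passff, defined below) rather than inheriting firefox's.
      "local/firefox" = ''
        ${pkgs.passff-host}/share/** rPx -> passff,
        @{HOME}/.mozilla/firefox/** mr,
      '';
      # NOTE(review): the wrapper name below ends in "_"; nixpkgs wrappers are
      # normally named ".<pkg>-wrapped", so this may be a typo — confirm against
      # the thunderbird package before relying on the rule.
      "local/thunderbird" = ''
        ${getExe' pkgs.thunderbird ".thunderbird-wrapped_"} rix,
        /dev/urandom w,
      '';
      "local/xdg-open" = ''
        @{PROC}/version r,
      '';
      "local/xdg-mime" = ''
        owner @{HOME}/@{XDG_CONFIG_DIR}/mimeapps* rwk,
        @{PROC}/version r,
      '';
      # speech-dispatcher and xdg-open are handed off to their own policies
      # (Px); the electron runtime itself stays inside the vesktop profile.
      "local/vesktop" = ''
        @{bin}/electron rix,
        /nix/store/*/libexec/electron/** rix,
        @{bin}/speech-dispatcher rPx,
        @{bin}/xdg-open rPx,
      '' + (optionalString allowFingerprinting ''
        /etc/machine-id r,
        /dev/udmabuf rw,
        /dev/ r,
        @{sys}/devices/@{pci}boot_vga r,
        @{sys}/devices/@{pci}idVendor r,
        @{sys}/devices/@{pci}idProduct r,
      '');
    };

    security.apparmor.policies = {
      # Native-messaging host for the passff extension: the only exec it is
      # granted is pass, and that runs under the separate `pass` policy (Px).
      # NOTE(review): the `abi` and `include` targets (<…>) are missing from
      # this copy of the file; restore them before building, as written these
      # lines do not parse.
      passff = {
        enable = true;
        enforce = true;
        profile = ''
          abi ,
          include
          profile passff ${pkgs.passff-host}/share/passff-host/passff.py {
            include  # read access to /nix/store, basic presets for most apps
            include
            ${getExe pkgs.pass} Px,
          }
        '';
      };

      # NOTE(review): `abi` / `include` targets missing here as well (see passff).
      swaymux = {
        enable = true;
        enforce = true;
        profile = ''
          abi ,
          include
          profile swaymux ${getExe pkgs.swaymux} {
            include  # read access to /nix/store, basic presets for most apps
            ${pkgs.swaymux}/bin/* rix,  # wrapping
            owner @{user_config_dirs}/Kvantum/** r,  # themeing
          }
        '';
      };

      # osu! is an AppImage started through bubblewrap, which is why this
      # policy is noticeably wider than the others (mknod, /tmp, ld.so cache,
      # /.host-etc). Everything the AppImage execs stays inside this profile
      # (ix) except xdg-mime, which transitions to its own policy (Px).
      # NOTE(review): `abi` and the seven `include` targets (<…>) are missing
      # from this copy; restore them before building.
      osu-lazer = {
        enable = true;
        enforce = true;
        profile = ''
          abi ,
          include
          profile osu-lazer @{bin}/osu\! flags=(attach_disconnected) {
            include  # read access to /nix/store, basic presets for most apps
            include
            include
            include
            include
            include
            include
            network inet dgram,
            network inet6 dgram,
            network inet stream,
            network inet6 stream,
            network netlink raw,
            owner @{PROC}/@{pid}/net/dev r,
            owner @{PROC}/@{pid}/net/if_inet6 r,
            owner @{PROC}/@{pid}/net/ipv6_route r,
            owner @{PROC}/@{pid}/net/route r,
            # NOTE(review): presumably needed by bubblewrap for device nodes in
            # its mount namespace — confirm; drop if the game starts without it.
            capability mknod,
            /dev/tty{@{d},} rw,
            ${pkgs.osu-lazer-bin}/bin/osu? ix,
            ${getExe pkgs.bubblewrap} rix,
            /nix/store/*-osu-lazer-bin-*-bwrap ix,
            /nix/store/*-osu-lazer-bin-*-init ix,
            /nix/store/*-osu-lazer-bin-*-extracted/** rk,
            /nix/store/*-osu-lazer-bin-*-extracted/AppRun ix,
            /nix/store/*-osu-lazer-bin-*-extracted/usr/bin/** ix,
            @{bin}/ldconfig ix,
            @{bin}/appimage-exec.sh ix,
            @{bin}/rev ix,
            @{bin}/bash ix,
            @{bin}/grep ix,
            @{bin}/lsblk ix,
            @{bin}/awk ix,
            @{bin}/gawk ix,
            @{bin}/xdg-mime Px,
            ${getExe' pkgs.gamemode "gamemoderun"} ix,
            owner @{HOME}/@{XDG_DATA_DIR}/osu/** rwkm,
            owner @{HOME}/.dotnet/** rwkm,
            owner @{HOME}/@{XDG_DATA_DIR}/Sentry/** rwk,
            owner @{HOME}/@{XDG_CONFIG_DIR}/mimeapps* rwk,
            owner @{HOME}/@{XDG_DATA_DIR}/applications/discord-*.desktop rwk,
            /nix/store/*-etc-os-release rk,
            /nix/store/*/share/zoneinfo/** rk,
            # Broad: any user-owned path under /tmp, not just the game's own.
            owner /tmp/** rwk,
            /usr/lib/ r,
            # ld.so cache/config writes are limited by `owner`; presumably these
            # are the sandbox's private copies — confirm rather than the host's.
            owner /var/cache/ldconfig/ rw,
            owner /etc/ld.so* rw,
            owner @{PROC}/@{pid}/{maps,stat} rk,
            @{PROC}/sys/kernel/os{type,release} rk,
            /dev/snd/** rw,
            /dev/udmabuf wr,
            /.host-etc/alsa/conf.d/{,**} r,
            /.host-etc/ssl/certs/{,**} r,
            /.host-etc/resolv.conf rk,
          }
        '';
      };

      # Policies taken as-is from apparmor-d; the "local/*" snippets above are
      # what extend them for this system.
      vesktop = fromApparmorD "profiles-s-z/vesktop";
      speech-dispatcher = fromApparmorD "profiles-s-z/speech-dispatcher";
      spotify = fromApparmorD "profiles-s-z/spotify";
      thunderbird = fromApparmorD "profiles-s-z/thunderbird";
      thunderbird-glxtest = fromApparmorD "profiles-s-z/thunderbird-glxtest";
      xdg-open = fromApparmorD "groups/freedesktop/xdg-open";
      child-open-any = fromApparmorD "groups/children/child-open-any";
      child-open = fromApparmorD "groups/children/child-open";
      firefox-glxtest = fromApparmorD "groups/browsers/firefox-glxtest";
      firefox = fromApparmorD "groups/browsers/firefox";
      pass = fromApparmorD "profiles-m-r/pass";
      # gamemoded = fromApparmorD "profiles-g-l/gamemoded";

      # Disabled outright: pkexec (setuid) currently runs unconfined on this
      # system until the include conflict is sorted out.
      pkexec = fromApparmorD "profiles-m-r/pkexec" // {
        enable = false;
        enforce = false; # somehow this has conflicting imports and i have no clue how to fix it
      };

      # Complain mode: the policy is loaded, but denials are only logged
      # (via auditd), not blocked.
      xdg-mime = fromApparmorD "groups/freedesktop/xdg-mime" // {
        enforce = false; # somehow this has conflicting imports and i have no clue how to fix it
      };
      mimetype = fromApparmorD "profiles-m-r/mimetype" // {
        enforce = false; # somehow this has conflicting imports and i have no clue how to fix it
      };
    };
  };
}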