grimm-nixos-laptop/hardening/apparmor/apparmor-d-prebuild.patch
2025-01-21 19:27:00 +01:00


diff --git a/apparmor.d/tunables/multiarch.d/system b/apparmor.d/tunables/multiarch.d/system
index 0a95d183..4e15d5e3 100644
--- a/apparmor.d/tunables/multiarch.d/system
+++ b/apparmor.d/tunables/multiarch.d/system
@@ -106,8 +106,8 @@
@{MOUNTS}=@{MOUNTDIRS}/*/ @{run}/user/@{uid}/gvfs/
# Common places for binaries and libraries across distributions
-@{bin}=/{,usr/}{,s}bin
-@{lib}=/{,usr/}lib{,exec,32,64}
+@{bin}=/{nix/store/*/,}{,usr/}bin
+@{lib}=/{nix/store/*/,/run/wrappers,}{,usr/}lib{,exec,32,64}
# Common places for temporary files
@{tmp}=/tmp/ /tmp/user/@{uid}/
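Review bot: The new `@{bin}` drops the `{,s}` alternative, so `/sbin` and `/usr/sbin` no longer match, while the Go default in pkg/aa/apparmor.go in this same commit keeps `{,s}bin`; the two definitions also disagree on where `/run/wrappers` belongs (here in `@{lib}`, there in `bin`). In both places the `/run/wrappers` alternative looks malformed: inside `/{nix/store/*/,...}` it carries a leading slash and no trailing one, so it expands to `//run/wrapperslib` here and `//run/wrappersbin` in apparmor.go rather than to a directory under `/run/wrappers/`. Suggest `@{bin}=/{nix/store/*/,run/wrappers/,}{,usr/}{,s}bin` and `@{lib}=/{nix/store/*/,}{,usr/}lib{,exec,32,64}`, spelled the same way in the Go default, unless a `/run/wrappers/lib` path really exists on the target. A comment above the two definitions should also record that `/nix/store/*/` matches every store output, not only the active system profile, so these variables are considerably wider than the `/usr` paths they replace.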
diff --git a/cmd/prebuild/main.go b/cmd/prebuild/main.go
index 3f2dd9f4..39a8b64a 100644
--- a/cmd/prebuild/main.go
+++ b/cmd/prebuild/main.go
@@ -37,7 +37,7 @@ func init() {
// Compatibility with AppArmor 3
switch prebuild.Distribution {
- case "arch":
+ case "arch", "nixos":
case "ubuntu":
if !slices.Contains([]string{"noble"}, prebuild.Release["VERSION_CODENAME"]) {
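Review bot: The empty `case "arch", "nixos":` silently asserts that NixOS needs none of the AppArmor 3 compatibility handling, i.e. that the nixpkgs AppArmor is 4.x, but nothing in the hunk states or checks that; a short comment such as `case "arch", "nixos": // AppArmor >= 4, no compatibility rewrite needed` would make the assumption visible to whoever bumps or pins that package. The same bare string is added to the equally empty case in pkg/prebuild/prepare/configure.go, so the two spots should carry the same comment. Both switches presumably key on the os-release `ID` value; worth confirming that `prebuild.Distribution` is populated as `"nixos"` there. The enclosing `init` body continues outside the hunk.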
diff --git a/pkg/aa/apparmor.go b/pkg/aa/apparmor.go
index a887d4b9..eb0cc2ef 100644
--- a/pkg/aa/apparmor.go
+++ b/pkg/aa/apparmor.go
@@ -33,13 +33,13 @@ func DefaultTunables() *AppArmorProfileFile {
return &AppArmorProfileFile{
Preamble: Rules{
&Variable{Name: "arch", Values: []string{"x86_64", "amd64", "i386"}, Define: true},
- &Variable{Name: "bin", Values: []string{"/{,usr/}{,s}bin"}, Define: true},
+ &Variable{Name: "bin", Values: []string{"/{nix/store/*/,/run/wrappers,}{,usr/}{,s}bin"}, Define: true},
&Variable{Name: "c", Values: []string{"[0-9a-zA-Z]"}, Define: true},
&Variable{Name: "etc_ro", Values: []string{"/{,usr/}etc/"}, Define: true},
&Variable{Name: "HOME", Values: []string{"/home/*"}, Define: true},
&Variable{Name: "int", Values: []string{"[0-9]{[0-9],}{[0-9],}{[0-9],}{[0-9],}{[0-9],}{[0-9],}{[0-9],}{[0-9],}{[0-9],}"}, Define: true},
&Variable{Name: "int2", Values: []string{"[0-9][0-9]"}, Define: true},
- &Variable{Name: "lib", Values: []string{"/{,usr/}lib{,exec,32,64}"}, Define: true},
+ &Variable{Name: "lib", Values: []string{"/{nix/store/*/,}{,usr/}lib{,exec,32,64}"}, Define: true},
&Variable{Name: "MOUNTS", Values: []string{"/media/*/", "/run/media/*/*/", "/mnt/*/"}, Define: true},
&Variable{Name: "multiarch", Values: []string{"*-linux-gnu*"}, Define: true},
&Variable{Name: "rand", Values: []string{"@{c}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}"}, Define: true}, // Up to 10 characters
diff --git a/pkg/prebuild/prepare/configure.go b/pkg/prebuild/prepare/configure.go
index 4b8e11ec..11eab5f7 100644
--- a/pkg/prebuild/prepare/configure.go
+++ b/pkg/prebuild/prepare/configure.go
@@ -28,7 +28,7 @@ func (p Configure) Apply() ([]string, error) {
res := []string{}
switch prebuild.Distribution {
- case "arch", "opensuse":
+ case "arch", "opensuse", "nixos":
case "ubuntu":
if err := prebuild.DebianHide.Init(); err != nil {