grimm-nixos-laptop/common/tooling/apparmor/apparmor-d-prebuild.patch


diff --git a/apparmor.d/tunables/multiarch.d/system b/apparmor.d/tunables/multiarch.d/system
index 0a95d183..6be12d34 100644
--- a/apparmor.d/tunables/multiarch.d/system
+++ b/apparmor.d/tunables/multiarch.d/system
@@ -106,8 +106,8 @@
@{MOUNTS}=@{MOUNTDIRS}/*/ @{run}/user/@{uid}/gvfs/
# Common places for binaries and libraries across distributions
-@{bin}=/{,usr/}{,s}bin
-@{lib}=/{,usr/}lib{,exec,32,64}
+@{bin}=/bin
+@{lib}=/{nix/store/*/,}{,usr/}lib{,exec,32,64}
# Common places for temporary files
@{tmp}=/tmp/ /tmp/user/@{uid}/
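Review bot: The new `@{bin}=/bin` is narrower than the `bin` variable this same patch sets in pkg/aa/apparmor.go (`/{nix/store/*/,}{,usr/}{,s}bin`): it drops `/usr/bin`, `/sbin`, `/usr/sbin` and every nix store bin directory, so profiles built from this tunables file and from DefaultTunables will allow different executables. Unless the narrowing is intentional, the line should read `@{bin}=/{nix/store/*/,}{,usr/}{,s}bin` to match the Go side. The `/nix/store/*/` prefix in `@{lib}` (and in the Go `bin` value) necessarily matches any store path, not only the packages a given profile is meant to cover, so a short comment above these lines, e.g. `# NixOS: store paths are globbed, so @{bin}/@{lib} cover every store output`, would make that trade-off visible to anyone tightening a profile later.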
diff --git a/cmd/prebuild/main.go b/cmd/prebuild/main.go
index 3f2dd9f4..39a8b64a 100644
--- a/cmd/prebuild/main.go
+++ b/cmd/prebuild/main.go
@@ -37,7 +37,7 @@ func init() {
// Compatibility with AppArmor 3
switch prebuild.Distribution {
- case "arch":
+ case "arch", "nixos":
case "ubuntu":
if !slices.Contains([]string{"noble"}, prebuild.Release["VERSION_CODENAME"]) {
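Review bot: The `"nixos"` value added to `case "arch", "nixos":` lands in an empty case body, so the intent — that NixOS needs none of the AppArmor 3 compatibility handling the other branches perform — is only implied; the same applies to `case "arch", "opensuse", "nixos":` in pkg/prebuild/prepare/configure.go. A one-line comment in each, such as `// nixos: no compatibility adjustments needed`, would record that the omission is deliberate rather than an unfinished branch. Both enclosing switches continue past the end of their hunks (init() in main.go and Configure.Apply in configure.go), so I cannot see whether a default branch handles unknown distributions.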
diff --git a/pkg/aa/apparmor.go b/pkg/aa/apparmor.go
index a887d4b9..606b4643 100644
--- a/pkg/aa/apparmor.go
+++ b/pkg/aa/apparmor.go
@@ -33,7 +33,7 @@ func DefaultTunables() *AppArmorProfileFile {
return &AppArmorProfileFile{
Preamble: Rules{
&Variable{Name: "arch", Values: []string{"x86_64", "amd64", "i386"}, Define: true},
- &Variable{Name: "bin", Values: []string{"/{,usr/}{,s}bin"}, Define: true},
+ &Variable{Name: "bin", Values: []string{"/{nix/store/*/,}{,usr/}{,s}bin"}, Define: true},
&Variable{Name: "c", Values: []string{"[0-9a-zA-Z]"}, Define: true},
&Variable{Name: "etc_ro", Values: []string{"/{,usr/}etc/"}, Define: true},
&Variable{Name: "HOME", Values: []string{"/home/*"}, Define: true},
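Review bot: Only the `bin` entry in DefaultTunables receives the `/{nix/store/*/,}` prefix, while the tunables file in this same patch also rewrites `@{lib}`; if DefaultTunables defines a `lib` variable further down (the Preamble literal continues past the hunk), it presumably needs the matching `/{nix/store/*/,}{,usr/}lib{,exec,32,64}` value, otherwise library rules resolved through the Go side will miss store paths. Worth confirming against the rest of the function body, which ends outside this hunk.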
diff --git a/pkg/prebuild/prepare/configure.go b/pkg/prebuild/prepare/configure.go
index 4b8e11ec..11eab5f7 100644
--- a/pkg/prebuild/prepare/configure.go
+++ b/pkg/prebuild/prepare/configure.go
@@ -28,7 +28,7 @@ func (p Configure) Apply() ([]string, error) {
res := []string{}
switch prebuild.Distribution {
- case "arch", "opensuse":
+ case "arch", "opensuse", "nixos":
case "ubuntu":
if err := prebuild.DebianHide.Init(); err != nil {