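{
  pkgs,
  config,
  lib,
  ...
}: let
  inherit (builtins) attrValues;
  inherit (lib) getExe;
in {
  # AppArmor mandatory access control, via the NixOS `security.apparmor` module.
  security = {
    apparmor = {
      enable = true;

      # Packages whose share/apparmor.d content is added to the parser's
      # include path (abstractions/tunables). This alone loads and enforces
      # nothing; profiles are declared under `policies` below.
      packages = [pkgs.apparmor-profiles];

      # NOTE(review): this does NOT kill every process lacking a profile.
      # At activation it kills processes that a *loaded* policy from
      # `policies` would confine but that are currently running unconfined
      # (AppArmor only confines newly exec'd processes), so they come back
      # confined on restart. Processes with no matching profile are untouched.
      # With every policy below disabled, this currently has nothing to act on.
      killUnconfinedConfinables = true;

      # AppArmor policies.
      # FIXME: all three policies are placeholders, kept unloaded
      # (enable = false) and in complain mode (enforce = false), so none of
      # them confines anything today. Read the per-policy notes before
      # enabling any of them: one would lock up the whole system and the
      # other two grant unrestricted access.
      policies = {
        # An empty profile attached to `/**` matches every executable and,
        # having no rules, denies every operation. Enabling it with
        # enforce = true would make the system unusable; with enforce = false
        # it would emit a complaint for every access on the host. Only for a
        # deliberate lockdown experiment.
        "default_deny" = {
          enforce = false;
          enable = false;
          profile = ''
            profile default_deny /** { }
          '';
        };
        # Placeholder for the nix binary. `unconfined` is meant as "no
        # confinement"; whether it parses as a body rule here (rather than
        # `flags=(unconfined)` on the profile header) depends on the
        # apparmor_parser version — verify before enabling. Either way nix
        # would still run unrestricted.
        "nix" = {
          enforce = false;
          enable = false;
          profile = ''
            ${getExe config.nix.package} {
              unconfined,
            }
          '';
        };
        # Placeholder for sudo. `file /** rwlkUx` allows read/write/link/lock
        # on every path and runs every child unconfined (`Ux`), so this
        # profile confines nothing even when enabled. Replace it with an
        # explicit rule set before relying on it.
        "sudo" = {
          enforce = false;
          enable = false;
          profile = ''
            ${getExe pkgs.sudo} {
              file /** rwlkUx,
            }
          '';
        };
      };
    };
  };

  # Build dbus with AppArmor mediation. "enabled" mediates when the kernel
  # supports it; "required" would refuse to start without AppArmor.
  services.dbus.apparmor = "enabled";

  # AppArmor userspace tooling on $PATH (aa-status, aa-enforce, ...).
  # apparmor-kernel-patches ships patch files rather than binaries, so it
  # adds nothing usable to PATH; kept for parity with the original list.
  environment.systemPackages = attrValues {
    inherit
      (pkgs)
      apparmor-utils
      apparmor-bin-utils
      apparmor-kernel-patches
      apparmor-parser
      apparmor-profiles
      apparmor-pam
      libapparmor
      ;
  };
}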