Install apparmor
diff --git a/modules/apparmor.nix b/modules/apparmor.nix
new file mode 100644
index 0000000..fddd363
--- /dev/null
+++ b/modules/apparmor.nix
@@ -0,0 +1,36 @@
+{ pkgs, system, username, config, ... }: {
+ config = {
+ security.apparmor = {
+ enable = true;
+
+ packages = [ pkgs.apparmor-profiles ];
+
+ killUnconfinedConfinables = true;
+
+ policies = {
+ # TODO: Refactor this into a directory, ideally we'll have too many
+ # profiles for this to be just here. Perhaps look at neovim for an
+ # example? Explore if we could put these outside of nix files so we can
+ # use syntax highlighting
+
+ default_deny = {
+ profile = ''
+ profile default_deny /** { }
+ '';
+ enforce = false;
+ enable = true;
+ };
+
+ sudo = {
+ profile = ''
+ ${config.security.wrapperDir}/sudo {
+ file rwlkUx,
+ }
+ '';
+ };
+ };
+ };
+
+ services.dbus.apparmor = "required";
+ };
+}
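Review bot: The `sudo` profile's only rule, `file rwlkUx,`, grants read/write/link/lock on every path and runs every child unconfined (with `Ux` scrubbing the environment), so it confines sudo barely at all, yet the profile has no `capability` rules; if the NixOS defaults for `enable`/`enforce` apply to this entry, sudo's setuid/setgid and audit work would presumably be denied in enforce mode, so it is worth testing from a live console before relying on it, or adding `enforce = false;` to this entry until the required capability and file rules are known. The `default_deny` entry attaches an empty profile to `/**`, which appears to match any executable without a more specific profile; together with `killUnconfinedConfinables = true` on the line above, confirm at activation that this does not affect processes already running, and expect complain-mode logging from it to be noisy. A short comment above `default_deny` stating its purpose, e.g. `# Catch-all profile kept in complain mode to log what otherwise-unconfined programs touch`, would help the next reader more than the general TODO.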