# NixOS module: AppArmor configuration.
#
# Enables the AppArmor service and declares a few profiles inline. Every
# profile below is currently switched off (`enable = false`), so no
# confinement is actually applied yet; the module mainly stages the
# infrastructure for later use.
{ pkgs, system, username, config, ... }: {
  config = {
    security.apparmor = {
      enable = true;

      # Ship the upstream profile collection alongside the local ones below.
      packages = [ pkgs.apparmor-profiles ];

      # Kill processes that have an enabled profile in `policies` but are
      # running unconfined (AppArmor only confines newly started processes).
      # A no-op while every policy below has enable = false; revisit before
      # turning one on, since activation will then kill matching processes.
      killUnconfinedConfinables = true;

      policies = {
        # TODO: Move these profiles into a directory of their own; this block
        # will grow as profiles are added. Perhaps look at neovim for an
        # example? Also explore keeping them outside of Nix files so editors
        # can syntax-highlight the AppArmor rules.

        # Catch-all profile with an empty body: attaches to every path and
        # grants nothing, i.e. deny-by-default. Kept disabled.
        default_deny = {
          profile = ''
            profile default_deny /** { }
          '';
          enforce = false;
          enable = false;
        };

        # sudo: `file /** rwlkUx` grants read/write/link/lock on all files and
        # lets sudo execute anything unconfined (Ux = unconfined execute with
        # a scrubbed environment), so this profile does not restrict sudo at
        # all — it is a placeholder. Kept disabled.
        sudo = {
          profile = ''
            ${pkgs.sudo}/bin/sudo {
              file /** rwlkUx,
            }
          '';
          enforce = false;
          enable = false;
        };

        # nix: explicitly unconfined via the `unconfined` rule. Kept disabled.
        nix = {
          profile = ''
            ${pkgs.nix}/bin/nix {
              unconfined,
            }
          '';
          enforce = false;
          enable = false;
        };
      };
    };

    # D-Bus AppArmor mediation is off: bus access is not checked against the
    # profiles above.
    services.dbus.apparmor = "disabled";
  };
}