| Skyler Grey | 1fe0da3 | 2023-02-26 13:06:21 +0000 | [diff] [blame] | 1 | { pkgs, system, username, config, ... }: { |
| 2 | config = { |
| 3 | security.apparmor = { |
| 4 | enable = true; |
| 5 | |
| 6 | packages = [ pkgs.apparmor-profiles ]; |
| 7 | |
| 8 | killUnconfinedConfinables = true; |
| 9 | |
| 10 | policies = { |
| 11 | # TODO: Refactor this into a directory, ideally we'll have too many |
| 12 | # profiles for this to be just here. Perhaps look at neovim for an |
| 13 | # example? Explore if we could put these outside of nix files so we can |
| 14 | # use syntax highlighting |
| 15 | |
| 16 | default_deny = { |
| 17 | profile = '' |
| 18 | profile default_deny /** { } |
| 19 | ''; |
| 20 | enforce = false; |
| 21 | enable = true; |
| 22 | }; |
| 23 | |
| 24 | sudo = { |
| 25 | profile = '' |
| 26 | ${config.security.wrapperDir}/sudo { |
| 27 | file rwlkUx, |
| 28 | } |
| 29 | ''; |
| 30 | }; |
| 31 | }; |
| 32 | }; |
| 33 | |
| 34 | services.dbus.apparmor = "required"; |
| 35 | }; |
| 36 | } |