apparmor: modularize, add rules package

JohnRTitor · Jun 12, 2024 · 198abd7 · 198abd7
1 parent 15ec120
commit 198abd7
Show file tree

Hide file tree

Showing 3 changed files with 57 additions and 4 deletions.
diff --git a/pkgs/roddhjav-apparmor-rules.nix b/pkgs/roddhjav-apparmor-rules.nix
@@ -0,0 +1,47 @@
+{
+  lib,
+  stdenvNoCC,
+  fetchFromGitHub,
+  unstableGitUpdater,
+}:
+
+stdenvNoCC.mkDerivation {
+  pname = "roddhjav-apparmor-rules";
+  version = "0-unstable-2024-06-11";
+
+  src = fetchFromGitHub {
+    owner = "roddhjav";
+    repo = "apparmor.d";
+    rev = "6d549b7c70415e884586c23a8a5d2448d89e543d";
+    hash = "sha256-iHBIBOKOsagDwQRD8SjymEeM3xTQhtTDeL8YvqhHtPQ=";
+  };
+
+  dontConfigure = true;
+  dontBuild = true;
+
+  installPhase = ''
+    runHook preInstall
+    mkdir -p $out/etc/apparmor.d
+    cp -r apparmor.d/* $out/etc/apparmor.d
+    runHook postInstall
+  '';
+
+  passthru.updateScript = unstableGitUpdater { };
+
+  meta = {
+    homepage = "https://github.com/roddhjav/apparmor.d";
+    description = "Over 1500 AppArmor profiles aiming to confine most linux processes";
+    longDescription = ''
+      AppArmor.d is a set of over 1500 AppArmor profiles whose aim is to confine
+      most Linux based applications and processes. Confines all system services, user services
+      and most desktop environments. Currently supported DEs are GNOME, KDE and XFCE (partial).
+      If your DE is not listed in https://github.com/roddhjav/apparmor.d
+      Do not use this, else it may break your system.
+    '';
+    license = lib.licenses.gpl2;
+    platforms = lib.platforms.linux;
+    maintainers = with lib.maintainers; [
+      johnrtitor
+    ];
+  };
+}
diff --git a/system/services/apparmor.nix b/system/services/apparmor.nix
@@ -0,0 +1,9 @@
+{pkgs, ...}:
+{
+  security.apparmor.enable = true;
+  security.apparmor.enableCache = true;
+  services.dbus.apparmor = "enabled";
+  security.apparmor.packages = [
+    (pkgs.callPackage ../../pkgs/roddhjav-apparmor-rules.nix {})
+  ];
+}
diff --git a/system/services/default.nix b/system/services/default.nix
@@ -8,6 +8,7 @@
   imports =
     [
       ./ananicy-cpp.nix
+      ./apparmor.nix
       ./console-tty.nix
       ./gnome-keyring.nix
     ]
@@ -91,9 +92,5 @@
 
   security.polkit.enable = true; # Enable polkit for elevated prompts
 
-  security.apparmor.enable = true;
-  security.apparmor.enableCache = true;
-  services.dbus.apparmor = "enabled";
-
   services.colord.enable = true; # For color management
 }