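{ config, pkgs, ... }: {
  # AppArmor mandatory access control for this host.
  #
  # Only the framework itself is switched on here. Every entry under
  # security.apparmor.policies is declared with enable = false, so no
  # process is actually confined by this module yet.

  # Let dbus-daemon consult AppArmor when mediating bus access.
  services.dbus.apparmor = "enabled";

  # Userspace tooling (parser, aa-* utilities, PAM module, library) and
  # the upstream profile collection.
  environment.systemPackages = with pkgs; [
    apparmor-pam
    apparmor-utils
    apparmor-parser
    apparmor-profiles
    apparmor-bin-utils
    apparmor-kernel-patches
    libapparmor
  ];

  # apparmor configuration
  security.apparmor = {
    enable = true;

    # whether to enable AppArmor cache
    # in /var/cache/apparmor
    enableCache = true;

    # whether to kill processes which have an AppArmor profile enabled
    # but are not confined (AppArmor can only confine new processes)
    killUnconfinedConfinables = true;

    # packages to be added to AppArmor's include path
    packages = [ pkgs.apparmor-profiles ];

    # AppArmor policies.
    #
    # `policies` is an attribute set keyed by profile name, so its
    # bindings must live inside `{ ... }`. The previous `[ ... ]` list
    # holding `name = { ... };` bindings is a Nix syntax error and the
    # module would fail to evaluate.
    policies = {
      # Catch-all profile attached to every path (`/**`). An empty
      # profile body permits nothing, so enabling this without more
      # specific profiles for other programs would break the system;
      # it stays disabled.
      "default_deny" = {
        enforce = false;
        enable = false;
        profile = ''
          profile default_deny /** {}
        '';
      };

      # Placeholder for sudo. `rwlkUx` on `/**` grants read, write,
      # link and lock everywhere plus unconfined execution, i.e. it
      # imposes no real restriction yet.
      # NOTE(review): on NixOS the setuid sudo users run lives under
      # /run/wrappers/bin, not at this store path -- confirm the
      # attachment path matches the binary actually executed before
      # enabling this profile.
      "sudo" = {
        enforce = false;
        enable = false;
        profile = ''
          ${pkgs.sudo}/bin/sudo {
            file /** rwlkUx
          }
        '';
      };

      # Explicitly leave the nix binary unconfined (it needs broad
      # access to the store and build sandboxes).
      "nix" = {
        enforce = false;
        enable = false;
        profile = ''
          ${config.nix.package}/bin/nix {
            unconfined
          }
        '';
      };
    };
  };
}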