Add apparmor
This commit is contained in:
parent
7a17948e90
commit
4ea6be120d
|
@ -6,6 +6,7 @@ _: {
|
|||
./nix
|
||||
./environment
|
||||
./impermanence
|
||||
./security
|
||||
./programs.nix
|
||||
./system.nix
|
||||
./network.nix
|
||||
|
|
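--- a/system/shared/security/apparmor.nix
+++ b/system/shared/security/apparmor.nix
@@ -0,0 +1,60 @@
+{ config, pkgs, ... }: {
+services.dbus.apparmor = "enabled";
+
+environment.systemPackages = with pkgs; [
+apparmor-pam
+apparmor-utils
+apparmor-parser
+apparmor-profiles
+apparmor-bin-utils
+apparmor-kernel-patches
+libapparmor
+];
+
+# apparmor configuration
+security.apparmor = {
+enable = true;
+
+# whether to enable AppArmor cache
+# in /var/cache/apparmor
+enableCache = true;
+
+# whether to kill processes which have an AppArmor profile enabled
+# but are not confined (AppArmor can only confine new processes)
+killUnconfinedConfinables = true;
+
+# packages to be added to AppArmor's include path
+packages = [pkgs.apparmor-profiles];
+
+# AppArmor policies
+policies = [
+"default_deny" = {
+enforce = false;
+enable = false;
+profile = ''
+profile default_deny /** {}
+'';
+};
+
+"sudo" = {
+enforce = false;
+enable = false;
+profile = ''
+${pkgs.sudo}/bin/sudo {
+file /** rwlkUx
+}
+'';
+};
+
+"nix" = {
+enforce = false;
+enable = false;
+profile = ''
+${config.nix.package}/bin/nix {
+unconfined
+}
+'';
+};
+];
+};
+}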
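Review bot: `policies = [` (closed by `];` near the end of the file) is not valid Nix for this option: the entries inside are attribute bindings such as `"default_deny" = { ... };`, which cannot appear in a list, and `security.apparmor.policies` is an attribute set, so this file fails to evaluate before any profile is loaded; change the two delimiters to `policies = {` and `};`. All three profiles are declared with `enable = false; enforce = false;`, so once the file evaluates this module only turns AppArmor on with the upstream `apparmor-profiles` include set and confines nothing of its own; a comment saying the three entries are placeholders would help, because the `sudo` body `file /** rwlkUx` grants unrestricted file access plus unconfined execution and would not restrict sudo even if it were enabled. If that profile is ever enabled, also confirm the attachment path: on NixOS the sudo that users run is normally the setuid wrapper under /run/wrappers/bin rather than `${pkgs.sudo}/bin/sudo`, so the profile may never attach — that cannot be verified from this hunk alone.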
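--- a/system/shared/security/default.nix
+++ b/system/shared/security/default.nix
@@ -0,0 +1,5 @@
+{
+imports = [
+./apparmor.nix
+];
+}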