diff --git a/system/shared/default.nix b/system/shared/default.nix
index 5ed5a2c..a93ddac 100644
--- a/system/shared/default.nix
+++ b/system/shared/default.nix
@@ -6,6 +6,7 @@ _: {
 ./nix
 ./environment
 ./impermanence
+ ./security
 ./programs.nix
 ./system.nix
 ./network.nix
diff --git a/system/shared/security/apparmor.nix b/system/shared/security/apparmor.nix
new file mode 100644
index 0000000..44cc3c6
--- /dev/null
+++ b/system/shared/security/apparmor.nix
@@ -0,0 +1,60 @@
+{ config, pkgs, ... }: {
+ services.dbus.apparmor = "enabled";
+
+ environment.systemPackages = with pkgs; [
+ apparmor-pam
+ apparmor-utils
+ apparmor-parser
+ apparmor-profiles
+ apparmor-bin-utils
+ apparmor-kernel-patches
+ libapparmor
+ ];
+
+ # apparmor configuration
+ security.apparmor = {
+ enable = true;
+
+ # whether to enable AppArmor cache
+ # in /var/cache/apparmor
+ enableCache = true;
+
+ # whether to kill processes which have an AppArmor profile enabled
+ # but are not confined (AppArmor can only confine new processes)
+ killUnconfinedConfinables = true;
+
+ # packages to be added to AppArmor's include path
+ packages = [pkgs.apparmor-profiles];
+
+ # AppArmor policies
+ policies = [
+ "default_deny" = {
+ enforce = false;
+ enable = false;
+ profile = ''
+ profile default_deny /** {}
+ '';
+ };
+
+ "sudo" = {
+ enforce = false;
+ enable = false;
+ profile = ''
+ ${pkgs.sudo}/bin/sudo {
+ file /** rwlkUx
+ }
+ '';
+ };
+
+ "nix" = {
+ enforce = false;
+ enable = false;
+ profile = ''
+ ${config.nix.package}/bin/nix {
+ unconfined
+ }
+ '';
+ };
+ ];
+ };
+}
diff --git a/system/shared/security/default.nix b/system/shared/security/default.nix
new file mode 100644
index 0000000..df16fb6
--- /dev/null
+++ b/system/shared/security/default.nix
@@ -0,0 +1,5 @@
+{
+ imports = [
+ ./apparmor.nix
+ ];
+}
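Review bot: In apparmor.nix the `policies = [ ... ];` block mixes list brackets with attribute bindings (`"default_deny" = { ... };`), which does not parse as Nix, and `security.apparmor.policies` is an attribute set of submodules in NixOS anyway, so evaluation of this module will fail; change the two delimiter lines to `policies = {` and `};`. Separately, the `sudo` policy's only rule, `file /** rwlkUx`, grants read/write/link/lock on every path plus unconfined execution (`Ux`, which only scrubs the environment of the child), so it confines nothing even after `enable`/`enforce` are flipped to true; the `nix` profile is explicitly `unconfined`, and `default_deny` with an empty body attached to `/**` would deny every otherwise-unconfined program access to everything if it were ever enabled. A comment above the block such as `# placeholder policies, all disabled; rewrite before enabling any of them` would make that intent explicit for the next reader. `services.dbus.apparmor = "enabled"` also lets dbus start without AppArmor mediation if it is unavailable; if the goal is to fail closed, the option supports `"required"`, and either way a one-line comment stating the choice is worthwhile.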