Add apparmor

This commit is contained in:
ItsDrike 2024-04-15 22:13:19 +02:00
parent 7a17948e90
commit 4ea6be120d
Signed by: ItsDrike
GPG key ID: FA2745890B7048C0
3 changed files with 66 additions and 0 deletions


@ -6,6 +6,7 @@ _: {
./nix ./nix
./environment ./environment
./impermanence ./impermanence
./security
./programs.nix ./programs.nix
./system.nix ./system.nix
./network.nix ./network.nix


@ -0,0 +1,60 @@
{ config, pkgs, ... }: {
services.dbus.apparmor = "enabled";
environment.systemPackages = with pkgs; [
apparmor-pam
apparmor-utils
apparmor-parser
apparmor-profiles
apparmor-bin-utils
apparmor-kernel-patches
libapparmor
];
# apparmor configuration
security.apparmor = {
enable = true;
# whether to enable AppArmor cache
# in /var/cache/apparmor
enableCache = true;
# whether to kill processes which have an AppArmor profile enabled
# but are not confined (AppArmor can only confine new processes)
killUnconfinedConfinables = true;
# packages to be added to AppArmor's include path
packages = [pkgs.apparmor-profiles];
# AppArmor policies
policies = [
"default_deny" = {
enforce = false;
enable = false;
profile = ''
profile default_deny /** {}
'';
};
"sudo" = {
enforce = false;
enable = false;
profile = ''
${pkgs.sudo}/bin/sudo {
file /** rwlkUx
}
'';
};
"nix" = {
enforce = false;
enable = false;
profile = ''
${config.nix.package}/bin/nix {
unconfined
}
'';
};
];
};
}
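Review bot: The `policies` block at lines 48–74 is written as a Nix list (`policies = [ ... ];`) whose elements are `"name" = { ... };` bindings, which is not valid Nix — list elements are bare expressions, and `security.apparmor.policies` is declared as an attribute set of submodules — so the file will not evaluate until those brackets become `policies = {` … `};`. Every policy is also `enable = false; enforce = false;`, so nothing is actually confined and `killUnconfinedConfinables = true` (line 44) has no profile to act on; if the intent is to ship this inert for now, a comment saying so would help the next reader, e.g. `# all policies disabled for now; flip enable/enforce per profile once tested`. Note too that the sudo profile grants `file /** rwlkUx`, i.e. read/write/link/lock everywhere plus unconfined execution of anything, so enabling it adds no real confinement, and `profile default_deny /** {}` would, once enabled, attach an empty (deny-everything) profile to any binary without a more specific profile — presumably breaking the system, so it should only be enforced after per-program profiles are in place. The `apparmor-kernel-patches` entry in `environment.systemPackages` (line 33) appears to be a source-only package with nothing to install into a user environment and can likely be dropped, as can the libraries (`libapparmor`, `apparmor-pam`) that dependents pull in on their own.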


@ -0,0 +1,5 @@
{
imports = [
./apparmor.nix
];
}