# https://github.com/isabelroses/dotfiles/blob/14a191bd583b34e242ad13a0164a3c32c506c655/modules/nixos/security/apparmor.nix
{
  lib,
  pkgs,
  config,
  ...
}: let
  # AppArmor policies shipped by this module.
  #
  # Every entry is kept at state = "disable": the profile text is installed
  # but never loaded into the kernel, so none of the rules below are
  # enforced (or even logged) until a state is changed to "complain"
  # (log only) or "enforce".
  apparmorPolicies = {
    # Catch-all profile that would deny everything for any path it is
    # attached to. Harmless while disabled; switching it on without further
    # rules confines nothing useful and breaks whatever it attaches to.
    "default_deny" = {
      state = "disable";
      profile = ''
        profile default_deny /** { }
      '';
    };

    # Profile for the sudo binary. The single rule grants read/write/link/lock
    # on every path and "Ux" (execute the target unconfined, environment
    # scrubbed), i.e. it provides effectively no confinement; it only
    # documents the shape of a sudo profile. Left disabled.
    "sudo" = {
      state = "disable";
      profile = ''
        ${lib.getExe pkgs.sudo} {
          file /** rwlkUx,
        }
      '';
    };

    # Profile for the configured nix binary, declared with the "unconfined"
    # flag so that builds are not mediated even if the profile were loaded.
    # Left disabled.
    "nix" = {
      state = "disable";
      profile = ''
        ${lib.getExe config.nix.package} {
          unconfined,
        }
      '';
    };
  };
in {
  # D-Bus does not perform AppArmor mediation of bus traffic on this host.
  services.dbus.apparmor = "disabled";

  security.apparmor = {
    # Load the AppArmor LSM and its userspace tooling.
    enable = true;

    # Reuse the upstream profile collection (added to AppArmor's include
    # path) alongside the policies declared above.
    packages = [pkgs.apparmor-profiles];

    # Keep compiled policy in the cache under /var/cache/apparmor so reloads
    # do not recompile every profile.
    enableCache = true;

    # Kill processes that have a profile defined in `policies` but are
    # already running unconfined (AppArmor only confines newly started
    # processes). With every policy disabled this has nothing to act on.
    killUnconfinedConfinables = true;

    policies = apparmorPolicies;
  };
}