I’m searching for a method to disallow access to some files/directories to all executables, except for a few selected ones.
SELinux would be the right choice for this, but it isn’t implemented right now in NixOS and seems to be really hard to do.
At the moment I use AppArmor to achieve something like this. I think it’s not possible to write default rules for all executables in AppArmor. My workaround for this is to fold over all packages I want to put in environment.systemPackages and add rules for them. But this doesn’t cover nix shell.
Does someone know of some way to achieve this in AppArmor or with some other tool in NixOS?