Restrict access to files to executables

I’m searching for a method to disallow access to some files/directories to all executables, except for a few selected ones.

SELinux would be the right choice for this, but it isn’t implemented right now in NixOS and seems to be really hard to do.

At the moment I use apparmor to achieve something like this. I think it’s not possible to write default rules for all executables in apparmor. My workaround for this is to fold over all packages I want to put in environment.systemPackages and add rules for them. But this doesn’t cover nix shell.

Does someone know of some way to achieve this in apparmor or with some other tool in NixOS?

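The fold-over-systemPackages workaround from the question, written out as an added example (not code from the original post): one AppArmor profile per installed package that denies a protected directory, with an allowlist of packages that keep access. It assumes the NixOS security.apparmor.policies option; the directory path and the allowed package are constructed placeholders.

```nix
{ config, lib, pkgs, ... }:

let
  # Constructed example values: the directory to protect and the packages
  # that may still read it. Replace with your own.
  protectedDir = "/var/lib/secrets/";
  allowedPkgs = [ pkgs.gnupg ];

  # Everything else in environment.systemPackages gets a deny profile.
  confinedPkgs = lib.subtractLists allowedPkgs config.environment.systemPackages;

  # One profile per package, attached by store path to every executable in
  # its bin/ directory. AppArmor evaluates deny rules with priority over
  # allow rules, so the broad allow rules below do not undo the deny.
  mkPolicy = pkg: {
    name = "deny-secrets-${pkg.name}";
    value = {
      enforce = true;
      profile = ''
        ${pkg}/bin/* {
          # the protected directory itself and everything below it
          deny ${protectedDir} rw,
          deny ${protectedDir}** rwlkm,

          # otherwise leave the program effectively unconfined
          capability,
          network,
          mount,
          remount,
          umount,
          ptrace,
          signal,
          dbus,
          unix,
          file,
        }
      '';
    };
  };
in
{
  security.apparmor.enable = true;
  security.apparmor.policies = lib.listToAttrs (map mkPolicy confinedPkgs);
}
```

As in the question, this only confines binaries reached through environment.systemPackages, and since profiles attach by store path, a wrapped binary that lives at a different path than its package (as the thread later notes for nixos-rebuild) needs its own entry.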

It is possible with apparmor by adding

profile default /** {
  ${defaultProfile}
}

Restricting this too much makes the system unusable. For example I get

sudo nixos-rebuild test --flake .
building the system configuration...
error: remounting /nix/store writable: Permission denied

I tried to allow everything for nixos-rebuild with

    ${pkgs.nixos-rebuild}/bin/* {
      ${allowAll}
    }

and

  allowAll = ''
    capability,
    network,
    mount,
    remount,
    umount,
    pivot_root,
    ptrace,
    signal,
    dbus,
    unix,
    file,
  '';

which didn’t solve it. I think nixos-rebuild uses another command which is denied to remount.

I will report here if I get it working.

pkgs.nixos-rebuild doesn’t produce the same path as the later installed nixos-rebuild.
Maybe it has something to do with

  nix = {
    package = pkgs.nixUnstable;
    extraOptions = ''
      experimental-features = nix-command flakes
    '';
  }

It seems that default is just a name and this is not a default profile. I think what I want to do is not possible with apparmor.

nixos-rebuild is a pretty simple script that calls nix (and nix-*): https://github.com/NixOS/nixpkgs/blob/295bb46a7f93d7cb2a3ece13afe15a50e627c091/pkgs/os-specific/linux/nixos-rebuild/nixos-rebuild.sh