From 83faa6a5e192654f36e8ceec777a846ccaaad923 Mon Sep 17 00:00:00 2001
From: xnm
Date: Sun, 27 Apr 2025 16:56:47 +0300
Subject: [PATCH] update(security): simplify security configuration and enhance apparmor

- Remove SELinux-related configurations (kernel params, systemd override, packages)
- Disable kernel modules locking
- Streamline LSM modules list
- Enhance AppArmor with kill unconfined option and PAM integration
- Add AppArmor support for various services (login, sshd, sudo, etc.)
- Enable D-Bus AppArmor integration
- Remove unused hyprlock PAM service
---
 nixos/linux-kernel.nix | 13 ++++++-------
 nixos/security-services.nix | 13 ++++++++++++-
 2 files changed, 18 insertions(+), 8 deletions(-)

diff --git a/nixos/linux-kernel.nix b/nixos/linux-kernel.nix
index f45c498..69789c5 100644
--- a/nixos/linux-kernel.nix
+++ b/nixos/linux-kernel.nix
@@ -3,7 +3,7 @@
 {
 # Linux Kernel
 security.forcePageTableIsolation = true;
- security.lockKernelModules = true;
+ # security.lockKernelModules = true;
 # security.protectKernelImage = true;
 security.unprivilegedUsernsClone = true;
 security.virtualisation.flushL1DataCache = "cond";
@@ -17,11 +17,10 @@
 "fbcon=nodefer"
 "vt.global_cursor_default=0"
 "kernel.modules_disabled=1"
- "lsm=landlock,lockdown,yama,integrity,apparmor,bpf,tomoyo,selinux"
+ "lsm=landlock,lockdown,yama,integrity,apparmor,bpf"
 "usbcore.autosuspend=-1"
 "video4linux"
 "acpi_rev_override=5"
- "security=selinux"
 ];
 # boot.kernelPatches = [ {
 # name = "selinux-config";
@@ -35,9 +34,9 @@
 # '';
 # } ];
- systemd.package = pkgs.systemd.override { withSelinux = true; };
+ # systemd.package = pkgs.systemd.override { withSelinux = true; };
- environment.systemPackages = with pkgs; [
- policycoreutils
- ];
+ # environment.systemPackages = with pkgs; [
+ # policycoreutils
+ # ];
 }
diff --git a/nixos/security-services.nix b/nixos/security-services.nix
index 4530d7f..38924cd 100644
--- a/nixos/security-services.nix
+++ b/nixos/security-services.nix
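Review bot: Commenting out `security.lockKernelModules` leaves the `"kernel.modules_disabled=1"` entry in `boot.kernelParams` (a context line of the next hunk) pulling in the opposite direction, so the configuration's intent about module locking is now ambiguous. If the lock is meant to be off, as the commit message says, that entry should be dropped as well. If it is meant to stay on, note that a bare sysctl key on the kernel command line is not applied; kernels that support boot-time sysctls (5.8 and later) only honour the `sysctl.`-prefixed form, and locking modules that early would likely break stage-2 module loading, which is, as far as I recall, why the NixOS option applies the sysctl late in boot through a systemd unit. A one-line comment recording the decision, e.g. `# Module loading stays unlocked; see the kernel.modules_disabled entry in boot.kernelParams below.`, would keep the two settings consistent. The attribute set opened by `{` continues outside the hunk.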
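Review bot: The shortened `lsm=` list is now the sole arbiter of which LSMs are active, and nothing in the file records that, so a later edit that drops `apparmor` from it would silently disable the mediation configured in security-services.nix. The NixOS AppArmor module, as far as I recall, also adds `security=apparmor` to the kernel parameters, but the kernel ignores `security=` when `lsm=` is given (recent kernels log a warning), so that fallback offers no protection here. Suggest a comment above the entry: `# lsm= supersedes any security= parameter, so apparmor must stay in this list for security.apparmor to take effect.` The `boot.kernelParams` list begins outside the hunk.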
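Review bot: The SELinux `systemd.package` override and the `policycoreutils` package list are commented out rather than removed, leaving the file with dead SELinux blocks (alongside the `boot.kernelPatches` block kept as context above) that version history already preserves. Since the commit's stated goal is to remove SELinux, deleting these lines would make the remaining configuration clearer and prevent a stale `withSelinux = true;` override from being uncommented without revisiting the `lsm=` list in the previous hunk. The same applies to the commented `security.lockKernelModules` line in the first hunk.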
@@ -18,13 +18,24 @@
 };
 security.apparmor = {
 enable = true;
+ killUnconfinedConfinables = true;
 packages = with pkgs; [
 apparmor-utils
 apparmor-profiles
 ];
 };
+
+ security.pam.services = {
+ login.enableAppArmor = true;
+ sshd.enableAppArmor = true;
+ sudo.enableAppArmor = true;
+ su.enableAppArmor = true;
+ greetd.enableAppArmor = true;
+ u2f.enableAppArmor = true;
+ };
+
+ services.dbus.apparmor = "enabled";
 services.fail2ban.enable = true;
- security.pam.services.hyprlock = {};
 # security.polkit.enable = true;
 programs.browserpass.enable = true;
 services.clamav = {
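Review bot: `services.dbus.apparmor = "enabled"` makes D-Bus AppArmor mediation best-effort: if the LSM is not active at runtime (for example after a change to the `lsm=` kernel parameter), the bus starts without mediation and nothing fails. Given that `security.apparmor.enable = true` together with the new `killUnconfinedConfinables = true` signals a mandatory posture, `services.dbus.apparmor = "required";` would fail closed instead. The new `enableAppArmor` entries install `pam_apparmor`, which only has an effect when the calling service runs under a profile that defines the matching hats; the profiles shipped in `apparmor-profiles` may not cover `greetd` or `u2f`, so confirm those services are actually confined or the entries are inert. `u2f` also does not look like a PAM service name that any program here consumes (NixOS exposes U2F through `security.pam.u2f`), so check that the resulting `u2f` PAM service file is used at all.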