update(security): simplify security configuration and enhance apparmor

- Remove SELinux-related configurations (kernel params, systemd override, packages) - Disable kernel modules locking - Streamline LSM modules list - Enhance AppArmor with kill unconfined option and PAM integration - Add AppArmor support for various services (login, sshd, sudo, etc.) - Enable D-Bus AppArmor integration - Remove unused hyprlock PAM service
2025-09-15 09:45:58 +03:00 · 2025-04-27 16:56:47 +03:00
parent 78d6258bfe
commit 83faa6a5e1
2 changed files with 18 additions and 8 deletions
--- a/nixos/linux-kernel.nix
+++ b/nixos/linux-kernel.nix
@@ -3,7 +3,7 @@
 {
  # Linux Kernel
  security.forcePageTableIsolation = true;
-  security.lockKernelModules = true;
+  # security.lockKernelModules = true;
  # security.protectKernelImage = true;
  security.unprivilegedUsernsClone = true;
  security.virtualisation.flushL1DataCache = "cond";
@@ -17,11 +17,10 @@
    "fbcon=nodefer"
    "vt.global_cursor_default=0"
    "kernel.modules_disabled=1"
-    "lsm=landlock,lockdown,yama,integrity,apparmor,bpf,tomoyo,selinux"
+    "lsm=landlock,lockdown,yama,integrity,apparmor,bpf"
    "usbcore.autosuspend=-1"
    "video4linux"
    "acpi_rev_override=5"
-    "security=selinux"
  ];
  # boot.kernelPatches = [ {
  #      name = "selinux-config";
@@ -35,9 +34,9 @@
  #            '';
  # } ];

-  systemd.package = pkgs.systemd.override { withSelinux = true; };
+  # systemd.package = pkgs.systemd.override { withSelinux = true; };

-  environment.systemPackages = with pkgs; [
-    policycoreutils
-  ];
+  # environment.systemPackages = with pkgs; [
+  #   policycoreutils
+  # ];
 }
--- a/nixos/security-services.nix
+++ b/nixos/security-services.nix
@@ -18,13 +18,24 @@
  };
  security.apparmor = {
    enable = true;
+    killUnconfinedConfinables = true;
    packages = with pkgs; [
      apparmor-utils
      apparmor-profiles
    ];
  };
+
+  security.pam.services = {
+    login.enableAppArmor = true;
+    sshd.enableAppArmor = true;
+    sudo.enableAppArmor = true;
+    su.enableAppArmor = true;
+    greetd.enableAppArmor = true;
+    u2f.enableAppArmor = true;
+  };
+
+  services.dbus.apparmor = "enabled";
  services.fail2ban.enable = true;
-  security.pam.services.hyprlock = {};
  # security.polkit.enable = true;
  programs.browserpass.enable = true;
  services.clamav = {