| author | Daiderd Jordan <daiderd@gmail.com> | 2017-05-16 00:10:21 +0200 |
|---|---|---|
| committer | Daiderd Jordan <daiderd@gmail.com> | 2017-05-16 00:10:21 +0200 |
| commit | cf3c3cb08238693c83c20e55c9ef9e0401181420 (patch) | |
| tree | 4dbdb2acb2e4c89d99c38f7b9902dece395b8d2e /modules/security/default.nix | |
| parent | 32bfad7cc662cd84bbca3efa67106d4d3040fe35 (diff) | |
security: add option to configure accessibilityPrograms
Diffstat (limited to 'modules/security/default.nix')
| -rw-r--r-- | modules/security/default.nix | 36 |
1 files changed, 36 insertions, 0 deletions
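--- /dev/null
+++ b/modules/security/default.nix
@@ -0,0 +1,36 @@
+{ config, lib, pkgs, ... }:
+
+with lib;
+
+let
+
+  cfg = config.security;
+
+  runSQL = sql: ''/usr/bin/sqlite3 /Library/Application\ Support/com.apple.TCC/TCC.db "${sql}"'';
+
+  allowAccess = client: runSQL ''INSERT or REPLACE INTO access VALUES ('kTCCServiceAccessibility','${client}',1,1,1,NULL,NULL)'';
+  revokeAccess = clients: runSQL ''DELETE FROM access WHERE client LIKE '/nix/store/%' AND client NOT IN (${concatMapStringsSep "," (s: "'${s}'") clients})'';
+
+in
+
+{
+  options = {
+    security.accessibilityPrograms = mkOption {
+      type = types.listOf types.path;
+      default = [];
+      description = "List of nix programs that are allowed control through the accessibility APIs.";
+    };
+  };
+
+  config = {
+
+    system.activationScripts.accessibility.text = ''
+      # Set up programs that require accessibility permissions
+      echo "setting up accessibility programs..." >&2
+
+      ${revokeAccess cfg.accessibilityPrograms}
+      ${concatMapStringsSep "\n" allowAccess cfg.accessibilityPrograms}
+    '';
+
+  };
+}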
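Review bot: `allowAccess` splices `${client}` straight into a SQL string literal and `runSQL` then splices the whole query into a double-quoted shell command, with no escaping at either layer; since `types.path` also accepts paths outside the store, a value containing `'`, `"` or `$` would corrupt the query or the shell command rather than be rejected. Quoting once at the shell layer, `runSQL = sql: ''/usr/bin/sqlite3 /Library/Application\ Support/com.apple.TCC/TCC.db ${escapeShellArg sql}'';`, removes the shell half of that, and doubling any `'` in `client` before it is placed in the SQL literal covers the other half. The option `description` should also state that each activation deletes every existing `/nix/store/%` accessibility grant not in the list, because that side effect of `revokeAccess` is not visible from the option name, and a path outside the store that is later removed from the list is never revoked. The hard-coded `/nix/store/` prefix could be `${builtins.storeDir}` so the filter follows a non-default store location.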
