authorDaiderd Jordan <daiderd@gmail.com>2017-05-16 00:10:21 +0200
committerDaiderd Jordan <daiderd@gmail.com>2017-05-16 00:10:21 +0200
commitcf3c3cb08238693c83c20e55c9ef9e0401181420 (patch)
tree4dbdb2acb2e4c89d99c38f7b9902dece395b8d2e /modules/security
parent32bfad7cc662cd84bbca3efa67106d4d3040fe35 (diff)
security: add option to configure accessibilityPrograms
Diffstat (limited to 'modules/security')
-rw-r--r--modules/security/default.nix36
1 files changed, 36 insertions, 0 deletions
diff --git a/modules/security/default.nix b/modules/security/default.nix
new file mode 100644
index 0000000..01c74c3
--- /dev/null
+++ b/modules/security/default.nix
@@ -0,0 +1,36 @@
+{ config, lib, pkgs, ... }:
+
+with lib;
+
+let
+
+ cfg = config.security;
+
+ runSQL = sql: ''/usr/bin/sqlite3 /Library/Application\ Support/com.apple.TCC/TCC.db "${sql}"'';
+
+ allowAccess = client: runSQL ''INSERT or REPLACE INTO access VALUES ('kTCCServiceAccessibility','${client}',1,1,1,NULL,NULL)'';
+ revokeAccess = clients: runSQL ''DELETE FROM access WHERE client LIKE '/nix/store/%' AND client NOT IN (${concatMapStringsSep "," (s: "'${s}'") clients})'';
+
+in
+
+{
+ options = {
+ security.accessibilityPrograms = mkOption {
+ type = types.listOf types.path;
+ default = [];
+ description = "List of nix programs that are allowed control through the accessibility APIs.";
+ };
+ };
+
+ config = {
+
+ system.activationScripts.accessibility.text = ''
+ # Set up programs that require accessibility permissions
+ echo "setting up accessibility programs..." >&2
+
+ ${revokeAccess cfg.accessibilityPrograms}
+ ${concatMapStringsSep "\n" allowAccess cfg.accessibilityPrograms}
+ '';
+
+ };
+}