Diffstat (limited to 'modules/security/default.nix')
-rw-r--r--modules/security/default.nix36
1 files changed, 36 insertions, 0 deletions
diff --git a/modules/security/default.nix b/modules/security/default.nix
new file mode 100644
index 0000000..01c74c3
--- /dev/null
+++ b/modules/security/default.nix
@@ -0,0 +1,36 @@
+{ config, lib, pkgs, ... }:
+
+with lib;
+
+let
+
+ cfg = config.security;
+
+ runSQL = sql: ''/usr/bin/sqlite3 /Library/Application\ Support/com.apple.TCC/TCC.db "${sql}"'';
+
+ allowAccess = client: runSQL ''INSERT or REPLACE INTO access VALUES ('kTCCServiceAccessibility','${client}',1,1,1,NULL,NULL)'';
+ revokeAccess = clients: runSQL ''DELETE FROM access WHERE client LIKE '/nix/store/%' AND client NOT IN (${concatMapStringsSep "," (s: "'${s}'") clients})'';
+
+in
+
+{
+ options = {
+ security.accessibilityPrograms = mkOption {
+ type = types.listOf types.path;
+ default = [];
+ description = "List of nix programs that are allowed control through the accessibility APIs.";
+ };
+ };
+
+ config = {
+
+ system.activationScripts.accessibility.text = ''
+ # Set up programs that require accessibility permissions
+ echo "setting up accessibility programs..." >&2
+
+ ${revokeAccess cfg.accessibilityPrograms}
+ ${concatMapStringsSep "\n" allowAccess cfg.accessibilityPrograms}
+ '';
+
+ };
+}
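Review bot: The DELETE built by `revokeAccess` has no `service` filter, so on every activation it removes every TCC row whose client is under `/nix/store/` for any service (camera, microphone, full disk access, …), while `allowAccess` only re-inserts `kTCCServiceAccessibility` rows — grants for other services on Nix-built binaries are silently lost; the statement should be `DELETE FROM access WHERE service = 'kTCCServiceAccessibility' AND client LIKE '/nix/store/%' AND client NOT IN (…)`. The `client` values are interpolated into both the SQL literal and the double-quoted shell string without escaping; `types.listOf types.path` admits any absolute path, so a `'`, `$` or backtick in a path breaks the query or is expanded by the shell, and either an assertion that every entry is a store path or `lib.escapeShellArg` around the statement would close that. The activation script never checks the sqlite3 exit status, and on macOS versions where TCC.db is SIP-protected the write presumably fails, leaving the user to believe access was granted; a `|| echo "warning: could not update TCC.db" >&2` after each invocation would surface it. The seven-column `VALUES (...)` tuple also pins the module to one specific TCC schema, which is worth a comment noting which macOS release it was written against.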