From cf3c3cb08238693c83c20e55c9ef9e0401181420 Mon Sep 17 00:00:00 2001
From: Daiderd Jordan
Date: Tue, 16 May 2017 00:10:21 +0200
Subject: security: add option to configure accessibilityPrograms

---
 modules/security/default.nix | 36 ++++++++++++++++++++++++++++++++++++
 1 file changed, 36 insertions(+)
 create mode 100644 modules/security/default.nix

(limited to 'modules/security')

diff --git a/modules/security/default.nix b/modules/security/default.nix
new file mode 100644
index 0000000..01c74c3
--- /dev/null
+++ b/modules/security/default.nix
@@ -0,0 +1,36 @@
+{ config, lib, pkgs, ... }:
+
+with lib;
+
+let
+
+ cfg = config.security;
+
+ runSQL = sql: ''/usr/bin/sqlite3 /Library/Application\ Support/com.apple.TCC/TCC.db "${sql}"'';
+
+ allowAccess = client: runSQL ''INSERT or REPLACE INTO access VALUES ('kTCCServiceAccessibility','${client}',1,1,1,NULL,NULL)'';
+ revokeAccess = clients: runSQL ''DELETE FROM access WHERE client LIKE '/nix/store/%' AND client NOT IN (${concatMapStringsSep "," (s: "'${s}'") clients})'';
+
+in
+
+{
+ options = {
+ security.accessibilityPrograms = mkOption {
+ type = types.listOf types.path;
+ default = [];
+ description = "List of nix programs that are allowed control through the accessibility APIs.";
+ };
+ };
+
+ config = {
+
+ system.activationScripts.accessibility.text = ''
+ # Set up programs that require accessibility permissions
+ echo "setting up accessibility programs..." >&2
+
+ ${revokeAccess cfg.accessibilityPrograms}
+ ${concatMapStringsSep "\n" allowAccess cfg.accessibilityPrograms}
+ '';
+
+ };
+}
-- 
cgit v1.2.3
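Review bot: Each client path is spliced unescaped into both the SQL literal in `allowAccess` and the double-quoted sqlite3 command line in `runSQL`, while `revokeAccess` only ever deletes rows matching `'/nix/store/%'`; since `types.path` also accepts absolute paths outside the store, an entry containing a single quote, `"` or `$` would break the statement or the shell quoting, and a non-store entry later removed from the list would be granted once and never revoked. Restricting the option to store paths keeps the grant and the revoke consistent, e.g. an assertion `all (p: hasPrefix "/nix/store/" (toString p)) cfg.accessibilityPrograms` with a message naming the offending entry, if the module system here provides `assertions` (nothing in the hunk shows it). The positional `VALUES (...,1,1,1,NULL,NULL)` tuple also ties the script to one TCC.db column layout; a comment stating which macOS version it was written against, such as `# access row layout as of macOS <version tested> — revisit when the TCC schema changes`, would help the next maintainer. `pkgs` in the argument set is unused.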