mirror of
https://github.com/LnL7/nix-darwin.git
synced 2025-03-13 20:30:02 +00:00
security-accessibility: remove options
The accessibility database has been protected with SIP since macOS 10.12 and there doesn't seem to be another way to configure this programmatically.
parent
48af45075a
commit
c4e213745a
5 changed files with 3 additions and 46 deletions
|
@ -41,7 +41,6 @@ let
|
|||
./modules/nix/nixpkgs.nix
|
||||
./modules/environment
|
||||
./modules/launchd
|
||||
./modules/security
|
||||
./modules/services/activate-system
|
||||
./modules/services/chunkwm.nix
|
||||
./modules/services/emacs.nix
|
||||
|
|
|
@ -10,6 +10,8 @@ in
|
|||
options = {
|
||||
|
||||
nix.profile = mkOption { internal = true; default = null; };
|
||||
security.enableAccessibilityAccess = mkOption { internal = true; default = null; };
|
||||
security.accessibilityPrograms = mkOption { internal = true; default = null; };
|
||||
|
||||
};
|
||||
|
||||
|
@ -17,6 +19,7 @@ in
|
|||
|
||||
assertions =
|
||||
[ { assertion = config.nix.profile == null; message = "nix.profile was renamed to nix.package"; }
|
||||
{ assertion = config.security.enableAccessibilityAccess == null; message = "security.enableAccessibilityAccess was removed, it's broken since 10.12 because of SIP"; }
|
||||
];
|
||||
|
||||
nix.package = mkIf (config.nix.profile != null) config.nix.profile;
|
||||
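Review bot: Only `security.enableAccessibilityAccess` gets an assertion here; `security.accessibilityPrograms` is declared as an internal option defaulting to null but is never checked. A configuration that still sets only that list therefore appears to evaluate cleanly, while nothing grants or revokes accessibility (TCC) access any more. Because the option names which programs may drive the accessibility APIs, make the no-op an explicit failure by adding `{ assertion = config.security.accessibilityPrograms == null; message = "security.accessibilityPrograms was removed, it's broken since 10.12 because of SIP"; }` to the `assertions` list. The page has lost its +/- markers, so which lines are new is inferred from the hunk headers, and the module continues outside both hunks.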
|
|
|
@ -43,7 +43,6 @@
|
|||
config.nix.package
|
||||
];
|
||||
|
||||
security.enableAccessibilityAccess = true;
|
||||
services.khd.enable = true;
|
||||
services.kwm.enable = true;
|
||||
|
||||
|
|
|
@ -1,43 +0,0 @@
|
|||
{ config, lib, pkgs, ... }:
|
||||
|
||||
with lib;
|
||||
|
||||
let
|
||||
|
||||
cfg = config.security;
|
||||
|
||||
runSQL = sql: ''/usr/bin/sqlite3 /Library/Application\ Support/com.apple.TCC/TCC.db "${sql}"'';
|
||||
|
||||
allowAccess = client: runSQL ''INSERT or REPLACE INTO access VALUES ('kTCCServiceAccessibility','${client}',1,1,1,NULL,NULL)'';
|
||||
revokeAccess = clients: runSQL ''DELETE FROM access WHERE client LIKE '/nix/store/%' AND client NOT IN (${concatMapStringsSep "," (s: "'${s}'") clients})'';
|
||||
|
||||
in
|
||||
|
||||
{
|
||||
options = {
|
||||
security.enableAccessibilityAccess = mkOption {
|
||||
type = types.bool;
|
||||
default = false;
|
||||
description = "Wether to configure programs that are allowed control through the accessibility APIs.";
|
||||
};
|
||||
|
||||
security.accessibilityPrograms = mkOption {
|
||||
type = types.listOf types.path;
|
||||
default = [];
|
||||
example = literalExample ''[ ''${pkgs.hello}/bin/hello" ]'';
|
||||
description = "List of nix programs that are allowed control through the accessibility APIs.";
|
||||
};
|
||||
};
|
||||
|
||||
config = {
|
||||
|
||||
system.activationScripts.accessibility.text = mkIf cfg.enableAccessibilityAccess ''
|
||||
# Set up programs that require accessibility permissions
|
||||
echo "setting up accessibility programs..." >&2
|
||||
|
||||
${revokeAccess cfg.accessibilityPrograms}
|
||||
${concatMapStringsSep "\n" allowAccess cfg.accessibilityPrograms}
|
||||
'';
|
||||
|
||||
};
|
||||
}
|
|
@ -53,7 +53,6 @@ in
|
|||
${cfg.activationScripts.extraActivation.text}
|
||||
|
||||
${cfg.activationScripts.nix.text}
|
||||
${cfg.activationScripts.accessibility.text}
|
||||
${cfg.activationScripts.applications.text}
|
||||
${cfg.activationScripts.etc.text}
|
||||
${cfg.activationScripts.launchd.text}
|
||||
|
|