1
0
Fork 0
mirror of https://github.com/LnL7/nix-darwin.git synced 2025-03-13 20:30:02 +00:00

security-accessibility: remove options

The accessibility database has been protected with SIP since macOS
10.12 and there doesn't seem to be another way to configure this
programmatically.
This commit is contained in:
Daiderd Jordan 2017-11-29 00:14:31 +01:00
parent 48af45075a
commit c4e213745a
No known key found for this signature in database
GPG key ID: D02435D05B810C96
5 changed files with 3 additions and 46 deletions

View file

@ -41,7 +41,6 @@ let
./modules/nix/nixpkgs.nix
./modules/environment
./modules/launchd
./modules/security
./modules/services/activate-system
./modules/services/chunkwm.nix
./modules/services/emacs.nix

View file

@ -10,6 +10,8 @@ in
options = {
nix.profile = mkOption { internal = true; default = null; };
security.enableAccessibilityAccess = mkOption { internal = true; default = null; };
security.accessibilityPrograms = mkOption { internal = true; default = null; };
};
@ -17,6 +19,7 @@ in
assertions =
[ { assertion = config.nix.profile == null; message = "nix.profile was renamed to nix.package"; }
{ assertion = config.security.enableAccessibilityAccess == null; message = "security.enableAccessibilityAccess was removed, it's broken since 10.12 because of SIP"; }
];
nix.package = mkIf (config.nix.profile != null) config.nix.profile;

View file

@ -43,7 +43,6 @@
config.nix.package
];
security.enableAccessibilityAccess = true;
services.khd.enable = true;
services.kwm.enable = true;

View file

@ -1,43 +0,0 @@
{ config, lib, pkgs, ... }:
with lib;
let
cfg = config.security;
runSQL = sql: ''/usr/bin/sqlite3 /Library/Application\ Support/com.apple.TCC/TCC.db "${sql}"'';
allowAccess = client: runSQL ''INSERT or REPLACE INTO access VALUES ('kTCCServiceAccessibility','${client}',1,1,1,NULL,NULL)'';
revokeAccess = clients: runSQL ''DELETE FROM access WHERE client LIKE '/nix/store/%' AND client NOT IN (${concatMapStringsSep "," (s: "'${s}'") clients})'';
in
{
options = {
security.enableAccessibilityAccess = mkOption {
type = types.bool;
default = false;
description = "Wether to configure programs that are allowed control through the accessibility APIs.";
};
security.accessibilityPrograms = mkOption {
type = types.listOf types.path;
default = [];
example = literalExample ''[ ''${pkgs.hello}/bin/hello" ]'';
description = "List of nix programs that are allowed control through the accessibility APIs.";
};
};
config = {
system.activationScripts.accessibility.text = mkIf cfg.enableAccessibilityAccess ''
# Set up programs that require accessibility permissions
echo "setting up accessibility programs..." >&2
${revokeAccess cfg.accessibilityPrograms}
${concatMapStringsSep "\n" allowAccess cfg.accessibilityPrograms}
'';
};
}

View file

@ -53,7 +53,6 @@ in
${cfg.activationScripts.extraActivation.text}
${cfg.activationScripts.nix.text}
${cfg.activationScripts.accessibility.text}
${cfg.activationScripts.applications.text}
${cfg.activationScripts.etc.text}
${cfg.activationScripts.launchd.text}