mirrors/nix-darwin
mirrors/nix-darwin
1
0
Fork 0
mirror of https://github.com/LnL7/nix-darwin.git synced 2025-03-13 20:30:02 +00:00
Code Activity

security-accessibility: remove options

Browse source 
The accessibility database has been protected with SIP since macOS
10.12 and there doesn't seem to be another way to configure this
programmatically.
This commit is contained in:
Daiderd Jordan 2017-11-29 00:14:31 +01:00
parent 48af45075a
commit c4e213745a
No known key found for this signature in database
GPG key ID: D02435D05B810C96
5 changed files with 3 additions and 46 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

1
default.nix
View file

@ -41,7 +41,6 @@ let
./modules/nix/nixpkgs.nix
./modules/environment
./modules/launchd
./modules/security
./modules/services/activate-system
./modules/services/chunkwm.nix
./modules/services/emacs.nix

3
modules/alias.nix
View file

@ -10,6 +10,8 @@ in
options = {
nix.profile = mkOption { internal = true; default = null; };
security.enableAccessibilityAccess = mkOption { internal = true; default = null; };
security.accessibilityPrograms = mkOption { internal = true; default = null; };
};
@ -17,6 +19,7 @@ in
assertions =
[ { assertion = config.nix.profile == null; message = "nix.profile was renamed to nix.package"; }
{ assertion = config.security.enableAccessibilityAccess == null; message = "security.enableAccessibilityAccess was removed, it's broken since 10.12 because of SIP"; }
];
nix.package = mkIf (config.nix.profile != null) config.nix.profile;

1
modules/examples/lnl.nix
View file

@ -43,7 +43,6 @@
config.nix.package
];
security.enableAccessibilityAccess = true;
services.khd.enable = true;
services.kwm.enable = true;

43
modules/security/default.nix
View file

@ -1,43 +0,0 @@
{ config, lib, pkgs, ... }:
with lib;
let
cfg = config.security;
runSQL = sql: ''/usr/bin/sqlite3 /Library/Application\ Support/com.apple.TCC/TCC.db "${sql}"'';
allowAccess = client: runSQL ''INSERT or REPLACE INTO access VALUES ('kTCCServiceAccessibility','${client}',1,1,1,NULL,NULL)'';
revokeAccess = clients: runSQL ''DELETE FROM access WHERE client LIKE '/nix/store/%' AND client NOT IN (${concatMapStringsSep "," (s: "'${s}'") clients})'';
in
{
options = {
security.enableAccessibilityAccess = mkOption {
type = types.bool;
default = false;
description = "Wether to configure programs that are allowed control through the accessibility APIs.";
};
security.accessibilityPrograms = mkOption {
type = types.listOf types.path;
default = [];
example = literalExample ''[ ''${pkgs.hello}/bin/hello" ]'';
description = "List of nix programs that are allowed control through the accessibility APIs.";
};
};
config = {
system.activationScripts.accessibility.text = mkIf cfg.enableAccessibilityAccess ''
# Set up programs that require accessibility permissions
echo "setting up accessibility programs..." >&2
${revokeAccess cfg.accessibilityPrograms}
${concatMapStringsSep "\n" allowAccess cfg.accessibilityPrograms}
'';
};
}

1
modules/system/activation-scripts.nix
View file

@ -53,7 +53,6 @@ in
${cfg.activationScripts.extraActivation.text}
${cfg.activationScripts.nix.text}
${cfg.activationScripts.accessibility.text}
${cfg.activationScripts.applications.text}
${cfg.activationScripts.etc.text}
${cfg.activationScripts.launchd.text}