From d654f09e3b659b2691b3a2037b6675b5b44eaf73 Mon Sep 17 00:00:00 2001
From: Ryan Yin
Date: Tue, 3 Sep 2024 23:35:13 +0800
Subject: [PATCH] fix: disable apparmor & hardening profile to avoid neovim being killed

---
 .gitignore | 1 +
 hardening/README.md | 1 +
 hardening/profiles/default.nix | 6 ------
 outputs/x86_64-linux/src/idols-ai.nix | 4 ++--
 4 files changed, 4 insertions(+), 8 deletions(-)

diff --git a/.gitignore b/.gitignore
index 4f61d2053..186d3000d 100644
--- a/.gitignore
+++ b/.gitignore
@@ -4,3 +4,4 @@ result/
 .DS_Store
 .pre-commit-config.yaml
 logs/
+core*
diff --git a/hardening/README.md b/hardening/README.md
index 07d59050e..9cb222ac0 100644
--- a/hardening/README.md
+++ b/hardening/README.md
@@ -20,6 +20,7 @@
 - NixOS Profile: https://github.com/NixOS/nixpkgs/blob/nixos-unstable/nixos/modules/profiles/hardened.nix
 - Apparmor: [roddhjav/apparmor.d)](https://github.com/roddhjav/apparmor.d)
+ - https://gitlab.com/apparmor/apparmor/-/wikis/Documentation
 - AppArmor.d is a set of over 1500 AppArmor profiles whose aim is to confine most Linux based applications and processes.
 - Nix Package:
diff --git a/hardening/profiles/default.nix b/hardening/profiles/default.nix
index a31fed224..ef52853ac 100644
--- a/hardening/profiles/default.nix
+++ b/hardening/profiles/default.nix
@@ -6,10 +6,4 @@
 # disable coredump that could be exploited later
 # and also slow down the system when something crash
 systemd.coredump.enable = false;
-
- # required to run chromium
- security.chromiumSuidSandbox.enable = true;
-
- # enable firejail
- programs.firejail.enable = true;
 }
diff --git a/outputs/x86_64-linux/src/idols-ai.nix b/outputs/x86_64-linux/src/idols-ai.nix
index f85c0ac50..000d5607d 100644
--- a/outputs/x86_64-linux/src/idols-ai.nix
+++ b/outputs/x86_64-linux/src/idols-ai.nix
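Review bot: The new `core*` pattern is unanchored and has no suffix, so it matches any path at any depth whose name starts with "core" — a `core/` module directory or a `core.nix` file in this configuration repo would silently stop being tracked. Kernel-written dumps are named `core`, or `core.<pid>` when `kernel.core_uses_pid` is set, so `core` plus `core.[0-9]*` covers them without that collateral; presumably no such paths exist today, but the narrower patterns cost nothing. Note that this entry only hides the dumps from git; the files themselves are still written into the working directory with the crashing process's memory contents.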
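Review bot: The surviving `systemd.coredump.enable = false;` does not achieve what the comment above it claims: turning the systemd-coredump module off makes NixOS fall back to a plain `core` value for `kernel.core_pattern`, so a crashing process (the neovim case in the commit message, and evidently why `core*` is being gitignored in the same commit) writes its full memory image into its working directory with the user's permissions instead of into systemd-coredump's restricted storage. If the intent is that no dump is produced at all, point the kernel's core handler at a no-op, e.g. `boot.kernel.sysctl."kernel.core_pattern" = "|${pkgs.coreutils}/bin/false";` (assuming `pkgs` is among the module arguments, which are declared above this hunk), and optionally add a hard `core` limit of 0 through `security.pam.loginLimits` for interactive sessions. The comment should in any case be made accurate, e.g. `# systemd-coredump is off; without a core_pattern override the kernel still writes ./core on a crash`. The enclosing attribute set opens before line 6, outside the hunk.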
@@ -20,9 +20,9 @@
 # host specific
 "hosts/idols-${name}"
 # nixos hardening
- "hardening/profiles/default.nix"
+ # "hardening/profiles/default.nix"
 "hardening/nixpaks"
- "hardening/apparmor"
+ # "hardening/apparmor"
 ];
 home-modules = map mylib.relativeToRoot [
 # common
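Review bot: Commenting out `"hardening/apparmor"` removes AppArmor confinement for every profile on this host in order to work around one profile that kills neovim, which is a much wider loss than the problem warrants; the targeted fix is to keep the module and put only the offending profile into complain mode or disable it — with NixOS's `security.apparmor.policies.<name>` that is `enforce = false;` (or `enable = false;`) on that one policy, and apparmor.d presumably offers a per-profile complain flag as well. Commenting out `"hardening/profiles/default.nix"` additionally drops the `systemd.coredump.enable = false` setting for this host, which the commit message does not mention; if AppArmor is the only culprit that entry should stay. At minimum the two disabled entries need a reason and a reference so they do not become permanent, e.g. `# TODO(security): re-enable once the nvim AppArmor profile no longer kills neovim`. The module list these entries belong to opens above the hunk.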