modules/programs: sane-sandboxed: rework so portal env vars arent set when sandbox is disabled
and, by setting them only at launch time, we aid introspectability and debugging
This commit is contained in:
parent
25dcb7f89a
commit
02dd629616
@ -17,6 +17,7 @@ firejailFlags=()
|
|||
bwrapFlags=()
|
||||
landlockPaths=
|
||||
capshCapsArg=
|
||||
extraEnv=()
|
||||
|
||||
enableDebug() {
|
||||
isDebug=1
|
||||
|
@ -193,13 +194,10 @@ parseArgs() {
|
|||
;;
|
||||
(--sane-sandbox-portal)
|
||||
# instruct glib/gtk apps to perform actions such as opening external files via dbus calls to org.freedesktop.portal.*.
|
||||
# note that this env var primarily acts as a *fallback*: apps only open files via the portal if they don't know how to themelves.
|
||||
# note that GIO_USE_PORTALS primarily acts as a *fallback*: apps only open files via the portal if they don't know how to themelves.
|
||||
# this switch is typically accompanied by removing all MIME associations from the app's view, then.
|
||||
export GIO_USE_PORTALS=1
|
||||
# old name, beginning to be phased out as of 2023-10-02
|
||||
export GTK_USE_PORTAL=1
|
||||
# make `xdg-open` just forward to the portal
|
||||
export NIXOS_XDG_OPEN_USE_PORTAL=1
|
||||
# GTK_USE_PORTALS is the old name, beginning to be phased out as of 2023-10-02
|
||||
extraEnv+=("GIO_USE_PORTALS=1" "GTK_USE_PORTAL=1" "NIXOS_XDG_OPEN_USE_PORTAL=1")
|
||||
;;
|
||||
(--sane-sandbox-dns)
|
||||
# N.B.: these named temporary variables ensure that "set -x" causes $1 to be printed
|
||||
|
@ -295,7 +293,7 @@ firejailExec() {
|
|||
fi
|
||||
PATH="$PATH:@firejail@/bin" exec \
|
||||
firejail "${firejailFlags[@]}" -- \
|
||||
"${cliArgs[@]}"
|
||||
env "${extraEnv[@]}" "${cliArgs[@]}"
|
||||
}
|
||||
|
||||
|
||||
|
@ -340,7 +338,7 @@ bwrapExec() {
|
|||
# --unshare-user (implicit to every non-suid call to bwrap)
|
||||
PATH="$PATH:@bubblewrap@/bin" exec \
|
||||
bwrap --unshare-all --dev /dev --proc /proc --tmpfs /tmp "${bwrapFlags[@]}" -- \
|
||||
"${cliArgs[@]}"
|
||||
env "${extraEnv[@]}" "${cliArgs[@]}"
|
||||
}
|
||||
|
||||
|
||||
|
@ -399,7 +397,7 @@ landlockExec() {
|
|||
# invoke the actual user command.
|
||||
PATH="$PATH:@landlockSandboxer@/bin:@libcap@/bin" LL_FS_RO= LL_FS_RW="$landlockPaths" exec \
|
||||
sandboxer \
|
||||
capsh "--caps=$capshCapsArg" --shell="${cliArgs[0]}" -- "${cliArgs[@]:1}"
|
||||
capsh "--caps=$capshCapsArg" --shell="/usr/bin/env" -- "${extraEnv[@]}" "${cliArgs[@]}"
|
||||
}
|
||||
|
||||
|
||||
|
@ -434,7 +432,7 @@ capshonlyIngestCapability() {
|
|||
|
||||
capshonlyExec() {
|
||||
PATH="$PATH:@libcap@/bin" exec \
|
||||
capsh "--caps=$capshCapsArg" --shell="${cliArgs[0]}" -- "${cliArgs[@]:1}"
|
||||
capsh "--caps=$capshCapsArg" --shell="/usr/bin/env" -- "${extraEnv[@]}" "${cliArgs[@]}"
|
||||
}
|
||||
|
||||
|
||||
|
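Review bot: Wrapping the command in `env` in firejailExec (the new `env "${extraEnv[@]}" "${cliArgs[@]}"` line) changes which program firejail sees as the sandboxed binary, and firejail derives its default profile name from that program, so unless firejailFlags already carries an explicit `--profile`/`--noprofile` (not visible in this hunk) the profile lookup now keys on `env` instead of the user's application. The same wrapping in bwrapExec, landlockExec and capshonlyExec also moves the PATH resolution of `${cliArgs[0]}` inside the sandbox, where `env` itself must be reachable; landlockExec and capshonlyExec hard-code `--shell="/usr/bin/env"` while the other two rely on a PATH lookup, so one resolved `env` path (substituted the way `@libcap@` is) would keep the four launchers consistent and make a missing `env` fail the same way in each. A comment on the firejail line such as `# N.B.: firejail picks its default profile from the exec'd program, which is now env, not the app` would at least record that dependency. The new GIO_USE_PORTALS comment also repeats the typo `themelves`, and each of the exec functions begins outside its hunk.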