modules/programs: sane-sandboxed: rework so portal env vars arent set when sandbox is disabled
Setting them only at launch time (rather than exporting them while parsing arguments) also aids introspectability and debugging.
parent
25dcb7f89a
commit
02dd629616
|
@ -17,6 +17,7 @@ firejailFlags=()
|
||||||
bwrapFlags=()
|
bwrapFlags=()
|
||||||
landlockPaths=
|
landlockPaths=
|
||||||
capshCapsArg=
|
capshCapsArg=
|
||||||
|
extraEnv=()
|
||||||
|
|
||||||
enableDebug() {
|
enableDebug() {
|
||||||
isDebug=1
|
isDebug=1
|
||||||
|
@ -193,13 +194,10 @@ parseArgs() {
|
||||||
;;
|
;;
|
||||||
(--sane-sandbox-portal)
|
(--sane-sandbox-portal)
|
||||||
# instruct glib/gtk apps to perform actions such as opening external files via dbus calls to org.freedesktop.portal.*.
|
# instruct glib/gtk apps to perform actions such as opening external files via dbus calls to org.freedesktop.portal.*.
|
||||||
# note that this env var primarily acts as a *fallback*: apps only open files via the portal if they don't know how to themelves.
|
# note that GIO_USE_PORTALS primarily acts as a *fallback*: apps only open files via the portal if they don't know how to themelves.
|
||||||
# this switch is typically accompanied by removing all MIME associations from the app's view, then.
|
# this switch is typically accompanied by removing all MIME associations from the app's view, then.
|
||||||
export GIO_USE_PORTALS=1
|
# GTK_USE_PORTALS is the old name, beginning to be phased out as of 2023-10-02
|
||||||
# old name, beginning to be phased out as of 2023-10-02
|
extraEnv+=("GIO_USE_PORTALS=1" "GTK_USE_PORTAL=1" "NIXOS_XDG_OPEN_USE_PORTAL=1")
|
||||||
export GTK_USE_PORTAL=1
|
|
||||||
# make `xdg-open` just forward to the portal
|
|
||||||
export NIXOS_XDG_OPEN_USE_PORTAL=1
|
|
||||||
;;
|
;;
|
||||||
(--sane-sandbox-dns)
|
(--sane-sandbox-dns)
|
||||||
# N.B.: these named temporary variables ensure that "set -x" causes $1 to be printed
|
# N.B.: these named temporary variables ensure that "set -x" causes $1 to be printed
|
||||||
|
@ -295,7 +293,7 @@ firejailExec() {
|
||||||
fi
|
fi
|
||||||
PATH="$PATH:@firejail@/bin" exec \
|
PATH="$PATH:@firejail@/bin" exec \
|
||||||
firejail "${firejailFlags[@]}" -- \
|
firejail "${firejailFlags[@]}" -- \
|
||||||
"${cliArgs[@]}"
|
env "${extraEnv[@]}" "${cliArgs[@]}"
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
||||||
|
@ -340,7 +338,7 @@ bwrapExec() {
|
||||||
# --unshare-user (implicit to every non-suid call to bwrap)
|
# --unshare-user (implicit to every non-suid call to bwrap)
|
||||||
PATH="$PATH:@bubblewrap@/bin" exec \
|
PATH="$PATH:@bubblewrap@/bin" exec \
|
||||||
bwrap --unshare-all --dev /dev --proc /proc --tmpfs /tmp "${bwrapFlags[@]}" -- \
|
bwrap --unshare-all --dev /dev --proc /proc --tmpfs /tmp "${bwrapFlags[@]}" -- \
|
||||||
"${cliArgs[@]}"
|
env "${extraEnv[@]}" "${cliArgs[@]}"
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
||||||
|
@ -399,7 +397,7 @@ landlockExec() {
|
||||||
# invoke the actual user command.
|
# invoke the actual user command.
|
||||||
PATH="$PATH:@landlockSandboxer@/bin:@libcap@/bin" LL_FS_RO= LL_FS_RW="$landlockPaths" exec \
|
PATH="$PATH:@landlockSandboxer@/bin:@libcap@/bin" LL_FS_RO= LL_FS_RW="$landlockPaths" exec \
|
||||||
sandboxer \
|
sandboxer \
|
||||||
capsh "--caps=$capshCapsArg" --shell="${cliArgs[0]}" -- "${cliArgs[@]:1}"
|
capsh "--caps=$capshCapsArg" --shell="/usr/bin/env" -- "${extraEnv[@]}" "${cliArgs[@]}"
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
||||||
|
@ -434,7 +432,7 @@ capshonlyIngestCapability() {
|
||||||
|
|
||||||
capshonlyExec() {
|
capshonlyExec() {
|
||||||
PATH="$PATH:@libcap@/bin" exec \
|
PATH="$PATH:@libcap@/bin" exec \
|
||||||
capsh "--caps=$capshCapsArg" --shell="${cliArgs[0]}" -- "${cliArgs[@]:1}"
|
capsh "--caps=$capshCapsArg" --shell="/usr/bin/env" -- "${extraEnv[@]}" "${cliArgs[@]}"
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
||||||
|
|
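Review bot: The new capsh invocations in landlockExec and capshonlyExec hard-code `--shell="/usr/bin/env"`, while every other tool in this file is reached through a store-path substitution (`@libcap@/bin`, `@firejail@/bin`, `@bubblewrap@/bin`); capsh's `--` execve()s the `--shell` path directly with no PATH lookup, so a host without `/usr/bin/env` fails to launch, and a host with a foreign `/usr/bin/env` starts the sandboxed process through a binary outside the store. Consider a substituted path there too, e.g. `--shell="@coreutils@/bin/env"`, if the build provides such a placeholder. The change also alters how `${cliArgs[0]}` is resolved: the old code execve()d it as given, whereas `env` now performs a PATH lookup in the environment the sandboxed process inherits, which deserves a one-line comment above each call such as `# env injects extraEnv and resolves cliArgs[0] via PATH; capsh's -- execs --shell directly`. In landlockExec, whether `/usr/bin/env` (or its symlink target) is executable under `LL_FS_RW="$landlockPaths"` depends on the caller-supplied landlockPaths, which are not visible in this hunk.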