modules/programs: sane-sandboxed: rework so portal env vars arent set when sandbox is disabled

and setting them only at launch time aids introspectability/debugging.
Colin 2024-02-15 11:57:36 +00:00
parent 25dcb7f89a
commit 02dd629616


@ -17,6 +17,7 @@ firejailFlags=()
bwrapFlags=() bwrapFlags=()
landlockPaths= landlockPaths=
capshCapsArg= capshCapsArg=
extraEnv=()
enableDebug() { enableDebug() {
isDebug=1 isDebug=1
@ -193,13 +194,10 @@ parseArgs() {
;; ;;
(--sane-sandbox-portal) (--sane-sandbox-portal)
# instruct glib/gtk apps to perform actions such as opening external files via dbus calls to org.freedesktop.portal.*. # instruct glib/gtk apps to perform actions such as opening external files via dbus calls to org.freedesktop.portal.*.
# note that this env var primarily acts as a *fallback*: apps only open files via the portal if they don't know how to themelves. # note that GIO_USE_PORTALS primarily acts as a *fallback*: apps only open files via the portal if they don't know how to themelves.
# this switch is typically accompanied by removing all MIME associations from the app's view, then. # this switch is typically accompanied by removing all MIME associations from the app's view, then.
export GIO_USE_PORTALS=1 # GTK_USE_PORTALS is the old name, beginning to be phased out as of 2023-10-02
# old name, beginning to be phased out as of 2023-10-02 extraEnv+=("GIO_USE_PORTALS=1" "GTK_USE_PORTAL=1" "NIXOS_XDG_OPEN_USE_PORTAL=1")
export GTK_USE_PORTAL=1
# make `xdg-open` just forward to the portal
export NIXOS_XDG_OPEN_USE_PORTAL=1
;; ;;
(--sane-sandbox-dns) (--sane-sandbox-dns)
# N.B.: these named temporary variables ensure that "set -x" causes $1 to be printed # N.B.: these named temporary variables ensure that "set -x" causes $1 to be printed
@ -295,7 +293,7 @@ firejailExec() {
fi fi
PATH="$PATH:@firejail@/bin" exec \ PATH="$PATH:@firejail@/bin" exec \
firejail "${firejailFlags[@]}" -- \ firejail "${firejailFlags[@]}" -- \
"${cliArgs[@]}" env "${extraEnv[@]}" "${cliArgs[@]}"
} }
@ -340,7 +338,7 @@ bwrapExec() {
# --unshare-user (implicit to every non-suid call to bwrap) # --unshare-user (implicit to every non-suid call to bwrap)
PATH="$PATH:@bubblewrap@/bin" exec \ PATH="$PATH:@bubblewrap@/bin" exec \
bwrap --unshare-all --dev /dev --proc /proc --tmpfs /tmp "${bwrapFlags[@]}" -- \ bwrap --unshare-all --dev /dev --proc /proc --tmpfs /tmp "${bwrapFlags[@]}" -- \
"${cliArgs[@]}" env "${extraEnv[@]}" "${cliArgs[@]}"
} }
@ -399,7 +397,7 @@ landlockExec() {
# invoke the actual user command. # invoke the actual user command.
PATH="$PATH:@landlockSandboxer@/bin:@libcap@/bin" LL_FS_RO= LL_FS_RW="$landlockPaths" exec \ PATH="$PATH:@landlockSandboxer@/bin:@libcap@/bin" LL_FS_RO= LL_FS_RW="$landlockPaths" exec \
sandboxer \ sandboxer \
capsh "--caps=$capshCapsArg" --shell="${cliArgs[0]}" -- "${cliArgs[@]:1}" capsh "--caps=$capshCapsArg" --shell="/usr/bin/env" -- "${extraEnv[@]}" "${cliArgs[@]}"
} }
@ -434,7 +432,7 @@ capshonlyIngestCapability() {
capshonlyExec() { capshonlyExec() {
PATH="$PATH:@libcap@/bin" exec \ PATH="$PATH:@libcap@/bin" exec \
capsh "--caps=$capshCapsArg" --shell="${cliArgs[0]}" -- "${cliArgs[@]:1}" capsh "--caps=$capshCapsArg" --shell="/usr/bin/env" -- "${extraEnv[@]}" "${cliArgs[@]}"
} }
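Review bot: In the landlockExec and capshonlyExec hunks the new `--shell="/usr/bin/env"` hard-codes an FHS path, whereas every other external tool in this file is reached through a substituted `@…@/bin` directory; capsh appears to exec the `--shell` path directly, so under landlockExec that file (and its symlink target, if it is one) must be reachable under `LL_FS_RO= LL_FS_RW="$landlockPaths"` or the exec fails where `--shell="${cliArgs[0]}"` previously worked — worth confirming, or resolving `env` through a substituted store path like the other tools (e.g. `@COREUTILS_PLACEHOLDER@/bin/env`). A smaller point in the parseArgs hunk: the new comment says `GTK_USE_PORTALS is the old name` but the value actually appended is `GTK_USE_PORTAL=1`; suggest `# GTK_USE_PORTAL is the old name, beginning to be phased out as of 2023-10-02`, and the dropped explanation that `NIXOS_XDG_OPEN_USE_PORTAL` makes `xdg-open` forward to the portal is worth keeping alongside it. Each affected function's body begins outside its hunk.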