colin/nix-files
1
0
Fork 1
Code Issues Pull Requests Projects Releases Wiki Activity

sane.programs: sandbox: refactor extraRuntimePaths computation

Browse Source
This commit is contained in:
Colin
2024-03-24 11:58:17 +00:00
parent 9c0b175260
commit 03fbb780b2
1 changed files with 12 additions and 14 deletions
Download Patch File Download Diff File Expand all files Collapse all files

26
modules/programs/default.nix
View File

@@ -68,13 +68,7 @@ let
fullRuntimePaths = lib.optionals (userName != null) ( fullRuntimePaths = lib.optionals (userName != null) (
builtins.map builtins.map
(p: path-lib.concat [ xdgRuntimeDir p ]) (p: path-lib.concat [ xdgRuntimeDir p ])
( sandbox.extraRuntimePaths
sandbox.extraRuntimePaths
++ lib.optionals sandbox.whitelistAudio [ "pipewire" "pulse" ] # this includes pipewire/pipewire-0-manager: is that ok?
++ lib.optionals (builtins.elem "user" sandbox.whitelistDbus) [ "bus" ]
++ lib.optionals sandbox.whitelistWayland [ "wayland" ] # app can still communicate with wayland server w/o this, if it has net access
++ lib.optionals sandbox.whitelistS6 [ "s6" ] # TODO: this allows re-writing the services themselves: don't allow that!
)
); );
allowedPaths = [ allowedPaths = [
"/nix/store" "/nix/store"
@@ -487,18 +481,22 @@ let
# this gets the symlink into the sandbox, but not the actual secret. # this gets the symlink into the sandbox, but not the actual secret.
fs = lib.mapAttrs (_homePath: _secretSrc: {}) config.secrets; fs = lib.mapAttrs (_homePath: _secretSrc: {}) config.secrets;
sandbox.extraPaths = lib.mkMerge [ sandbox.extraPaths =
(lib.mkIf config.sandbox.whitelistDri [ lib.optionals config.sandbox.whitelistDri [
# /dev/dri/renderD128: requested by wayland-egl (e.g. KOreader, animatch, geary) # /dev/dri/renderD128: requested by wayland-egl (e.g. KOreader, animatch, geary)
# - but everything seems to gracefully fallback to *something* (MESA software rendering?) # - but everything seems to gracefully fallback to *something* (MESA software rendering?)
# - CPU usage difference between playing videos in Gtk apps (e.g. fractal) with v.s. without DRI is 10% v.s. 90%. # - CPU usage difference between playing videos in Gtk apps (e.g. fractal) with v.s. without DRI is 10% v.s. 90%.
# - GPU attack surface is *large*: <https://security.stackexchange.com/questions/182501/modern-linux-gpu-driver-security> # - GPU attack surface is *large*: <https://security.stackexchange.com/questions/182501/modern-linux-gpu-driver-security>
"/dev/dri" "/sys/dev/char" "/sys/devices" # (lappy: "/sys/devices/pci0000:00", moby needs something different) "/dev/dri" "/sys/dev/char" "/sys/devices" # (lappy: "/sys/devices/pci0000:00", moby needs something different)
]) ]
(lib.mkIf config.sandbox.whitelistX [ ++ lib.optionals config.sandbox.whitelistX [ "/tmp/.X11-unix" ]
"/tmp/.X11-unix" ;
]) sandbox.extraRuntimePaths =
]; lib.optionals config.sandbox.whitelistAudio [ "pipewire" "pulse" ] # this includes pipewire/pipewire-0-manager: is that ok?
++ lib.optionals (builtins.elem "user" config.sandbox.whitelistDbus) [ "bus" ]
++ lib.optionals config.sandbox.whitelistWayland [ "wayland" ] # app can still communicate with wayland server w/o this, if it has net access
++ lib.optionals config.sandbox.whitelistS6 [ "s6" ] # TODO: this allows re-writing the services themselves: don't allow that!
;
sandbox.extraConfig = lib.mkIf config.sandbox.usePortal [ sandbox.extraConfig = lib.mkIf config.sandbox.usePortal [
"--sane-sandbox-portal" "--sane-sandbox-portal"
]; ];