sane.programs: sandbox: refactor extraRuntimePaths computation
@@ -68,13 +68,7 @@ let
|
|||||||
fullRuntimePaths = lib.optionals (userName != null) (
|
fullRuntimePaths = lib.optionals (userName != null) (
|
||||||
builtins.map
|
builtins.map
|
||||||
(p: path-lib.concat [ xdgRuntimeDir p ])
|
(p: path-lib.concat [ xdgRuntimeDir p ])
|
||||||
(
|
sandbox.extraRuntimePaths
|
||||||
sandbox.extraRuntimePaths
|
|
||||||
++ lib.optionals sandbox.whitelistAudio [ "pipewire" "pulse" ] # this includes pipewire/pipewire-0-manager: is that ok?
|
|
||||||
++ lib.optionals (builtins.elem "user" sandbox.whitelistDbus) [ "bus" ]
|
|
||||||
++ lib.optionals sandbox.whitelistWayland [ "wayland" ] # app can still communicate with wayland server w/o this, if it has net access
|
|
||||||
++ lib.optionals sandbox.whitelistS6 [ "s6" ] # TODO: this allows re-writing the services themselves: don't allow that!
|
|
||||||
)
|
|
||||||
);
|
);
|
||||||
allowedPaths = [
|
allowedPaths = [
|
||||||
"/nix/store"
|
"/nix/store"
|
||||||
@@ -487,18 +481,22 @@ let
|
|||||||
# this gets the symlink into the sandbox, but not the actual secret.
|
# this gets the symlink into the sandbox, but not the actual secret.
|
||||||
fs = lib.mapAttrs (_homePath: _secretSrc: {}) config.secrets;
|
fs = lib.mapAttrs (_homePath: _secretSrc: {}) config.secrets;
|
||||||
|
|
||||||
sandbox.extraPaths = lib.mkMerge [
|
sandbox.extraPaths =
|
||||||
(lib.mkIf config.sandbox.whitelistDri [
|
lib.optionals config.sandbox.whitelistDri [
|
||||||
# /dev/dri/renderD128: requested by wayland-egl (e.g. KOreader, animatch, geary)
|
# /dev/dri/renderD128: requested by wayland-egl (e.g. KOreader, animatch, geary)
|
||||||
# - but everything seems to gracefully fallback to *something* (MESA software rendering?)
|
# - but everything seems to gracefully fallback to *something* (MESA software rendering?)
|
||||||
# - CPU usage difference between playing videos in Gtk apps (e.g. fractal) with v.s. without DRI is 10% v.s. 90%.
|
# - CPU usage difference between playing videos in Gtk apps (e.g. fractal) with v.s. without DRI is 10% v.s. 90%.
|
||||||
# - GPU attack surface is *large*: <https://security.stackexchange.com/questions/182501/modern-linux-gpu-driver-security>
|
# - GPU attack surface is *large*: <https://security.stackexchange.com/questions/182501/modern-linux-gpu-driver-security>
|
||||||
"/dev/dri" "/sys/dev/char" "/sys/devices" # (lappy: "/sys/devices/pci0000:00", moby needs something different)
|
"/dev/dri" "/sys/dev/char" "/sys/devices" # (lappy: "/sys/devices/pci0000:00", moby needs something different)
|
||||||
])
|
]
|
||||||
(lib.mkIf config.sandbox.whitelistX [
|
++ lib.optionals config.sandbox.whitelistX [ "/tmp/.X11-unix" ]
|
||||||
"/tmp/.X11-unix"
|
;
|
||||||
])
|
sandbox.extraRuntimePaths =
|
||||||
];
|
lib.optionals config.sandbox.whitelistAudio [ "pipewire" "pulse" ] # this includes pipewire/pipewire-0-manager: is that ok?
|
||||||
|
++ lib.optionals (builtins.elem "user" config.sandbox.whitelistDbus) [ "bus" ]
|
||||||
|
++ lib.optionals config.sandbox.whitelistWayland [ "wayland" ] # app can still communicate with wayland server w/o this, if it has net access
|
||||||
|
++ lib.optionals config.sandbox.whitelistS6 [ "s6" ] # TODO: this allows re-writing the services themselves: don't allow that!
|
||||||
|
;
|
||||||
sandbox.extraConfig = lib.mkIf config.sandbox.usePortal [
|
sandbox.extraConfig = lib.mkIf config.sandbox.usePortal [
|
||||||
"--sane-sandbox-portal"
|
"--sane-sandbox-portal"
|
||||||
];
|
];
|
||||||
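Review bot: The `s6` entry in the new `sandbox.extraRuntimePaths` still carries the TODO saying the grant lets a sandboxed program rewrite the services themselves, and the refactor moves that grant into the per-program module without narrowing it; since `fullRuntimePaths` in the first hunk binds each entry through `path-lib.concat [ xdgRuntimeDir p ]`, an entry can be a sub-path, so binding only the s6 control path rather than the whole `s6` directory would close this, though the exact sub-path depends on the s6 layout used here and is not visible in the hunk. The `pipewire` entry has the same shape: its own comment notes it pulls in `pipewire/pipewire-0-manager`, and if the program only needs playback/capture then `pipewire/pipewire-0` alone is the smaller grant, pending confirmation that this matches the socket name on these hosts. Because the relative-to-runtime-dir convention now lives far from where it is applied, a comment at the assignment would help, e.g. `# entries are relative to $XDG_RUNTIME_DIR; see fullRuntimePaths`. The enclosing `let` starts before both hunks.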
|