programs: fix most service invokers (sway, nwg-panel, etc) to use systemd

2024-10-03 03:20:05 +00:00
parent 9991518a64
commit 0744237c13
10 changed files with 35 additions and 34 deletions


@@ -1071,6 +1071,9 @@ in
swappy.sandbox.autodetectCliPaths = "existingFileOrParent";
swappy.sandbox.whitelistWayland = true;
systemctl.packageUnwrapped = pkgs.linkBinIntoOwnPackage pkgs.systemdMinimal "systemctl";
systemctl.sandbox.whitelistSystemctl = true;
tcpdump.sandbox.net = "all";
tcpdump.sandbox.autodetectCliPaths = "existingFileOrParent";
tcpdump.sandbox.capabilities = [ "net_admin" "net_raw" ];


@@ -93,7 +93,7 @@
menu.items = [
{
name = "Lock";
cmd = "s6-rc start ${locker}";
cmd = "systemctl start ${locker}";
}
# {
# name = "Logout";


@@ -69,7 +69,7 @@ in
type = types.str;
default = config.sane.programs.swayidle.config.actions.lock.service;
description = ''
s6 service to start which can lock the screen
service to start which can lock the screen
'';
};
torch = mkOption {
@@ -197,14 +197,12 @@ in
sandbox.whitelistAudio = true;
sandbox.whitelistDri = true;
sandbox.whitelistS6 = true;
sandbox.whitelistSystemctl = true;
sandbox.whitelistWayland = true;
sandbox.whitelistDbus = [
"user" # playerctl, swaync, ...
"system" # for "shutdown" option to speak to systemd
];
sandbox.extraPaths = [
"/run/systemd" #< for "shutdown" option
"/sys/class/backlight"
"/sys/class/leds" #< for torch/flashlight on moby
"/sys/class/power_supply" #< for the battery indicator


@@ -138,12 +138,7 @@ in
"sane-scripts.reboot".sandbox = {
method = "bunpen";
whitelistDbus = [
"system"
];
extraPaths = [
"/run/systemd"
];
whitelistSystemctl = true;
};
"sane-scripts.reclaim-disk-space".sandbox = {
@@ -172,22 +167,12 @@ in
"sane-scripts.shutdown".sandbox = {
method = "bunpen";
whitelistDbus = [
"system"
];
extraPaths = [
"/run/systemd"
];
whitelistSystemctl = true;
};
"sane-scripts.stop-all-servo".sandbox = {
method = "bwrap";
whitelistDbus = [
"system"
];
extraPaths = [
"/run/systemd"
];
whitelistSystemctl = true;
};
# if `tee` isn't trustworthy we have bigger problems
@@ -244,8 +229,10 @@ in
"sane-scripts.wipe".sandbox = {
method = "bunpen";
whitelistDbus = [ "user" ]; #< for `secret-tool`
whitelistS6 = true; #< for stopping services before wiping
whitelistDbus = [
"user" #< for `secret-tool`
];
whitelistSystemctl = true;
extraHomePaths = [
# could be more specific, but at a maintenance cost.
# TODO: needs updating, now that persisted data lives behind symlinks!
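Review bot: The `sane-scripts.wipe` sandbox loses its justification comment and appears to gain a wider grant. The old `whitelistS6 = true; #< for stopping services before wiping` line becomes a bare `whitelistSystemctl = true;`. If that option implies system D-Bus access, as the option definition elsewhere in this commit suggests, a script that previously listed only the user bus can now reach the system bus as well. I would keep the reason on the new line: `whitelistSystemctl = true;  #< for stopping services before wiping; implies system dbus`. The reboot, shutdown and stop-all-servo blocks in this section get the same bare line, but there it replaces an explicit `"system"` / `"/run/systemd"` pair, so the grant does not grow. The wipe block continues past the end of the hunk.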


@@ -81,7 +81,7 @@ bindsym --locked XF86MonBrightnessDown exec brightnessctl set 5%-
bindsym Print exec sane-open --application sane-screenshot.desktop
bindsym $mod+Print exec sane-open --application sane-screenshot.desktop
bindsym $mod+p exec sane-open --application sane-screenshot.desktop
bindsym $mod+l exec s6-rc -b start $locker
bindsym $mod+l exec systemctl start $locker
bindsym $mod+s exec sane-open --application rofi-snippets.desktop
# bindsym $mod+slash exec sane-open splatmoji.desktop
bindsym $mod+d exec sane-open --application rofi.desktop


@@ -158,7 +158,6 @@ in
"playerctl" # for waybar & particularly to have playerctld running
"rofi" # menu/launcher
"rofi-snippets"
"s6-rc" # used by sway config
"sane-screenshot"
"sane-open"
"sane-theme"
@@ -169,6 +168,7 @@ in
"swaynotificationcenter" # notification daemon
"switchboard" # network/bluetooth/sound control panel
"syshud" # volume notifier
"systemctl" # used by sway config
"unl0kr" # greeter
# "waybar"
"wdisplays" # like xrandr
@@ -202,7 +202,7 @@ in
sandbox.whitelistAudio = true; # it runs playerctl directly
sandbox.whitelistDbus = [ "system" "user" ]; # to e.g. launch apps
sandbox.whitelistDri = true;
sandbox.whitelistS6 = true; #< for Super+L to start the screen locker service
sandbox.whitelistSystemctl = true; #< for Super+L to start the screen locker service
sandbox.whitelistX = true; # sway invokes xwayland itself
sandbox.whitelistWayland = true;
sandbox.extraRuntimePaths = [


@@ -38,7 +38,7 @@ let
lib.escapeShellArgs [ "sane-open" "--application" "${config.desktop}" ])
)
(lib.mkIf (config.service != null) (
lib.escapeShellArgs [ "s6-rc" "start" "${config.service}" ])
lib.escapeShellArgs [ "systemctl" "start" "${config.service}" ])
)
];
});
@@ -85,8 +85,10 @@ in
# "sway" #< required, but circular dep
];
sandbox.whitelistDbus = [ "user" ]; #< might need system too, for inhibitors
sandbox.whitelistS6 = true;
sandbox.whitelistDbus = [
"user" #< ??
];
sandbox.whitelistSystemctl = true;
sandbox.whitelistWayland = true;
sandbox.extraRuntimePaths = [ "sway" ];
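Review bot: The new comment `"user" #< ??` gives no reason for the user-bus grant and drops the earlier note that the system bus might be needed for inhibitors. The `sandbox.whitelistSystemctl = true;` line just below presumably brings the system bus in anyway, so the comment can record what is known, e.g. `"user" #< consumer unconfirmed; system bus (inhibitors) now comes via whitelistSystemctl`. A sandbox grant without a named consumer is hard to remove later, so it is worth either naming what uses the user bus or testing the program without it.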


@@ -434,6 +434,13 @@ let
allow the program to start/stop s6 services.
'';
};
sandbox.whitelistSystemctl = mkOption {
type = types.bool;
default = false;
description = ''
allow the program to start/stop systemd system services.
'';
};
sandbox.whitelistWayland = mkOption {
type = types.bool;
default = false;
@@ -530,6 +537,8 @@ let
sandbox.keepPids = lib.mkIf config.sandbox.keepPidsAndProc true;
sandbox.whitelistDbus = lib.mkIf config.sandbox.whitelistSystemctl [ "system" ];
sandbox.extraPaths =
lib.optionals config.sandbox.whitelistDri [
# /dev/dri/renderD128: requested by wayland-egl (e.g. KOreader, animatch, geary)
@@ -563,6 +572,8 @@ let
"/sys/devices"
"/sys/firmware" #< for moby camera, to parse its devicetree
# "/dev"
] ++ lib.optionals config.sandbox.whitelistSystemctl [
"/run/systemd/system"
]
;
sandbox.extraRuntimePaths =
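Review bot: The description of `sandbox.whitelistSystemctl` understates what the option grants. Besides `/run/systemd/system`, the `lib.mkIf config.sandbox.whitelistSystemctl [ "system" ]` line adds the system D-Bus to the program's whitelist. Unless the sandbox filters bus traffic somewhere not shown here, that exposes every service on that bus, not only systemd's manager. I would state this in the description, e.g. `allow the program to start/stop systemd system services; implies access to the system D-Bus and /run/systemd/system.`, so that someone enabling the flag for a single `systemctl start` sees the full scope. Which units a sandboxed caller may control is presumably decided outside the sandbox by systemd's own authorization, and a one-line comment next to the `mkIf` saying so would help.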


@@ -216,7 +216,7 @@ let
wipe = static-nix-shell.mkBash {
pname = "sane-wipe";
srcRoot = ./src;
pkgs = [ "dconf" "libsecret" "procps" "s6-rc" ];
pkgs = [ "dconf" "libsecret" "procps" "systemdMinimal" ];
};
};
in sane-bin // {


@@ -1,5 +1,5 @@
#!/usr/bin/env nix-shell
#!nix-shell -i bash -p bash -p dconf -p libsecret -p procps -p s6-rc
#!nix-shell -i bash -p bash -p dconf -p libsecret -p procps -p systemdMinimal
help() {
echo "usage: sane-wipe <resource>"
@@ -52,7 +52,7 @@ wipe_flare() {
}
wipe_fractal() {
s6-rc stop fractal
systemctl stop fractal
# first, ensure the relevant secrets are unlocked
secret-tool search --all --unlock 'xdg:schema' 'org.gnome.Fractal'
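Review bot: Nothing visible in `wipe_fractal` checks whether `systemctl stop fractal` succeeded before the secrets are unlocked and, presumably, removed further down. Without `--user` the call addresses the system manager, so it can fail on authorization or on an unknown unit, and a client that is still running could rewrite the state being wiped. Unless the script enables `set -e` outside this hunk, I would make the failure explicit: `systemctl stop fractal || { echo "sane-wipe: failed to stop fractal" >&2; return 1; }`. The function body continues past the end of the hunk.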