programs: fix most service invokers (sway, nwg-panel, etc) to use systemd
This commit is contained in:
@@ -1071,6 +1071,9 @@ in
|
||||
swappy.sandbox.autodetectCliPaths = "existingFileOrParent";
|
||||
swappy.sandbox.whitelistWayland = true;
|
||||
|
||||
systemctl.packageUnwrapped = pkgs.linkBinIntoOwnPackage pkgs.systemdMinimal "systemctl";
|
||||
systemctl.sandbox.whitelistSystemctl = true;
|
||||
|
||||
tcpdump.sandbox.net = "all";
|
||||
tcpdump.sandbox.autodetectCliPaths = "existingFileOrParent";
|
||||
tcpdump.sandbox.capabilities = [ "net_admin" "net_raw" ];
|
||||
|
@@ -93,7 +93,7 @@
|
||||
menu.items = [
|
||||
{
|
||||
name = "Lock";
|
||||
cmd = "s6-rc start ${locker}";
|
||||
cmd = "systemctl start ${locker}";
|
||||
}
|
||||
# {
|
||||
# name = "Logout";
|
||||
|
@@ -69,7 +69,7 @@ in
|
||||
type = types.str;
|
||||
default = config.sane.programs.swayidle.config.actions.lock.service;
|
||||
description = ''
|
||||
s6 service to start which can lock the screen
|
||||
service to start which can lock the screen
|
||||
'';
|
||||
};
|
||||
torch = mkOption {
|
||||
@@ -197,14 +197,12 @@ in
|
||||
|
||||
sandbox.whitelistAudio = true;
|
||||
sandbox.whitelistDri = true;
|
||||
sandbox.whitelistS6 = true;
|
||||
sandbox.whitelistSystemctl = true;
|
||||
sandbox.whitelistWayland = true;
|
||||
sandbox.whitelistDbus = [
|
||||
"user" # playerctl, swaync, ...
|
||||
"system" # for "shutdown" option to speak to systemd
|
||||
];
|
||||
sandbox.extraPaths = [
|
||||
"/run/systemd" #< for "shutdown" option
|
||||
"/sys/class/backlight"
|
||||
"/sys/class/leds" #< for torch/flashlight on moby
|
||||
"/sys/class/power_supply" #< for the battery indicator
|
||||
|
@@ -138,12 +138,7 @@ in
|
||||
|
||||
"sane-scripts.reboot".sandbox = {
|
||||
method = "bunpen";
|
||||
whitelistDbus = [
|
||||
"system"
|
||||
];
|
||||
extraPaths = [
|
||||
"/run/systemd"
|
||||
];
|
||||
whitelistSystemctl = true;
|
||||
};
|
||||
|
||||
"sane-scripts.reclaim-disk-space".sandbox = {
|
||||
@@ -172,22 +167,12 @@ in
|
||||
|
||||
"sane-scripts.shutdown".sandbox = {
|
||||
method = "bunpen";
|
||||
whitelistDbus = [
|
||||
"system"
|
||||
];
|
||||
extraPaths = [
|
||||
"/run/systemd"
|
||||
];
|
||||
whitelistSystemctl = true;
|
||||
};
|
||||
|
||||
"sane-scripts.stop-all-servo".sandbox = {
|
||||
method = "bwrap";
|
||||
whitelistDbus = [
|
||||
"system"
|
||||
];
|
||||
extraPaths = [
|
||||
"/run/systemd"
|
||||
];
|
||||
whitelistSystemctl = true;
|
||||
};
|
||||
|
||||
# if `tee` isn't trustworthy we have bigger problems
|
||||
@@ -244,8 +229,10 @@ in
|
||||
|
||||
"sane-scripts.wipe".sandbox = {
|
||||
method = "bunpen";
|
||||
whitelistDbus = [ "user" ]; #< for `secret-tool`
|
||||
whitelistS6 = true; #< for stopping services before wiping
|
||||
whitelistDbus = [
|
||||
"user" #< for `secret-tool`
|
||||
];
|
||||
whitelistSystemctl = true;
|
||||
extraHomePaths = [
|
||||
# could be more specific, but at a maintenance cost.
|
||||
# TODO: needs updating, now that persisted data lives behind symlinks!
|
||||
|
@@ -81,7 +81,7 @@ bindsym --locked XF86MonBrightnessDown exec brightnessctl set 5%-
|
||||
bindsym Print exec sane-open --application sane-screenshot.desktop
|
||||
bindsym $mod+Print exec sane-open --application sane-screenshot.desktop
|
||||
bindsym $mod+p exec sane-open --application sane-screenshot.desktop
|
||||
bindsym $mod+l exec s6-rc -b start $locker
|
||||
bindsym $mod+l exec systemctl start $locker
|
||||
bindsym $mod+s exec sane-open --application rofi-snippets.desktop
|
||||
# bindsym $mod+slash exec sane-open splatmoji.desktop
|
||||
bindsym $mod+d exec sane-open --application rofi.desktop
|
||||
|
@@ -158,7 +158,6 @@ in
|
||||
"playerctl" # for waybar & particularly to have playerctld running
|
||||
"rofi" # menu/launcher
|
||||
"rofi-snippets"
|
||||
"s6-rc" # used by sway config
|
||||
"sane-screenshot"
|
||||
"sane-open"
|
||||
"sane-theme"
|
||||
@@ -169,6 +168,7 @@ in
|
||||
"swaynotificationcenter" # notification daemon
|
||||
"switchboard" # network/bluetooth/sound control panel
|
||||
"syshud" # volume notifier
|
||||
"systemctl" # used by sway config
|
||||
"unl0kr" # greeter
|
||||
# "waybar"
|
||||
"wdisplays" # like xrandr
|
||||
@@ -202,7 +202,7 @@ in
|
||||
sandbox.whitelistAudio = true; # it runs playerctl directly
|
||||
sandbox.whitelistDbus = [ "system" "user" ]; # to e.g. launch apps
|
||||
sandbox.whitelistDri = true;
|
||||
sandbox.whitelistS6 = true; #< for Super+L to start the screen locker service
|
||||
sandbox.whitelistSystemctl = true; #< for Super+L to start the screen locker service
|
||||
sandbox.whitelistX = true; # sway invokes xwayland itself
|
||||
sandbox.whitelistWayland = true;
|
||||
sandbox.extraRuntimePaths = [
|
||||
|
@@ -38,7 +38,7 @@ let
|
||||
lib.escapeShellArgs [ "sane-open" "--application" "${config.desktop}" ])
|
||||
)
|
||||
(lib.mkIf (config.service != null) (
|
||||
lib.escapeShellArgs [ "s6-rc" "start" "${config.service}" ])
|
||||
lib.escapeShellArgs [ "systemctl" "start" "${config.service}" ])
|
||||
)
|
||||
];
|
||||
});
|
||||
@@ -85,8 +85,10 @@ in
|
||||
# "sway" #< required, but circular dep
|
||||
];
|
||||
|
||||
sandbox.whitelistDbus = [ "user" ]; #< might need system too, for inhibitors
|
||||
sandbox.whitelistS6 = true;
|
||||
sandbox.whitelistDbus = [
|
||||
"user" #< ??
|
||||
];
|
||||
sandbox.whitelistSystemctl = true;
|
||||
sandbox.whitelistWayland = true;
|
||||
sandbox.extraRuntimePaths = [ "sway" ];
|
||||
|
||||
|
@@ -434,6 +434,13 @@ let
|
||||
allow the program to start/stop s6 services.
|
||||
'';
|
||||
};
|
||||
sandbox.whitelistSystemctl = mkOption {
|
||||
type = types.bool;
|
||||
default = false;
|
||||
description = ''
|
||||
allow the program to start/stop systemd system services.
|
||||
'';
|
||||
};
|
||||
sandbox.whitelistWayland = mkOption {
|
||||
type = types.bool;
|
||||
default = false;
|
||||
@@ -530,6 +537,8 @@ let
|
||||
|
||||
sandbox.keepPids = lib.mkIf config.sandbox.keepPidsAndProc true;
|
||||
|
||||
sandbox.whitelistDbus = lib.mkIf config.sandbox.whitelistSystemctl [ "system" ];
|
||||
|
||||
sandbox.extraPaths =
|
||||
lib.optionals config.sandbox.whitelistDri [
|
||||
# /dev/dri/renderD128: requested by wayland-egl (e.g. KOreader, animatch, geary)
|
||||
@@ -563,6 +572,8 @@ let
|
||||
"/sys/devices"
|
||||
"/sys/firmware" #< for moby camera, to parse its devicetree
|
||||
# "/dev"
|
||||
] ++ lib.optionals config.sandbox.whitelistSystemctl [
|
||||
"/run/systemd/system"
|
||||
]
|
||||
;
|
||||
sandbox.extraRuntimePaths =
|
||||
|
@@ -216,7 +216,7 @@ let
|
||||
wipe = static-nix-shell.mkBash {
|
||||
pname = "sane-wipe";
|
||||
srcRoot = ./src;
|
||||
pkgs = [ "dconf" "libsecret" "procps" "s6-rc" ];
|
||||
pkgs = [ "dconf" "libsecret" "procps" "systemdMinimal" ];
|
||||
};
|
||||
};
|
||||
in sane-bin // {
|
||||
|
@@ -1,5 +1,5 @@
|
||||
#!/usr/bin/env nix-shell
|
||||
#!nix-shell -i bash -p bash -p dconf -p libsecret -p procps -p s6-rc
|
||||
#!nix-shell -i bash -p bash -p dconf -p libsecret -p procps -p systemdMinimal
|
||||
|
||||
help() {
|
||||
echo "usage: sane-wipe <resource>"
|
||||
@@ -52,7 +52,7 @@ wipe_flare() {
|
||||
}
|
||||
|
||||
wipe_fractal() {
|
||||
s6-rc stop fractal
|
||||
systemctl stop fractal
|
||||
|
||||
# first, ensure the relevant secrets are unlocked
|
||||
secret-tool search --all --unlock 'xdg:schema' 'org.gnome.Fractal'
|
||||
|
Reference in New Issue
Block a user