programs: sandboxing: only permit wayland socket access to those specific apps which require it

hosts/common/programs/animatch.nix

@@ -29,8 +29,11 @@
         ];
       });
     };
+
     sandbox.method = "bwrap";
     sandbox.wrapperType = "wrappedDerivation";
+    sandbox.whitelistWayland = true;
+
     persist.byStore.plaintext = [
       # ".config/Holy Pangolin/Animatch"  #< used for SuperDerpy config (e.g. debug, disableTouch, fullscreen, enable sound, etc). SuperDerpy.ini
       ".local/share/Holy Pangolin/Animatch"  #< used for game state (level clears). SuperDerpy.ini

hosts/common/programs/assorted.nix

@@ -225,6 +225,7 @@ in
     blanket.sandbox.wrapperType = "wrappedDerivation";
     blanket.sandbox.whitelistAudio = true;
     # blanket.sandbox.whitelistDbus = [ "user" ];  # TODO: untested
+    blanket.sandbox.whitelistWayland = true;
 
     brightnessctl.sandbox.method = "landlock";  # also bwrap, but landlock is more responsive
     brightnessctl.sandbox.wrapperType = "wrappedDerivation";
@@ -244,6 +245,7 @@ in
     delfin.sandbox.whitelistAudio = true;
     # delfin.sandbox.whitelistDbus = [ "user" ];  # TODO: untested
     delfin.sandbox.whitelistDri = true;
+    delfin.sandbox.whitelistWayland = true;
     delfin.sandbox.net = "clearnet";
     delfin.persist.byStore.private = [ ".config/delfin" ];
 
@@ -252,6 +254,7 @@ in
     discord.sandbox.wrapperType = "inplace";  #< /opt-style packaging
     discord.sandbox.whitelistAudio = true;
     # discord.sandbox.whitelistDbus = [ "user" ];  # TODO: untested
+    discord.sandbox.whitelistWayland = true;
     discord.sandbox.net = "clearnet";
     discord.persist.byStore.private = [ ".config/discord" ];
 
@@ -298,6 +301,7 @@ in
     fuzzel.sandbox.enable = false;
     fuzzel.sandbox.method = "bwrap";  #< landlock nearly works, but unable to open ~/.cache
     fuzzel.sandbox.wrapperType = "wrappedDerivation";
+    fuzzel.sandbox.whitelistWayland = true;
     fuzzel.persist.byStore.private = [ ".cache/fuzzel" ];  #< this is a file of recent selections
 
     gawk.sandbox.method = "bwrap";  # TODO:sandbox: untested
@@ -315,6 +319,7 @@ in
 
     gimp.sandbox.method = "bwrap";
     gimp.sandbox.wrapperType = "wrappedDerivation";
+    gimp.sandbox.whitelistWayland = true;
     gimp.sandbox.extraHomePaths = [
       "Pictures"
       "Pictures/servo-macros"
@@ -326,19 +331,23 @@ in
 
     "gnome.gnome-calculator".sandbox.method = "bwrap";
     "gnome.gnome-calculator".sandbox.wrapperType = "inplace";  # /libexec/gnome-calculator-search-provider
+    "gnome.gnome-calculator".sandbox.whitelistWayland = true;
 
     # gnome-calendar surely has data to persist, but i use it strictly to do date math, not track events.
     "gnome.gnome-calendar".sandbox.method = "bwrap";
     "gnome.gnome-calendar".sandbox.wrapperType = "wrappedDerivation";
+    "gnome.gnome-calendar".sandbox.whitelistWayland = true;
 
     "gnome.gnome-clocks".sandbox.method = "bwrap";
     "gnome.gnome-clocks".sandbox.wrapperType = "wrappedDerivation";
+    "gnome.gnome-clocks".sandbox.whitelistWayland = true;
     "gnome.gnome-clocks".persist.byStore.private = [
       ".config/dconf"
     ];
 
     gnome-2048.sandbox.method = "bwrap";
     gnome-2048.sandbox.wrapperType = "wrappedDerivation";
+    gnome-2048.sandbox.whitelistWayland = true;
     gnome-2048.persist.byStore.plaintext = [ ".local/share/gnome-2048/scores" ];
 
     # TODO: gnome-maps: move to own file
@@ -352,11 +361,13 @@ in
     # - win once (1) and (2) are satisfied
     "gnome.hitori".sandbox.method = "bwrap";
     "gnome.hitori".sandbox.wrapperType = "wrappedDerivation";
+    "gnome.hitori".sandbox.whitelistWayland = true;
 
     # jq.sandbox.autodetectCliPaths = true;  # liable to over-detect
 
     krita.sandbox.method = "bwrap";
     krita.sandbox.wrapperType = "wrappedDerivation";
+    krita.sandbox.whitelistWayland = true;
     krita.sandbox.autodetectCliPaths = "existing";
     krita.sandbox.extraHomePaths = [
       "dev"
@@ -387,9 +398,11 @@ in
 
     pavucontrol.sandbox.method = "bwrap";
     pavucontrol.sandbox.wrapperType = "wrappedDerivation";
+    pavucontrol.sandbox.whitelistWayland = true;
 
     pwvucontrol.sandbox.method = "bwrap";
     pwvucontrol.sandbox.wrapperType = "wrappedDerivation";
+    pwvucontrol.sandbox.whitelistWayland = true;
 
     python3-repl.packageUnwrapped = pkgs.python3.withPackages (ps: with ps; [
       requests
@@ -432,6 +445,7 @@ in
     superTux.sandbox.wrapperType = "wrappedDerivation";
     superTux.sandbox.whitelistAudio = true;
     superTux.sandbox.whitelistDri = true;
+    superTux.sandbox.whitelistWayland = true;
     superTux.persist.byStore.plaintext = [ ".local/share/supertux2" ];
 
     swaylock.sandbox.enable = false;  #< neither landlock nor bwrap works. pam_authenticate failed: invalid credentials. does it rely on SUID?
@@ -463,6 +477,7 @@ in
     vvvvvv.sandbox.wrapperType = "wrappedDerivation";
     vvvvvv.sandbox.whitelistAudio = true;
     vvvvvv.sandbox.whitelistDri = true;  #< playable without, but burns noticably more CPU
+    vvvvvv.sandbox.whitelistWayland = true;
     vvvvvv.persist.byStore.plaintext = [ ".local/share/VVVVVV" ];
 
     wget.sandbox.method = "bwrap";

hosts/common/programs/audacity.nix

@@ -12,6 +12,7 @@
     sandbox.method = "bwrap";
     sandbox.wrapperType = "wrappedDerivation";
     sandbox.whitelistAudio = true;
+    sandbox.whitelistWayland = true;
     sandbox.autodetectCliPaths = true;
     sandbox.extraHomePaths = [
       # support media imports via file->open dir to some common media directories

hosts/common/programs/brave.nix

@@ -10,6 +10,8 @@
     ];
     sandbox.whitelistAudio = true;
     sandbox.whitelistDri = true;
+    sandbox.whitelistWayland = true;
+
     persist.byStore.cryptClearOnBoot = [
       ".cache/BraveSoftware"
       ".config/BraveSoftware"

hosts/common/programs/conky/default.nix

@@ -10,6 +10,8 @@
       # "/sys/devices/cpu"
       # "/sys/devices/system"
     ];
+    sandbox.whitelistWayland = true;
+
     fs.".config/conky/conky.conf".symlink.target =
       let
         battery_estimate = pkgs.static-nix-shell.mkBash {

hosts/common/programs/cozy.nix

@@ -6,6 +6,7 @@
     sandbox.wrapperType = "wrappedDerivation";
     sandbox.whitelistAudio = true;
     sandbox.whitelistDbus = [ "user" ];  # mpris
+    sandbox.whitelistWayland = true;
     sandbox.extraHomePaths = [
       "Books"
       "Books/servo"

hosts/common/programs/dialect.nix

@@ -3,6 +3,7 @@
   sane.programs.dialect = {
     sandbox.method = "bwrap";
     sandbox.wrapperType = "inplace";  # share/search_providers/ calls back into the binary, weird wrap semantics
+    sandbox.whitelistWayland = true;
     sandbox.net = "clearnet";
     sandbox.extraHomePaths = [
       ".config/dconf"  # to persist settings

hosts/common/programs/dino.nix

@@ -51,6 +51,7 @@ in
     sandbox.whitelistAudio = true;
     sandbox.whitelistDbus = [ "user" ];  # notifications
     sandbox.whitelistDri = true;  #< not strictly necessary, but we need all the perf we can get on moby
+    sandbox.whitelistWayland = true;
 
     persist.byStore.private = [ ".local/share/dino" ];
 

hosts/common/programs/element-desktop.nix

@@ -13,6 +13,8 @@
     sandbox.whitelistAudio = true;
     sandbox.whitelistDbus = [ "user" ];  # notifications
     sandbox.whitelistDri = true;
+    sandbox.whitelistWayland = true;
+
     packageUnwrapped = pkgs.element-desktop.override {
       # use pre-build electron because otherwise it takes 4 hrs to build from source.
       electron = pkgs.electron-bin;

hosts/common/programs/epiphany.nix

@@ -15,6 +15,7 @@
     # default sandboxing breaks rendering in weird ways. sites are super zoomed in / not scaled.
     # enabling DRI/DRM (as below) seems to fix that.
     sandbox.whitelistDri = true;
+    sandbox.whitelistWayland = true;
     sandbox.extraHomePaths = [
       ".config/epiphany"  #< else it gets angry at launch
       "tmp"

hosts/common/programs/evince.nix

@@ -3,6 +3,8 @@
   sane.programs.evince = {
     sandbox.method = "bwrap";
     sandbox.autodetectCliPaths = true;
+    sandbox.whitelistWayland = true;
+
     mime.associations."application/pdf" = "org.gnome.Evince.desktop";
   };
 }

hosts/common/programs/firefox.nix

@@ -238,6 +238,7 @@ in
         sandbox.net = "all";
         sandbox.whitelistAudio = true;
         sandbox.whitelistDbus = [ "user" ];  # mpris
+        sandbox.whitelistWayland = true;
         sandbox.extraHomePaths = [
           "dev"  # for developing anything web-related
           "tmp"

hosts/common/programs/fractal.nix

@@ -33,6 +33,7 @@ in
     sandbox.whitelistAudio = true;
     sandbox.whitelistDbus = [ "user" ];  # notifications
     sandbox.whitelistDri = true;  # otherwise video playback buuuuurns CPU
+    sandbox.whitelistWayland = true;
 
     configOption = with lib; mkOption {
       default = {};

hosts/common/programs/frozen-bubble.nix

@@ -6,6 +6,8 @@
     sandbox.wrapperType = "wrappedDerivation";
     sandbox.net = "clearnet";  # net play
     sandbox.whitelistAudio = true;
+    sandbox.whitelistWayland = true;
+
     packageUnwrapped = pkgs.frozen-bubble.overrideAttrs (upstream: {
       # patch so it stores its dot-files not in root ~.
       postPatch = (upstream.postPatch or "") + ''
@@ -13,6 +15,7 @@
           --replace-fail '$FBHOME   = "$ENV{HOME}/.frozen-bubble"' '$FBHOME   = "$ENV{HOME}/.local/share/frozen-bubble"'
       '';
     });
+
     persist.byStore.plaintext = [
       ".local/share/frozen-bubble"  # preferences, high scores
     ];

hosts/common/programs/g4music.nix

@@ -12,6 +12,7 @@
     sandbox.wrapperType = "wrappedDerivation";
     sandbox.whitelistAudio = true;
     sandbox.whitelistDbus = [ "user" ];  # mpris
+    sandbox.whitelistWayland = true;
     sandbox.extraHomePaths = [
       "Music"
     ];

hosts/common/programs/geary.nix

@@ -23,6 +23,7 @@ in
     sandbox.wrapperType = "wrappedDerivation";
     sandbox.net = "clearnet";
     sandbox.whitelistDbus = [ "user" ];  # notifications
+    sandbox.whitelistWayland = true;
     sandbox.extraPaths = [
       # geary sandboxes *itself* with bwrap, and dbus-proxy which, confusingly, causes it to *require* these paths.
       # TODO: these could maybe be mounted empty. or maybe there's an env-var to disable geary's dbus-proxy.

hosts/common/programs/gnome-weather.nix

@@ -5,10 +5,12 @@
   sane.programs."gnome.gnome-weather" = {
     sandbox.method = "bwrap";
     sandbox.wrapperType = "inplace";
+    sandbox.whitelistWayland = true;
     sandbox.net = "clearnet";
     sandbox.extraHomePaths = [
       ".config/dconf"  # stores city/location settings
     ];
+
     persist.byStore.plaintext = [
       ".cache/libgweather"
     ];

hosts/common/programs/gpodder.nix

@@ -21,8 +21,10 @@ in {
         "--set" "GPODDER_DOWNLOAD_DIR" "~/Videos/gPodder"
       ];
     });
+
     sandbox.method = "bwrap";
     sandbox.wrapperType = "wrappedDerivation";
+    sandbox.whitelistWayland = true;
     sandbox.net = "clearnet";
     sandbox.extraHomePaths = [ "Videos/gPodder" ];
 

hosts/common/programs/gtkcord4.nix

@@ -37,6 +37,7 @@ in
     sandbox.whitelistAudio = true;
     sandbox.whitelistDbus = [ "user" ];  # notifications
     sandbox.whitelistDri = true;
+    sandbox.whitelistWayland = true;
 
     persist.byStore.private = [
       ".cache/gtkcord4"

hosts/common/programs/handbrake.nix

@@ -4,6 +4,7 @@
     sandbox.method = "landlock";  #< also supports bwrap, but landlock ensures we don't write to non-mounted tmpfs dir
     sandbox.wrapperType = "wrappedDerivation";
     sandbox.whitelistDbus = [ "user" ];  # notifications
+    sandbox.whitelistWayland = true;
     sandbox.extraHomePaths = [
       "Music"
       "Pictures"  # i have some videos in there too.

hosts/common/programs/kdenlive.nix

@@ -14,6 +14,8 @@
     sandbox.whitelistAudio = true;
     sandbox.whitelistDbus = [ "user" ];  # notifications
     sandbox.whitelistDri = true;
+    sandbox.whitelistWayland = true;
+
     packageUnwrapped = pkgs.kdenlive.override {
       ffmpeg-full = pkgs.ffmpeg-full.override {
         # avoid expensive samba build for a feature i don't use

hosts/common/programs/komikku.nix

@@ -5,6 +5,8 @@
     sandbox.wrapperType = "wrappedDerivation";
     sandbox.net = "clearnet";
     sandbox.whitelistDri = true;  #< required
+    sandbox.whitelistWayland = true;
+
     secrets.".local/share/komikku/keyrings/plaintext.keyring" = ../../../secrets/common/komikku_accounts.json.bin;
     # downloads end up here, and without the toplevel database komikku doesn't know they exist.
     persist.byStore.plaintext = [

hosts/common/programs/koreader/default.nix

@@ -49,10 +49,12 @@ in {
     sandbox.wrapperType = "wrappedDerivation";
     sandbox.net = "clearnet";
     sandbox.whitelistDri = true;  # reduces startup time and subjective page flip time
+    sandbox.whitelistWayland = true;
     sandbox.extraHomePaths = [
       "Books"
       "Books/servo"
     ];
+
     # koreader applies these lua "patches" at boot:
     # - <https://github.com/koreader/koreader/wiki/User-patches>
     # the naming is IMPORTANT. these must start with a `2-` in order to be invoked during the right initialization phase

hosts/common/programs/libreoffice.nix

@@ -7,6 +7,7 @@
     # packageUnwrapped = pkgs.libreoffice-still;
     packageUnwrapped = pkgs.libreoffice-fresh;
     sandbox.method = "bwrap";
+    sandbox.whitelistWayland = true;
     sandbox.autodetectCliPaths = true;
     sandbox.extraHomePaths = [
       # allow a spot to save files.

hosts/common/programs/loupe.nix

@@ -3,6 +3,7 @@
   sane.programs.loupe = {
     sandbox.method = "bwrap";
     sandbox.wrapperType = "wrappedDerivation";
+    sandbox.whitelistWayland = true;
     sandbox.extraHomePaths = [
       "Pictures"
       "Pictures/servo-macros"
@@ -13,6 +14,7 @@
       "ref"
       "tmp"
     ];
+
     mime.associations = {
       "image/gif" = "org.gnome.Loupe.desktop";
       "image/heif" = "org.gnome.Loupe.desktop";  # apple codec

hosts/common/programs/nicotine-plus.nix

@@ -9,9 +9,12 @@
         rm $out/bin/nicotine-plus
       '';
     });
+
     sandbox.method = "firejail";
     sandbox.wrapperType = "wrappedDerivation";
+    sandbox.whitelistWayland = true;
     sandbox.net = "vpn";
+
     # ".config/nicotine": contains the config file, with plaintext creds.
     # TODO: define this as a secret instead of persisting it.
     persist.byStore.private = [ ".config/nicotine" ];

hosts/common/programs/signal-desktop.nix

@@ -26,7 +26,7 @@ in
     sandbox.wrapperType = "wrappedDerivation";
     sandbox.net = "clearnet";
     sandbox.whitelistAudio = true;
-    # sandbox.whitelistDbus = [ "user" ];  # TODO: needed?
+    sandbox.whitelistWayland = true;
 
     # creds, media
     persist.byStore.private = [

hosts/common/programs/spot.nix

@@ -6,6 +6,7 @@
     sandbox.net = "clearnet";
     sandbox.whitelistAudio = true;
     sandbox.whitelistDbus = [ "user" ];  # mpris
+    sandbox.whitelistWayland = true;
 
     secrets.".cache/spot/librespot/credentials/credentials.json" = ../../../secrets/common/spot_credentials.json.bin;
     persist.byStore.plaintext = [

hosts/common/programs/spotify.nix

@@ -4,8 +4,9 @@
     sandbox.method = "bwrap";
     sandbox.wrapperType = "inplace";  # nontraditional package structure, where binaries live in /share/spotify
     sandbox.net = "clearnet";
-    sandbox.whitelistDbus = [ "user" ];  # mpris
     sandbox.whitelistAudio = true;
+    sandbox.whitelistDbus = [ "user" ];  # mpris
+    sandbox.whitelistWayland = true;
 
     persist.byStore.plaintext = [
       # probably just songs and such (haven't checked)

hosts/common/programs/supertuxkart.nix

@@ -6,6 +6,8 @@
     sandbox.net = "clearnet";  # net play
     sandbox.whitelistAudio = true;
     sandbox.whitelistDri = true;
+    sandbox.whitelistWayland = true;
+
     persist.byStore.plaintext = [
       ".cache/supertuxkart"
       ".config/supertuxkart"

hosts/common/programs/tor-browser.nix

@@ -11,6 +11,7 @@
     sandbox.wrapperType = "inplace";
     sandbox.net = "clearnet";  # tor over VPN wouldn't make sense
     sandbox.whitelistAudio = true;
+    sandbox.whitelistWayland = true;
     persist.byStore.cryptClearOnBoot = [
       ".local/share/tor-browser"
     ];

hosts/common/programs/tuba.nix

@@ -6,6 +6,7 @@
     sandbox.net = "clearnet";
     sandbox.whitelistAudio = true;
     sandbox.whitelistDbus = [ "user" ];  # notifications
+    sandbox.whitelistWayland = true;
     suggestedPrograms = [ "gnome-keyring" ];
   };
 }

hosts/common/programs/vlc.nix

@@ -20,6 +20,7 @@ in
     sandbox.autodetectCliPaths = true;
     sandbox.whitelistAudio = true;
     sandbox.whitelistDbus = [ "user" ];  # mpris
+    sandbox.whitelistWayland = true;
     persist.byStore.private = [
       # vlc remembers play position in ~/.config/vlc/vlc-qt-interface.conf
       # filenames are stored in plaintext (unlike mpv, which i think hashes them)

hosts/common/programs/wike.nix

@@ -5,6 +5,7 @@
     sandbox.wrapperType = "inplace";  # share/wike/wike-sp refers back to the binaries and share
     sandbox.net = "clearnet";
     sandbox.whitelistAudio = true;
+    sandbox.whitelistWayland = true;
     sandbox.extraPaths = [
       # wike sandboxes *itself* with bwrap, and dbus-proxy which, confusingly, causes it to *require* these paths.
       # TODO: these could maybe be mounted empty.

hosts/common/programs/wireshark.nix

@@ -6,12 +6,14 @@ in
   sane.programs.wireshark = {
     sandbox.method = "landlock";
     sandbox.wrapperType = "wrappedDerivation";
+    sandbox.whitelistWayland = true;
     sandbox.net = "all";
+    sandbox.capabilities = [ "net_admin" "net_raw" ];
     sandbox.extraPaths = [
       "/proc/net"  #< only needed if using landlock
     ];
+
     fs.".config/wireshark".dir = {};
-    sandbox.capabilities = [ "net_admin" "net_raw" ];
     slowToBuild = true;
   };
 }

modules/programs/default.nix

@@ -389,7 +389,7 @@ let
       };
       sandbox.whitelistWayland = mkOption {
         type = types.bool;
-        default = true;  #< TODO: harden default!
+        default = false;
         description = ''
           allow sandbox to communicate with the wayland server.
           note that this does NOT permit access to compositor admin tooling like `swaymsg`.