programs: sandboxing: only permit wayland socket access to those specific apps which require it
parent
548a95a7e1
commit
080bd856ec
|
@ -29,8 +29,11 @@
|
|||
];
|
||||
});
|
||||
};
|
||||
|
||||
sandbox.method = "bwrap";
|
||||
sandbox.wrapperType = "wrappedDerivation";
|
||||
sandbox.whitelistWayland = true;
|
||||
|
||||
persist.byStore.plaintext = [
|
||||
# ".config/Holy Pangolin/Animatch" #< used for SuperDerpy config (e.g. debug, disableTouch, fullscreen, enable sound, etc). SuperDerpy.ini
|
||||
".local/share/Holy Pangolin/Animatch" #< used for game state (level clears). SuperDerpy.ini
|
||||
|
|
|
@ -225,6 +225,7 @@ in
|
|||
blanket.sandbox.wrapperType = "wrappedDerivation";
|
||||
blanket.sandbox.whitelistAudio = true;
|
||||
# blanket.sandbox.whitelistDbus = [ "user" ]; # TODO: untested
|
||||
blanket.sandbox.whitelistWayland = true;
|
||||
|
||||
brightnessctl.sandbox.method = "landlock"; # also bwrap, but landlock is more responsive
|
||||
brightnessctl.sandbox.wrapperType = "wrappedDerivation";
|
||||
|
@ -244,6 +245,7 @@ in
|
|||
delfin.sandbox.whitelistAudio = true;
|
||||
# delfin.sandbox.whitelistDbus = [ "user" ]; # TODO: untested
|
||||
delfin.sandbox.whitelistDri = true;
|
||||
delfin.sandbox.whitelistWayland = true;
|
||||
delfin.sandbox.net = "clearnet";
|
||||
delfin.persist.byStore.private = [ ".config/delfin" ];
|
||||
|
||||
|
@ -252,6 +254,7 @@ in
|
|||
discord.sandbox.wrapperType = "inplace"; #< /opt-style packaging
|
||||
discord.sandbox.whitelistAudio = true;
|
||||
# discord.sandbox.whitelistDbus = [ "user" ]; # TODO: untested
|
||||
discord.sandbox.whitelistWayland = true;
|
||||
discord.sandbox.net = "clearnet";
|
||||
discord.persist.byStore.private = [ ".config/discord" ];
|
||||
|
||||
|
@ -298,6 +301,7 @@ in
|
|||
fuzzel.sandbox.enable = false;
|
||||
fuzzel.sandbox.method = "bwrap"; #< landlock nearly works, but unable to open ~/.cache
|
||||
fuzzel.sandbox.wrapperType = "wrappedDerivation";
|
||||
fuzzel.sandbox.whitelistWayland = true;
|
||||
fuzzel.persist.byStore.private = [ ".cache/fuzzel" ]; #< this is a file of recent selections
|
||||
|
||||
gawk.sandbox.method = "bwrap"; # TODO:sandbox: untested
|
||||
|
@ -315,6 +319,7 @@ in
|
|||
|
||||
gimp.sandbox.method = "bwrap";
|
||||
gimp.sandbox.wrapperType = "wrappedDerivation";
|
||||
gimp.sandbox.whitelistWayland = true;
|
||||
gimp.sandbox.extraHomePaths = [
|
||||
"Pictures"
|
||||
"Pictures/servo-macros"
|
||||
|
@ -326,19 +331,23 @@ in
|
|||
|
||||
"gnome.gnome-calculator".sandbox.method = "bwrap";
|
||||
"gnome.gnome-calculator".sandbox.wrapperType = "inplace"; # /libexec/gnome-calculator-search-provider
|
||||
"gnome.gnome-calculator".sandbox.whitelistWayland = true;
|
||||
|
||||
# gnome-calendar surely has data to persist, but i use it strictly to do date math, not track events.
|
||||
"gnome.gnome-calendar".sandbox.method = "bwrap";
|
||||
"gnome.gnome-calendar".sandbox.wrapperType = "wrappedDerivation";
|
||||
"gnome.gnome-calendar".sandbox.whitelistWayland = true;
|
||||
|
||||
"gnome.gnome-clocks".sandbox.method = "bwrap";
|
||||
"gnome.gnome-clocks".sandbox.wrapperType = "wrappedDerivation";
|
||||
"gnome.gnome-clocks".sandbox.whitelistWayland = true;
|
||||
"gnome.gnome-clocks".persist.byStore.private = [
|
||||
".config/dconf"
|
||||
];
|
||||
|
||||
gnome-2048.sandbox.method = "bwrap";
|
||||
gnome-2048.sandbox.wrapperType = "wrappedDerivation";
|
||||
gnome-2048.sandbox.whitelistWayland = true;
|
||||
gnome-2048.persist.byStore.plaintext = [ ".local/share/gnome-2048/scores" ];
|
||||
|
||||
# TODO: gnome-maps: move to own file
|
||||
|
@ -352,11 +361,13 @@ in
|
|||
# - win once (1) and (2) are satisfied
|
||||
"gnome.hitori".sandbox.method = "bwrap";
|
||||
"gnome.hitori".sandbox.wrapperType = "wrappedDerivation";
|
||||
"gnome.hitori".sandbox.whitelistWayland = true;
|
||||
|
||||
# jq.sandbox.autodetectCliPaths = true; # liable to over-detect
|
||||
|
||||
krita.sandbox.method = "bwrap";
|
||||
krita.sandbox.wrapperType = "wrappedDerivation";
|
||||
krita.sandbox.whitelistWayland = true;
|
||||
krita.sandbox.autodetectCliPaths = "existing";
|
||||
krita.sandbox.extraHomePaths = [
|
||||
"dev"
|
||||
|
@ -387,9 +398,11 @@ in
|
|||
|
||||
pavucontrol.sandbox.method = "bwrap";
|
||||
pavucontrol.sandbox.wrapperType = "wrappedDerivation";
|
||||
pavucontrol.sandbox.whitelistWayland = true;
|
||||
|
||||
pwvucontrol.sandbox.method = "bwrap";
|
||||
pwvucontrol.sandbox.wrapperType = "wrappedDerivation";
|
||||
pwvucontrol.sandbox.whitelistWayland = true;
|
||||
|
||||
python3-repl.packageUnwrapped = pkgs.python3.withPackages (ps: with ps; [
|
||||
requests
|
||||
|
@ -432,6 +445,7 @@ in
|
|||
superTux.sandbox.wrapperType = "wrappedDerivation";
|
||||
superTux.sandbox.whitelistAudio = true;
|
||||
superTux.sandbox.whitelistDri = true;
|
||||
superTux.sandbox.whitelistWayland = true;
|
||||
superTux.persist.byStore.plaintext = [ ".local/share/supertux2" ];
|
||||
|
||||
swaylock.sandbox.enable = false; #< neither landlock nor bwrap works. pam_authenticate failed: invalid credentials. does it rely on SUID?
|
||||
|
@ -463,6 +477,7 @@ in
|
|||
vvvvvv.sandbox.wrapperType = "wrappedDerivation";
|
||||
vvvvvv.sandbox.whitelistAudio = true;
|
||||
vvvvvv.sandbox.whitelistDri = true; #< playable without, but burns noticably more CPU
|
||||
vvvvvv.sandbox.whitelistWayland = true;
|
||||
vvvvvv.persist.byStore.plaintext = [ ".local/share/VVVVVV" ];
|
||||
|
||||
wget.sandbox.method = "bwrap";
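Review bot: `fuzzel.sandbox.whitelistWayland = true;` at L129 is inert for now, because `fuzzel.sandbox.enable = false;` two lines above it switches the whole sandbox off; nothing is gained or lost by the grant until the ~/.cache problem noted in the L123 comment is solved and the sandbox is re-enabled. That is fine as a forward declaration, but a reader auditing which apps actually reach the compositor socket will mis-count this one, so say so on the line: `fuzzel.sandbox.whitelistWayland = true; #< no effect while sandbox.enable = false; kept so the grant is already right when the sandbox is turned back on`. If the intent is instead that fuzzel currently runs unsandboxed and therefore has Wayland anyway, the comment should state that explicitly rather than leaving it to be inferred.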
|
||||
|
|
|
@ -12,6 +12,7 @@
|
|||
sandbox.method = "bwrap";
|
||||
sandbox.wrapperType = "wrappedDerivation";
|
||||
sandbox.whitelistAudio = true;
|
||||
sandbox.whitelistWayland = true;
|
||||
sandbox.autodetectCliPaths = true;
|
||||
sandbox.extraHomePaths = [
|
||||
# support media imports via file->open dir to some common media directories
|
||||
|
|
|
@ -10,6 +10,8 @@
|
|||
];
|
||||
sandbox.whitelistAudio = true;
|
||||
sandbox.whitelistDri = true;
|
||||
sandbox.whitelistWayland = true;
|
||||
|
||||
persist.byStore.cryptClearOnBoot = [
|
||||
".cache/BraveSoftware"
|
||||
".config/BraveSoftware"
|
||||
|
|
|
@ -10,6 +10,8 @@
|
|||
# "/sys/devices/cpu"
|
||||
# "/sys/devices/system"
|
||||
];
|
||||
sandbox.whitelistWayland = true;
|
||||
|
||||
fs.".config/conky/conky.conf".symlink.target =
|
||||
let
|
||||
battery_estimate = pkgs.static-nix-shell.mkBash {
|
||||
|
|
|
@ -6,6 +6,7 @@
|
|||
sandbox.wrapperType = "wrappedDerivation";
|
||||
sandbox.whitelistAudio = true;
|
||||
sandbox.whitelistDbus = [ "user" ]; # mpris
|
||||
sandbox.whitelistWayland = true;
|
||||
sandbox.extraHomePaths = [
|
||||
"Books"
|
||||
"Books/servo"
|
||||
|
|
|
@ -3,6 +3,7 @@
|
|||
sane.programs.dialect = {
|
||||
sandbox.method = "bwrap";
|
||||
sandbox.wrapperType = "inplace"; # share/search_providers/ calls back into the binary, weird wrap semantics
|
||||
sandbox.whitelistWayland = true;
|
||||
sandbox.net = "clearnet";
|
||||
sandbox.extraHomePaths = [
|
||||
".config/dconf" # to persist settings
|
||||
|
|
|
@ -51,6 +51,7 @@ in
|
|||
sandbox.whitelistAudio = true;
|
||||
sandbox.whitelistDbus = [ "user" ]; # notifications
|
||||
sandbox.whitelistDri = true; #< not strictly necessary, but we need all the perf we can get on moby
|
||||
sandbox.whitelistWayland = true;
|
||||
|
||||
persist.byStore.private = [ ".local/share/dino" ];
|
||||
|
||||
|
|
|
@ -13,6 +13,8 @@
|
|||
sandbox.whitelistAudio = true;
|
||||
sandbox.whitelistDbus = [ "user" ]; # notifications
|
||||
sandbox.whitelistDri = true;
|
||||
sandbox.whitelistWayland = true;
|
||||
|
||||
packageUnwrapped = pkgs.element-desktop.override {
|
||||
# use pre-build electron because otherwise it takes 4 hrs to build from source.
|
||||
electron = pkgs.electron-bin;
|
||||
|
|
|
@ -15,6 +15,7 @@
|
|||
# default sandboxing breaks rendering in weird ways. sites are super zoomed in / not scaled.
|
||||
# enabling DRI/DRM (as below) seems to fix that.
|
||||
sandbox.whitelistDri = true;
|
||||
sandbox.whitelistWayland = true;
|
||||
sandbox.extraHomePaths = [
|
||||
".config/epiphany" #< else it gets angry at launch
|
||||
"tmp"
|
||||
|
|
|
@ -3,6 +3,8 @@
|
|||
sane.programs.evince = {
|
||||
sandbox.method = "bwrap";
|
||||
sandbox.autodetectCliPaths = true;
|
||||
sandbox.whitelistWayland = true;
|
||||
|
||||
mime.associations."application/pdf" = "org.gnome.Evince.desktop";
|
||||
};
|
||||
}
|
||||
|
|
|
@ -238,6 +238,7 @@ in
|
|||
sandbox.net = "all";
|
||||
sandbox.whitelistAudio = true;
|
||||
sandbox.whitelistDbus = [ "user" ]; # mpris
|
||||
sandbox.whitelistWayland = true;
|
||||
sandbox.extraHomePaths = [
|
||||
"dev" # for developing anything web-related
|
||||
"tmp"
|
||||
|
|
|
@ -33,6 +33,7 @@ in
|
|||
sandbox.whitelistAudio = true;
|
||||
sandbox.whitelistDbus = [ "user" ]; # notifications
|
||||
sandbox.whitelistDri = true; # otherwise video playback buuuuurns CPU
|
||||
sandbox.whitelistWayland = true;
|
||||
|
||||
configOption = with lib; mkOption {
|
||||
default = {};
|
||||
|
|
|
@ -6,6 +6,8 @@
|
|||
sandbox.wrapperType = "wrappedDerivation";
|
||||
sandbox.net = "clearnet"; # net play
|
||||
sandbox.whitelistAudio = true;
|
||||
sandbox.whitelistWayland = true;
|
||||
|
||||
packageUnwrapped = pkgs.frozen-bubble.overrideAttrs (upstream: {
|
||||
# patch so it stores its dot-files not in root ~.
|
||||
postPatch = (upstream.postPatch or "") + ''
|
||||
|
@ -13,6 +15,7 @@
|
|||
--replace-fail '$FBHOME = "$ENV{HOME}/.frozen-bubble"' '$FBHOME = "$ENV{HOME}/.local/share/frozen-bubble"'
|
||||
'';
|
||||
});
|
||||
|
||||
persist.byStore.plaintext = [
|
||||
".local/share/frozen-bubble" # preferences, high scores
|
||||
];
|
||||
|
|
|
@ -12,6 +12,7 @@
|
|||
sandbox.wrapperType = "wrappedDerivation";
|
||||
sandbox.whitelistAudio = true;
|
||||
sandbox.whitelistDbus = [ "user" ]; # mpris
|
||||
sandbox.whitelistWayland = true;
|
||||
sandbox.extraHomePaths = [
|
||||
"Music"
|
||||
];
|
||||
|
|
|
@ -23,6 +23,7 @@ in
|
|||
sandbox.wrapperType = "wrappedDerivation";
|
||||
sandbox.net = "clearnet";
|
||||
sandbox.whitelistDbus = [ "user" ]; # notifications
|
||||
sandbox.whitelistWayland = true;
|
||||
sandbox.extraPaths = [
|
||||
# geary sandboxes *itself* with bwrap, and dbus-proxy which, confusingly, causes it to *require* these paths.
|
||||
# TODO: these could maybe be mounted empty. or maybe there's an env-var to disable geary's dbus-proxy.
|
||||
|
|
|
@ -5,10 +5,12 @@
|
|||
sane.programs."gnome.gnome-weather" = {
|
||||
sandbox.method = "bwrap";
|
||||
sandbox.wrapperType = "inplace";
|
||||
sandbox.whitelistWayland = true;
|
||||
sandbox.net = "clearnet";
|
||||
sandbox.extraHomePaths = [
|
||||
".config/dconf" # stores city/location settings
|
||||
];
|
||||
|
||||
persist.byStore.plaintext = [
|
||||
".cache/libgweather"
|
||||
];
|
||||
|
|
|
@ -21,8 +21,10 @@ in {
|
|||
"--set" "GPODDER_DOWNLOAD_DIR" "~/Videos/gPodder"
|
||||
];
|
||||
});
|
||||
|
||||
sandbox.method = "bwrap";
|
||||
sandbox.wrapperType = "wrappedDerivation";
|
||||
sandbox.whitelistWayland = true;
|
||||
sandbox.net = "clearnet";
|
||||
sandbox.extraHomePaths = [ "Videos/gPodder" ];
|
||||
|
||||
|
|
|
@ -37,6 +37,7 @@ in
|
|||
sandbox.whitelistAudio = true;
|
||||
sandbox.whitelistDbus = [ "user" ]; # notifications
|
||||
sandbox.whitelistDri = true;
|
||||
sandbox.whitelistWayland = true;
|
||||
|
||||
persist.byStore.private = [
|
||||
".cache/gtkcord4"
|
||||
|
|
|
@ -4,6 +4,7 @@
|
|||
sandbox.method = "landlock"; #< also supports bwrap, but landlock ensures we don't write to non-mounted tmpfs dir
|
||||
sandbox.wrapperType = "wrappedDerivation";
|
||||
sandbox.whitelistDbus = [ "user" ]; # notifications
|
||||
sandbox.whitelistWayland = true;
|
||||
sandbox.extraHomePaths = [
|
||||
"Music"
|
||||
"Pictures" # i have some videos in there too.
|
||||
|
|
|
@ -14,6 +14,8 @@
|
|||
sandbox.whitelistAudio = true;
|
||||
sandbox.whitelistDbus = [ "user" ]; # notifications
|
||||
sandbox.whitelistDri = true;
|
||||
sandbox.whitelistWayland = true;
|
||||
|
||||
packageUnwrapped = pkgs.kdenlive.override {
|
||||
ffmpeg-full = pkgs.ffmpeg-full.override {
|
||||
# avoid expensive samba build for a feature i don't use
|
||||
|
|
|
@ -5,6 +5,8 @@
|
|||
sandbox.wrapperType = "wrappedDerivation";
|
||||
sandbox.net = "clearnet";
|
||||
sandbox.whitelistDri = true; #< required
|
||||
sandbox.whitelistWayland = true;
|
||||
|
||||
secrets.".local/share/komikku/keyrings/plaintext.keyring" = ../../../secrets/common/komikku_accounts.json.bin;
|
||||
# downloads end up here, and without the toplevel database komikku doesn't know they exist.
|
||||
persist.byStore.plaintext = [
|
||||
|
|
|
@ -49,10 +49,12 @@ in {
|
|||
sandbox.wrapperType = "wrappedDerivation";
|
||||
sandbox.net = "clearnet";
|
||||
sandbox.whitelistDri = true; # reduces startup time and subjective page flip time
|
||||
sandbox.whitelistWayland = true;
|
||||
sandbox.extraHomePaths = [
|
||||
"Books"
|
||||
"Books/servo"
|
||||
];
|
||||
|
||||
# koreader applies these lua "patches" at boot:
|
||||
# - <https://github.com/koreader/koreader/wiki/User-patches>
|
||||
# the naming is IMPORTANT. these must start with a `2-` in order to be invoked during the right initialization phase
|
||||
|
|
|
@ -7,6 +7,7 @@
|
|||
# packageUnwrapped = pkgs.libreoffice-still;
|
||||
packageUnwrapped = pkgs.libreoffice-fresh;
|
||||
sandbox.method = "bwrap";
|
||||
sandbox.whitelistWayland = true;
|
||||
sandbox.autodetectCliPaths = true;
|
||||
sandbox.extraHomePaths = [
|
||||
# allow a spot to save files.
|
||||
|
|
|
@ -3,6 +3,7 @@
|
|||
sane.programs.loupe = {
|
||||
sandbox.method = "bwrap";
|
||||
sandbox.wrapperType = "wrappedDerivation";
|
||||
sandbox.whitelistWayland = true;
|
||||
sandbox.extraHomePaths = [
|
||||
"Pictures"
|
||||
"Pictures/servo-macros"
|
||||
|
@ -13,6 +14,7 @@
|
|||
"ref"
|
||||
"tmp"
|
||||
];
|
||||
|
||||
mime.associations = {
|
||||
"image/gif" = "org.gnome.Loupe.desktop";
|
||||
"image/heif" = "org.gnome.Loupe.desktop"; # apple codec
|
||||
|
|
|
@ -9,9 +9,12 @@
|
|||
rm $out/bin/nicotine-plus
|
||||
'';
|
||||
});
|
||||
|
||||
sandbox.method = "firejail";
|
||||
sandbox.wrapperType = "wrappedDerivation";
|
||||
sandbox.whitelistWayland = true;
|
||||
sandbox.net = "vpn";
|
||||
|
||||
# ".config/nicotine": contains the config file, with plaintext creds.
|
||||
# TODO: define this as a secret instead of persisting it.
|
||||
persist.byStore.private = [ ".config/nicotine" ];
|
||||
|
|
|
@ -26,7 +26,7 @@ in
|
|||
sandbox.wrapperType = "wrappedDerivation";
|
||||
sandbox.net = "clearnet";
|
||||
sandbox.whitelistAudio = true;
|
||||
# sandbox.whitelistDbus = [ "user" ]; # TODO: needed?
|
||||
sandbox.whitelistWayland = true;
|
||||
|
||||
# creds, media
|
||||
persist.byStore.private = [
|
||||
|
|
|
@ -6,6 +6,7 @@
|
|||
sandbox.net = "clearnet";
|
||||
sandbox.whitelistAudio = true;
|
||||
sandbox.whitelistDbus = [ "user" ]; # mpris
|
||||
sandbox.whitelistWayland = true;
|
||||
|
||||
secrets.".cache/spot/librespot/credentials/credentials.json" = ../../../secrets/common/spot_credentials.json.bin;
|
||||
persist.byStore.plaintext = [
|
||||
|
|
|
@ -4,8 +4,9 @@
|
|||
sandbox.method = "bwrap";
|
||||
sandbox.wrapperType = "inplace"; # nontraditional package structure, where binaries live in /share/spotify
|
||||
sandbox.net = "clearnet";
|
||||
sandbox.whitelistDbus = [ "user" ]; # mpris
|
||||
sandbox.whitelistAudio = true;
|
||||
sandbox.whitelistDbus = [ "user" ]; # mpris
|
||||
sandbox.whitelistWayland = true;
|
||||
|
||||
persist.byStore.plaintext = [
|
||||
# probably just songs and such (haven't checked)
|
||||
|
|
|
@ -6,6 +6,8 @@
|
|||
sandbox.net = "clearnet"; # net play
|
||||
sandbox.whitelistAudio = true;
|
||||
sandbox.whitelistDri = true;
|
||||
sandbox.whitelistWayland = true;
|
||||
|
||||
persist.byStore.plaintext = [
|
||||
".cache/supertuxkart"
|
||||
".config/supertuxkart"
|
||||
|
|
|
@ -11,6 +11,7 @@
|
|||
sandbox.wrapperType = "inplace";
|
||||
sandbox.net = "clearnet"; # tor over VPN wouldn't make sense
|
||||
sandbox.whitelistAudio = true;
|
||||
sandbox.whitelistWayland = true;
|
||||
persist.byStore.cryptClearOnBoot = [
|
||||
".local/share/tor-browser"
|
||||
];
|
||||
|
|
|
@ -6,6 +6,7 @@
|
|||
sandbox.net = "clearnet";
|
||||
sandbox.whitelistAudio = true;
|
||||
sandbox.whitelistDbus = [ "user" ]; # notifications
|
||||
sandbox.whitelistWayland = true;
|
||||
suggestedPrograms = [ "gnome-keyring" ];
|
||||
};
|
||||
}
|
||||
|
|
|
@ -20,6 +20,7 @@ in
|
|||
sandbox.autodetectCliPaths = true;
|
||||
sandbox.whitelistAudio = true;
|
||||
sandbox.whitelistDbus = [ "user" ]; # mpris
|
||||
sandbox.whitelistWayland = true;
|
||||
persist.byStore.private = [
|
||||
# vlc remembers play position in ~/.config/vlc/vlc-qt-interface.conf
|
||||
# filenames are stored in plaintext (unlike mpv, which i think hashes them)
|
||||
|
|
|
@ -5,6 +5,7 @@
|
|||
sandbox.wrapperType = "inplace"; # share/wike/wike-sp refers back to the binaries and share
|
||||
sandbox.net = "clearnet";
|
||||
sandbox.whitelistAudio = true;
|
||||
sandbox.whitelistWayland = true;
|
||||
sandbox.extraPaths = [
|
||||
# wike sandboxes *itself* with bwrap, and dbus-proxy which, confusingly, causes it to *require* these paths.
|
||||
# TODO: these could maybe be mounted empty.
|
||||
|
|
|
@ -6,12 +6,14 @@ in
|
|||
sane.programs.wireshark = {
|
||||
sandbox.method = "landlock";
|
||||
sandbox.wrapperType = "wrappedDerivation";
|
||||
sandbox.whitelistWayland = true;
|
||||
sandbox.net = "all";
|
||||
sandbox.capabilities = [ "net_admin" "net_raw" ];
|
||||
sandbox.extraPaths = [
|
||||
"/proc/net" #< only needed if using landlock
|
||||
];
|
||||
|
||||
fs.".config/wireshark".dir = {};
|
||||
sandbox.capabilities = [ "net_admin" "net_raw" ];
|
||||
slowToBuild = true;
|
||||
};
|
||||
}
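Review bot: `sandbox.whitelistWayland = true;` at L1351 sits under `sandbox.method = "landlock";` at L1345, and Landlock's filesystem access rights do not govern `connect()` on a path-bound Unix socket (the kernel documentation lists IPC, including Unix domain sockets, as not yet restricted), so unless the wrapper also strips `WAYLAND_DISPLAY`/`XDG_RUNTIME_DIR` for non-whitelisted programs, this flag presumably only changes anything under the bwrap method and is advisory here. Worth confirming against the sandbox implementation (not visible in this diff) and, if so, recording it next to the flag, e.g. `sandbox.whitelistWayland = true; #< informational under landlock: the socket is reachable regardless; enforced only by bwrap`. The same caveat applies to the other landlock-method entry that gains the flag in this commit (the `@ -4,6 +4,7 @@` section with the `Music`/`Pictures` home paths). The option default flip elsewhere in the commit is the right direction, but its effect on landlock-sandboxed programs should be stated so the hardening is not assumed where it does not apply.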
|
||||
|
|
|
@ -389,7 +389,7 @@ let
|
|||
};
|
||||
sandbox.whitelistWayland = mkOption {
|
||||
type = types.bool;
|
||||
default = true; #< TODO: harden default!
|
||||
default = false;
|
||||
description = ''
|
||||
allow sandbox to communicate with the wayland server.
|
||||
note that this does NOT permit access to compositor admin tooling like `swaymsg`.
|
||||
|
|