diff --git a/hosts/common/programs/animatch.nix b/hosts/common/programs/animatch.nix
index ed0de738..c18c55b8 100644
--- a/hosts/common/programs/animatch.nix
+++ b/hosts/common/programs/animatch.nix
@@ -29,8 +29,11 @@
 ];
 });
 };
+ sandbox.method = "bwrap";
 sandbox.wrapperType = "wrappedDerivation";
+ sandbox.whitelistWayland = true;
+
 persist.byStore.plaintext = [
 # ".config/Holy Pangolin/Animatch" #< used for SuperDerpy config (e.g. debug, disableTouch, fullscreen, enable sound, etc). SuperDerpy.ini
 ".local/share/Holy Pangolin/Animatch" #< used for game state (level clears). SuperDerpy.ini
diff --git a/hosts/common/programs/assorted.nix b/hosts/common/programs/assorted.nix
index 379535b9..aeb7ab6e 100644
--- a/hosts/common/programs/assorted.nix
+++ b/hosts/common/programs/assorted.nix
@@ -225,6 +225,7 @@ in
 blanket.sandbox.wrapperType = "wrappedDerivation";
 blanket.sandbox.whitelistAudio = true;
 # blanket.sandbox.whitelistDbus = [ "user" ]; # TODO: untested
+ blanket.sandbox.whitelistWayland = true;
 brightnessctl.sandbox.method = "landlock"; # also bwrap, but landlock is more responsive
 brightnessctl.sandbox.wrapperType = "wrappedDerivation";
@@ -244,6 +245,7 @@ in
 delfin.sandbox.whitelistAudio = true;
 # delfin.sandbox.whitelistDbus = [ "user" ]; # TODO: untested
 delfin.sandbox.whitelistDri = true;
+ delfin.sandbox.whitelistWayland = true;
 delfin.sandbox.net = "clearnet";
 delfin.persist.byStore.private = [ ".config/delfin" ];
@@ -252,6 +254,7 @@ in
 discord.sandbox.wrapperType = "inplace"; #< /opt-style packaging
 discord.sandbox.whitelistAudio = true;
 # discord.sandbox.whitelistDbus = [ "user" ]; # TODO: untested
+ discord.sandbox.whitelistWayland = true;
 discord.sandbox.net = "clearnet";
 discord.persist.byStore.private = [ ".config/discord" ];
@@ -298,6 +301,7 @@ in
 fuzzel.sandbox.enable = false;
 fuzzel.sandbox.method = "bwrap"; #< landlock nearly works, but unable to open ~/.cache
 fuzzel.sandbox.wrapperType = "wrappedDerivation";
+ fuzzel.sandbox.whitelistWayland = true;
 fuzzel.persist.byStore.private = [ ".cache/fuzzel" ]; #< this is a file of recent selections
 gawk.sandbox.method = "bwrap"; # TODO:sandbox: untested
@@ -315,6 +319,7 @@ in
 gimp.sandbox.method = "bwrap";
 gimp.sandbox.wrapperType = "wrappedDerivation";
+ gimp.sandbox.whitelistWayland = true;
 gimp.sandbox.extraHomePaths = [
 "Pictures"
 "Pictures/servo-macros"
@@ -326,19 +331,23 @@ in
 "gnome.gnome-calculator".sandbox.method = "bwrap";
 "gnome.gnome-calculator".sandbox.wrapperType = "inplace"; # /libexec/gnome-calculator-search-provider
+ "gnome.gnome-calculator".sandbox.whitelistWayland = true;
 # gnome-calendar surely has data to persist, but i use it strictly to do date math, not track events.
 "gnome.gnome-calendar".sandbox.method = "bwrap";
 "gnome.gnome-calendar".sandbox.wrapperType = "wrappedDerivation";
+ "gnome.gnome-calendar".sandbox.whitelistWayland = true;
 "gnome.gnome-clocks".sandbox.method = "bwrap";
 "gnome.gnome-clocks".sandbox.wrapperType = "wrappedDerivation";
+ "gnome.gnome-clocks".sandbox.whitelistWayland = true;
 "gnome.gnome-clocks".persist.byStore.private = [ ".config/dconf" ];
 gnome-2048.sandbox.method = "bwrap";
 gnome-2048.sandbox.wrapperType = "wrappedDerivation";
+ gnome-2048.sandbox.whitelistWayland = true;
 gnome-2048.persist.byStore.plaintext = [ ".local/share/gnome-2048/scores" ];
 # TODO: gnome-maps: move to own file
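Review bot: `fuzzel.sandbox.whitelistWayland = true;` is added under an entry whose first line is `fuzzel.sandbox.enable = false;`, so the new whitelist presumably has no effect until that sandbox is re-enabled. If the intent is to pre-declare what fuzzel will need once the bwrap/landlock issue noted on the `method` line is fixed, say so inline, e.g. `fuzzel.sandbox.whitelistWayland = true; #< no-op while sandbox.enable = false; declared so the sandbox is complete once re-enabled`. The swaylock entry later in this file is the contrasting case: its sandbox is also disabled and no whitelist was added there, so a reader cannot tell which treatment is deliberate.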
@@ -352,11 +361,13 @@ in
 # - win once (1) and (2) are satisfied
 "gnome.hitori".sandbox.method = "bwrap";
 "gnome.hitori".sandbox.wrapperType = "wrappedDerivation";
+ "gnome.hitori".sandbox.whitelistWayland = true;
 # jq.sandbox.autodetectCliPaths = true; # liable to over-detect
 krita.sandbox.method = "bwrap";
 krita.sandbox.wrapperType = "wrappedDerivation";
+ krita.sandbox.whitelistWayland = true;
 krita.sandbox.autodetectCliPaths = "existing";
 krita.sandbox.extraHomePaths = [
 "dev"
@@ -387,9 +398,11 @@ in
 pavucontrol.sandbox.method = "bwrap";
 pavucontrol.sandbox.wrapperType = "wrappedDerivation";
+ pavucontrol.sandbox.whitelistWayland = true;
 pwvucontrol.sandbox.method = "bwrap";
 pwvucontrol.sandbox.wrapperType = "wrappedDerivation";
+ pwvucontrol.sandbox.whitelistWayland = true;
 python3-repl.packageUnwrapped = pkgs.python3.withPackages (ps: with ps; [
 requests
@@ -432,6 +445,7 @@ in
 superTux.sandbox.wrapperType = "wrappedDerivation";
 superTux.sandbox.whitelistAudio = true;
 superTux.sandbox.whitelistDri = true;
+ superTux.sandbox.whitelistWayland = true;
 superTux.persist.byStore.plaintext = [ ".local/share/supertux2" ];
 swaylock.sandbox.enable = false; #< neither landlock nor bwrap works. pam_authenticate failed: invalid credentials. does it rely on SUID?
@@ -463,6 +477,7 @@ in
 vvvvvv.sandbox.wrapperType = "wrappedDerivation";
 vvvvvv.sandbox.whitelistAudio = true;
 vvvvvv.sandbox.whitelistDri = true; #< playable without, but burns noticably more CPU
+ vvvvvv.sandbox.whitelistWayland = true;
 vvvvvv.persist.byStore.plaintext = [ ".local/share/VVVVVV" ];
 wget.sandbox.method = "bwrap";
diff --git a/hosts/common/programs/audacity.nix b/hosts/common/programs/audacity.nix
index a94edebf..e27194bd 100644
--- a/hosts/common/programs/audacity.nix
+++ b/hosts/common/programs/audacity.nix
@@ -12,6 +12,7 @@
 sandbox.method = "bwrap";
 sandbox.wrapperType = "wrappedDerivation";
 sandbox.whitelistAudio = true;
+ sandbox.whitelistWayland = true;
 sandbox.autodetectCliPaths = true;
 sandbox.extraHomePaths = [
 # support media imports via file->open dir to some common media directories
diff --git a/hosts/common/programs/brave.nix b/hosts/common/programs/brave.nix
index 11f631f3..fad2fca1 100644
--- a/hosts/common/programs/brave.nix
+++ b/hosts/common/programs/brave.nix
@@ -10,6 +10,8 @@
 ];
 sandbox.whitelistAudio = true;
 sandbox.whitelistDri = true;
+ sandbox.whitelistWayland = true;
+
 persist.byStore.cryptClearOnBoot = [
 ".cache/BraveSoftware"
 ".config/BraveSoftware"
diff --git a/hosts/common/programs/conky/default.nix b/hosts/common/programs/conky/default.nix
index 54bdcfc4..be1d99a8 100644
--- a/hosts/common/programs/conky/default.nix
+++ b/hosts/common/programs/conky/default.nix
@@ -10,6 +10,8 @@
 # "/sys/devices/cpu"
 # "/sys/devices/system"
 ];
+ sandbox.whitelistWayland = true;
+
 fs.".config/conky/conky.conf".symlink.target = let
 battery_estimate = pkgs.static-nix-shell.mkBash {
diff --git a/hosts/common/programs/cozy.nix b/hosts/common/programs/cozy.nix
index 69613bfe..66d8e279 100644
--- a/hosts/common/programs/cozy.nix
+++ b/hosts/common/programs/cozy.nix
@@ -6,6 +6,7 @@
 sandbox.wrapperType = "wrappedDerivation";
 sandbox.whitelistAudio = true;
 sandbox.whitelistDbus = [ "user" ]; # mpris
+ sandbox.whitelistWayland = true;
 sandbox.extraHomePaths = [
 "Books"
 "Books/servo"
diff --git a/hosts/common/programs/dialect.nix b/hosts/common/programs/dialect.nix
index 29e9a7e8..0cc6fc7a 100644
--- a/hosts/common/programs/dialect.nix
+++ b/hosts/common/programs/dialect.nix
@@ -3,6 +3,7 @@ sane.programs.dialect = {
 sandbox.method = "bwrap";
 sandbox.wrapperType = "inplace"; # share/search_providers/ calls back into the binary, weird wrap semantics
+ sandbox.whitelistWayland = true;
 sandbox.net = "clearnet";
 sandbox.extraHomePaths = [
 ".config/dconf" # to persist settings
diff --git a/hosts/common/programs/dino.nix b/hosts/common/programs/dino.nix
index f19b937f..da27a24e 100644
--- a/hosts/common/programs/dino.nix
+++ b/hosts/common/programs/dino.nix
@@ -51,6 +51,7 @@ in
 sandbox.whitelistAudio = true;
 sandbox.whitelistDbus = [ "user" ]; # notifications
 sandbox.whitelistDri = true; #< not strictly necessary, but we need all the perf we can get on moby
+ sandbox.whitelistWayland = true;
 persist.byStore.private = [
 ".local/share/dino"
 ];
diff --git a/hosts/common/programs/element-desktop.nix b/hosts/common/programs/element-desktop.nix
index 02c386c5..e6857c66 100644
--- a/hosts/common/programs/element-desktop.nix
+++ b/hosts/common/programs/element-desktop.nix
@@ -13,6 +13,8 @@
 sandbox.whitelistAudio = true;
 sandbox.whitelistDbus = [ "user" ]; # notifications
 sandbox.whitelistDri = true;
+ sandbox.whitelistWayland = true;
+
 packageUnwrapped = pkgs.element-desktop.override {
 # use pre-build electron because otherwise it takes 4 hrs to build from source.
 electron = pkgs.electron-bin;
diff --git a/hosts/common/programs/epiphany.nix b/hosts/common/programs/epiphany.nix
index 6f0d1d60..5a283641 100644
--- a/hosts/common/programs/epiphany.nix
+++ b/hosts/common/programs/epiphany.nix
@@ -15,6 +15,7 @@
 # default sandboxing breaks rendering in weird ways. sites are super zoomed in / not scaled.
 # enabling DRI/DRM (as below) seems to fix that.
 sandbox.whitelistDri = true;
+ sandbox.whitelistWayland = true;
 sandbox.extraHomePaths = [
 ".config/epiphany" #< else it gets angry at launch
 "tmp"
diff --git a/hosts/common/programs/evince.nix b/hosts/common/programs/evince.nix
index d4aeb37a..2fa30c41 100644
--- a/hosts/common/programs/evince.nix
+++ b/hosts/common/programs/evince.nix
@@ -3,6 +3,8 @@ sane.programs.evince = {
 sandbox.method = "bwrap";
 sandbox.autodetectCliPaths = true;
+ sandbox.whitelistWayland = true;
+
 mime.associations."application/pdf" = "org.gnome.Evince.desktop";
 };
 }
diff --git a/hosts/common/programs/firefox.nix b/hosts/common/programs/firefox.nix
index b1fa03ce..175dcd49 100644
--- a/hosts/common/programs/firefox.nix
+++ b/hosts/common/programs/firefox.nix
@@ -238,6 +238,7 @@ in
 sandbox.net = "all";
 sandbox.whitelistAudio = true;
 sandbox.whitelistDbus = [ "user" ]; # mpris
+ sandbox.whitelistWayland = true;
 sandbox.extraHomePaths = [
 "dev" # for developing anything web-related
 "tmp"
diff --git a/hosts/common/programs/fractal.nix b/hosts/common/programs/fractal.nix
index 7427dd83..c4f8e7a5 100644
--- a/hosts/common/programs/fractal.nix
+++ b/hosts/common/programs/fractal.nix
@@ -33,6 +33,7 @@ in
 sandbox.whitelistAudio = true;
 sandbox.whitelistDbus = [ "user" ]; # notifications
 sandbox.whitelistDri = true; # otherwise video playback buuuuurns CPU
+ sandbox.whitelistWayland = true;
 configOption = with lib; mkOption {
 default = {};
diff --git a/hosts/common/programs/frozen-bubble.nix b/hosts/common/programs/frozen-bubble.nix
index 2abe974c..382c1fb9 100644
--- a/hosts/common/programs/frozen-bubble.nix
+++ b/hosts/common/programs/frozen-bubble.nix
@@ -6,6 +6,8 @@
 sandbox.wrapperType = "wrappedDerivation";
 sandbox.net = "clearnet"; # net play
 sandbox.whitelistAudio = true;
+ sandbox.whitelistWayland = true;
+
 packageUnwrapped = pkgs.frozen-bubble.overrideAttrs (upstream: {
 # patch so it stores its dot-files not in root ~.
 postPatch = (upstream.postPatch or "") + ''
@@ -13,6 +15,7 @@
 --replace-fail '$FBHOME = "$ENV{HOME}/.frozen-bubble"' '$FBHOME = "$ENV{HOME}/.local/share/frozen-bubble"'
 '';
 });
+
 persist.byStore.plaintext = [
 ".local/share/frozen-bubble" # preferences, high scores
 ];
diff --git a/hosts/common/programs/g4music.nix b/hosts/common/programs/g4music.nix
index c2915faa..1ad30364 100644
--- a/hosts/common/programs/g4music.nix
+++ b/hosts/common/programs/g4music.nix
@@ -12,6 +12,7 @@
 sandbox.wrapperType = "wrappedDerivation";
 sandbox.whitelistAudio = true;
 sandbox.whitelistDbus = [ "user" ]; # mpris
+ sandbox.whitelistWayland = true;
 sandbox.extraHomePaths = [
 "Music"
 ];
diff --git a/hosts/common/programs/geary.nix b/hosts/common/programs/geary.nix
index dc9f1cfa..e6f538ef 100644
--- a/hosts/common/programs/geary.nix
+++ b/hosts/common/programs/geary.nix
@@ -23,6 +23,7 @@ in
 sandbox.wrapperType = "wrappedDerivation";
 sandbox.net = "clearnet";
 sandbox.whitelistDbus = [ "user" ]; # notifications
+ sandbox.whitelistWayland = true;
 sandbox.extraPaths = [
 # geary sandboxes *itself* with bwrap, and dbus-proxy which, confusingly, causes it to *require* these paths.
 # TODO: these could maybe be mounted empty. or maybe there's an env-var to disable geary's dbus-proxy.
diff --git a/hosts/common/programs/gnome-weather.nix b/hosts/common/programs/gnome-weather.nix
index 8216f648..fa181d13 100644
--- a/hosts/common/programs/gnome-weather.nix
+++ b/hosts/common/programs/gnome-weather.nix
@@ -5,10 +5,12 @@ sane.programs."gnome.gnome-weather" = {
 sandbox.method = "bwrap";
 sandbox.wrapperType = "inplace";
+ sandbox.whitelistWayland = true;
 sandbox.net = "clearnet";
 sandbox.extraHomePaths = [
 ".config/dconf" # stores city/location settings
 ];
+
 persist.byStore.plaintext = [
 ".cache/libgweather"
 ];
diff --git a/hosts/common/programs/gpodder.nix b/hosts/common/programs/gpodder.nix
index 7d2f977a..8fd49331 100644
--- a/hosts/common/programs/gpodder.nix
+++ b/hosts/common/programs/gpodder.nix
@@ -21,8 +21,10 @@ in {
 "--set" "GPODDER_DOWNLOAD_DIR" "~/Videos/gPodder"
 ];
 });
+ sandbox.method = "bwrap";
 sandbox.wrapperType = "wrappedDerivation";
+ sandbox.whitelistWayland = true;
 sandbox.net = "clearnet";
 sandbox.extraHomePaths = [
 "Videos/gPodder"
 ];
diff --git a/hosts/common/programs/gtkcord4.nix b/hosts/common/programs/gtkcord4.nix
index ae027cc5..cccc6bd7 100644
--- a/hosts/common/programs/gtkcord4.nix
+++ b/hosts/common/programs/gtkcord4.nix
@@ -37,6 +37,7 @@ in
 sandbox.whitelistAudio = true;
 sandbox.whitelistDbus = [ "user" ]; # notifications
 sandbox.whitelistDri = true;
+ sandbox.whitelistWayland = true;
 persist.byStore.private = [
 ".cache/gtkcord4"
diff --git a/hosts/common/programs/handbrake.nix b/hosts/common/programs/handbrake.nix
index d2bad68b..660a0801 100644
--- a/hosts/common/programs/handbrake.nix
+++ b/hosts/common/programs/handbrake.nix
@@ -4,6 +4,7 @@
 sandbox.method = "landlock"; #< also supports bwrap, but landlock ensures we don't write to non-mounted tmpfs dir
 sandbox.wrapperType = "wrappedDerivation";
 sandbox.whitelistDbus = [ "user" ]; # notifications
+ sandbox.whitelistWayland = true;
 sandbox.extraHomePaths = [
 "Music"
 "Pictures" # i have some videos in there too.
diff --git a/hosts/common/programs/kdenlive.nix b/hosts/common/programs/kdenlive.nix
index 6f91bbc9..d8763776 100644
--- a/hosts/common/programs/kdenlive.nix
+++ b/hosts/common/programs/kdenlive.nix
@@ -14,6 +14,8 @@
 sandbox.whitelistAudio = true;
 sandbox.whitelistDbus = [ "user" ]; # notifications
 sandbox.whitelistDri = true;
+ sandbox.whitelistWayland = true;
+
 packageUnwrapped = pkgs.kdenlive.override {
 ffmpeg-full = pkgs.ffmpeg-full.override {
 # avoid expensive samba build for a feature i don't use
diff --git a/hosts/common/programs/komikku.nix b/hosts/common/programs/komikku.nix
index a655784f..6de72775 100644
--- a/hosts/common/programs/komikku.nix
+++ b/hosts/common/programs/komikku.nix
@@ -5,6 +5,8 @@
 sandbox.wrapperType = "wrappedDerivation";
 sandbox.net = "clearnet";
 sandbox.whitelistDri = true; #< required
+ sandbox.whitelistWayland = true;
+
 secrets.".local/share/komikku/keyrings/plaintext.keyring" = ../../../secrets/common/komikku_accounts.json.bin;
 # downloads end up here, and without the toplevel database komikku doesn't know they exist.
 persist.byStore.plaintext = [
diff --git a/hosts/common/programs/koreader/default.nix b/hosts/common/programs/koreader/default.nix
index 7bce6869..12125e03 100644
--- a/hosts/common/programs/koreader/default.nix
+++ b/hosts/common/programs/koreader/default.nix
@@ -49,10 +49,12 @@ in {
 sandbox.wrapperType = "wrappedDerivation";
 sandbox.net = "clearnet";
 sandbox.whitelistDri = true; # reduces startup time and subjective page flip time
+ sandbox.whitelistWayland = true;
 sandbox.extraHomePaths = [
 "Books"
 "Books/servo"
 ];
+ # koreader applies these lua "patches" at boot: # - # the naming is IMPORTANT. these must start with a `2-` in order to be invoked during the right initialization phase
diff --git a/hosts/common/programs/libreoffice.nix b/hosts/common/programs/libreoffice.nix
index 0296d935..5e11fa82 100644
--- a/hosts/common/programs/libreoffice.nix
+++ b/hosts/common/programs/libreoffice.nix
@@ -7,6 +7,7 @@
 # packageUnwrapped = pkgs.libreoffice-still;
 packageUnwrapped = pkgs.libreoffice-fresh;
 sandbox.method = "bwrap";
+ sandbox.whitelistWayland = true;
 sandbox.autodetectCliPaths = true;
 sandbox.extraHomePaths = [
 # allow a spot to save files.
diff --git a/hosts/common/programs/loupe.nix b/hosts/common/programs/loupe.nix
index 94adf656..8e206620 100644
--- a/hosts/common/programs/loupe.nix
+++ b/hosts/common/programs/loupe.nix
@@ -3,6 +3,7 @@ sane.programs.loupe = {
 sandbox.method = "bwrap";
 sandbox.wrapperType = "wrappedDerivation";
+ sandbox.whitelistWayland = true;
 sandbox.extraHomePaths = [
 "Pictures"
 "Pictures/servo-macros"
@@ -13,6 +14,7 @@
 "ref"
 "tmp"
 ];
+
 mime.associations = {
 "image/gif" = "org.gnome.Loupe.desktop";
 "image/heif" = "org.gnome.Loupe.desktop"; # apple codec
diff --git a/hosts/common/programs/nicotine-plus.nix b/hosts/common/programs/nicotine-plus.nix
index 9775e907..870ac486 100644
--- a/hosts/common/programs/nicotine-plus.nix
+++ b/hosts/common/programs/nicotine-plus.nix
@@ -9,9 +9,12 @@
 rm $out/bin/nicotine-plus
 '';
 });
+ sandbox.method = "firejail";
 sandbox.wrapperType = "wrappedDerivation";
+ sandbox.whitelistWayland = true;
 sandbox.net = "vpn";
+ # ".config/nicotine": contains the config file, with plaintext creds. # TODO: define this as a secret instead of persisting it.
 persist.byStore.private = [ ".config/nicotine" ];
diff --git a/hosts/common/programs/signal-desktop.nix b/hosts/common/programs/signal-desktop.nix
index da79352a..697cf633 100644
--- a/hosts/common/programs/signal-desktop.nix
+++ b/hosts/common/programs/signal-desktop.nix
@@ -26,7 +26,7 @@ in
 sandbox.wrapperType = "wrappedDerivation";
 sandbox.net = "clearnet";
 sandbox.whitelistAudio = true;
- # sandbox.whitelistDbus = [ "user" ]; # TODO: needed?
+ sandbox.whitelistWayland = true;
 # creds, media
 persist.byStore.private = [
diff --git a/hosts/common/programs/spot.nix b/hosts/common/programs/spot.nix
index 906f5850..1d2863cf 100644
--- a/hosts/common/programs/spot.nix
+++ b/hosts/common/programs/spot.nix
@@ -6,6 +6,7 @@
 sandbox.net = "clearnet";
 sandbox.whitelistAudio = true;
 sandbox.whitelistDbus = [ "user" ]; # mpris
+ sandbox.whitelistWayland = true;
 secrets.".cache/spot/librespot/credentials/credentials.json" = ../../../secrets/common/spot_credentials.json.bin;
 persist.byStore.plaintext = [
diff --git a/hosts/common/programs/spotify.nix b/hosts/common/programs/spotify.nix
index fa075ceb..4a62ffd1 100644
--- a/hosts/common/programs/spotify.nix
+++ b/hosts/common/programs/spotify.nix
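Review bot: `sandbox.method = "firejail";` in the nicotine-plus hunk is the only firejail choice in this series and carries no rationale, whereas the non-default choices elsewhere (brightnessctl and handbrake both pick `landlock` with an inline reason) explain themselves. A reader of this entry also sees `sandbox.net = "vpn";` and, per the comment kept in the same hunk, a persisted config holding plaintext credentials, so the isolation method is the line they will most want justified; `sandbox.method = "firejail"; #< <reason bwrap/landlock were not used here>` with the placeholder filled in would close that gap.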
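Review bot: The signal-desktop hunk replaces the open question `# sandbox.whitelistDbus = [ "user" ]; # TODO: needed?` with `sandbox.whitelistWayland = true;` and records nothing about whether DBus access was tested or found unnecessary. The comparable entries in assorted.nix (blanket, delfin, discord) keep their `whitelistDbus` line commented out with `# TODO: untested` next to the new Wayland flag, so this one now reads as if the question were settled. Either restore the commented line beside the new flag, or replace it with a one-line note stating the outcome, e.g. `# whitelistDbus deliberately omitted: <what was observed>` with the placeholder filled in. The enclosing attribute set continues past the hunk on both sides.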
@@ -4,8 +4,9 @@
 sandbox.method = "bwrap";
 sandbox.wrapperType = "inplace"; # nontraditional package structure, where binaries live in /share/spotify
 sandbox.net = "clearnet";
- sandbox.whitelistDbus = [ "user" ]; # mpris
 sandbox.whitelistAudio = true;
+ sandbox.whitelistDbus = [ "user" ]; # mpris
+ sandbox.whitelistWayland = true;
 persist.byStore.plaintext = [
 # probably just songs and such (haven't checked)
diff --git a/hosts/common/programs/supertuxkart.nix b/hosts/common/programs/supertuxkart.nix
index 56ba2c5a..35552948 100644
--- a/hosts/common/programs/supertuxkart.nix
+++ b/hosts/common/programs/supertuxkart.nix
@@ -6,6 +6,8 @@
 sandbox.net = "clearnet"; # net play
 sandbox.whitelistAudio = true;
 sandbox.whitelistDri = true;
+ sandbox.whitelistWayland = true;
+
 persist.byStore.plaintext = [
 ".cache/supertuxkart"
 ".config/supertuxkart"
diff --git a/hosts/common/programs/tor-browser.nix b/hosts/common/programs/tor-browser.nix
index 2dccb470..4c950106 100644
--- a/hosts/common/programs/tor-browser.nix
+++ b/hosts/common/programs/tor-browser.nix
@@ -11,6 +11,7 @@
 sandbox.wrapperType = "inplace";
 sandbox.net = "clearnet"; # tor over VPN wouldn't make sense
 sandbox.whitelistAudio = true;
+ sandbox.whitelistWayland = true;
 persist.byStore.cryptClearOnBoot = [
 ".local/share/tor-browser"
 ];
diff --git a/hosts/common/programs/tuba.nix b/hosts/common/programs/tuba.nix
index f4c69229..c030a607 100644
--- a/hosts/common/programs/tuba.nix
+++ b/hosts/common/programs/tuba.nix
@@ -6,6 +6,7 @@
 sandbox.net = "clearnet";
 sandbox.whitelistAudio = true;
 sandbox.whitelistDbus = [ "user" ]; # notifications
+ sandbox.whitelistWayland = true;
 suggestedPrograms = [ "gnome-keyring" ];
 };
 }
diff --git a/hosts/common/programs/vlc.nix b/hosts/common/programs/vlc.nix
index bcb0157e..ed311fed 100644
--- a/hosts/common/programs/vlc.nix
+++ b/hosts/common/programs/vlc.nix
@@ -20,6 +20,7 @@ in
 sandbox.autodetectCliPaths = true;
 sandbox.whitelistAudio = true;
 sandbox.whitelistDbus = [ "user" ]; # mpris
+ sandbox.whitelistWayland = true;
 persist.byStore.private = [
 # vlc remembers play position in ~/.config/vlc/vlc-qt-interface.conf
 # filenames are stored in plaintext (unlike mpv, which i think hashes them)
diff --git a/hosts/common/programs/wike.nix b/hosts/common/programs/wike.nix
index dee97e19..216daaee 100644
--- a/hosts/common/programs/wike.nix
+++ b/hosts/common/programs/wike.nix
@@ -5,6 +5,7 @@
 sandbox.wrapperType = "inplace"; # share/wike/wike-sp refers back to the binaries and share
 sandbox.net = "clearnet";
 sandbox.whitelistAudio = true;
+ sandbox.whitelistWayland = true;
 sandbox.extraPaths = [
 # wike sandboxes *itself* with bwrap, and dbus-proxy which, confusingly, causes it to *require* these paths.
 # TODO: these could maybe be mounted empty.
diff --git a/hosts/common/programs/wireshark.nix b/hosts/common/programs/wireshark.nix
index e7ccb137..79f4704e 100644
--- a/hosts/common/programs/wireshark.nix
+++ b/hosts/common/programs/wireshark.nix
@@ -6,12 +6,14 @@ in
 sane.programs.wireshark = {
 sandbox.method = "landlock";
 sandbox.wrapperType = "wrappedDerivation";
+ sandbox.whitelistWayland = true;
 sandbox.net = "all";
+ sandbox.capabilities = [ "net_admin" "net_raw" ];
 sandbox.extraPaths = [
 "/proc/net" #< only needed if using landlock
 ];
+ fs.".config/wireshark".dir = {};
- sandbox.capabilities = [ "net_admin" "net_raw" ];
 slowToBuild = true;
 };
 }
diff --git a/modules/programs/default.nix b/modules/programs/default.nix
index 47e64c5d..49004601 100644
--- a/modules/programs/default.nix
+++ b/modules/programs/default.nix
@@ -389,7 +389,7 @@ let
 };
 sandbox.whitelistWayland = mkOption {
 type = types.bool;
- default = true; #< TODO: harden default!
+ default = false;
 description = ''
 allow sandbox to communicate with the wayland server.
 note that this does NOT permit access to compositor admin tooling like `swaymsg`.
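Review bot: In the modules/programs/default.nix hunk, `default = false;` flips the option to deny-by-default, but the `description` that follows still reads as if Wayland access were the baseline and never mentions that GUI programs now have to opt in. Add a sentence right after `allow sandbox to communicate with the wayland server.`, e.g. `defaults to false: a sandboxed GUI program must set this explicitly, otherwise it presumably cannot reach the compositor socket at all.` This is the behavior every other hunk in the change is working around, so the option doc is the natural place to record it; the rest of the `mkOption` body, including the close of the description, lies outside the hunk. It is also worth stating in the commit message that any `sane.programs` entry not touched here silently loses Wayland access, since that is both the hardening gained and the failure mode to expect.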