programs: don't include dbus in the sandbox by default
This commit is contained in:
parent
18eec98cae
commit
1a18ed533b
|
@ -224,6 +224,7 @@ in
|
|||
blanket.sandbox.method = "bwrap";
|
||||
blanket.sandbox.wrapperType = "wrappedDerivation";
|
||||
blanket.sandbox.whitelistAudio = true;
|
||||
# blanket.sandbox.whitelistDbus = [ "user" ]; # TODO: untested
|
||||
|
||||
brightnessctl.sandbox.method = "landlock"; # also bwrap, but landlock is more responsive
|
||||
brightnessctl.sandbox.wrapperType = "wrappedDerivation";
|
||||
|
@ -241,6 +242,7 @@ in
|
|||
delfin.sandbox.method = "bwrap";
|
||||
delfin.sandbox.wrapperType = "wrappedDerivation";
|
||||
delfin.sandbox.whitelistAudio = true;
|
||||
# delfin.sandbox.whitelistDbus = [ "user" ]; # TODO: untested
|
||||
delfin.sandbox.whitelistDri = true;
|
||||
delfin.sandbox.net = "clearnet";
|
||||
delfin.persist.byStore.private = [ ".config/delfin" ];
|
||||
|
@ -249,6 +251,7 @@ in
|
|||
discord.sandbox.method = "bwrap";
|
||||
discord.sandbox.wrapperType = "inplace"; #< /opt-style packaging
|
||||
discord.sandbox.whitelistAudio = true;
|
||||
# discord.sandbox.whitelistDbus = [ "user" ]; # TODO: untested
|
||||
discord.sandbox.net = "clearnet";
|
||||
discord.persist.byStore.private = [ ".config/discord" ];
|
||||
|
||||
|
|
|
@ -5,6 +5,7 @@
|
|||
sandbox.method = "bwrap"; # landlock gives: _multiprocessing.SemLock: Permission Denied
|
||||
sandbox.wrapperType = "wrappedDerivation";
|
||||
sandbox.whitelistAudio = true;
|
||||
sandbox.whitelistDbus = [ "user" ]; # mpris
|
||||
sandbox.extraHomePaths = [
|
||||
"Books"
|
||||
"Books/servo"
|
||||
|
|
|
@ -49,6 +49,7 @@ in
|
|||
sandbox.wrapperType = "wrappedDerivation";
|
||||
sandbox.net = "clearnet";
|
||||
sandbox.whitelistAudio = true;
|
||||
sandbox.whitelistDbus = [ "user" ]; # notifications
|
||||
sandbox.whitelistDri = true; #< not strictly necessary, but we need all the perf we can get on moby
|
||||
|
||||
persist.byStore.private = [ ".local/share/dino" ];
|
||||
|
|
|
@ -11,6 +11,7 @@
|
|||
sandbox.wrapperType = "wrappedDerivation";
|
||||
sandbox.net = "clearnet";
|
||||
sandbox.whitelistAudio = true;
|
||||
sandbox.whitelistDbus = [ "user" ]; # notifications
|
||||
sandbox.whitelistDri = true;
|
||||
packageUnwrapped = pkgs.element-desktop.override {
|
||||
# use pre-build electron because otherwise it takes 4 hrs to build from source.
|
||||
|
|
|
@ -237,6 +237,7 @@ in
|
|||
sandbox.wrapperType = "inplace"; # probably wrappedDerivation could work too.
|
||||
sandbox.net = "all";
|
||||
sandbox.whitelistAudio = true;
|
||||
sandbox.whitelistDbus = [ "user" ]; # mpris
|
||||
sandbox.extraHomePaths = [
|
||||
"dev" # for developing anything web-related
|
||||
"tmp"
|
||||
|
|
|
@ -31,6 +31,7 @@ in
|
|||
sandbox.wrapperType = "wrappedDerivation";
|
||||
sandbox.net = "clearnet";
|
||||
sandbox.whitelistAudio = true;
|
||||
sandbox.whitelistDbus = [ "user" ]; # notifications
|
||||
sandbox.whitelistDri = true; # otherwise video playback buuuuurns CPU
|
||||
|
||||
configOption = with lib; mkOption {
|
||||
|
|
|
@ -11,6 +11,7 @@
|
|||
sandbox.method = "bwrap";
|
||||
sandbox.wrapperType = "wrappedDerivation";
|
||||
sandbox.whitelistAudio = true;
|
||||
sandbox.whitelistDbus = [ "user" ]; # mpris
|
||||
sandbox.extraHomePaths = [
|
||||
"Music"
|
||||
];
|
||||
|
|
|
@ -22,6 +22,7 @@ in
|
|||
sandbox.method = "bwrap";
|
||||
sandbox.wrapperType = "wrappedDerivation";
|
||||
sandbox.net = "clearnet";
|
||||
sandbox.whitelistDbus = [ "user" ]; # notifications
|
||||
sandbox.extraPaths = [
|
||||
# geary sandboxes *itself* with bwrap, and dbus-proxy which, confusingly, causes it to *require* these paths.
|
||||
# TODO: these could maybe be mounted empty. or maybe there's an env-var to disable geary's dbus-proxy.
|
||||
|
|
|
@ -35,6 +35,7 @@ in
|
|||
sandbox.wrapperType = "wrappedDerivation";
|
||||
sandbox.net = "clearnet";
|
||||
sandbox.whitelistAudio = true;
|
||||
sandbox.whitelistDbus = [ "user" ]; # notifications
|
||||
sandbox.whitelistDri = true;
|
||||
|
||||
persist.byStore.private = [
|
||||
|
|
|
@ -3,6 +3,7 @@
|
|||
sane.programs.handbrake = {
|
||||
sandbox.method = "landlock"; #< also supports bwrap, but landlock ensures we don't write to non-mounted tmpfs dir
|
||||
sandbox.wrapperType = "wrappedDerivation";
|
||||
sandbox.whitelistDbus = [ "user" ]; # notifications
|
||||
sandbox.extraHomePaths = [
|
||||
"Music"
|
||||
"Pictures" # i have some videos in there too.
|
||||
|
|
|
@ -12,6 +12,7 @@
|
|||
"tmp"
|
||||
];
|
||||
sandbox.whitelistAudio = true;
|
||||
sandbox.whitelistDbus = [ "user" ]; # notifications
|
||||
sandbox.whitelistDri = true;
|
||||
packageUnwrapped = pkgs.kdenlive.override {
|
||||
ffmpeg-full = pkgs.ffmpeg-full.override {
|
||||
|
|
|
@ -2,6 +2,9 @@
|
|||
{
|
||||
sane.programs.playerctl = {
|
||||
sandbox.method = "bwrap";
|
||||
sandbox.wrapperType = "inplace";
|
||||
sandbox.whitelistDbus = [ "user" ]; # notifications
|
||||
|
||||
services.playerctld = {
|
||||
description = "playerctl daemon to keep track of which MPRIS players were recently active";
|
||||
documentation = [ "https://github.com/altdesktop/playerctl/issues/161" ];
|
||||
|
|
|
@ -26,6 +26,7 @@ in
|
|||
sandbox.wrapperType = "wrappedDerivation";
|
||||
sandbox.net = "clearnet";
|
||||
sandbox.whitelistAudio = true;
|
||||
# sandbox.whitelistDbus = [ "user" ]; # TODO: needed?
|
||||
|
||||
# creds, media
|
||||
persist.byStore.private = [
|
||||
|
|
|
@ -5,6 +5,8 @@
|
|||
sandbox.wrapperType = "wrappedDerivation";
|
||||
sandbox.net = "clearnet";
|
||||
sandbox.whitelistAudio = true;
|
||||
sandbox.whitelistDbus = [ "user" ]; # mpris
|
||||
|
||||
secrets.".cache/spot/librespot/credentials/credentials.json" = ../../../secrets/common/spot_credentials.json.bin;
|
||||
persist.byStore.plaintext = [
|
||||
".cache/spot/img" # album art
|
||||
|
|
|
@ -4,6 +4,7 @@
|
|||
sandbox.method = "bwrap";
|
||||
sandbox.wrapperType = "inplace"; # nontraditional package structure, where binaries live in /share/spotify
|
||||
sandbox.net = "clearnet";
|
||||
sandbox.whitelistDbus = [ "user" ]; # mpris
|
||||
sandbox.whitelistAudio = true;
|
||||
|
||||
persist.byStore.plaintext = [
|
||||
|
|
|
@ -5,6 +5,7 @@
|
|||
sandbox.wrapperType = "wrappedDerivation";
|
||||
sandbox.net = "clearnet";
|
||||
sandbox.whitelistAudio = true;
|
||||
sandbox.whitelistDbus = [ "user" ]; # notifications
|
||||
suggestedPrograms = [ "gnome-keyring" ];
|
||||
};
|
||||
}
|
||||
|
|
|
@ -19,6 +19,7 @@ in
|
|||
sandbox.net = "clearnet";
|
||||
sandbox.autodetectCliPaths = true;
|
||||
sandbox.whitelistAudio = true;
|
||||
sandbox.whitelistDbus = [ "user" ]; # mpris
|
||||
persist.byStore.private = [
|
||||
# vlc remembers play position in ~/.config/vlc/vlc-qt-interface.conf
|
||||
# filenames are stored in plaintext (unlike mpv, which i think hashes them)
|
||||
|
|
|
@ -364,7 +364,7 @@ let
|
|||
};
|
||||
sandbox.whitelistDbus = mkOption {
|
||||
type = types.listOf (types.enum [ "user" "system" ]);
|
||||
default = [ "user" ]; #< TODO: harden default!
|
||||
default = [ ];
|
||||
description = ''
|
||||
allow sandbox to freely interact with dbus services.
|
||||
'';
|
||||
|
|
Loading…
Reference in New Issue
Block a user