bonsai: place the socket in a subdirectory to improve sandboxing
This commit is contained in:
parent
e55b75c333
commit
2531cc1cf6
|
@ -103,11 +103,19 @@ in
|
|||
};
|
||||
};
|
||||
|
||||
packageUnwrapped = pkgs.bonsai.overrideAttrs (upstream: {
|
||||
# patch to place the socket in a subdirectory where it can be sandboxed
|
||||
postPatch = (upstream.postPatch or "") + ''
|
||||
substituteInPlace cmd/{bonsaictl,bonsaid}/main.ha \
|
||||
--replace-fail 'path::set(&buf, statedir, "bonsai")' 'path::set(&buf, statedir, "bonsai/bonsai")'
|
||||
'';
|
||||
});
|
||||
|
||||
fs.".config/bonsai/bonsai_tree.json".symlink.text = builtins.toJSON cfg.config.transitions;
|
||||
|
||||
sandbox.method = "bwrap";
|
||||
sandbox.extraRuntimePaths = [
|
||||
"/" #< just needs "bonsai", but needs to create it first...
|
||||
"bonsai"
|
||||
];
|
||||
|
||||
services.bonsaid = {
|
||||
|
@ -115,10 +123,13 @@ in
|
|||
dependencyOf = [ "sway" ]; # to ensure `$XDG_RUNTIME_DIR/bonsai` exists before sway binds it
|
||||
partOf = [ "graphical-session" ];
|
||||
# nice -n -11 chosen arbitrarily. i hope this will allow for faster response to inputs, but without audio underruns (pipewire is -21, dino -15-ish)
|
||||
command = "nice -n -11 bonsaid -t $HOME/.config/bonsai/bonsai_tree.json";
|
||||
cleanupCommand = "rm -f $XDG_RUNTIME_DIR/bonsai";
|
||||
command = pkgs.writeShellScript "bonsai-start" ''
|
||||
mkdir -p $XDG_RUNTIME_DIR/bonsai
|
||||
exec nice -n -11 bonsaid -t $HOME/.config/bonsai/bonsai_tree.json
|
||||
'';
|
||||
cleanupCommand = "rm -f $XDG_RUNTIME_DIR/bonsai/bonsai";
|
||||
readiness.waitExists = [
|
||||
"$XDG_RUNTIME_DIR/bonsai"
|
||||
"$XDG_RUNTIME_DIR/bonsai/bonsai"
|
||||
];
|
||||
};
|
||||
};
|
||||
|
|
Loading…
Reference in New Issue
Block a user