modules/programs: add new options for whitelisting audio/dbus

2024-02-12 15:22:49 +00:00
parent d82b4b0f62
commit 27fd81ad80


@@ -69,7 +69,11 @@ let
fullRuntimePaths = lib.optionals (userName != null) (
builtins.map
(p: path-lib.concat [ xdgRuntimeDir p ])
sandbox.extraRuntimePaths
(
sandbox.extraRuntimePaths
++ lib.optionals sandbox.whitelistDbus [ "bus" ]
++ lib.optionals sandbox.whitelistAudio [ "pipewire-0" "pipewire-0.lock" "pulse" ] # also pipewire-0-manager, unknown purpose
)
);
allowedPaths = [
"/nix/store"
@@ -331,13 +335,6 @@ let
- "existingFileOrParent" => add the file if it exists; if not, add its parent if that exists. useful for programs which create files.
'';
};
sandbox.whitelistPwd = mkOption {
type = types.bool;
default = false;
description = ''
allow the program full access to whichever directory it was launched from.
'';
};
sandbox.binMap = mkOption {
type = types.attrsOf types.str;
default = {};
@@ -356,6 +353,20 @@ let
e.g. sandbox.capabilities = [ "net_admin" "net_raw" ];
'';
};
sandbox.whitelistAudio = mkOption {
type = types.bool;
default = true; #< TODO: harden default!
description = ''
allow sandbox to freely interact with pulse/pipewire.
'';
};
sandbox.whitelistDbus = mkOption {
type = types.bool;
default = true; #< TODO: harden default!
description = ''
allow sandbox to freely interact with dbus services.
'';
};
sandbox.whitelistDri = mkOption {
type = types.bool;
default = false;
@@ -367,6 +378,14 @@ let
broad and unaudited attack surface.
'';
};
sandbox.whitelistPwd = mkOption {
type = types.bool;
default = false;
description = ''
allow the program full access to whichever directory it was launched from.
'';
};
sandbox.extraPaths = mkOption {
type = types.listOf types.str;
default = [];
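Review bot: `sandbox.whitelistAudio` and `sandbox.whitelistDbus` are introduced with `default = true;` (hunk 3), the opposite of the sibling `whitelistDri` and `whitelistPwd` options, and through the `fullRuntimePaths` change in hunk 1 this hands the session bus socket and the pipewire/pulse sockets to every sandboxed program unless it opts out; the `#< TODO: harden default!` marker acknowledges it, but nothing in the commit records which programs actually need either. Because dbus is a broad interface (the description itself says "freely interact with dbus services"), the safer shape is `default = false;` on both options with per-program enabling, or, if a permissive default is intended for a transition period, state that in the description, e.g. `Defaults to true until per-program needs are audited; set to false to deny access.`. The `# also pipewire-0-manager, unknown purpose` comment in hunk 1 would read better as a statement of intent, e.g. `# pipewire-0-manager deliberately not exposed: purpose unknown`, so a later reader does not add it casually. These option declarations sit inside a `let` binding that begins and ends outside the visible hunks, and the last hunk appears to be missing one added line relative to its header.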