modules/programs: add new options for whitelisting audio/dbus

This commit is contained in:
2024-02-12 15:22:49 +00:00
parent d82b4b0f62
commit 27fd81ad80


@@ -69,7 +69,11 @@ let
fullRuntimePaths = lib.optionals (userName != null) ( fullRuntimePaths = lib.optionals (userName != null) (
builtins.map builtins.map
(p: path-lib.concat [ xdgRuntimeDir p ]) (p: path-lib.concat [ xdgRuntimeDir p ])
sandbox.extraRuntimePaths (
sandbox.extraRuntimePaths
++ lib.optionals sandbox.whitelistDbus [ "bus" ]
++ lib.optionals sandbox.whitelistAudio [ "pipewire-0" "pipewire-0.lock" "pulse" ] # also pipewire-0-manager, unknown purpose
)
); );
allowedPaths = [ allowedPaths = [
"/nix/store" "/nix/store"
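Review bot: The `whitelistAudio` list deliberately leaves `pipewire-0-manager` out, but the trailing comment calls its purpose "unknown", so a later maintainer is likely to "fix" the omission by adding it. As far as I know that socket is the one PipeWire reserves for the session manager (WirePlumber) and its default access configuration grants it unrestricted permissions, whereas clients on `pipewire-0` are subject to the normal access policy; a sandboxed program has no business holding it. I would keep the omission and state why: `# deliberately NOT pipewire-0-manager: session-manager socket, unrestricted access by default`. Note also that all of these paths are only bound when `userName != null` (the `lib.optionals` guard on the first line), so a sandbox with no user gets no audio/dbus sockets regardless of the new flags; worth a one-line comment there since the option descriptions do not mention it. The `let` binding this hunk belongs to continues outside the hunk.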
@@ -331,13 +335,6 @@ let
- "existingFileOrParent" => add the file if it exists; if not, add its parent if that exists. useful for programs which create files. - "existingFileOrParent" => add the file if it exists; if not, add its parent if that exists. useful for programs which create files.
''; '';
}; };
sandbox.whitelistPwd = mkOption {
type = types.bool;
default = false;
description = ''
allow the program full access to whichever directory it was launched from.
'';
};
sandbox.binMap = mkOption { sandbox.binMap = mkOption {
type = types.attrsOf types.str; type = types.attrsOf types.str;
default = {}; default = {};
@@ -356,6 +353,20 @@ let
e.g. sandbox.capabilities = [ "net_admin" "net_raw" ]; e.g. sandbox.capabilities = [ "net_admin" "net_raw" ];
''; '';
}; };
sandbox.whitelistAudio = mkOption {
type = types.bool;
default = true; #< TODO: harden default!
description = ''
allow sandbox to freely interact with pulse/pipewire.
'';
};
sandbox.whitelistDbus = mkOption {
type = types.bool;
default = true; #< TODO: harden default!
description = ''
allow sandbox to freely interact with dbus services.
'';
};
sandbox.whitelistDri = mkOption { sandbox.whitelistDri = mkOption {
type = types.bool; type = types.bool;
default = false; default = false;
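Review bot: The descriptions of the two new options read as harmless conveniences, while the neighbouring `whitelistDri` option explicitly warns about "broad and unaudited attack surface"; `whitelistDbus` deserves at least as strong a warning. Handing a program the session bus socket is in practice a full sandbox escape on a typical systemd desktop, since the user's `systemd --user` manager is reachable over that bus and will start arbitrary transient units outside the sandbox, and many other session services (notifications, secrets, portals) become callable as the user. I would write the dbus description as `allow sandbox to freely interact with dbus services. this is effectively a sandbox escape: the session bus can reach systemd --user and other privileged session services.` and the audio description as `allow sandbox to freely interact with pulse/pipewire. note this grants microphone capture and visibility of other programs' streams, not just playback.`. The `default = true` lines already carry a TODO, so I am not re-raising them, but the descriptions are what a user reads when deciding whether to flip the flag, and they should say what is really being granted.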
@@ -367,6 +378,14 @@ let
broad and unaudited attack surface. broad and unaudited attack surface.
''; '';
}; };
sandbox.whitelistPwd = mkOption {
type = types.bool;
default = false;
description = ''
allow the program full access to whichever directory it was launched from.
'';
};
sandbox.extraPaths = mkOption { sandbox.extraPaths = mkOption {
type = types.listOf types.str; type = types.listOf types.str;
default = []; default = [];