diff --git a/hosts/common/programs/aerc.nix b/hosts/common/programs/aerc.nix index 96e0e35dd..c2db16bf5 100644 --- a/hosts/common/programs/aerc.nix +++ b/hosts/common/programs/aerc.nix @@ -3,7 +3,6 @@ { sane.programs.aerc = { - sandbox.method = "bunpen"; sandbox.wrapperType = "inplace"; #< /share/aerc/aerc.conf mentions (in comments) other (non-sandboxed) /share files by absolute path sandbox.net = "clearnet"; secrets.".config/aerc/accounts.conf" = ../../../secrets/common/aerc_accounts.conf.bin; diff --git a/hosts/common/programs/animatch.nix b/hosts/common/programs/animatch.nix index c5b6be0e4..7bdd253f3 100644 --- a/hosts/common/programs/animatch.nix +++ b/hosts/common/programs/animatch.nix @@ -32,7 +32,6 @@ buildCost = 1; - sandbox.method = "bunpen"; sandbox.whitelistWayland = true; persist.byStore.plaintext = [ diff --git a/hosts/common/programs/assorted.nix b/hosts/common/programs/assorted.nix index d47aec070..c308f4d90 100644 --- a/hosts/common/programs/assorted.nix +++ b/hosts/common/programs/assorted.nix @@ -415,12 +415,11 @@ in # INDIVIDUAL PACKAGE DEFINITIONS - alsaUtils.sandbox.method = "bunpen"; # amixer, aplay, speaker-test, ... + # alsaUtils amixer, aplay, speaker-test, ... alsaUtils.sandbox.whitelistAudio = true; #< not strictly necessary? backblaze-b2 = {}; - bash-language-server.sandbox.method = "bunpen"; bash-language-server.sandbox.whitelistPwd = true; blanket.buildCost = 1; @@ -442,7 +441,6 @@ in bridge-utils.sandbox.method = "bwrap"; #< bwrap, landlock: both work bridge-utils.sandbox.net = "all"; - btrfs-progs.sandbox.method = "bunpen"; #< bwrap, landlock: both work btrfs-progs.sandbox.autodetectCliPaths = "existing"; # e.g. `btrfs filesystem df /my/fs` btrfs-progs.sandbox.extraPaths = [ "/dev/btrfs-control" 
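Review bot: In the `@@ -415,12 +415,11 @@` hunk of assorted.nix the replacement comment `# alsaUtils amixer, aplay, speaker-test, ...` reads as a stray fragment now that it no longer trails an assignment. Writing it as `# alsaUtils: amixer, aplay, speaker-test, ...` would show that it lists the binaries the package provides. That also matches the `# procps: free, pgrep, ...` and `# cryptsetup: typical use is ...` comments elsewhere in the file.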
@@ -451,7 +449,7 @@ in "cacert.unbundled".sandbox.enable = false; #< data only cargo.persist.byStore.plaintext = [ ".cargo" ]; - cargo.sandbox.method = "bunpen"; # probably this is too restrictive; i'm sandboxing it for rust-analyzer / neovim LSP + # probably this sandboxing is too restrictive; i'm sandboxing it for rust-analyzer / neovim LSP cargo.sandbox.whitelistPwd = true; cargo.sandbox.net = "all"; cargo.sandbox.extraHomePaths = [ "dev" "ref" ]; @@ -461,13 +459,11 @@ in clang-tools.sandbox.method = "bwrap"; clang-tools.sandbox.whitelistPwd = true; - clightning-sane.sandbox.method = "bunpen"; clightning-sane.sandbox.extraPaths = [ "/var/lib/clightning/bitcoin/lightning-rpc" ]; # cryptsetup: typical use is `cryptsetup open /dev/loopxyz mappedName`, and creates `/dev/mapper/mappedName` - cryptsetup.sandbox.method = "bunpen"; cryptsetup.sandbox.extraPaths = [ "/dev/mapper" "/dev/random" @@ -496,13 +492,11 @@ in # auth token, preferences delfin.persist.byStore.private = [ ".config/delfin" ]; - dig.sandbox.method = "bunpen"; dig.sandbox.net = "all"; # creds, but also 200 MB of node modules, etc discord.persist.byStore.private = [ ".config/discord" ]; discord.suggestedPrograms = [ "xwayland" ]; - discord.sandbox.method = "bunpen"; discord.sandbox.wrapperType = "inplace"; #< package contains broken symlinks that my wrapper can't handle discord.sandbox.whitelistAudio = true; discord.sandbox.whitelistDbus = [ "user" ]; # needed for xdg-open @@ -524,10 +518,8 @@ in duplicity = {}; - e2fsprogs.sandbox.method = "bunpen"; e2fsprogs.sandbox.autodetectCliPaths = "existing"; - efibootmgr.sandbox.method = "bunpen"; efibootmgr.sandbox.extraPaths = [ "/sys/firmware/efi" ]; @@ -540,7 +532,6 @@ in endless-sky.buildCost = 1; endless-sky.persist.byStore.plaintext = [ ".local/share/endless-sky" ]; - endless-sky.sandbox.method = "bunpen"; endless-sky.sandbox.whitelistAudio = true; endless-sky.sandbox.whitelistDri = true; endless-sky.sandbox.whitelistWayland = true; 
@@ -551,12 +542,10 @@ in # TODO: package [smile](https://github.com/mijorus/smile) for probably a better mobile experience. emote.persist.byStore.plaintext = [ ".local/share/Emote" ]; - ethtool.sandbox.method = "bunpen"; ethtool.sandbox.capabilities = [ "net_admin" ]; ethtool.sandbox.net = "all"; ethtool.sandbox.tryKeepUsers = true; - evtest.sandbox.method = "bunpen"; evtest.sandbox.autodetectCliPaths = "existingFile"; # `evtest /dev/foo` to monitor events for a specific device evtest.sandbox.extraPaths = [ "/dev/input" @@ -565,7 +554,6 @@ in # eza `ls` replacement # bwrap causes `/proc` files to be listed differently (e.g. `eza /proc/sys/net/ipv6/conf/`) # bwrap loses group info (so files owned by other users appear as owner "nobody") - eza.sandbox.method = "bunpen"; eza.sandbox.tryKeepUsers = true; #< to keep user/group info when running as root eza.sandbox.autodetectCliPaths = "existing"; eza.sandbox.whitelistPwd = true; @@ -575,11 +563,9 @@ in ".persist/plaintext" ]; - fatresize.sandbox.method = "bunpen"; fatresize.sandbox.autodetectCliPaths = "parent"; # /dev/sda1 -> needs /dev/sda fatresize.sandbox.tryKeepUsers = true; - fd.sandbox.method = "bunpen"; fd.sandbox.autodetectCliPaths = "existing"; fd.sandbox.whitelistPwd = true; fd.sandbox.extraHomePaths = [ @@ -589,13 +575,10 @@ in ]; ffmpeg.buildCost = 1; - ffmpeg.sandbox.method = "bunpen"; ffmpeg.sandbox.autodetectCliPaths = "existingFileOrParent"; # it outputs uncreated files -> parent dir needs mounting - file.sandbox.method = "bunpen"; file.sandbox.autodetectCliPaths = "existing"; #< file OR directory, yes - findutils.sandbox.method = "bunpen"; findutils.sandbox.autodetectCliPaths = "existing"; findutils.sandbox.whitelistPwd = true; findutils.sandbox.extraHomePaths = [ 
@@ -607,14 +590,12 @@ in fluffychat-moby.persist.byStore.plaintext = [ ".local/share/chat.fluffy.fluffychat" ]; font-manager.buildCost = 1; - font-manager.sandbox.method = "bunpen"; font-manager.sandbox.whitelistWayland = true; font-manager.packageUnwrapped = pkgs.rmDbusServicesInPlace (pkgs.font-manager.override { # build without the "Google Fonts" integration feature, to save closure / avoid webkitgtk_4_0 withWebkit = false; }); - forkstat.sandbox.method = "bunpen"; forkstat.sandbox.keepPidsAndProc = true; forkstat.sandbox.tryKeepUsers = true; forkstat.sandbox.net = "all"; #< it errors without this, wish i knew why @@ -626,7 +607,6 @@ in { path=".cache/fuzzel"; type="file"; } ]; - gawk.sandbox.method = "bunpen"; gawk.sandbox.wrapperType = "inplace"; # /share/gawk libraries refer to /libexec gawk.sandbox.autodetectCliPaths = "existingFile"; @@ -637,7 +617,6 @@ in gh.persist.byStore.private = [ ".config/gh" ]; gimp.buildCost = 1; - gimp.sandbox.method = "bunpen"; gimp.sandbox.whitelistX = true; gimp.sandbox.whitelistWayland = true; gimp.sandbox.extraHomePaths = [ @@ -659,19 +638,16 @@ in gitea = {}; gnome-calculator.buildCost = 1; - gnome-calculator.sandbox.method = "bunpen"; gnome-calculator.sandbox.whitelistWayland = true; gnome-calendar.buildCost = 1; # gnome-calendar surely has data to persist, but i use it strictly to do date math, not track events. - gnome-calendar.sandbox.method = "bunpen"; gnome-calendar.sandbox.whitelistWayland = true; gnome-calendar.sandbox.whitelistDbus = [ "user" ]; # gnome-disks # XXX(2024-09-02): fails to show any disks even when run as `SANEBOX_DISABLE=1 sudo -E gnome-disks`. gnome-disk-utility.buildCost = 1; - gnome-disk-utility.sandbox.method = "bwrap"; gnome-disk-utility.sandbox.whitelistDbus = [ "system" ]; gnome-disk-utility.sandbox.whitelistWayland = true; gnome-disk-utility.sandbox.extraHomePaths = [ 
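Review bot: In the `@@ -659,19 +638,16 @@` hunk the removed line for `gnome-disk-utility` was `sandbox.method = "bwrap"`, not `"bunpen"` like the other removals in this file, so this program changes sandbox backend as a side effect of a bulk cleanup. Elsewhere in the file `bridge-utils`, `clang-tools`, `mercurial` and `nixpkgs-review` keep their explicit `"bwrap"`, which makes this look unintended. The XXX comment above it already records that the tool fails to show disks, and it is granted `whitelistDbus = [ "system" ]`, so it is worth stating whether it was tested under the new method. If bwrap is still wanted, keep `gnome-disk-utility.sandbox.method = "bwrap";`; otherwise a comment such as `# previously bwrap; now uses the default method` would keep the change auditable.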
@@ -685,7 +661,6 @@ in google-chrome.sandbox.enable = false; # google-chrome is my "pleeeaaase work" fallback, so let it do anything. # gparted: run with `sudo -E gparted` (-E to keep the wayland socket) - gparted.sandbox.method = "bunpen"; gparted.sandbox.tryKeepUsers = true; gparted.sandbox.capabilities = [ "dac_override" "sys_admin" ]; gparted.sandbox.extraPaths = [ @@ -698,7 +673,6 @@ in ]; gparted.sandbox.whitelistWayland = true; - hping.sandbox.method = "bunpen"; hping.sandbox.net = "all"; hping.sandbox.capabilities = [ "net_raw" ]; hping.sandbox.autodetectCliPaths = "existingFile"; # for sending packet data from file @@ -707,17 +681,14 @@ in # seahorse: dump gnome-keyring secrets. seahorse.buildCost = 1; # N.B. it can lso manage ~/.ssh keys, but i explicitly don't add those to the sandbox for now. - seahorse.sandbox.method = "bunpen"; seahorse.sandbox.whitelistDbus = [ "user" ]; seahorse.sandbox.whitelistWayland = true; gnome-2048.buildCost = 1; - gnome-2048.sandbox.method = "bunpen"; gnome-2048.sandbox.whitelistWayland = true; gnome-2048.persist.byStore.plaintext = [ ".local/share/gnome-2048/scores" ]; gnome-frog.buildCost = 1; - gnome-frog.sandbox.method = "bunpen"; gnome-frog.sandbox.whitelistWayland = true; gnome-frog.sandbox.whitelistDbus = [ "user" ]; gnome-frog.sandbox.extraPaths = [ @@ -744,10 +715,8 @@ in # 2. no two shaded tiles can be direct N/S/E/W neighbors # - win once (1) and (2) are satisfied hitori.buildCost = 1; - hitori.sandbox.method = "bunpen"; hitori.sandbox.whitelistWayland = true; - gnugrep.sandbox.method = "bunpen"; gnugrep.sandbox.autodetectCliPaths = "existing"; gnugrep.sandbox.whitelistPwd = true; gnugrep.sandbox.extraHomePaths = [ 
@@ -756,51 +725,42 @@ in ".persist/plaintext" ]; - gnused.sandbox.method = "bunpen"; gnused.sandbox.autodetectCliPaths = "existingFile"; gnused.sandbox.whitelistPwd = true; #< `-i` flag creates a temporary file in pwd (?) and then moves it. gpsd = {}; - gptfdisk.sandbox.method = "bunpen"; gptfdisk.sandbox.extraPaths = [ "/dev" ]; gptfdisk.sandbox.autodetectCliPaths = "existing"; #< sometimes you'll use gdisk on a device file. # N.B.: if the user doesn't specify an output path, `grim` will output to ~/Pictures (which isn't included in this sandbox) - grim.sandbox.method = "bunpen"; grim.sandbox.autodetectCliPaths = "existingOrParent"; grim.sandbox.whitelistWayland = true; hase.buildCost = 1; - hase.sandbox.method = "bunpen"; hase.sandbox.net = "clearnet"; hase.sandbox.whitelistAudio = true; hase.sandbox.whitelistDri = true; hase.sandbox.whitelistWayland = true; # hdparm: has to be run as sudo. e.g. `sudo hdparm -i /dev/sda` - hdparm.sandbox.method = "bunpen"; hdparm.sandbox.autodetectCliPaths = "existingFile"; hdparm.sandbox.tryKeepUsers = true; - host.sandbox.method = "bunpen"; host.sandbox.net = "all"; #< technically, only needs to contact localhost's DNS server - iftop.sandbox.method = "bunpen"; iftop.sandbox.net = "all"; iftop.sandbox.capabilities = [ "net_raw" ]; iftop.sandbox.tryKeepUsers = true; # inetutils: ping, ifconfig, hostname, traceroute, whois, .... # N.B.: inetutils' `ping` is shadowed by iputils' ping (by nixos, intentionally). - inetutils.sandbox.method = "bunpen"; # want to keep the same netns, at least. inetutils.sandbox.net = "all"; inetutils.sandbox.capabilities = [ "net_raw" ]; # for `sudo traceroute google.com` inetutils.sandbox.tryKeepUsers = true; - iotop.sandbox.method = "bunpen"; iotop.sandbox.capabilities = [ "net_admin" ]; iotop.sandbox.keepPidsAndProc = true; iotop.sandbox.tryKeepUsers = true; 
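Review bot: Deleting `inetutils.sandbox.method` also deletes its trailing rationale `# want to keep the same netns, at least.`, and nothing in the new lines carries it forward. The same happens to the `nethogs` note (`# *partially* works under landlock w/ full access to /`) and the `btrfs-progs` note (`#< bwrap, landlock: both work`) in other hunks of this file. These remarks record which backends were tried and why, which a later reader needs before tightening or switching a profile. If the netns remark is really about the network setting, it could move there as `inetutils.sandbox.net = "all";  #< want to keep the same netns, at least`; the other two could stay as standalone comments above their first remaining option.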
@@ -817,37 +777,30 @@ in # "/var/run/netns" # ]; - iptables = {}; # TODO: sandbox - # iptables.sandbox.method = "landlock"; + iptables.sandbox.method = null; # TODO: sandbox # iptables.sandbox.net = "all"; # iptables.sandbox.capabilities = [ "net_admin" ]; # iputils provides `ping` (and arping, clockdiff, tracepath) - iputils.sandbox.method = "bunpen"; iputils.sandbox.net = "all"; iputils.sandbox.capabilities = [ "net_raw" ]; iputils.sandbox.tryKeepUsers = true; # for `sudo arping 10.78.79.1` - iw.sandbox.method = "bunpen"; iw.sandbox.net = "all"; iw.sandbox.capabilities = [ "net_admin" ]; iw.sandbox.tryKeepUsers = true; - jq.sandbox.method = "bunpen"; jq.sandbox.autodetectCliPaths = "existingFile"; - killall.sandbox.method = "bunpen"; killall.sandbox.keepPidsAndProc = true; landlock-sandboxer.sandbox.enable = false; #< sandbox helper libcap_ng.sandbox.enable = false; # TODO: `pscap` can sandbox with bwrap, `captest` and `netcap` with landlock - libnotify.sandbox.method = "bunpen"; libnotify.sandbox.whitelistDbus = [ "user" ]; # notify-send lightning-cli.packageUnwrapped = pkgs.linkBinIntoOwnPackage pkgs.clightning "lightning-cli"; - lightning-cli.sandbox.method = "bunpen"; lightning-cli.sandbox.extraHomePaths = [ ".lightning/bitcoin/lightning-rpc" ]; @@ -855,7 +808,6 @@ in lightning-cli.fs.".lightning".symlink.target = "/var/lib/clightning"; losslesscut-bin.buildCost = 1; - losslesscut-bin.sandbox.method = "bunpen"; losslesscut-bin.sandbox.extraHomePaths = [ "Music" "Pictures/from" # videos from e.g. mobile phone @@ -870,7 +822,6 @@ in losslesscut-bin.sandbox.whitelistX = true; # use: `lsof`; `sudo lsof -i 4` - lsof.sandbox.method = "bunpen"; lsof.sandbox.keepPidsAndProc = true; lsof.sandbox.capabilities = [ "dac_override" "sys_ptrace" ]; # `lsof -i 4` demands we keep net, and also for some reason `/`. 
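Review bot: `iptables = {};` becoming `iptables.sandbox.method = null;` in the `@@ -817,37 +777,30 @@` hunk (and likewise `patchelf` and `pulseaudio` in later hunks) suggests that an entry with no `sandbox.method` is now sandboxed by a module default, but that default is not visible in this part of the diff. If that is the case, the entries left as bare `= {}` in the surrounding context (`backblaze-b2`, `duplicity`, `gitea`, `gpsd`, `lua`, `nodejs`, `rustup`, `sqlite`) and the new `oath-toolkit = {};` are now confined with no network or path whitelist, which may break them. If it is not the case, every program whose `"bunpen"` line was removed loses its sandbox while keeping grants such as `gparted`'s `sys_admin` and `lsof`'s `sys_ptrace`. Stating the default in the commit message would settle this. Giving each remaining bare entry an explicit line in the style already used here, for example `nodejs.sandbox.method = null;  #< TODO: sandbox`, would also keep the unsandboxed set greppable.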
@@ -885,20 +836,17 @@ in lua = {}; - lua-language-server.sandbox.method = "bunpen"; lua-language-server.sandbox.whitelistPwd = true; man-pages.sandbox.enable = false; #< data only man-pages-posix.sandbox.enable = false; #< data only - marksman.sandbox.method = "bunpen"; marksman.sandbox.whitelistPwd = true; mercurial.sandbox.method = "bwrap"; mercurial.sandbox.net = "clearnet"; mercurial.sandbox.whitelistPwd = true; - mesa-demos.sandbox.method = "bunpen"; mesa-demos.sandbox.whitelistDri = true; mesa-demos.sandbox.whitelistWayland = true; mesa-demos.sandbox.whitelistX = true; @@ -922,23 +870,18 @@ in mumble.buildCost = 1; mumble.persist.byStore.private = [ ".local/share/Mumble" ]; - nano.sandbox.method = "bunpen"; nano.sandbox.autodetectCliPaths = "existingFileOrParent"; - netcat.sandbox.method = "bunpen"; netcat.sandbox.net = "all"; - nethogs.sandbox.method = "bunpen"; # *partially* works under landlock w/ full access to / nethogs.sandbox.capabilities = [ "net_admin" "net_raw" ]; nethogs.sandbox.tryKeepUsers = true; nethogs.sandbox.net = "all"; # provides `arp`, `hostname`, `route`, `ifconfig` - nettools.sandbox.method = "bunpen"; nettools.sandbox.net = "all"; nettools.sandbox.capabilities = [ "net_admin" "net_raw" ]; - networkmanagerapplet.sandbox.method = "bunpen"; networkmanagerapplet.sandbox.whitelistWayland = true; networkmanagerapplet.sandbox.whitelistDbus = [ "system" ]; @@ -946,10 +889,8 @@ in nil.sandbox.whitelistPwd = true; nil.sandbox.keepPids = true; - nixd.sandbox.method = "bunpen"; nixd.sandbox.whitelistPwd = true; - nixfmt-rfc-style.sandbox.method = "bunpen"; nixfmt-rfc-style.sandbox.autodetectCliPaths = "existingDirOrParent"; #< it formats via rename nixpkgs-review.sandbox.method = "bwrap"; 
@@ -966,17 +907,14 @@ in ".cache/nixpkgs-review" #< help it not exhaust / tmpfs ]; - nmap.sandbox.method = "bunpen"; nmap.sandbox.net = "all"; # clearnet and lan - nmon.sandbox.method = "bunpen"; nmon.sandbox.keepPidsAndProc = true; nmon.sandbox.net = "all"; nodejs = {}; # `nvme list` - nvme-cli.sandbox.method = "bunpen"; nvme-cli.sandbox.extraPaths = [ "/sys/devices" "/sys/class/nvme" @@ -987,29 +925,25 @@ in # nvme-cli.sandbox.capabilities = [ "sys_rawio" ]; # contains only `oathtool`, which i only use for evaluating TOTP codes from CLI/stdin - oath-toolkit.sandbox.method = "bunpen"; + oath-toolkit = {}; # settings (electron app) obsidian.persist.byStore.plaintext = [ ".config/obsidian" ]; - openscad-lsp.sandbox.method = "bunpen"; openscad-lsp.sandbox.whitelistPwd = true; passt.sandbox.enable = false; #< sandbox helper (netns specifically) - parted.sandbox.method = "bunpen"; parted.sandbox.extraPaths = [ "/dev" ]; parted.sandbox.autodetectCliPaths = "existing"; #< sometimes you'll use parted on a device file. - patchelf = {}; + patchelf.sandbox.method = null; #< TODO: sandbox - pavucontrol.sandbox.method = "bunpen"; pavucontrol.sandbox.whitelistAudio = true; pavucontrol.sandbox.whitelistWayland = true; - pciutils.sandbox.method = "bunpen"; pciutils.sandbox.extraPaths = [ "/sys/bus/pci" "/sys/devices" @@ -1017,7 +951,6 @@ in "perlPackages.FileMimeInfo" = {}; - powertop.sandbox.method = "bunpen"; powertop.sandbox.capabilities = [ "ipc_lock" "sys_admin" ]; powertop.sandbox.tryKeepUsers = true; powertop.sandbox.extraPaths = [ 
@@ -1028,24 +961,19 @@ in ]; # procps: free, pgrep, pidof, pkill, ps, pwait, top, uptime, couple others - procps.sandbox.method = "bunpen"; procps.sandbox.keepPidsAndProc = true; - pstree.sandbox.method = "bunpen"; pstree.sandbox.keepPidsAndProc = true; - pulseaudio = {}; + pulseaudio.sandbox.method = null; #< TODO: sandbox - pulsemixer.sandbox.method = "bunpen"; pulsemixer.sandbox.whitelistAudio = true; pwvucontrol.buildCost = 1; - pwvucontrol.sandbox.method = "bunpen"; pwvucontrol.sandbox.whitelistAudio = true; pwvucontrol.sandbox.whitelistDri = true; # else perf on moby is unusable pwvucontrol.sandbox.whitelistWayland = true; - pyright.sandbox.method = "bunpen"; pyright.sandbox.whitelistPwd = true; python3-repl.packageUnwrapped = pkgs.python3.withPackages (ps: with ps; [ @@ -1055,7 +983,6 @@ in requests unidecode ]); - python3-repl.sandbox.method = "bunpen"; python3-repl.sandbox.net = "clearnet"; python3-repl.sandbox.extraHomePaths = [ "/" #< this is 'safe' because with don't expose .persist/private, so no .ssh/id_ed25519 @@ -1065,12 +992,10 @@ in qemu.sandbox.enable = false; #< it's a launcher qemu.buildCost = 2; - rsync.sandbox.method = "bunpen"; rsync.sandbox.net = "clearnet"; rsync.sandbox.autodetectCliPaths = "existingOrParent"; rsync.sandbox.tryKeepUsers = true; # if running as root, keep the user namespace so that `-a` can set the correct owners, etc - rust-analyzer.sandbox.method = "bunpen"; rust-analyzer.sandbox.whitelistPwd = true; rust-analyzer.suggestedPrograms = [ "cargo" @@ -1080,7 +1005,6 @@ in rustup = {}; - sane-cast.sandbox.method = "bunpen"; sane-cast.sandbox.net = "clearnet"; sane-cast.sandbox.autodetectCliPaths = "existingFile"; sane-cast.sandbox.whitelistAudio = true; #< for blast audio casting 
@@ -1088,10 +1012,8 @@ in sane-die-with-parent.sandbox.enable = false; #< it's a launcher; can't sandbox - sane-weather.sandbox.method = "bunpen"; sane-weather.sandbox.net = "clearnet"; - sc-im.sandbox.method = "bunpen"; sc-im.sandbox.autodetectCliPaths = "existingFile"; screen.sandbox.enable = false; #< tty; needs to run anything @@ -1101,13 +1023,11 @@ in doCheck = false; }); sequoia.buildCost = 1; - sequoia.sandbox.method = "bunpen"; sequoia.sandbox.whitelistPwd = true; sequoia.sandbox.autodetectCliPaths = "existingFileOrParent"; # supports `-o ` shattered-pixel-dungeon.buildCost = 1; shattered-pixel-dungeon.persist.byStore.plaintext = [ ".local/share/.shatteredpixel/shattered-pixel-dungeon" ]; - shattered-pixel-dungeon.sandbox.method = "bunpen"; shattered-pixel-dungeon.sandbox.whitelistAudio = true; shattered-pixel-dungeon.sandbox.whitelistDri = true; shattered-pixel-dungeon.sandbox.whitelistWayland = true; @@ -1117,14 +1037,11 @@ in # slic3r.persist.byStore.plaintext = [ # ".Slic3r" #< printer/filament settings # ]; - slic3r.sandbox.method = "bunpen"; slic3r.sandbox.autodetectCliPaths = "existingFileOrParent"; # slic3r .stl -o .gcode - slurp.sandbox.method = "bunpen"; slurp.sandbox.whitelistWayland = true; # use like `sudo smartctl /dev/sda -a` - smartmontools.sandbox.method = "bunpen"; smartmontools.sandbox.wrapperType = "inplace"; # ships a script in /etc that calls into its bin smartmontools.sandbox.autodetectCliPaths = "existing"; smartmontools.sandbox.capabilities = [ "sys_rawio" ]; @@ -1133,7 +1050,6 @@ in # TODO: enable dma heaps for more efficient buffer sharing: snapshot.sandbox.method = null; #< TODO: sandbox - sops.sandbox.method = "bunpen"; sops.sandbox.extraHomePaths = [ ".config/sops" "nixos" 
@@ -1142,23 +1058,20 @@ in "knowledge" ]; - sox.sandbox.method = "bunpen"; sox.sandbox.autodetectCliPaths = "existingFileOrParent"; sox.sandbox.whitelistAudio = true; space-cadet-pinball.buildCost = 1; space-cadet-pinball.persist.byStore.plaintext = [ ".local/share/SpaceCadetPinball" ]; - space-cadet-pinball.sandbox.method = "bunpen"; space-cadet-pinball.sandbox.whitelistAudio = true; space-cadet-pinball.sandbox.whitelistDri = true; space-cadet-pinball.sandbox.whitelistWayland = true; - speedtest-cli.sandbox.method = "bunpen"; speedtest-cli.sandbox.net = "all"; sqlite = {}; - sshfs-fuse.sandbox.method = "bunpen"; #< N.B. if you call this from the CLI -- without `mount.fuse` -- set this to `none` + # N.B. if you call sshfs-fuse from the CLI -- without `mount.fuse` -- disable sandboxing sshfs-fuse.sandbox.net = "all"; sshfs-fuse.sandbox.autodetectCliPaths = "parent"; # sshfs-fuse.sandbox.extraPaths = [ @@ -1178,18 +1091,15 @@ in sudo.sandbox.enable = false; superTux.buildCost = 1; - superTux.sandbox.method = "bunpen"; superTux.sandbox.whitelistAudio = true; superTux.sandbox.whitelistDri = true; superTux.sandbox.whitelistWayland = true; superTux.sandbox.whitelistX = true; superTux.persist.byStore.plaintext = [ ".local/share/supertux2" ]; - swappy.sandbox.method = "bunpen"; swappy.sandbox.autodetectCliPaths = "existingFileOrParent"; swappy.sandbox.whitelistWayland = true; - tcpdump.sandbox.method = "bunpen"; tcpdump.sandbox.net = "all"; tcpdump.sandbox.autodetectCliPaths = "existingFileOrParent"; tcpdump.sandbox.capabilities = [ "net_admin" "net_raw" ]; 
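Review bot: The rewritten comment above `sshfs-fuse.sandbox.net` in the `@@ -1142,23 +1058,20 @@` hunk says to "disable sandboxing" but no longer names the option to change, whereas the old text pointed at `sandbox.method`. This file uses two different switches, `sandbox.enable = false` and `sandbox.method = null`, and they may not behave the same, so the comment should name the one that is meant. Assuming it is the method, something like `# N.B. when calling sshfs-fuse from the CLI (without mount.fuse), set sshfs-fuse.sandbox.method = null` would do.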
@@ -1200,15 +1110,12 @@ in tokodon.buildCost = 1; tokodon.persist.byStore.private = [ ".cache/KDE/tokodon" ]; - tree.sandbox.method = "bunpen"; tree.sandbox.autodetectCliPaths = "existing"; tree.sandbox.whitelistPwd = true; - typescript-language-server.sandbox.method = "bunpen"; typescript-language-server.sandbox.whitelistPwd = true; tumiki-fighters.buildCost = 1; - tumiki-fighters.sandbox.method = "bunpen"; tumiki-fighters.sandbox.whitelistAudio = true; tumiki-fighters.sandbox.whitelistDri = true; #< not strictly necessary, but triples CPU perf tumiki-fighters.sandbox.whitelistWayland = true; @@ -1216,11 +1123,10 @@ in util-linux.sandbox.method = null; #< TODO: possible to sandbox if i specify a different profile for each of its ~50 binaries - unzip.sandbox.method = "bunpen"; unzip.sandbox.autodetectCliPaths = "existingOrParent"; unzip.sandbox.whitelistPwd = true; - usbutils.sandbox.method = "bunpen"; # breaks `usbhid-dump`, but `lsusb`, `usb-devices` work + # usbutils.sandbox.method = null; # fixes `usbhid-dump`. OTOH `lsusb`, `usb-devices` work under bunpen usbutils.sandbox.extraPaths = [ "/sys/devices" "/sys/bus/usb" @@ -1237,7 +1143,6 @@ in valgrind.sandbox.enable = false; #< it's a launcher: can't sandbox # `vulkaninfo`, `vkcube` - vulkan-tools.sandbox.method = "bunpen"; vulkan-tools.sandbox.whitelistDri = true; vulkan-tools.sandbox.whitelistWayland = true; vulkan-tools.sandbox.whitelistX = true; @@ -1247,13 +1152,11 @@ in ]; vvvvvv.buildCost = 1; - vvvvvv.sandbox.method = "bunpen"; vvvvvv.sandbox.whitelistAudio = true; vvvvvv.sandbox.whitelistDri = true; #< playable without, but burns noticably more CPU vvvvvv.sandbox.whitelistWayland = true; vvvvvv.persist.byStore.plaintext = [ ".local/share/VVVVVV" ]; - w3m.sandbox.method = "bunpen"; w3m.sandbox.net = "all"; w3m.sandbox.extraHomePaths = [ # little-used feature, but you can save web pages :) 
@@ -1262,10 +1165,8 @@ in watch.sandbox.enable = false; #< it executes the command it's given - wdisplays.sandbox.method = "bunpen"; wdisplays.sandbox.whitelistWayland = true; - wget.sandbox.method = "bunpen"; wget.sandbox.net = "all"; wget.sandbox.whitelistPwd = true; # saves to pwd by default @@ -1273,26 +1174,21 @@ in whalebird.persist.byStore.private = [ ".config/Whalebird" ]; # `wg`, `wg-quick` - wireguard-tools.sandbox.method = "bunpen"; wireguard-tools.sandbox.net = "all"; wireguard-tools.sandbox.capabilities = [ "net_admin" ]; wireguard-tools.sandbox.tryKeepUsers = true; # provides `iwconfig`, `iwlist`, `iwpriv`, ... - wirelesstools.sandbox.method = "bunpen"; wirelesstools.sandbox.net = "all"; wirelesstools.sandbox.capabilities = [ "net_admin" ]; wirelesstools.sandbox.tryKeepUsers = true; - wl-clipboard.sandbox.method = "bunpen"; wl-clipboard.sandbox.whitelistWayland = true; wl-clipboard.sandbox.keepPids = true; #< this is needed, but not sure why? wtype = {}; - wtype.sandbox.method = "bunpen"; wtype.sandbox.whitelistWayland = true; - xwayland.sandbox.method = "bunpen"; xwayland.sandbox.wrapperType = "inplace"; #< consumers use it as a library (e.g. wlroots) xwayland.sandbox.whitelistWayland = true; #< just assuming this is needed xwayland.sandbox.whitelistX = true; diff --git a/hosts/common/programs/audacity.nix b/hosts/common/programs/audacity.nix index bffa84b79..048dac0dd 100644 --- a/hosts/common/programs/audacity.nix +++ b/hosts/common/programs/audacity.nix @@ -16,7 +16,6 @@ buildCost = 1; - sandbox.method = "bunpen"; sandbox.whitelistAudio = true; sandbox.whitelistWayland = true; sandbox.autodetectCliPaths = "existingFile"; diff --git a/hosts/common/programs/ausyscall.nix b/hosts/common/programs/ausyscall.nix index 598bfc7fe..4d7bbf650 100644 --- a/hosts/common/programs/ausyscall.nix +++ b/hosts/common/programs/ausyscall.nix 
@@ -4,7 +4,6 @@ sane.programs.ausyscall = { packageUnwrapped = pkgs.linkBinIntoOwnPackage pkgs.audit "ausyscall"; - sandbox.method = "bunpen"; }; } diff --git a/hosts/common/programs/avahi.nix b/hosts/common/programs/avahi.nix index 4568e7f93..21c8ec074 100644 --- a/hosts/common/programs/avahi.nix +++ b/hosts/common/programs/avahi.nix @@ -28,7 +28,6 @@ in pkgs.makeBinaryWrapper ]; }); - sandbox.method = "bunpen"; sandbox.whitelistDbus = [ "system" ]; sandbox.net = "all"; #< otherwise it will show 'null' in place of each interface name. # sandbox.extraPaths = [ ]; #< may be missing some paths; only tried service discovery, not service advertisement. diff --git a/hosts/common/programs/blast-ugjka/default.nix b/hosts/common/programs/blast-ugjka/default.nix index 1e7319a89..24b93db78 100644 --- a/hosts/common/programs/blast-ugjka/default.nix +++ b/hosts/common/programs/blast-ugjka/default.nix @@ -24,7 +24,6 @@ let in { sane.programs.blast-ugjka = { - sandbox.method = "bunpen"; sandbox.whitelistAudio = true; sandbox.net = "clearnet"; }; @@ -36,7 +35,6 @@ in pkgs = [ "blast-ugjka" ]; srcRoot = ./.; }; - sandbox.method = "bunpen"; sandbox.whitelistAudio = true; sandbox.net = "clearnet"; #v else it fails to reap its children (or, maybe, it fails to hook its parent's death signal?) diff --git a/hosts/common/programs/bonsai.nix b/hosts/common/programs/bonsai.nix index 28965c6b9..26dbf0874 100644 --- a/hosts/common/programs/bonsai.nix +++ b/hosts/common/programs/bonsai.nix @@ -113,7 +113,6 @@ in fs.".config/bonsai/bonsai_tree.json".symlink.target = pkgs.writers.writeJSON "bonsai_tree.json" cfg.config.transitions; - sandbox.method = "bunpen"; sandbox.extraRuntimePaths = [ "bonsai" ]; diff --git a/hosts/common/programs/brave.nix b/hosts/common/programs/brave.nix index 8f66eb1e0..a88af27f6 100644 --- a/hosts/common/programs/brave.nix +++ b/hosts/common/programs/brave.nix 
@@ -13,7 +13,6 @@ else pkgs.runCommandLocal "brave-not-supported" {} "false" ; - sandbox.method = "bunpen"; sandbox.wrapperType = "inplace"; #< package contains dangling symlinks which my wrapper doesn't understand sandbox.net = "all"; sandbox.extraHomePaths = [ diff --git a/hosts/common/programs/brightnessctl.nix b/hosts/common/programs/brightnessctl.nix index 50449d09b..959a4524e 100644 --- a/hosts/common/programs/brightnessctl.nix +++ b/hosts/common/programs/brightnessctl.nix @@ -4,7 +4,6 @@ let in { sane.programs.brightnessctl = { - sandbox.method = "bunpen"; sandbox.extraPaths = [ "/sys/class/backlight" "/sys/class/leds" diff --git a/hosts/common/programs/callaudiod.nix b/hosts/common/programs/callaudiod.nix index 4e5bb94ab..3e8a5f8ae 100644 --- a/hosts/common/programs/callaudiod.nix +++ b/hosts/common/programs/callaudiod.nix @@ -13,7 +13,6 @@ sane.programs.callaudiod = { packageUnwrapped = pkgs.rmDbusServices pkgs.callaudiod; - sandbox.method = "bunpen"; sandbox.whitelistAudio = true; sandbox.whitelistDbus = [ "user" ]; diff --git a/hosts/common/programs/calls.nix b/hosts/common/programs/calls.nix index b12699af3..f7527125a 100644 --- a/hosts/common/programs/calls.nix +++ b/hosts/common/programs/calls.nix @@ -96,7 +96,6 @@ in ]; })); - sandbox.method = "bunpen"; sandbox.net = "vpn.wg-home"; #< XXX(2024/07/05): my cell carrier seems to block RTP, so tunnel it. sandbox.whitelistAudio = true; sandbox.whitelistDbus = [ "user" ]; # necessary for secrets, at the minimum diff --git a/hosts/common/programs/captree.nix b/hosts/common/programs/captree.nix index 901c2a8d9..e5be22e2e 100644 --- a/hosts/common/programs/captree.nix +++ b/hosts/common/programs/captree.nix @@ -2,7 +2,6 @@ { sane.programs.captree = { packageUnwrapped = pkgs.linkBinIntoOwnPackage pkgs.libcap-with-captree "captree"; - sandbox.method = "bunpen"; sandbox.keepPidsAndProc = true; }; } 
diff --git a/hosts/common/programs/celeste64.nix b/hosts/common/programs/celeste64.nix index 4705cfba7..1ff91a81f 100644 --- a/hosts/common/programs/celeste64.nix +++ b/hosts/common/programs/celeste64.nix @@ -3,7 +3,6 @@ sane.programs.celeste64 = { buildCost = 1; - sandbox.method = "bunpen"; sandbox.whitelistAudio = true; sandbox.whitelistDri = true; sandbox.whitelistWayland = true; diff --git a/hosts/common/programs/conky/default.nix b/hosts/common/programs/conky/default.nix index 9a298904f..a8504b944 100644 --- a/hosts/common/programs/conky/default.nix +++ b/hosts/common/programs/conky/default.nix @@ -1,7 +1,6 @@ { ... }: { sane.programs.conky = { - sandbox.method = "bunpen"; sandbox.net = "clearnet"; #< for the scripts it calls (weather) sandbox.extraPaths = [ "/sys/class/power_supply" diff --git a/hosts/common/programs/curl.nix b/hosts/common/programs/curl.nix index 706253cfa..2fb846ab9 100644 --- a/hosts/common/programs/curl.nix +++ b/hosts/common/programs/curl.nix @@ -1,7 +1,6 @@ { ... }: { sane.programs.curl = { - sandbox.method = "bunpen"; sandbox.net = "all"; sandbox.autodetectCliPaths = "parent"; #< for `-o` option }; diff --git a/hosts/common/programs/curlftpfs.nix b/hosts/common/programs/curlftpfs.nix index 9c96bb039..3291d2a29 100644 --- a/hosts/common/programs/curlftpfs.nix +++ b/hosts/common/programs/curlftpfs.nix @@ -2,7 +2,6 @@ { sane.programs.curlftpfs = { packageUnwrapped = pkgs.curlftpfs-sane; - sandbox.method = "bunpen"; sandbox.net = "all"; sandbox.autodetectCliPaths = "existing"; sandbox.keepPids = true; diff --git a/hosts/common/programs/dbus.nix b/hosts/common/programs/dbus.nix index 155f21faf..81e4b11ce 100644 --- a/hosts/common/programs/dbus.nix +++ b/hosts/common/programs/dbus.nix @@ -32,7 +32,6 @@ in ''; }); - sandbox.method = "bunpen"; sandbox.extraRuntimePaths = [ "dbus" ]; diff --git a/hosts/common/programs/dconf.nix b/hosts/common/programs/dconf.nix index 7b454604f..db09e5c60 100644 --- a/hosts/common/programs/dconf.nix 
+++ b/hosts/common/programs/dconf.nix @@ -25,7 +25,6 @@ in }; packageUnwrapped = pkgs.rmDbusServicesInPlace pkgs.dconf; - sandbox.method = "bunpen"; sandbox.whitelistDbus = [ "user" ]; persist.byStore.private = [ ".config/dconf" diff --git a/hosts/common/programs/dialect.nix b/hosts/common/programs/dialect.nix index 53245109b..abdc0b440 100644 --- a/hosts/common/programs/dialect.nix +++ b/hosts/common/programs/dialect.nix @@ -14,7 +14,6 @@ buildCost = 1; - sandbox.method = "bunpen"; sandbox.wrapperType = "inplace"; # share/search_providers/ calls back into the binary, weird wrap semantics sandbox.whitelistWayland = true; sandbox.net = "clearnet"; diff --git a/hosts/common/programs/dino.nix b/hosts/common/programs/dino.nix index 69d8d2c9a..df730d93c 100644 --- a/hosts/common/programs/dino.nix +++ b/hosts/common/programs/dino.nix @@ -58,7 +58,6 @@ in webrtc-audio-processing = null; }; - sandbox.method = "bunpen"; sandbox.net = "clearnet"; sandbox.whitelistAudio = true; sandbox.whitelistDbus = [ "user" ]; # notifications diff --git a/hosts/common/programs/dissent.nix b/hosts/common/programs/dissent.nix index 42595dcd4..34d8dfb84 100644 --- a/hosts/common/programs/dissent.nix +++ b/hosts/common/programs/dissent.nix @@ -31,7 +31,6 @@ in --replace-fail '"login"' '"Default_keyring"' ''; }); - sandbox.method = "bunpen"; sandbox.net = "clearnet"; sandbox.whitelistAudio = true; sandbox.whitelistDbus = [ "user" ]; # notifications diff --git a/hosts/common/programs/dtrx.nix b/hosts/common/programs/dtrx.nix index 55dfb6a26..27a537fb6 100644 --- a/hosts/common/programs/dtrx.nix +++ b/hosts/common/programs/dtrx.nix @@ -9,7 +9,6 @@ # build without rpm support, since `rpm` package doesn't cross-compile. rpm = null; }; - sandbox.method = "bunpen"; sandbox.whitelistPwd = true; sandbox.autodetectCliPaths = "existing"; #< for the archive }; diff --git a/hosts/common/programs/eg25-control.nix b/hosts/common/programs/eg25-control.nix index 4d27b66de..7f71f123c 100644 
--- a/hosts/common/programs/eg25-control.nix +++ b/hosts/common/programs/eg25-control.nix @@ -6,7 +6,6 @@ in sane.programs.eg25-control = { suggestedPrograms = [ "mmcli" ]; - sandbox.method = "bunpen"; sandbox.extraPaths = [ "/dev/gpiochip1" "/sys/class/modem-power" diff --git a/hosts/common/programs/element-desktop.nix b/hosts/common/programs/element-desktop.nix index 3c7bf649d..0268919c7 100644 --- a/hosts/common/programs/element-desktop.nix +++ b/hosts/common/programs/element-desktop.nix @@ -27,7 +27,6 @@ buildCost = 1; - sandbox.method = "bunpen"; sandbox.net = "clearnet"; sandbox.whitelistAudio = true; sandbox.whitelistDbus = [ "user" ]; # notifications diff --git a/hosts/common/programs/engrampa.nix b/hosts/common/programs/engrampa.nix index 237c1bdfb..9eca362e8 100644 --- a/hosts/common/programs/engrampa.nix +++ b/hosts/common/programs/engrampa.nix @@ -2,7 +2,6 @@ { sane.programs."mate.engrampa" = { packageUnwrapped = pkgs.rmDbusServices pkgs.mate.engrampa; - sandbox.method = "bunpen"; sandbox.whitelistWayland = true; sandbox.autodetectCliPaths = "existingOrParent"; sandbox.extraHomePaths = [ diff --git a/hosts/common/programs/epiphany.nix b/hosts/common/programs/epiphany.nix index 0fd15eab2..07bdcf72d 100644 --- a/hosts/common/programs/epiphany.nix +++ b/hosts/common/programs/epiphany.nix @@ -8,7 +8,6 @@ { pkgs, ... }: { sane.programs.epiphany = { - sandbox.method = "bunpen"; sandbox.wrapperType = "inplace"; # /share/epiphany/default-bookmarks.rdf refers back to /share; dbus files to /libexec sandbox.net = "clearnet"; sandbox.whitelistAudio = true; diff --git a/hosts/common/programs/errno.nix b/hosts/common/programs/errno.nix index 92336596d..b598fbad6 100644 --- a/hosts/common/programs/errno.nix +++ b/hosts/common/programs/errno.nix @@ -12,6 +12,5 @@ buildInputs = []; #< errno has no runtime perl deps, and they don't cross compile, so disable them. }); - sandbox.method = "bunpen"; }; } 
diff --git a/hosts/common/programs/exiftool.nix b/hosts/common/programs/exiftool.nix index 4b1f9aa6f..d738415e9 100644 --- a/hosts/common/programs/exiftool.nix +++ b/hosts/common/programs/exiftool.nix @@ -1,7 +1,6 @@ { ... }: { sane.programs.exiftool = { - sandbox.method = "bunpen"; sandbox.autodetectCliPaths = "existingFile"; }; } diff --git a/hosts/common/programs/fcitx5.nix b/hosts/common/programs/fcitx5.nix index b45431876..6f2da2c3c 100644 --- a/hosts/common/programs/fcitx5.nix +++ b/hosts/common/programs/fcitx5.nix @@ -34,7 +34,6 @@ ]; }; - sandbox.method = "bunpen"; sandbox.whitelistDbus = [ "user" ]; sandbox.whitelistWayland = true; # for `fcitx5-configtool, if nothing else` sandbox.extraHomePaths = [ diff --git a/hosts/common/programs/feedbackd.nix b/hosts/common/programs/feedbackd.nix index f41af1912..35892fad1 100644 --- a/hosts/common/programs/feedbackd.nix +++ b/hosts/common/programs/feedbackd.nix @@ -24,7 +24,6 @@ in default = {}; }; - sandbox.method = "bunpen"; sandbox.whitelistDbus = [ "user" ]; sandbox.whitelistAudio = true; diff --git a/hosts/common/programs/firefox-xdg-open.nix b/hosts/common/programs/firefox-xdg-open.nix index 8fba81e5f..866c8c26a 100644 --- a/hosts/common/programs/firefox-xdg-open.nix +++ b/hosts/common/programs/firefox-xdg-open.nix @@ -3,7 +3,6 @@ sane.programs.firefox-xdg-open = { packageUnwrapped = pkgs.firefox-extensions.firefox-xdg-open.systemComponent; - sandbox.method = "bunpen"; sandbox.whitelistDbus = [ "user" ]; # for xdg-open/portals mime.associations."x-scheme-handler/xdg-open" = "xdg-open.desktop"; diff --git a/hosts/common/programs/firefox/default.nix b/hosts/common/programs/firefox/default.nix index 6a4836082..ee15a7291 100644 --- a/hosts/common/programs/firefox/default.nix +++ b/hosts/common/programs/firefox/default.nix 
@@ -204,7 +204,6 @@ in inherit packageUnwrapped; - sandbox.method = "bunpen"; sandbox.net = "all"; sandbox.whitelistAudio = true; sandbox.whitelistAvDev = true; #< it doesn't seem to use pipewire, but direct /dev/videoN (as of 2024/09/12) diff --git a/hosts/common/programs/foliate.nix b/hosts/common/programs/foliate.nix index 4cf48520f..9a711cc4f 100644 --- a/hosts/common/programs/foliate.nix +++ b/hosts/common/programs/foliate.nix @@ -2,7 +2,6 @@ { ... }: { sane.programs.foliate = { - sandbox.method = "bunpen"; sandbox.net = "clearnet"; #< for dictionary, wikipedia, online book libraries sandbox.whitelistDbus = [ "user" ]; #< when clicking on links sandbox.whitelistDri = true; # reduces startup time and subjective page flip time diff --git a/hosts/common/programs/fontconfig.nix b/hosts/common/programs/fontconfig.nix index 739b3489c..ccf55a0da 100644 --- a/hosts/common/programs/fontconfig.nix +++ b/hosts/common/programs/fontconfig.nix @@ -55,7 +55,6 @@ let in { sane.programs.fontconfig = { - sandbox.method = "bunpen"; sandbox.autodetectCliPaths = "existingOrParent"; #< this might be overkill; or, how many programs reference fontconfig internally? # persist.byStore.plaintext = [ diff --git a/hosts/common/programs/fractal.nix b/hosts/common/programs/fractal.nix index 8463d24c3..290970588 100644 --- a/hosts/common/programs/fractal.nix +++ b/hosts/common/programs/fractal.nix @@ -26,7 +26,6 @@ in packageUnwrapped = pkgs.fractal-nixified.optimized; # packageUnwrapped = pkgs.fractal; - sandbox.method = "bunpen"; sandbox.net = "clearnet"; sandbox.whitelistAudio = true; sandbox.whitelistDbus = [ "user" ]; # notifications diff --git a/hosts/common/programs/free.nix b/hosts/common/programs/free.nix index b075e85d0..8cf89039f 100644 --- a/hosts/common/programs/free.nix +++ b/hosts/common/programs/free.nix 
@@ -2,7 +2,6 @@ { sane.programs.free = { packageUnwrapped = pkgs.linkBinIntoOwnPackage pkgs.procps "free"; - sandbox.method = "bunpen"; sandbox.extraPaths = [ "/proc/meminfo" ]; }; } diff --git a/hosts/common/programs/frozen-bubble.nix b/hosts/common/programs/frozen-bubble.nix index c2358ee90..f5194af02 100644 --- a/hosts/common/programs/frozen-bubble.nix +++ b/hosts/common/programs/frozen-bubble.nix @@ -11,7 +11,6 @@ }); buildCost = 1; - sandbox.method = "bunpen"; sandbox.net = "clearnet"; # net play sandbox.whitelistAudio = true; sandbox.whitelistWayland = true; diff --git a/hosts/common/programs/g4music.nix b/hosts/common/programs/g4music.nix index b2abf98b0..b1159f3f9 100644 --- a/hosts/common/programs/g4music.nix +++ b/hosts/common/programs/g4music.nix @@ -10,7 +10,6 @@ sane.programs.g4music = { buildCost = 1; - sandbox.method = "bunpen"; sandbox.whitelistAudio = true; sandbox.whitelistDbus = [ "user" ]; # mpris sandbox.whitelistWayland = true; diff --git a/hosts/common/programs/gdbus.nix b/hosts/common/programs/gdbus.nix index fa82e2b5d..e1111ebd5 100644 --- a/hosts/common/programs/gdbus.nix +++ b/hosts/common/programs/gdbus.nix @@ -3,7 +3,6 @@ sane.programs.gdbus = { packageUnwrapped = pkgs.linkBinIntoOwnPackage pkgs.glib "gdbus"; - sandbox.method = "bunpen"; sandbox.whitelistDbus = [ "user" ]; #< XXX: maybe future users will also want system access }; } diff --git a/hosts/common/programs/geary.nix b/hosts/common/programs/geary.nix index d226416f2..19faa8e94 100644 --- a/hosts/common/programs/geary.nix +++ b/hosts/common/programs/geary.nix @@ -19,7 +19,6 @@ in }; }; - sandbox.method = "bunpen"; sandbox.wrapperType = "inplace"; #< XXX(2024-08-20): if executed from a directory different than the configured prefix, it fails to locate its sql migration files sandbox.net = "clearnet"; sandbox.whitelistDbus = [ "user" ]; # notifications 
diff --git a/hosts/common/programs/geoclue-demo-agent.nix b/hosts/common/programs/geoclue-demo-agent.nix index cabcf61d5..271e60743 100644 --- a/hosts/common/programs/geoclue-demo-agent.nix +++ b/hosts/common/programs/geoclue-demo-agent.nix @@ -7,7 +7,6 @@ path = "${config.sane.programs.geoclue2.packageUnwrapped}/libexec/geoclue-2.0/demos/agent"; }]; - sandbox.method = "bunpen"; sandbox.whitelistDbus = [ "system" ]; diff --git a/hosts/common/programs/git.nix b/hosts/common/programs/git.nix index 88d79c550..2ce0f7467 100644 --- a/hosts/common/programs/git.nix +++ b/hosts/common/programs/git.nix @@ -18,7 +18,6 @@ in rm "$out/bin/git-jump" ''; }); - sandbox.method = "bunpen"; sandbox.net = "clearnet"; sandbox.whitelistPwd = true; sandbox.autodetectCliPaths = true; # necessary for git-upload-pack diff --git a/hosts/common/programs/gnome-clocks.nix b/hosts/common/programs/gnome-clocks.nix index be67196f4..c551bebc1 100644 --- a/hosts/common/programs/gnome-clocks.nix +++ b/hosts/common/programs/gnome-clocks.nix @@ -12,7 +12,6 @@ }); buildCost = 1; - sandbox.method = "bunpen"; sandbox.whitelistAudio = true; sandbox.whitelistDbus = [ "user" ]; #< required (alongside .config/dconf) to remember timers sandbox.whitelistWayland = true; diff --git a/hosts/common/programs/gnome-keyring/default.nix b/hosts/common/programs/gnome-keyring/default.nix index f0c5cc813..25fb26bc7 100644 --- a/hosts/common/programs/gnome-keyring/default.nix +++ b/hosts/common/programs/gnome-keyring/default.nix @@ -3,7 +3,6 @@ { sane.programs.gnome-keyring = { packageUnwrapped = pkgs.rmDbusServices pkgs.gnome-keyring; - sandbox.method = "bunpen"; sandbox.whitelistDbus = [ "user" ]; sandbox.extraRuntimePaths = [ "keyring" #< only needs keyring/control, but has to *create* that. diff --git a/hosts/common/programs/gnome-maps.nix b/hosts/common/programs/gnome-maps.nix index a10d21ed2..1dd03b6af 100644 --- a/hosts/common/programs/gnome-maps.nix +++ b/hosts/common/programs/gnome-maps.nix 
@@ -37,7 +37,6 @@ ]; sandbox.wrapperType = "inplace"; #< /share directory contains Gir info which references libgnome-maps.so by path - sandbox.method = "bunpen"; sandbox.whitelistDri = true; # for perf sandbox.whitelistDbus = [ "system" # system is required for non-portal location services diff --git a/hosts/common/programs/gnome-weather.nix b/hosts/common/programs/gnome-weather.nix index a94e450db..c2ba3b937 100644 --- a/hosts/common/programs/gnome-weather.nix +++ b/hosts/common/programs/gnome-weather.nix @@ -5,7 +5,6 @@ sane.programs.gnome-weather = { buildCost = 1; - sandbox.method = "bunpen"; sandbox.wrapperType = "inplace"; #< /share/org.gnome.Weather/org.gnome.Weather file refers to bins by full path sandbox.whitelistWayland = true; sandbox.net = "clearnet"; diff --git a/hosts/common/programs/go2tv.nix b/hosts/common/programs/go2tv.nix index 72cf210bc..a8b76170d 100644 --- a/hosts/common/programs/go2tv.nix +++ b/hosts/common/programs/go2tv.nix @@ -48,7 +48,6 @@ let in { sane.programs.go2tv = { - sandbox.method = "bunpen"; sandbox.net = "clearnet"; sandbox.autodetectCliPaths = "existingFile"; # for GUI invocation, allow the common media directories diff --git a/hosts/common/programs/gocryptfs.nix b/hosts/common/programs/gocryptfs.nix index 62d84a2f1..e19f835b7 100644 --- a/hosts/common/programs/gocryptfs.nix +++ b/hosts/common/programs/gocryptfs.nix @@ -1,7 +1,6 @@ { ... }: { sane.programs.gocryptfs = { - sandbox.method = "bunpen"; sandbox.autodetectCliPaths = "existing"; sandbox.capabilities = [ # CAP_SYS_ADMIN is only required if directly invoking gocryptfs. diff --git a/hosts/common/programs/gpodder.nix b/hosts/common/programs/gpodder.nix index 4e8972556..5af1bb597 100644 --- a/hosts/common/programs/gpodder.nix +++ b/hosts/common/programs/gpodder.nix @@ -22,7 +22,6 @@ in { ]; }); - sandbox.method = "bunpen"; sandbox.whitelistDbus = [ "user" ]; # it won't launch without it, dunno exactly why. sandbox.whitelistWayland = true; sandbox.net = "clearnet"; 
diff --git a/hosts/common/programs/gps-share.nix b/hosts/common/programs/gps-share.nix index 49156e376..703aea75e 100644 --- a/hosts/common/programs/gps-share.nix +++ b/hosts/common/programs/gps-share.nix @@ -26,7 +26,6 @@ in # and systemd, for udevadm ]; - sandbox.method = "bunpen"; sandbox.net = "all"; sandbox.autodetectCliPaths = "existing"; #< N.B.: `test -f /dev/ttyUSB1` fails, we can't use `existingFile` sandbox.whitelistDbus = [ "system" ]; #< to register with Avahi diff --git a/hosts/common/programs/grimshot.nix b/hosts/common/programs/grimshot.nix index 969a69892..81a053ea4 100644 --- a/hosts/common/programs/grimshot.nix +++ b/hosts/common/programs/grimshot.nix @@ -14,7 +14,6 @@ # "sway" "wl-clipboard" ]; - sandbox.method = "bunpen"; sandbox.keepPids = true; #< needed by wl-clipboard sandbox.whitelistWayland = true; sandbox.whitelistDbus = [ "user" ]; diff --git a/hosts/common/programs/gst-device-monitor.nix b/hosts/common/programs/gst-device-monitor.nix index 23fbdd0b9..984cc44bf 100644 --- a/hosts/common/programs/gst-device-monitor.nix +++ b/hosts/common/programs/gst-device-monitor.nix @@ -23,7 +23,6 @@ ]; }); - sandbox.method = "bunpen"; sandbox.whitelistAudio = true; sandbox.extraPaths = [ "/dev" # tried, but failed to narrow this down (moby) diff --git a/hosts/common/programs/handbrake.nix b/hosts/common/programs/handbrake.nix index 815566cbf..496dca92e 100644 --- a/hosts/common/programs/handbrake.nix +++ b/hosts/common/programs/handbrake.nix @@ -3,7 +3,6 @@ sane.programs.handbrake = { buildCost = 1; - sandbox.method = "bunpen"; #< untested sandbox.whitelistDbus = [ "user" ]; # notifications sandbox.whitelistWayland = true; sandbox.extraHomePaths = [ diff --git a/hosts/common/programs/haredoc.nix b/hosts/common/programs/haredoc.nix index b1873a9cc..570caf5f4 100644 --- a/hosts/common/programs/haredoc.nix +++ b/hosts/common/programs/haredoc.nix 
@@ -2,7 +2,6 @@ { pkgs, ... }: { sane.programs.haredoc = { - sandbox.method = "bunpen"; sandbox.whitelistPwd = true; #< search for function documentation below the current directory env.HAREPATH = "${pkgs.hare}/src/hare/stdlib"; }; diff --git a/hosts/common/programs/htop/default.nix b/hosts/common/programs/htop/default.nix index 52a4178b2..c26b3b199 100644 --- a/hosts/common/programs/htop/default.nix +++ b/hosts/common/programs/htop/default.nix @@ -1,7 +1,6 @@ { ... }: { sane.programs.htop = { - sandbox.method = "bunpen"; sandbox.keepPidsAndProc = true; sandbox.extraPaths = [ "/sys/devices" diff --git a/hosts/common/programs/imagemagick.nix b/hosts/common/programs/imagemagick.nix index feb98bd77..b3429ced4 100644 --- a/hosts/common/programs/imagemagick.nix +++ b/hosts/common/programs/imagemagick.nix @@ -3,7 +3,6 @@ sane.programs.imagemagick = { buildCost = 1; - sandbox.method = "bunpen"; sandbox.wrapperType = "inplace"; # /etc/ImageMagick-7/delegates.xml refers to bins by absolute path sandbox.whitelistPwd = true; sandbox.autodetectCliPaths = "existingOrParent"; #< arg formatting is complicated enough that this won't always work. diff --git a/hosts/common/programs/inkscape.nix b/hosts/common/programs/inkscape.nix index 55bfb408b..6571bd2c9 100644 --- a/hosts/common/programs/inkscape.nix +++ b/hosts/common/programs/inkscape.nix @@ -2,7 +2,6 @@ { sane.programs.inkscape = { buildCost = 1; - sandbox.method = "bunpen"; sandbox.whitelistWayland = true; sandbox.extraHomePaths = [ ".config/dconf" #< else opening images fails diff --git a/hosts/common/programs/kdenlive.nix b/hosts/common/programs/kdenlive.nix index 7f3dfe107..4649a8198 100644 --- a/hosts/common/programs/kdenlive.nix +++ b/hosts/common/programs/kdenlive.nix @@ -3,7 +3,6 @@ sane.programs.kdenlive = { buildCost = 1; - sandbox.method = "bunpen"; sandbox.extraHomePaths = [ "Music" "Pictures/from" # e.g. Videos taken from my phone 
diff --git a/hosts/common/programs/komikku.nix b/hosts/common/programs/komikku.nix index 69ac43979..76b662abf 100644 --- a/hosts/common/programs/komikku.nix +++ b/hosts/common/programs/komikku.nix @@ -10,7 +10,6 @@ '' + (upstream.preFixup or ""); }); - sandbox.method = "bunpen"; sandbox.net = "clearnet"; sandbox.whitelistDbus = [ "user" ]; # needs to connect to dconf via dbus sandbox.whitelistDri = true; #< required diff --git a/hosts/common/programs/krita.nix b/hosts/common/programs/krita.nix index c5e3beaac..1f4fd5410 100644 --- a/hosts/common/programs/krita.nix +++ b/hosts/common/programs/krita.nix @@ -2,7 +2,6 @@ { sane.programs.krita = { buildCost = 1; - sandbox.method = "bunpen"; sandbox.whitelistWayland = true; sandbox.whitelistX = true; sandbox.autodetectCliPaths = "existing"; diff --git a/hosts/common/programs/less.nix b/hosts/common/programs/less.nix index 8c03790b4..708d927c2 100644 --- a/hosts/common/programs/less.nix +++ b/hosts/common/programs/less.nix @@ -1,7 +1,6 @@ { ... }: { sane.programs.less = { - sandbox.method = "bunpen"; sandbox.autodetectCliPaths = "existingFile"; env.PAGER = "less"; # LESS flags: diff --git a/hosts/common/programs/lftp.nix b/hosts/common/programs/lftp.nix index bbb5a6ddd..027afddf0 100644 --- a/hosts/common/programs/lftp.nix +++ b/hosts/common/programs/lftp.nix @@ -9,7 +9,6 @@ { ... }: { sane.programs.lftp = { - sandbox.method = "bunpen"; sandbox.net = "all"; sandbox.extraPaths = [ "Music" diff --git a/hosts/common/programs/libreoffice.nix b/hosts/common/programs/libreoffice.nix index 785fac59d..a84d43d53 100644 --- a/hosts/common/programs/libreoffice.nix +++ b/hosts/common/programs/libreoffice.nix @@ -6,7 +6,6 @@ # packageUnwrapped = pkgs.libreoffice-bin; # packageUnwrapped = pkgs.libreoffice-still; packageUnwrapped = pkgs.libreoffice-fresh; - sandbox.method = "bunpen"; sandbox.whitelistWayland = true; sandbox.autodetectCliPaths = "existingFile"; sandbox.extraHomePaths = [ 
diff --git a/hosts/common/programs/loupe.nix b/hosts/common/programs/loupe.nix index 02c6d7363..3d7b065c9 100644 --- a/hosts/common/programs/loupe.nix +++ b/hosts/common/programs/loupe.nix @@ -12,7 +12,6 @@ # ''; # })); - sandbox.method = "bunpen"; sandbox.whitelistDri = true; #< faster rendering sandbox.whitelistWayland = true; sandbox.autodetectCliPaths = "parent"; diff --git a/hosts/common/programs/megapixels-next.nix b/hosts/common/programs/megapixels-next.nix index 45b295676..3ca1dfe6b 100644 --- a/hosts/common/programs/megapixels-next.nix +++ b/hosts/common/programs/megapixels-next.nix @@ -24,7 +24,6 @@ }); # this sandboxing was derived from original megapixels: possibly inaccurate - sandbox.method = "bunpen"; sandbox.wrapperType = "inplace"; #< for share/megapixels/movie.sh sandbox.whitelistDri = true; sandbox.whitelistWayland = true; diff --git a/hosts/common/programs/mepo.nix b/hosts/common/programs/mepo.nix index a44b444ce..8b37c2d9f 100644 --- a/hosts/common/programs/mepo.nix +++ b/hosts/common/programs/mepo.nix @@ -12,7 +12,6 @@ ) ''; }); - sandbox.method = "bunpen"; sandbox.net = "all"; # for tiles *and* for localhost comm to gpsd sandbox.whitelistDri = true; sandbox.whitelistWayland = true; diff --git a/hosts/common/programs/mimetype.nix b/hosts/common/programs/mimetype.nix index 9fc7af24c..f399b8b8b 100644 --- a/hosts/common/programs/mimetype.nix +++ b/hosts/common/programs/mimetype.nix @@ -2,7 +2,6 @@ { sane.programs.mimetype = { packageUnwrapped = pkgs.linkBinIntoOwnPackage pkgs.perlPackages.FileMimeInfo "mimetype"; - sandbox.method = "bunpen"; sandbox.autodetectCliPaths = "existing"; }; } diff --git a/hosts/common/programs/mpv/default.nix b/hosts/common/programs/mpv/default.nix index 2943516b4..26e53be4a 100644 --- a/hosts/common/programs/mpv/default.nix +++ b/hosts/common/programs/mpv/default.nix 
@@ -179,7 +179,6 @@ in "yt-dlp" ]; - sandbox.method = "bunpen"; sandbox.autodetectCliPaths = "parent"; #< especially for subtitle downloader; also nice for viewing albums sandbox.net = "all"; sandbox.whitelistAudio = true; diff --git a/hosts/common/programs/nautilus.nix b/hosts/common/programs/nautilus.nix index 2e0a45b0e..514453a04 100644 --- a/hosts/common/programs/nautilus.nix +++ b/hosts/common/programs/nautilus.nix @@ -14,7 +14,6 @@ # "gvfs" # browse ftp://, etc (TODO: fix!) # ]; - sandbox.method = "bunpen"; sandbox.whitelistDbus = [ "user" ]; # for portals launching apps sandbox.whitelistWayland = true; sandbox.extraHomePaths = [ diff --git a/hosts/common/programs/neovim/default.nix b/hosts/common/programs/neovim/default.nix index d5614ecca..db7b984f7 100644 --- a/hosts/common/programs/neovim/default.nix +++ b/hosts/common/programs/neovim/default.nix @@ -40,7 +40,6 @@ in # "vala-language-server" #< 2024-08-26: fails to recognize any imported types, complains they're all `null` ]; - sandbox.method = "bunpen"; sandbox.autodetectCliPaths = "existingOrParent"; sandbox.whitelistWayland = true; # for system clipboard integration # sandbox.whitelistPwd = true; diff --git a/hosts/common/programs/networkmanager_dmenu/default.nix b/hosts/common/programs/networkmanager_dmenu/default.nix index dc9527ae2..9fb8da6a5 100644 --- a/hosts/common/programs/networkmanager_dmenu/default.nix +++ b/hosts/common/programs/networkmanager_dmenu/default.nix @@ -2,7 +2,6 @@ { ... }: { sane.programs.networkmanager_dmenu = { - sandbox.method = "bunpen"; # sandbox.keepPidsAndProc = true; #< else it can't connect to NetworkManager (?) sandbox.whitelistDbus = [ "system" diff --git a/hosts/common/programs/newsflash.nix b/hosts/common/programs/newsflash.nix index fea16ea58..502f7769c 100644 --- a/hosts/common/programs/newsflash.nix +++ b/hosts/common/programs/newsflash.nix 
@@ -15,7 +15,6 @@ let wanted-feeds = feeds.filterByFormat [ "text" "image" "podcast" "video" ] all-feeds; in { sane.programs.newsflash = { - sandbox.method = "bunpen"; sandbox.net = "clearnet"; sandbox.whitelistAudio = true; #< for embedded videos sandbox.whitelistDbus = [ "user" ]; diff --git a/hosts/common/programs/nicotine-plus.nix b/hosts/common/programs/nicotine-plus.nix index 13e8fc358..08559730e 100644 --- a/hosts/common/programs/nicotine-plus.nix +++ b/hosts/common/programs/nicotine-plus.nix @@ -13,7 +13,6 @@ ${upstream.postInstall} ''; }); - sandbox.method = "bunpen"; sandbox.whitelistDri = true; #< required, else it fails to launch the gui sandbox.whitelistWayland = true; sandbox.net = "vpn"; diff --git a/hosts/common/programs/nix-index.nix b/hosts/common/programs/nix-index.nix index 926280541..594ebf84c 100644 --- a/hosts/common/programs/nix-index.nix +++ b/hosts/common/programs/nix-index.nix @@ -2,7 +2,6 @@ { # provides `nix-locate`, backed by the manually run `nix-index` sane.programs.nix-index = { - sandbox.method = "bunpen"; sandbox.net = "clearnet"; sandbox.extraPaths = [ "/nix" diff --git a/hosts/common/programs/nmcli.nix b/hosts/common/programs/nmcli.nix index 55da5e928..59b3f609e 100644 --- a/hosts/common/programs/nmcli.nix +++ b/hosts/common/programs/nmcli.nix @@ -2,7 +2,6 @@ { sane.programs.nmcli = { packageUnwrapped = pkgs.networkmanager-split.nmcli; - sandbox.method = "bunpen"; sandbox.whitelistDbus = [ "system" ]; diff --git a/hosts/common/programs/nwg-panel/default.nix b/hosts/common/programs/nwg-panel/default.nix index 811a4a098..a64a57e36 100644 --- a/hosts/common/programs/nwg-panel/default.nix +++ b/hosts/common/programs/nwg-panel/default.nix @@ -187,7 +187,6 @@ in playerctlChars = if cfg.config.mediaTitle then 60 else 0; }); - sandbox.method = "bunpen"; sandbox.whitelistAudio = true; sandbox.whitelistDri = true; sandbox.whitelistS6 = true; 
diff --git a/hosts/common/programs/objdump.nix b/hosts/common/programs/objdump.nix index f32dbf72a..0fd503d3d 100644 --- a/hosts/common/programs/objdump.nix +++ b/hosts/common/programs/objdump.nix @@ -4,7 +4,6 @@ # binutils-unwrapped is like 80 MiB, just for this one binary; # dynamic linking means copying the binary doesn't reduce the closure much at all compared to just symlinking it. packageUnwrapped = pkgs.linkBinIntoOwnPackage pkgs.binutils-unwrapped "objdump"; - sandbox.method = "bunpen"; sandbox.autodetectCliPaths = "existingFile"; }; } diff --git a/hosts/common/programs/ols.nix b/hosts/common/programs/ols.nix index 4a4e36dcd..1ab1cbe26 100644 --- a/hosts/common/programs/ols.nix +++ b/hosts/common/programs/ols.nix @@ -39,7 +39,6 @@ secrets.".config/ols/ols.toml" = ../../../secrets/common/ols.toml.bin; - sandbox.method = "bunpen"; sandbox.net = "all"; services.ols = { diff --git a/hosts/common/programs/pactl.nix b/hosts/common/programs/pactl.nix index a3f8c059e..69766ec71 100644 --- a/hosts/common/programs/pactl.nix +++ b/hosts/common/programs/pactl.nix @@ -2,7 +2,6 @@ { sane.programs.pactl = { packageUnwrapped = pkgs.linkBinIntoOwnPackage pkgs.pulseaudio "pactl"; - sandbox.method = "bunpen"; sandbox.whitelistAudio = true; }; } diff --git a/hosts/common/programs/papers.nix b/hosts/common/programs/papers.nix index eafb87410..cb24b8de6 100644 --- a/hosts/common/programs/papers.nix +++ b/hosts/common/programs/papers.nix @@ -2,7 +2,6 @@ { sane.programs.papers = { buildCost = 2; #< webkitgtk - sandbox.method = "bunpen"; sandbox.whitelistDbus = [ "user" ]; #< for clicking links sandbox.whitelistDri = true; #< speedier sandbox.whitelistWayland = true; diff --git a/hosts/common/programs/pidof.nix b/hosts/common/programs/pidof.nix index 12a8d3e91..dc2c9b2dd 100644 --- a/hosts/common/programs/pidof.nix +++ b/hosts/common/programs/pidof.nix 
@@ -2,7 +2,6 @@ { sane.programs.pidof = { packageUnwrapped = pkgs.linkBinIntoOwnPackage pkgs.procps "pidof"; - sandbox.method = "bunpen"; sandbox.keepPidsAndProc = true; }; } diff --git a/hosts/common/programs/pipewire/default.nix b/hosts/common/programs/pipewire/default.nix index 0a73c6ac3..3ff4c4517 100644 --- a/hosts/common/programs/pipewire/default.nix +++ b/hosts/common/programs/pipewire/default.nix @@ -54,8 +54,6 @@ in "wireplumber" ]; - # sandbox.method = "landlock"; #< works, including without rtkit - sandbox.method = "bunpen"; #< also works, but can't claim the full scheduling priority it wants sandbox.whitelistAudio = true; # sandbox.whitelistDbus = [ # # dbus is used for rtkit integration diff --git a/hosts/common/programs/pkill.nix b/hosts/common/programs/pkill.nix index ed4d30f56..05d947a00 100644 --- a/hosts/common/programs/pkill.nix +++ b/hosts/common/programs/pkill.nix @@ -2,7 +2,6 @@ { sane.programs.pkill = { packageUnwrapped = pkgs.linkBinIntoOwnPackage pkgs.procps "pkill"; - sandbox.method = "bunpen"; sandbox.keepPidsAndProc = true; }; } diff --git a/hosts/common/programs/playerctl.nix b/hosts/common/programs/playerctl.nix index ec7f5b7c1..f786d4b6e 100644 --- a/hosts/common/programs/playerctl.nix +++ b/hosts/common/programs/playerctl.nix @@ -1,7 +1,6 @@ { ... }: { sane.programs.playerctl = { - sandbox.method = "bunpen"; sandbox.wrapperType = "inplace"; #< /lib/pkgconfig/playerctl.pc refers to $out by full path sandbox.whitelistDbus = [ "user" ]; # notifications diff --git a/hosts/common/programs/portfolio-filemanager.nix b/hosts/common/programs/portfolio-filemanager.nix index 20c5106b7..e736b5eff 100644 --- a/hosts/common/programs/portfolio-filemanager.nix +++ b/hosts/common/programs/portfolio-filemanager.nix 
@@ -2,7 +2,6 @@ { sane.programs.portfolio-filemanager = { # this is all taken pretty directly from nautilus config - sandbox.method = "bunpen"; sandbox.whitelistDbus = [ "user" ]; # for portals launching apps sandbox.whitelistWayland = true; sandbox.extraHomePaths = [ diff --git a/hosts/common/programs/ps.nix b/hosts/common/programs/ps.nix index 81021cf46..88d9e377b 100644 --- a/hosts/common/programs/ps.nix +++ b/hosts/common/programs/ps.nix @@ -2,7 +2,6 @@ { sane.programs.ps = { packageUnwrapped = pkgs.linkBinIntoOwnPackage pkgs.procps "ps"; - sandbox.method = "bunpen"; sandbox.keepPidsAndProc = true; }; } diff --git a/hosts/common/programs/ripgrep.nix b/hosts/common/programs/ripgrep.nix index 8c88889d5..9ebf26794 100644 --- a/hosts/common/programs/ripgrep.nix +++ b/hosts/common/programs/ripgrep.nix @@ -1,7 +1,6 @@ { ... }: { sane.programs.ripgrep = { - sandbox.method = "bunpen"; sandbox.autodetectCliPaths = "existing"; sandbox.whitelistPwd = true; sandbox.extraHomePaths = [ diff --git a/hosts/common/programs/rofi/default.nix b/hosts/common/programs/rofi/default.nix index fc2f1f799..492116721 100644 --- a/hosts/common/programs/rofi/default.nix +++ b/hosts/common/programs/rofi/default.nix @@ -94,7 +94,6 @@ in "rofi-run-command" ]; - sandbox.method = "bunpen"; sandbox.whitelistDbus = [ "user" ]; #< to launch apps via the portal sandbox.whitelistWayland = true; sandbox.extraHomePaths = [ @@ -167,7 +166,6 @@ in }) ]; }; - sandbox.method = "bunpen"; sandbox.whitelistWayland = true; sandbox.extraHomePaths = [ ".cache/rofi" diff --git a/hosts/common/programs/sane-deadlines.nix b/hosts/common/programs/sane-deadlines.nix index b3784b983..f16d94ee5 100644 --- a/hosts/common/programs/sane-deadlines.nix +++ b/hosts/common/programs/sane-deadlines.nix @@ -15,7 +15,6 @@ in }; packageUnwrapped = pkgs.sane-scripts.deadlines; - sandbox.method = "bunpen"; sandbox.extraHomePaths = [ "knowledge/planner/deadlines.tsv" ]; fs.".profile".symlink.text = lib.mkIf cfg.config.showOnLogin '' 
diff --git a/hosts/common/programs/sane-input-handler/default.nix b/hosts/common/programs/sane-input-handler/default.nix index d00517825..8533d4ede 100644 --- a/hosts/common/programs/sane-input-handler/default.nix +++ b/hosts/common/programs/sane-input-handler/default.nix @@ -93,7 +93,6 @@ in "xdg-terminal-exec" "wvkbd" ]; - sandbox.method = "bunpen"; sandbox.whitelistAudio = true; sandbox.whitelistDbus = [ "user" ]; #< to launch applications sandbox.extraRuntimePaths = [ "sway" ]; diff --git a/hosts/common/programs/sane-open.nix b/hosts/common/programs/sane-open.nix index 484fcdfeb..87fadebff 100644 --- a/hosts/common/programs/sane-open.nix +++ b/hosts/common/programs/sane-open.nix @@ -1,7 +1,6 @@ { ... }: { sane.programs.sane-open = { - sandbox.method = "bunpen"; sandbox.autodetectCliPaths = "existing"; # for when opening a file sandbox.whitelistDbus = [ "user" ]; sandbox.keepPidsAndProc = true; #< to toggle keyboard diff --git a/hosts/common/programs/sane-private-unlock-remote.nix b/hosts/common/programs/sane-private-unlock-remote.nix index 736a58a72..c116bf624 100644 --- a/hosts/common/programs/sane-private-unlock-remote.nix +++ b/hosts/common/programs/sane-private-unlock-remote.nix @@ -5,7 +5,6 @@ in { sane.programs."sane-private-unlock-remote" = { packageUnwrapped = pkgs.sane-scripts.private-unlock-remote; - sandbox.method = "bunpen"; sandbox.net = "all"; sandbox.extraHomePaths = [ ".config/sops" diff --git a/hosts/common/programs/sane-screenshot.nix b/hosts/common/programs/sane-screenshot.nix index 63fffb419..fcbcd11df 100644 --- a/hosts/common/programs/sane-screenshot.nix +++ b/hosts/common/programs/sane-screenshot.nix @@ -1,7 +1,6 @@ { ... }: { sane.programs.sane-screenshot = { - sandbox.method = "bunpen"; sandbox.whitelistWayland = true; sandbox.whitelistDbus = [ "user" ]; #< to send notifications sandbox.extraHomePaths = [ diff --git a/hosts/common/programs/sane-scripts.nix b/hosts/common/programs/sane-scripts.nix index b00aa7bc5..bb917f5c4 100644 
--- a/hosts/common/programs/sane-scripts.nix +++ b/hosts/common/programs/sane-scripts.nix @@ -153,7 +153,6 @@ in tryKeepUsers = true; }; - "sane-scripts.secrets-dump".sandbox.method = "bunpen"; "sane-scripts.secrets-dump".sandbox.extraHomePaths = [ ".config/sops" "knowledge/secrets" @@ -241,7 +240,7 @@ in "sane-scripts.ip-check" ]; - "sane-scripts.which".sandbox.method = "bunpen"; + "sane-scripts.which" = {}; "sane-scripts.wipe".sandbox = { method = "bunpen"; diff --git a/hosts/common/programs/sane-secrets-unlock.nix b/hosts/common/programs/sane-secrets-unlock.nix index b941e4547..f6cb5fb59 100644 --- a/hosts/common/programs/sane-secrets-unlock.nix +++ b/hosts/common/programs/sane-secrets-unlock.nix @@ -2,7 +2,6 @@ { sane.programs."sane-secrets-unlock" = { packageUnwrapped = pkgs.sane-scripts.secrets-unlock; - sandbox.method = "bunpen"; sandbox.extraHomePaths = [ ".ssh/id_ed25519" ".ssh/id_ed25519.pub" diff --git a/hosts/common/programs/sane-sysload.nix b/hosts/common/programs/sane-sysload.nix index a24c90197..b850340af 100644 --- a/hosts/common/programs/sane-sysload.nix +++ b/hosts/common/programs/sane-sysload.nix @@ -1,7 +1,6 @@ { ... }: { sane.programs.sane-sysload = { - sandbox.method = "bunpen"; sandbox.extraPaths = [ "/sys/class/power_supply" "/sys/devices" diff --git a/hosts/common/programs/satellite.nix b/hosts/common/programs/satellite.nix index f67c752f7..26252805b 100644 --- a/hosts/common/programs/satellite.nix +++ b/hosts/common/programs/satellite.nix @@ -50,7 +50,6 @@ { ... }: { sane.programs.satellite = { - sandbox.method = "bunpen"; sandbox.whitelistDbus = [ "system" #< reads NMEA data via ModemManager ]; diff --git a/hosts/common/programs/schlock.nix b/hosts/common/programs/schlock.nix index bfbc8666f..65ca28c05 100644 --- a/hosts/common/programs/schlock.nix +++ b/hosts/common/programs/schlock.nix 
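Review bot: In the second hunk of sane-scripts.nix, the new line `"sane-scripts.which" = {};` carries no sandbox setting at all, so whether this program is confined now depends entirely on a default for `sandbox.method` that this diff does not show. The neighbouring context line `"sane-scripts.wipe".sandbox = { method = "bunpen";` still pins the method explicitly, which leaves the file inconsistent: if the default is "bunpen" (presumably, given the removals), that line is redundant, and if the default ever changes, `wipe` stays pinned while `which` silently follows. I would record the intent on the new line, e.g. `"sane-scripts.which" = {};  #< sandboxed via the default sandbox.method`, and either drop the explicit `method` from `wipe` or add a comment saying why it stays. The same reliance on the default applies to every other `sandbox.method` removal in this commit, so it is worth confirming that an unset method can never evaluate to an unsandboxed wrapper. The `sane-scripts.wipe` attribute set continues outside the hunk.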
@@ -24,7 +24,6 @@ in }; }; - sandbox.method = "bunpen"; sandbox.whitelistWayland = true; secrets.".config/schlock/schlock.pin" = ../../../secrets/common/schlock.pin.bin; diff --git a/hosts/common/programs/seatd.nix b/hosts/common/programs/seatd.nix index 267ca785d..b3bb87eae 100644 --- a/hosts/common/programs/seatd.nix +++ b/hosts/common/programs/seatd.nix @@ -13,7 +13,6 @@ lib.mkMerge [ "-Ddefaultpath=${seatdSock}" ]; }); - sandbox.method = "bunpen"; sandbox.capabilities = [ "dac_override" #< TODO: is there no way to get rid of this? (use the `tty` group?) # "sys_admin" diff --git a/hosts/common/programs/signal-desktop.nix b/hosts/common/programs/signal-desktop.nix index bdcba3f57..6e9b04c71 100644 --- a/hosts/common/programs/signal-desktop.nix +++ b/hosts/common/programs/signal-desktop.nix @@ -22,7 +22,6 @@ in }; packageUnwrapped = pkgs.signal-desktop-from-src; - sandbox.method = "bunpen"; sandbox.net = "clearnet"; sandbox.whitelistAudio = true; sandbox.whitelistDbus = [ diff --git a/hosts/common/programs/sm64ex-coop-deluxe.nix b/hosts/common/programs/sm64ex-coop-deluxe.nix index 6e572144e..ae7be0e88 100644 --- a/hosts/common/programs/sm64ex-coop-deluxe.nix +++ b/hosts/common/programs/sm64ex-coop-deluxe.nix @@ -4,7 +4,6 @@ let in { sane.programs.sm64ex-coop-deluxe = { - sandbox.method = "bunpen"; sandbox.net = "all"; sandbox.whitelistAudio = true; sandbox.whitelistDri = true; diff --git a/hosts/common/programs/sm64ex-coop.nix b/hosts/common/programs/sm64ex-coop.nix index 7bdd94415..05d3e4930 100644 --- a/hosts/common/programs/sm64ex-coop.nix +++ b/hosts/common/programs/sm64ex-coop.nix @@ -4,7 +4,6 @@ let in { sane.programs.sm64ex-coop = { - sandbox.method = "bunpen"; sandbox.net = "all"; sandbox.whitelistAudio = true; sandbox.whitelistDri = true; diff --git a/hosts/common/programs/soundconverter.nix b/hosts/common/programs/soundconverter.nix index 2919538a2..4eb1fad9a 100644 --- a/hosts/common/programs/soundconverter.nix 
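Review bot: In the seatd.nix hunk the entry keeps `sandbox.capabilities = [ "dac_override" ...` but no longer names the method, so what confines a process holding that capability is now decided by a default defined outside this diff. The same applies to the swaylock.nix hunk (path to /etc/shadow), the sane-secrets-unlock.nix hunk (`.ssh/id_ed25519`), and the gocryptfs entries under modules/persist/stores that retain `sys_admin`. For these privileged entries I would either keep the explicit pin or add a module-level assertion that a program declaring `sandbox.capabilities` cannot evaluate with sandboxing disabled, so a later change of the default fails the build instead of silently loosening them. At minimum add a comment here, e.g. `# method: module default; dac_override must not be granted without a sandbox`. The capabilities list continues outside the hunk.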
+++ b/hosts/common/programs/soundconverter.nix @@ -5,7 +5,6 @@ { sane.programs.soundconverter = { buildCost = 1; - sandbox.method = "bunpen"; sandbox.whitelistWayland = true; sandbox.extraHomePaths = [ "Music" diff --git a/hosts/common/programs/stepmania.nix b/hosts/common/programs/stepmania.nix index 6d40caab5..def0920ab 100644 --- a/hosts/common/programs/stepmania.nix +++ b/hosts/common/programs/stepmania.nix @@ -18,7 +18,6 @@ sane.programs.stepmania = { buildCost = 1; - sandbox.method = "bunpen"; sandbox.whitelistAudio = true; sandbox.whitelistDri = true; sandbox.whitelistX = true; diff --git a/hosts/common/programs/strings.nix b/hosts/common/programs/strings.nix index 2b1b0c0f9..603958feb 100644 --- a/hosts/common/programs/strings.nix +++ b/hosts/common/programs/strings.nix @@ -5,7 +5,6 @@ # dynamic linking means copying the binary doesn't reduce the closure much at all compared to just symlinking it. packageUnwrapped = pkgs.linkBinIntoOwnPackage pkgs.binutils-unwrapped "strings"; - sandbox.method = "bunpen"; sandbox.wrapperType = "inplace"; # trivial package; cheaper to wrap in place sandbox.autodetectCliPaths = "existing"; }; diff --git a/hosts/common/programs/supertuxkart.nix b/hosts/common/programs/supertuxkart.nix index a0582eb4b..395e4f7ae 100644 --- a/hosts/common/programs/supertuxkart.nix +++ b/hosts/common/programs/supertuxkart.nix @@ -3,7 +3,6 @@ sane.programs.superTuxKart = { buildCost = 1; - sandbox.method = "bunpen"; sandbox.net = "clearnet"; # net play sandbox.whitelistAudio = true; sandbox.whitelistDri = true; diff --git a/hosts/common/programs/sway/default.nix b/hosts/common/programs/sway/default.nix index 499bb3fea..43b013f28 100644 --- a/hosts/common/programs/sway/default.nix +++ b/hosts/common/programs/sway/default.nix 
@@ -198,7 +198,6 @@ in cfg.config.locker ]; - sandbox.method = "bunpen"; sandbox.net = "all"; # TODO: shouldn't be needed! but without this, mouse/kb hotplug doesn't work. sandbox.whitelistAudio = true; # it runs playerctl directly sandbox.whitelistDbus = [ "system" "user" ]; # to e.g. launch apps diff --git a/hosts/common/programs/swayidle.nix b/hosts/common/programs/swayidle.nix index 0267a522b..0fa58e227 100644 --- a/hosts/common/programs/swayidle.nix +++ b/hosts/common/programs/swayidle.nix @@ -85,7 +85,6 @@ in # "sway" #< required, but circular dep ]; - sandbox.method = "bunpen"; sandbox.whitelistDbus = [ "user" ]; #< might need system too, for inhibitors sandbox.whitelistS6 = true; sandbox.whitelistWayland = true; diff --git a/hosts/common/programs/swaylock.nix b/hosts/common/programs/swaylock.nix index 0dd4d28a8..ad7580b35 100644 --- a/hosts/common/programs/swaylock.nix +++ b/hosts/common/programs/swaylock.nix @@ -30,7 +30,6 @@ in # ]; # }); - sandbox.method = "bunpen"; sandbox.extraPaths = [ # N.B.: we need to be able to follow /etc/shadow to wherever it's symlinked. # swaylock seems (?) to offload password checking to pam's `unix_chkpwd`, diff --git a/hosts/common/programs/swaynotificationcenter/default.nix b/hosts/common/programs/swaynotificationcenter/default.nix index 9d28f28ba..bd97670b1 100644 --- a/hosts/common/programs/swaynotificationcenter/default.nix +++ b/hosts/common/programs/swaynotificationcenter/default.nix @@ -36,7 +36,6 @@ in "s6-rc" ]; }; - sandbox.method = "bunpen"; sandbox.whitelistS6 = true; sandbox.keepPidsAndProc = true; #< XXX: not sure why, but swaync segfaults under load without this! }; @@ -52,7 +51,6 @@ in "util-linux" ]; }; - sandbox.method = "bunpen"; sandbox.whitelistDbus = [ "user" ]; sandbox.keepPidsAndProc = true; # `swaync-fbcli stop` needs to be able to find the corresponding `swaync-fbcli start` process }; 
@@ -103,7 +101,6 @@ in "swaync-service-dispatcher" #< used when toggling buttons ]; - sandbox.method = "bunpen"; sandbox.whitelistAudio = true; sandbox.whitelistDbus = [ "user" # mpris; portal diff --git a/hosts/common/programs/syshud.nix b/hosts/common/programs/syshud.nix index 0043687f3..516b6767d 100644 --- a/hosts/common/programs/syshud.nix +++ b/hosts/common/programs/syshud.nix @@ -1,7 +1,6 @@ { ... }: { sane.programs.syshud = { - sandbox.method = "bunpen"; sandbox.whitelistAudio = true; sandbox.whitelistWayland = true; sandbox.extraPaths = [ diff --git a/hosts/common/programs/tor-browser.nix b/hosts/common/programs/tor-browser.nix index d62432e56..8714ed11c 100644 --- a/hosts/common/programs/tor-browser.nix +++ b/hosts/common/programs/tor-browser.nix @@ -9,7 +9,6 @@ } ''; }); - sandbox.method = "bunpen"; sandbox.net = "clearnet"; # tor over VPN wouldn't make sense sandbox.whitelistAudio = true; sandbox.whitelistDbus = [ "user" ]; #< so `tor-browser http://...` can open using an existing instance diff --git a/hosts/common/programs/tuba.nix b/hosts/common/programs/tuba.nix index 9195c56db..fa3c1b871 100644 --- a/hosts/common/programs/tuba.nix +++ b/hosts/common/programs/tuba.nix @@ -3,7 +3,6 @@ sane.programs.tuba = { buildCost = 1; - sandbox.method = "bunpen"; sandbox.net = "clearnet"; sandbox.whitelistAudio = true; sandbox.whitelistDbus = [ "user" ]; # notifications diff --git a/hosts/common/programs/unl0kr/default.nix b/hosts/common/programs/unl0kr/default.nix index f43de5933..f78788718 100644 --- a/hosts/common/programs/unl0kr/default.nix +++ b/hosts/common/programs/unl0kr/default.nix @@ -21,7 +21,6 @@ in # N.B.: this sandboxing applies to `unl0kr` itself -- the on-screen-keyboard; # NOT to the wrapper which invokes `login`. - sandbox.method = "bunpen"; sandbox.whitelistDri = true; sandbox.extraPaths = [ "/dev/fb0" diff --git a/hosts/common/programs/visidata.nix b/hosts/common/programs/visidata.nix index ef2c8bf80..4112a97c3 100644 
--- a/hosts/common/programs/visidata.nix +++ b/hosts/common/programs/visidata.nix @@ -8,7 +8,6 @@ doCheck = false; }); - sandbox.method = "bunpen"; sandbox.autodetectCliPaths = true; }; } diff --git a/hosts/common/programs/where-am-i.nix b/hosts/common/programs/where-am-i.nix index e50cad4d8..af43439d9 100644 --- a/hosts/common/programs/where-am-i.nix +++ b/hosts/common/programs/where-am-i.nix @@ -18,7 +18,6 @@ ''; }); - sandbox.method = "bunpen"; sandbox.net = "all"; # TODO: why does it require this? i think it just needs *some* net dev and any will do. sandbox.whitelistDbus = [ "system" # system is required for non-portal location services diff --git a/hosts/common/programs/wike.nix b/hosts/common/programs/wike.nix index e7c7e729e..76c2a5602 100644 --- a/hosts/common/programs/wike.nix +++ b/hosts/common/programs/wike.nix @@ -1,7 +1,6 @@ { ... }: { sane.programs.wike = { - sandbox.method = "bunpen"; sandbox.wrapperType = "inplace"; # share/wike/wike-sp refers back to the binaries and share sandbox.net = "clearnet"; sandbox.whitelistAudio = true; diff --git a/hosts/common/programs/wireplumber.nix b/hosts/common/programs/wireplumber.nix index 07f04839c..a5ed0807b 100644 --- a/hosts/common/programs/wireplumber.nix +++ b/hosts/common/programs/wireplumber.nix @@ -6,7 +6,6 @@ pipewire = config.sane.programs.pipewire.packageUnwrapped; }; - sandbox.method = "bunpen"; # sandbox.whitelistDbus = [ # "system" #< so it can request better scheduling from rtkit # # "user" #< apparently not needed? diff --git a/hosts/common/programs/wireshark.nix b/hosts/common/programs/wireshark.nix index a7caa8629..9519493d9 100644 --- a/hosts/common/programs/wireshark.nix +++ b/hosts/common/programs/wireshark.nix 
@@ -6,7 +6,6 @@ # which causes sandboxing errors (it won't sandbox recursively). packageUnwrapped = pkgs.linkBinIntoOwnPackage pkgs.wireshark "wireshark"; - sandbox.method = "bunpen"; sandbox.autodetectCliPaths = "existingFile"; #< for loading pcap files on CLI sandbox.whitelistWayland = true; sandbox.net = "all"; diff --git a/hosts/common/programs/wvkbd.nix b/hosts/common/programs/wvkbd.nix index 9cf047f6b..0862d4801 100644 --- a/hosts/common/programs/wvkbd.nix +++ b/hosts/common/programs/wvkbd.nix @@ -8,7 +8,6 @@ ''; }); - sandbox.method = "bunpen"; sandbox.whitelistWayland = true; env.KEYBOARD = "wvkbd-mobintl"; diff --git a/hosts/common/programs/xdg-desktop-portal-gnome/default.nix b/hosts/common/programs/xdg-desktop-portal-gnome/default.nix index c35101178..7ddd48dea 100644 --- a/hosts/common/programs/xdg-desktop-portal-gnome/default.nix +++ b/hosts/common/programs/xdg-desktop-portal-gnome/default.nix @@ -13,7 +13,6 @@ in ]; }); - sandbox.method = "bunpen"; sandbox.whitelistDbus = [ "user" ]; # speak to main xdg-desktop-portal sandbox.whitelistWayland = true; sandbox.extraHomePaths = [ diff --git a/hosts/common/programs/xdg-desktop-portal-wlr.nix b/hosts/common/programs/xdg-desktop-portal-wlr.nix index 6ead076de..ff580607b 100644 --- a/hosts/common/programs/xdg-desktop-portal-wlr.nix +++ b/hosts/common/programs/xdg-desktop-portal-wlr.nix @@ -7,7 +7,6 @@ in # rmDbusServices: because we care about ordering with the rest of the desktop, and don't want something else to auto-start this. packageUnwrapped = pkgs.rmDbusServicesInPlace pkgs.xdg-desktop-portal-wlr; - sandbox.method = "bunpen"; sandbox.whitelistAudio = true; sandbox.whitelistDbus = [ "user" ]; # speak to main xdg-desktop-portal sandbox.whitelistDri = true; diff --git a/hosts/common/programs/youtube-tui.nix b/hosts/common/programs/youtube-tui.nix index 0fa868d92..f3e7d57ba 100644 --- a/hosts/common/programs/youtube-tui.nix +++ b/hosts/common/programs/youtube-tui.nix 
@@ -62,7 +62,6 @@ sync_channel_info: true sync_videos_cooldown_secs: 600 ''; - sandbox.method = "bunpen"; sandbox.net = "all"; sandbox.extraHomePaths = [ # ".config/youtube-tui" #< it populates its own config, other than just main.yml diff --git a/hosts/common/programs/yt-dlp.nix b/hosts/common/programs/yt-dlp.nix index 2ab4756f2..4d9a5bd95 100644 --- a/hosts/common/programs/yt-dlp.nix +++ b/hosts/common/programs/yt-dlp.nix @@ -19,7 +19,6 @@ in }; }; - sandbox.method = "bunpen"; sandbox.net = "all"; sandbox.whitelistPwd = true; # saves to pwd by default fs.".config/yt-dlp.config".symlink.text = '' diff --git a/hosts/common/programs/zfs-tools.nix b/hosts/common/programs/zfs-tools.nix index f45eb737f..1d9e07d61 100644 --- a/hosts/common/programs/zfs-tools.nix +++ b/hosts/common/programs/zfs-tools.nix @@ -17,7 +17,6 @@ "zstreamdump" ]; - sandbox.method = "bunpen"; sandbox.tryKeepUsers = true; sandbox.extraPaths = [ "/dev" ]; }; diff --git a/modules/persist/stores/ephemeral/default.nix b/modules/persist/stores/ephemeral/default.nix index c1d908cea..cdcd1e317 100644 --- a/modules/persist/stores/ephemeral/default.nix +++ b/modules/persist/stores/ephemeral/default.nix @@ -19,7 +19,6 @@ lib.mkIf config.sane.persist.enable }; suggestedPrograms = [ "gocryptfs" ]; - sandbox.method = "bunpen"; sandbox.autodetectCliPaths = "existing"; sandbox.capabilities = [ "sys_admin" #< XXX: this is required to keep user mappings; for single-user it's actually not necessary if using fuse3-sane with -o pass_fuse_fd diff --git a/modules/persist/stores/private/default.nix b/modules/persist/stores/private/default.nix index 94c0db397..2cc1d3fbf 100644 --- a/modules/persist/stores/private/default.nix +++ b/modules/persist/stores/private/default.nix 
@@ -17,7 +17,6 @@ lib.mkIf config.sane.persist.enable "inotify-tools" ]; }; - sandbox.method = "bunpen"; sandbox.autodetectCliPaths = "parent"; # XXX: if provisioning fails, try `sudo chown root:root /nix/persist/private/gocryptfs.*` # else re-enable the below: @@ -30,7 +29,6 @@ lib.mkIf config.sane.persist.enable srcRoot = ./.; pkgs = [ "gocryptfs" ]; }; - sandbox.method = "bunpen"; sandbox.autodetectCliPaths = "existing"; sandbox.capabilities = [ "sys_admin" #< XXX: this is required to keep user mappings; for single-user it's actually not necessary if using fuse3-sane with -o pass_fuse_fd