sanebox: remove the portal logic, and delegate it to manual handling by those few apps which truly need special casing

it's a questionable responsibility to give to the sandbox itself (unless i also have the sandbox do things like dbus proxying, someday). and it will make the bunpen implementation simpler
2024-08-27 11:00:15 +00:00
parent 83ef250a34
commit 3417a9fd3f
11 changed files with 32 additions and 55 deletions


@@ -25,6 +25,12 @@
substituteInPlace data/org.gnome.Maps.desktop.in.in \
--replace-fail 'Exec=gapplication launch @app-id@ %U' 'Exec=gnome-maps %U'
'';
# TODO: set up portal-based location services, but until that works, explicitly disable portals here.
preFixup = (base.preFixup or "") + ''
gappsWrapperArgs+=(
--unset GIO_USE_PORTALS
)
'';
}));
suggestedPrograms = [
"geoclue2"
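Review bot: The `preFixup` block that appends `--unset GIO_USE_PORTALS` to `gappsWrapperArgs` is repeated verbatim for mepo in the next file and as an equivalent `wrapProgram` call in where-am-i, so the three copies will drift apart once the portal-based location work lands; a single shared override applied from one place would keep them in step. The block also has an unstated precondition that wrapGAppsHook is part of the derivation and consumes `gappsWrapperArgs` during fixup, which appears to hold for gnome-maps but is worth writing down next to the TODO, e.g. `# relies on wrapGAppsHook consuming gappsWrapperArgs during fixup`. The enclosing `overrideAttrs` call starts before the hunk.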
@@ -39,7 +45,6 @@
];
sandbox.whitelistWayland = true;
sandbox.net = "clearnet";
sandbox.usePortal = false; # TODO: set up portal-based location services
persist.byStore.plaintext = [ ".cache/shumate" ];
persist.byStore.private = [


@@ -1,9 +1,17 @@
# docs: <https://git.sr.ht/~mil/mepo>
# irc #mepo:irc.oftc.net
#
{ config, lib, ... }:
{ pkgs, ... }:
{
sane.programs.mepo = {
packageUnwrapped = pkgs.mepo.overrideAttrs (base: {
# TODO: set up portal-based location services, but until that works, explicitly disable portals here.
preFixup = (base.preFixup or "") + ''
gappsWrapperArgs+=(
--unset GIO_USE_PORTALS
)
'';
});
sandbox.method = "bwrap";
sandbox.net = "all"; # for tiles *and* for localhost comm to gpsd
sandbox.whitelistDri = true;
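Review bot: The new `gappsWrapperArgs+=( --unset GIO_USE_PORTALS )` only takes effect if mepo's derivation runs wrapGAppsHook; if it wraps with plain makeWrapper instead, the appended array is never consumed and portals stay enabled for mepo without any build error. If that is the case, the approach this commit uses for where-am-i (`makeWrapper` in `nativeBuildInputs` plus `wrapProgram $out/bin/mepo --unset GIO_USE_PORTALS`) works regardless of which hook the package uses. The module arguments also shrink to `{ pkgs, ... }:`, dropping `config` and `lib`, which is fine only if nothing below the hunk still references them.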
@@ -12,7 +20,6 @@
"system" # system is required for non-portal location services
"user" #< not sure if "user" is necessary?
];
sandbox.usePortal = false; # TODO: set up portal-based location services
persist.byStore.plaintext = [ ".cache/mepo/tiles" ];
# ~/.cache/mepo/savestate has precise coordinates and pins: keep those private


@@ -74,7 +74,6 @@ in
"ipc_lock"
"sys_nice"
];
sandbox.usePortal = false;
sandbox.extraPaths = [
"/dev/snd"
# desko/lappy don't need these, but moby complains if not present


@@ -2,17 +2,26 @@
{
sane.programs.where-am-i = {
# packageUnwrapped = pkgs.linkIntoOwnPackage config.sane.programs.geoclue2.packageUnwrapped "libexec/geoclue-2.0/demos/where-am-i";
packageUnwrapped = pkgs.linkFarm "where-am-i" [{
packageUnwrapped = (pkgs.linkFarm "where-am-i" [{
# bring the `where-am-i` tool into a `bin/` directory so it can be invokable via PATH
name = "bin/where-am-i";
path = "${config.sane.programs.geoclue2.packageUnwrapped}/libexec/geoclue-2.0/demos/where-am-i";
}];
}]).overrideAttrs (base: {
# TODO: set up portal-based location services.
# until then disable portals here.
nativeBuildInputs = (base.nativeBuildInputs or []) ++ [
pkgs.makeWrapper
];
buildCommand = base.buildCommand + ''
wrapProgram $out/bin/where-am-i \
--unset GIO_USE_PORTALS
'';
});
sandbox.method = "bwrap";
sandbox.net = "all"; # TODO: why does it require this? i think it just needs *some* net dev and any will do.
sandbox.whitelistDbus = [
"system" # system is required for non-portal location services
];
sandbox.usePortal = false; # TODO: set up portal-based location services
};
}


@@ -55,6 +55,8 @@ in
# portal can use the same .desktop files from the rest of my config.
fs.".local/share/xdg-desktop-portal/applications".symlink.target = "../applications";
env.GIO_USE_PORTALS = "1"; # instruct gio/gtk apps to use portal services; mostly not needed, except for legacy gtk3 apps like `geary`
services.xdg-desktop-portal = {
description = "xdg-desktop-portal freedesktop.org portal (URI opener, file chooser, etc)";
partOf = [ "graphical-session" ];
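Review bot: The session-wide `env.GIO_USE_PORTALS = "1"` replaces what `--sanebox-portal` used to inject, but one of the three variables that switch set, `GTK_USE_PORTAL=1`, is not reproduced anywhere in this commit, so gtk3 builds that only honor the older name (the removed sanebox comment describes it as still being phased out) will now open files themselves instead of via the portal. Consider adding `env.GTK_USE_PORTAL = "1"; # older name of GIO_USE_PORTALS, still read by some gtk3 builds` next to it. Note also that the sandbox formerly passed the variable with `--setenv`, whereas `env.*` relies on inheritance, so programs started with a clean environment (for example from systemd user units) may not see it; whether the sandbox backends preserve the caller's environment is not visible here. The `services.xdg-desktop-portal` definition continues past the hunk.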


@@ -18,6 +18,8 @@
# "mimeopen" #< optional, unclear what benefit
];
env.NIXOS_XDG_OPEN_USE_PORTAL = "1";
# alternative to letting the sandbox decide for itself: forcibly use the portal
# if the mime association list is not visible/in scope.
# packageUnwrapped = pkgs.xdg-utils.overrideAttrs (base: {
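Review bot: The comment directly below the new `env.NIXOS_XDG_OPEN_USE_PORTAL` line still reads "alternative to letting the sandbox decide for itself", but after this commit the sandbox no longer decides anything about portals; the environment variable is now the primary mechanism. Reword it to `# alternative to the NIXOS_XDG_OPEN_USE_PORTAL env var: forcibly use the portal` so the next reader does not go looking for sandbox portal logic that no longer exists. The commented-out override continues past the hunk.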


@@ -77,7 +77,6 @@ let
capabilities
extraConfig
method
usePortal
whitelistPwd
;
netDev = if vpn != null then
@@ -460,14 +459,6 @@ let
]
'';
};
sandbox.usePortal = mkOption {
type = types.bool;
default = true;
description = ''
instruct the sandboxed program to open external applications
via calls to xdg-desktop-portal.
'';
};
configOption = mkOption {
type = types.raw;
default = mkOption {
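Review bot: `sandbox.usePortal` is deleted outright, so any program definition that still sets it fails with a generic "option does not exist" error rather than pointing at the replacement; the three in-tree uses are removed in this commit, but nothing here guards against a forgotten or out-of-tree one. If the program submodule accepts `imports`, a `lib.mkRemovedOptionModule [ "sandbox" "usePortal" ] "portal env is now set session-wide; unset GIO_USE_PORTALS in the package wrapper for apps that must bypass it"` gives a clear migration message; otherwise a one-line comment where the option used to be would serve the same purpose. The `configOption` declaration continues past the hunk.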


@@ -11,7 +11,6 @@
keepUsers ? false,
netDev ? null,
netGateway ? null,
usePortal ? false,
whitelistPwd ? false,
extraConfig ? [],
}:
@@ -28,14 +27,12 @@ let
path = p: [ "--sanebox-path" p ];
path-home = p: [ "--sanebox-home-path" p ];
path-run = p: [ "--sanebox-run-path" p ];
usePortal = [ "--sanebox-portal" ];
whitelistPwd = [ "--sanebox-add-pwd" ];
};
bunpenGenerators = {
method = m: assert m == "bunpen"; [];
netDev = n: assert n == "all"; [ "--bunpen-keep-net" ];
path = p: [ "--bunpen-path" p ];
usePortal = []; #< TODO: the sandboxer really shouldn't have to know about portals.
};
gen = if method == "bunpen" then
bunpenGenerators
@@ -62,5 +59,4 @@ in
++ lib.optionals keepPids gen.keepPids
++ lib.optionals keepUsers gen.keepUsers
++ lib.optionals whitelistPwd gen.whitelistPwd
++ lib.optionals usePortal gen.usePortal
++ extraConfig


@@ -41,10 +41,6 @@ export fn usage() void = {
// fmt::println(" --bunpen-cap <all|sys_admin|net_raw|net_admin|...>")!;
// fmt::println(" allow the sandboxed program to use the provided linux capability (both inside and outside the sandbox)")!;
// fmt::println(" special cap "all" to preserve all capabilities possible")!;
// fmt::println(" --bunpen-portal")!;
// fmt::println(" set environment variables so that the sandboxed program will attempt to use xdg-desktop-portal for operations like opening files")!;
// fmt::println(" --bunpen-no-portal")!;
// fmt::println(" undo a previous `--bunpen-portal` arg")!;
// fmt::println(" --bunpen-bwrap-arg <arg>")!;
// fmt::println(" --bunpen-capsh-arg <arg>")!;
// fmt::println(" --bunpen-pasta-arg <arg>")!;


@@ -239,7 +239,6 @@ def vpn_do(config: VpnConfig, cmd: list[str]) -> None:
"--sanebox-method", "bwrap",
"--sanebox-keep-namespace", "all",
"--sanebox-path", "/",
"--sanebox-no-portal",
] + net_flags + cmd
logger.debug(f"exec {wrapped_cmd}")
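Review bot: Dropping `"--sanebox-no-portal"` means the command run under the VPN now inherits the portal variables this commit sets session-wide (`GIO_USE_PORTALS`, `NIXOS_XDG_OPEN_USE_PORTAL`), assuming the sandbox backend passes the caller's environment through. A URL or file opened via xdg-desktop-portal is handled by an application in the host session, outside the VPN namespace, so the explicit opt-out was doing real work here and the change is a behavioural regression for the VPN case, not just cleanup. The cheapest replacement is to strip those variables from the environment handed to the wrapped command, e.g. `env = {k: v for k, v in os.environ.items() if k not in ("GIO_USE_PORTALS", "GTK_USE_PORTAL", "NIXOS_XDG_OPEN_USE_PORTAL")}` (importing `os` if the module does not already) and pass it to the exec. `vpn_do`'s exec call is outside the hunk, so I cannot tell whether it already controls the environment.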


@@ -94,8 +94,6 @@ netDev=
netGateway=default
# list of IP addresses to use for DNS servers inside the sandbox (not supported by all backends)
dns=()
# VAR -> VALUE map of environment variables to add to the sandboxed program's environment
declare -A portalEnv
argv0=
case "${0:-8}" in
("sanebox"|"/sanebox")
@@ -135,10 +133,6 @@ usage() {
echo ' --sanebox-cap <all|sys_admin|net_raw|net_admin|...>'
echo ' allow the sandboxed program to use the provided linux capability (both inside and outside the sandbox)'
echo ' special cap "all" to preserve all capabilities possible'
echo ' --sanebox-portal'
echo ' set environment variables so that the sandboxed program will attempt to use xdg-desktop-portal for operations like opening files'
echo ' --sanebox-no-portal'
echo ' undo a previous `--sanebox-portal` arg'
echo ' --sanebox-bwrap-arg <arg>'
echo ' --sanebox-capsh-arg <arg>'
echo ' --sanebox-pasta-arg <arg>'
@@ -564,20 +558,6 @@ parseArgs() {
capabilities+=("$cap")
fi
;;
(--sanebox-portal)
# instruct glib/gtk apps to perform actions such as opening external files via dbus calls to org.freedesktop.portal.*.
# note that GIO_USE_PORTALS primarily acts as a *fallback*: apps only open files via the portal if they don't know how to themelves.
# this switch is typically accompanied by removing all MIME associations from the app's view, then.
# GTK_USE_PORTALS is the old name, beginning to be phased out as of 2023-10-02
portalEnv[GIO_USE_PORTALS]=1
portalEnv[GTK_USE_PORTAL]=1
portalEnv[NIXOS_XDG_OPEN_USE_PORTAL]=1
;;
(--sanebox-no-portal)
# override a previous --sanebox-portal call
unset portalEnv
declare -A portalEnv
;;
(--sanebox-bwrap-arg)
local bwrapArg=$1
shift
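Review bot: With the `(--sanebox-portal)` and `(--sanebox-no-portal)` arms gone, any caller still passing either flag falls through to the parser's remaining branches, which are outside the hunk; if the catch-all rejects unknown `--sanebox-*` flags, old invocations break loudly, which is acceptable, but if it forwards unrecognized arguments to the program they would silently land in the sandboxed program's argv. A deprecated no-op arm, `(--sanebox-portal|--sanebox-no-portal) ;; # removed: portal env is now set session-wide`, keeps external callers working until they are migrated. `parseArgs` starts and ends outside the hunk.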
@@ -773,10 +753,6 @@ bwrapGetCli() {
)
fi
for envName in "${!portalEnv[@]}"; do
bwrapArgs+=(--setenv "$envName" "${portalEnv[$envName]}")
done
cliArgs=(
"$_bwrap"
--argv0 "$argv0"
@@ -950,13 +926,8 @@ capshonlyGetCli() {
locate _capsh "capsh" "$CAPSH_FALLBACK"
locate _env "env" "$ENV_FALLBACK"
local envArgs=(-a "$argv0")
for envName in "${!portalEnv[@]}"; do
envArgs+=("$envName=${portalEnv[$envName]}")
done
cliArgs=(
"$_capsh" "--caps=$capshCapsArg" --no-new-privs --shell="$_env" "${capshArgs[@]}" -- "${envArgs[@]}" "${cliArgs[@]}"
"$_capsh" "--caps=$capshCapsArg" --no-new-privs --shell="$_env" "${capshArgs[@]}" -- -a "$argv0" "${cliArgs[@]}"
)
}