sanebox: remove the portal logic, and delegate it to manual handling by those few apps which truly need special casing
it's a questionable responsibility to give to the sandbox itself (unless i also have the sandbox do things like dbus proxying, someday). and it will make the bunpen implementation simpler
@@ -25,6 +25,12 @@
|
||||
substituteInPlace data/org.gnome.Maps.desktop.in.in \
|
||||
--replace-fail 'Exec=gapplication launch @app-id@ %U' 'Exec=gnome-maps %U'
|
||||
'';
|
||||
# TODO: set up portal-based location services, but until that works, explicitly disable portals here.
|
||||
preFixup = (base.preFixup or "") + ''
|
||||
gappsWrapperArgs+=(
|
||||
--unset GIO_USE_PORTALS
|
||||
)
|
||||
'';
|
||||
}));
|
||||
suggestedPrograms = [
|
||||
"geoclue2"
|
||||
@@ -39,7 +45,6 @@
|
||||
];
|
||||
sandbox.whitelistWayland = true;
|
||||
sandbox.net = "clearnet";
|
||||
sandbox.usePortal = false; # TODO: set up portal-based location services
|
||||
|
||||
persist.byStore.plaintext = [ ".cache/shumate" ];
|
||||
persist.byStore.private = [
|
||||
|
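Review bot: The new preFixup unsets only GIO_USE_PORTALS, whereas the `sandbox.usePortal = false;` it replaces kept all three variables the sandbox used to inject (GIO_USE_PORTALS, GTK_USE_PORTAL, NIXOS_XDG_OPEN_USE_PORTAL — see the removed `--sanebox-portal` handler in the sanebox script below) out of the sandboxed environment; with NIXOS_XDG_OPEN_USE_PORTAL now exported session-wide, gnome-maps' xdg-open calls presumably go through the portal where they previously did not. If that is intended, the comment should say so precisely rather than "disable portals": `# TODO: set up portal-based location services; until then disable GIO portals here (URI opening via the xdg-open portal is unaffected).` The same comment and wrapper snippet appear in the mepo and where-am-i sections below. It is also worth confirming the derivation actually runs wrapGAppsHook, otherwise `gappsWrapperArgs` is never consumed and the variable stays inherited from the session.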
@@ -1,9 +1,17 @@
|
||||
# docs: <https://git.sr.ht/~mil/mepo>
|
||||
# irc #mepo:irc.oftc.net
|
||||
#
|
||||
{ config, lib, ... }:
|
||||
{ pkgs, ... }:
|
||||
{
|
||||
sane.programs.mepo = {
|
||||
packageUnwrapped = pkgs.mepo.overrideAttrs (base: {
|
||||
# TODO: set up portal-based location services, but until that works, explicitly disable portals here.
|
||||
preFixup = (base.preFixup or "") + ''
|
||||
gappsWrapperArgs+=(
|
||||
--unset GIO_USE_PORTALS
|
||||
)
|
||||
'';
|
||||
});
|
||||
sandbox.method = "bwrap";
|
||||
sandbox.net = "all"; # for tiles *and* for localhost comm to gpsd
|
||||
sandbox.whitelistDri = true;
|
||||
@@ -12,7 +20,6 @@
|
||||
"system" # system is required for non-portal location services
|
||||
"user" #< not sure if "user" is necessary?
|
||||
];
|
||||
sandbox.usePortal = false; # TODO: set up portal-based location services
|
||||
|
||||
persist.byStore.plaintext = [ ".cache/mepo/tiles" ];
|
||||
# ~/.cache/mepo/savestate has precise coordinates and pins: keep those private
|
||||
|
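Review bot: The module's argument set changes from `{ config, lib, ... }:` to `{ pkgs, ... }:`, and the hunk shows only the new `pkgs` use; any remaining reference to `config` or `lib` further down the file (outside these hunks) would now fail evaluation, so that should be checked. As in the gnome-maps section, `gappsWrapperArgs` is only consumed if mepo's derivation runs wrapGAppsHook; if it does not, the `--unset GIO_USE_PORTALS` is silently a no-op and the variable remains inherited from the session environment, so a quick check of the built wrapper for the unset is worthwhile.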
@@ -74,7 +74,6 @@ in
|
||||
"ipc_lock"
|
||||
"sys_nice"
|
||||
];
|
||||
sandbox.usePortal = false;
|
||||
sandbox.extraPaths = [
|
||||
"/dev/snd"
|
||||
# desko/lappy don't need these, but moby complains if not present
|
||||
|
@@ -2,17 +2,26 @@
|
||||
{
|
||||
sane.programs.where-am-i = {
|
||||
# packageUnwrapped = pkgs.linkIntoOwnPackage config.sane.programs.geoclue2.packageUnwrapped "libexec/geoclue-2.0/demos/where-am-i";
|
||||
packageUnwrapped = pkgs.linkFarm "where-am-i" [{
|
||||
packageUnwrapped = (pkgs.linkFarm "where-am-i" [{
|
||||
# bring the `where-am-i` tool into a `bin/` directory so it can be invokable via PATH
|
||||
name = "bin/where-am-i";
|
||||
path = "${config.sane.programs.geoclue2.packageUnwrapped}/libexec/geoclue-2.0/demos/where-am-i";
|
||||
}];
|
||||
}]).overrideAttrs (base: {
|
||||
# TODO: set up portal-based location services.
|
||||
# until then disable portals here.
|
||||
nativeBuildInputs = (base.nativeBuildInputs or []) ++ [
|
||||
pkgs.makeWrapper
|
||||
];
|
||||
buildCommand = base.buildCommand + ''
|
||||
wrapProgram $out/bin/where-am-i \
|
||||
--unset GIO_USE_PORTALS
|
||||
'';
|
||||
});
|
||||
|
||||
sandbox.method = "bwrap";
|
||||
sandbox.net = "all"; # TODO: why does it require this? i think it just needs *some* net dev and any will do.
|
||||
sandbox.whitelistDbus = [
|
||||
"system" # system is required for non-portal location services
|
||||
];
|
||||
sandbox.usePortal = false; # TODO: set up portal-based location services
|
||||
};
|
||||
}
|
||||
|
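Review bot: The commented-out `# packageUnwrapped = pkgs.linkIntoOwnPackage ...` line is left as dead text above a definition that is now reworked beneath it; either drop it or record in the comment why that approach was abandoned. `wrapProgram` here operates on the symlink produced by linkFarm — makeWrapper presumably renames it to `.where-am-i-wrapped` and execs through the moved symlink, which works — but the effect is only `--unset GIO_USE_PORTALS`, so the TODO comment's "disable portals here" overstates it: NIXOS_XDG_OPEN_USE_PORTAL, set session-wide elsewhere in this commit, still reaches the program. Suggest `# until then, disable GIO portals here (location is served over the system bus instead).`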
@@ -55,6 +55,8 @@ in
|
||||
# portal can use the same .desktop files from the rest of my config.
|
||||
fs.".local/share/xdg-desktop-portal/applications".symlink.target = "../applications";
|
||||
|
||||
env.GIO_USE_PORTALS = "1"; # instruct gio/gtk apps to use portal services; mostly not needed, except for legacy gtk3 apps like `geary`
|
||||
|
||||
services.xdg-desktop-portal = {
|
||||
description = "xdg-desktop-portal freedesktop.org portal (URI opener, file chooser, etc)";
|
||||
partOf = [ "graphical-session" ];
|
||||
|
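Review bot: The session-wide `env.GIO_USE_PORTALS = "1"` replaces the three variables the sandbox used to inject (GIO_USE_PORTALS, GTK_USE_PORTAL, NIXOS_XDG_OPEN_USE_PORTAL — see the removed `--sanebox-portal` handler in the sanebox script below), but GTK_USE_PORTAL is set nowhere after this commit; the legacy GTK3 apps this line is meant for (`geary`) may consult GTK_USE_PORTAL rather than GIO_USE_PORTALS, so either add `env.GTK_USE_PORTAL = "1";` beside it or note why it is no longer needed. The rationale that GIO_USE_PORTALS is primarily a fallback and is paired with hiding MIME associations from the app was only documented in the deleted shell handler and now has no home; it belongs here, e.g. `# GIO_USE_PORTALS is mostly a *fallback*: apps still open files themselves when they know how, so pair this with hiding MIME associations from sandboxed apps.`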
@@ -18,6 +18,8 @@
|
||||
# "mimeopen" #< optional, unclear what benefit
|
||||
];
|
||||
|
||||
env.NIXOS_XDG_OPEN_USE_PORTAL = "1";
|
||||
|
||||
# alternative to letting the sandbox decide for itself: forcibly use the portal
|
||||
# if the mime association list is not visible/in scope.
|
||||
# packageUnwrapped = pkgs.xdg-utils.overrideAttrs (base: {
|
||||
|
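Review bot: The comment directly beneath the new line, `# alternative to letting the sandbox decide for itself: forcibly use the portal`, is now stale: after this commit the sandbox no longer decides anything about portals, the decision is this `env.NIXOS_XDG_OPEN_USE_PORTAL` line plus the per-app `--unset`s. Suggest `# alternative to the env var above: have the xdg-utils package itself forcibly use the portal`.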
@@ -77,7 +77,6 @@ let
|
||||
capabilities
|
||||
extraConfig
|
||||
method
|
||||
usePortal
|
||||
whitelistPwd
|
||||
;
|
||||
netDev = if vpn != null then
|
||||
@@ -460,14 +459,6 @@ let
|
||||
]
|
||||
'';
|
||||
};
|
||||
sandbox.usePortal = mkOption {
|
||||
type = types.bool;
|
||||
default = true;
|
||||
description = ''
|
||||
instruct the sandboxed program to open external applications
|
||||
via calls to xdg-desktop-portal.
|
||||
'';
|
||||
};
|
||||
configOption = mkOption {
|
||||
type = types.raw;
|
||||
default = mkOption {
|
||||
|
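Review bot: Removing `sandbox.usePortal` from the option set means any program definition outside this commit that still sets it fails with a generic undefined-option error; since the option had a default and was set to `false` in several places, a transitional `(lib.mkRemovedOptionModule [ "sandbox" "usePortal" ] "portals are now handled per-app via GIO_USE_PORTALS")` in the submodule's imports gives a pointed message instead. The inherit list at the top of the file also drops `usePortal`; the body code that read it is outside these hunks, so confirm no reference remains.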
@@ -11,7 +11,6 @@
|
||||
keepUsers ? false,
|
||||
netDev ? null,
|
||||
netGateway ? null,
|
||||
usePortal ? false,
|
||||
whitelistPwd ? false,
|
||||
extraConfig ? [],
|
||||
}:
|
||||
@@ -28,14 +27,12 @@ let
|
||||
path = p: [ "--sanebox-path" p ];
|
||||
path-home = p: [ "--sanebox-home-path" p ];
|
||||
path-run = p: [ "--sanebox-run-path" p ];
|
||||
usePortal = [ "--sanebox-portal" ];
|
||||
whitelistPwd = [ "--sanebox-add-pwd" ];
|
||||
};
|
||||
bunpenGenerators = {
|
||||
method = m: assert m == "bunpen"; [];
|
||||
netDev = n: assert n == "all"; [ "--bunpen-keep-net" ];
|
||||
path = p: [ "--bunpen-path" p ];
|
||||
usePortal = []; #< TODO: the sandboxer really shouldn't have to know about portals.
|
||||
};
|
||||
gen = if method == "bunpen" then
|
||||
bunpenGenerators
|
||||
@@ -62,5 +59,4 @@ in
|
||||
++ lib.optionals keepPids gen.keepPids
|
||||
++ lib.optionals keepUsers gen.keepUsers
|
||||
++ lib.optionals whitelistPwd gen.whitelistPwd
|
||||
++ lib.optionals usePortal gen.usePortal
|
||||
++ extraConfig
|
||||
|
@@ -41,10 +41,6 @@ export fn usage() void = {
|
||||
// fmt::println(" --bunpen-cap <all|sys_admin|net_raw|net_admin|...>")!;
|
||||
// fmt::println(" allow the sandboxed program to use the provided linux capability (both inside and outside the sandbox)")!;
|
||||
// fmt::println(" special cap "all" to preserve all capabilities possible")!;
|
||||
// fmt::println(" --bunpen-portal")!;
|
||||
// fmt::println(" set environment variables so that the sandboxed program will attempt to use xdg-desktop-portal for operations like opening files")!;
|
||||
// fmt::println(" --bunpen-no-portal")!;
|
||||
// fmt::println(" undo a previous `--bunpen-portal` arg")!;
|
||||
// fmt::println(" --bunpen-bwrap-arg <arg>")!;
|
||||
// fmt::println(" --bunpen-capsh-arg <arg>")!;
|
||||
// fmt::println(" --bunpen-pasta-arg <arg>")!;
|
||||
|
@@ -239,7 +239,6 @@ def vpn_do(config: VpnConfig, cmd: list[str]) -> None:
|
||||
"--sanebox-method", "bwrap",
|
||||
"--sanebox-keep-namespace", "all",
|
||||
"--sanebox-path", "/",
|
||||
"--sanebox-no-portal",
|
||||
] + net_flags + cmd
|
||||
|
||||
logger.debug(f"exec {wrapped_cmd}")
|
||||
|
@@ -94,8 +94,6 @@ netDev=
|
||||
netGateway=default
|
||||
# list of IP addresses to use for DNS servers inside the sandbox (not supported by all backends)
|
||||
dns=()
|
||||
# VAR -> VALUE map of environment variables to add to the sandboxed program's environment
|
||||
declare -A portalEnv
|
||||
argv0=
|
||||
case "${0:-8}" in
|
||||
("sanebox"|"/sanebox")
|
||||
@@ -135,10 +133,6 @@ usage() {
|
||||
echo ' --sanebox-cap <all|sys_admin|net_raw|net_admin|...>'
|
||||
echo ' allow the sandboxed program to use the provided linux capability (both inside and outside the sandbox)'
|
||||
echo ' special cap "all" to preserve all capabilities possible'
|
||||
echo ' --sanebox-portal'
|
||||
echo ' set environment variables so that the sandboxed program will attempt to use xdg-desktop-portal for operations like opening files'
|
||||
echo ' --sanebox-no-portal'
|
||||
echo ' undo a previous `--sanebox-portal` arg'
|
||||
echo ' --sanebox-bwrap-arg <arg>'
|
||||
echo ' --sanebox-capsh-arg <arg>'
|
||||
echo ' --sanebox-pasta-arg <arg>'
|
||||
@@ -564,20 +558,6 @@ parseArgs() {
|
||||
capabilities+=("$cap")
|
||||
fi
|
||||
;;
|
||||
(--sanebox-portal)
|
||||
# instruct glib/gtk apps to perform actions such as opening external files via dbus calls to org.freedesktop.portal.*.
|
||||
# note that GIO_USE_PORTALS primarily acts as a *fallback*: apps only open files via the portal if they don't know how to themelves.
|
||||
# this switch is typically accompanied by removing all MIME associations from the app's view, then.
|
||||
# GTK_USE_PORTALS is the old name, beginning to be phased out as of 2023-10-02
|
||||
portalEnv[GIO_USE_PORTALS]=1
|
||||
portalEnv[GTK_USE_PORTAL]=1
|
||||
portalEnv[NIXOS_XDG_OPEN_USE_PORTAL]=1
|
||||
;;
|
||||
(--sanebox-no-portal)
|
||||
# override a previous --sanebox-portal call
|
||||
unset portalEnv
|
||||
declare -A portalEnv
|
||||
;;
|
||||
(--sanebox-bwrap-arg)
|
||||
local bwrapArg=$1
|
||||
shift
|
||||
@@ -773,10 +753,6 @@ bwrapGetCli() {
|
||||
)
|
||||
fi
|
||||
|
||||
for envName in "${!portalEnv[@]}"; do
|
||||
bwrapArgs+=(--setenv "$envName" "${portalEnv[$envName]}")
|
||||
done
|
||||
|
||||
cliArgs=(
|
||||
"$_bwrap"
|
||||
--argv0 "$argv0"
|
||||
@@ -950,13 +926,8 @@ capshonlyGetCli() {
|
||||
locate _capsh "capsh" "$CAPSH_FALLBACK"
|
||||
locate _env "env" "$ENV_FALLBACK"
|
||||
|
||||
local envArgs=(-a "$argv0")
|
||||
for envName in "${!portalEnv[@]}"; do
|
||||
envArgs+=("$envName=${portalEnv[$envName]}")
|
||||
done
|
||||
|
||||
cliArgs=(
|
||||
"$_capsh" "--caps=$capshCapsArg" --no-new-privs --shell="$_env" "${capshArgs[@]}" -- "${envArgs[@]}" "${cliArgs[@]}"
|
||||
"$_capsh" "--caps=$capshCapsArg" --no-new-privs --shell="$_env" "${capshArgs[@]}" -- -a "$argv0" "${cliArgs[@]}"
|
||||
)
|
||||
}
|
||||
|
||||
|
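Review bot: With the `--sanebox-portal`/`--sanebox-no-portal` cases gone from `parseArgs`, a stale wrapper that still passes either flag falls into the catch-all branch, which is outside this hunk; worth confirming that branch rejects unknown `--sanebox-*` flags rather than forwarding them into the sandboxed program's argv. The `portalEnv` removal looks complete for the bwrap and capsh backends shown (`capshonlyGetCli` now passes `-a "$argv0"` to env directly), but any other backend's *GetCli that referenced `portalEnv` would be outside this diff and would now expand an undeclared variable, so a grep for `portalEnv` across the script is advisable. `parseArgs`, `bwrapGetCli` and `capshonlyGetCli` all begin before their respective hunks.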