programs: make sandbox.wrapperType default to "wrappedDerivation" and remove everywhere i manually set that

Colin 2024-02-28 17:39:00 +00:00
parent 812c0c8029
commit 40e30cf2f8
62 changed files with 1 additions and 180 deletions


@ -31,7 +31,6 @@
};
sandbox.method = "bwrap";
sandbox.wrapperType = "wrappedDerivation";
sandbox.whitelistWayland = true;
persist.byStore.plaintext = [


@ -203,13 +203,11 @@ in
# INDIVIDUAL PACKAGE DEFINITIONS
alsaUtils.sandbox.method = "landlock";
alsaUtils.sandbox.wrapperType = "wrappedDerivation";
alsaUtils.sandbox.whitelistAudio = true; #< not strictly necessary?
backblaze-b2 = {};
blanket.sandbox.method = "bwrap";
blanket.sandbox.wrapperType = "wrappedDerivation";
blanket.sandbox.whitelistAudio = true;
# blanket.sandbox.whitelistDbus = [ "user" ]; # TODO: untested
blanket.sandbox.whitelistWayland = true;
@ -225,11 +223,9 @@ in
];
bridge-utils.sandbox.method = "bwrap"; #< bwrap, landlock: both work
bridge-utils.sandbox.wrapperType = "wrappedDerivation";
bridge-utils.sandbox.net = "all";
brightnessctl.sandbox.method = "landlock"; # also bwrap, but landlock is more responsive
brightnessctl.sandbox.wrapperType = "wrappedDerivation";
brightnessctl.sandbox.extraPaths = [
"/sys/class/backlight"
"/sys/class/leds"
@ -238,7 +234,6 @@ in
brightnessctl.sandbox.whitelistDbus = [ "system" ];
btrfs-progs.sandbox.method = "bwrap"; #< bwrap, landlock: both work
btrfs-progs.sandbox.wrapperType = "wrappedDerivation";
btrfs-progs.sandbox.autodetectCliPaths = "existing"; # e.g. `btrfs filesystem df /my/fs`
"cacert.unbundled".sandbox.enable = false;
@ -249,7 +244,6 @@ in
# cryptsetup: typical use is `cryptsetup open /dev/loopxyz mappedName`, and creates `/dev/mapper/mappedName`
cryptsetup.sandbox.method = "landlock";
cryptsetup.sandbox.wrapperType = "wrappedDerivation";
cryptsetup.sandbox.extraPaths = [
"/dev/mapper"
"/dev/random"
@ -263,12 +257,10 @@ in
cryptsetup.sandbox.autodetectCliPaths = "existing";
ddrescue.sandbox.method = "landlock"; # TODO:sandbox: untested
ddrescue.sandbox.wrapperType = "wrappedDerivation";
ddrescue.sandbox.autodetectCliPaths = "existingOrParent";
# auth token, preferences
delfin.sandbox.method = "bwrap";
delfin.sandbox.wrapperType = "wrappedDerivation";
delfin.sandbox.whitelistAudio = true;
delfin.sandbox.whitelistDbus = [ "user" ]; # else `mpris` plugin crashes the player
delfin.sandbox.whitelistDri = true;
@ -277,7 +269,6 @@ in
delfin.persist.byStore.private = [ ".config/delfin" ];
dig.sandbox.method = "bwrap";
dig.sandbox.wrapperType = "wrappedDerivation";
dig.sandbox.net = "all";
# creds, but also 200 MB of node modules, etc
@ -293,18 +284,15 @@ in
dtc.sandbox.autodetectCliPaths = true; # TODO:sandbox: untested
dtrx.sandbox.method = "bwrap";
dtrx.sandbox.wrapperType = "wrappedDerivation";
dtrx.sandbox.whitelistPwd = true;
dtrx.sandbox.autodetectCliPaths = "existing"; #< for the archive
duplicity = {};
e2fsprogs.sandbox.method = "landlock";
e2fsprogs.sandbox.wrapperType = "wrappedDerivation";
e2fsprogs.sandbox.autodetectCliPaths = "existing";
efibootmgr.sandbox.method = "landlock";
efibootmgr.sandbox.wrapperType = "wrappedDerivation";
efibootmgr.sandbox.extraPaths = [
"/sys/firmware/efi"
];
@ -312,14 +300,12 @@ in
eg25-control = {};
electrum.sandbox.method = "bwrap"; # TODO:sandbox: untested
electrum.sandbox.wrapperType = "wrappedDerivation";
electrum.sandbox.net = "all"; # TODO: probably want to make this run behind a VPN, always
electrum.sandbox.whitelistWayland = true;
electrum.persist.byStore.cryptClearOnBoot = [ ".electrum" ]; #< TODO: use XDG dirs!
endless-sky.persist.byStore.plaintext = [ ".local/share/endless-sky" ];
endless-sky.sandbox.method = "bwrap";
endless-sky.sandbox.wrapperType = "wrappedDerivation";
endless-sky.sandbox.whitelistAudio = true;
endless-sky.sandbox.whitelistDri = true;
endless-sky.sandbox.whitelistWayland = true;
@ -330,14 +316,12 @@ in
emote.persist.byStore.plaintext = [ ".local/share/Emote" ];
ethtool.sandbox.method = "landlock";
ethtool.sandbox.wrapperType = "wrappedDerivation";
ethtool.sandbox.capabilities = [ "net_admin" ];
# eza `ls` replacement
# landlock is OK, only `whitelistPwd` doesn't make the intermediate symlinks traversable, so it breaks on e.g. ~/Videos/servo/Shows/foo
# eza.sandbox.method = "landlock";
eza.sandbox.method = "bwrap";
eza.sandbox.wrapperType = "wrappedDerivation"; # slow to build
eza.sandbox.autodetectCliPaths = true;
eza.sandbox.whitelistPwd = true;
eza.sandbox.extraHomePaths = [
@ -347,11 +331,9 @@ in
];
fatresize.sandbox.method = "landlock";
fatresize.sandbox.wrapperType = "wrappedDerivation";
fatresize.sandbox.autodetectCliPaths = "parent"; # /dev/sda1 -> needs /dev/sda
fd.sandbox.method = "landlock";
fd.sandbox.wrapperType = "wrappedDerivation"; # slow to build
fd.sandbox.autodetectCliPaths = true;
fd.sandbox.whitelistPwd = true;
fd.sandbox.extraHomePaths = [
@ -361,15 +343,12 @@ in
];
ffmpeg.sandbox.method = "bwrap";
ffmpeg.sandbox.wrapperType = "wrappedDerivation"; # slow to build
ffmpeg.sandbox.autodetectCliPaths = "existingFileOrParent"; # it outputs uncreated files -> parent dir needs mounting
file.sandbox.method = "bwrap";
file.sandbox.wrapperType = "wrappedDerivation";
file.sandbox.autodetectCliPaths = true;
findutils.sandbox.method = "bwrap";
findutils.sandbox.wrapperType = "wrappedDerivation";
findutils.sandbox.autodetectCliPaths = true;
findutils.sandbox.whitelistPwd = true;
findutils.sandbox.extraHomePaths = [
@ -381,14 +360,12 @@ in
fluffychat-moby.persist.byStore.plaintext = [ ".local/share/chat.fluffy.fluffychat" ];
font-manager.sandbox.method = "bwrap";
font-manager.sandbox.wrapperType = "wrappedDerivation";
font-manager.packageUnwrapped = pkgs.rmDbusServicesInPlace (pkgs.font-manager.override {
# build without the "Google Fonts" integration feature, to save closure / avoid webkitgtk_4_0
withWebkit = false;
});
forkstat.sandbox.method = "landlock"; #< doesn't seem to support bwrap
forkstat.sandbox.wrapperType = "wrappedDerivation";
forkstat.sandbox.extraConfig = [
"--sane-sandbox-keep-namespace" "pid"
];
@ -401,7 +378,6 @@ in
# should probably make it not be an app-launcher
fuzzel.sandbox.enable = false;
fuzzel.sandbox.method = "bwrap"; #< landlock nearly works, but unable to open ~/.cache
fuzzel.sandbox.wrapperType = "wrappedDerivation";
fuzzel.sandbox.whitelistWayland = true;
fuzzel.persist.byStore.private = [
# this is a file of recent selections
@ -414,7 +390,6 @@ in
gdb.sandbox.enable = false; # gdb doesn't sandbox well. i don't know how you could.
# gdb.sandbox.method = "landlock"; # permission denied when trying to attach, even as root
gdb.sandbox.wrapperType = "wrappedDerivation";
gdb.sandbox.autodetectCliPaths = true;
geoclue2-with-demo-agent = {};
@ -424,7 +399,6 @@ in
gh.persist.byStore.private = [ ".config/gh" ];
gimp.sandbox.method = "bwrap";
gimp.sandbox.wrapperType = "wrappedDerivation";
gimp.sandbox.whitelistWayland = true;
gimp.sandbox.extraHomePaths = [
"Pictures/albums"
@ -443,39 +417,32 @@ in
];
"gnome.gnome-calculator".sandbox.method = "bwrap";
"gnome.gnome-calculator".sandbox.wrapperType = "wrappedDerivation";
"gnome.gnome-calculator".sandbox.whitelistWayland = true;
# gnome-calendar surely has data to persist, but i use it strictly to do date math, not track events.
"gnome.gnome-calendar".sandbox.method = "bwrap";
"gnome.gnome-calendar".sandbox.wrapperType = "wrappedDerivation";
"gnome.gnome-calendar".sandbox.whitelistWayland = true;
"gnome.gnome-clocks".sandbox.method = "bwrap";
"gnome.gnome-clocks".sandbox.wrapperType = "wrappedDerivation";
"gnome.gnome-clocks".sandbox.whitelistWayland = true;
"gnome.gnome-clocks".suggestedPrograms = [ "dconf" ];
# gnome-disks
"gnome.gnome-disk-utility".sandbox.method = "bwrap";
"gnome.gnome-disk-utility".sandbox.wrapperType = "wrappedDerivation";
"gnome.gnome-disk-utility".sandbox.whitelistDbus = [ "system" ];
"gnome.gnome-disk-utility".sandbox.whitelistWayland = true;
# seahorse: dump gnome-keyring secrets.
# N.B.: it can also manage ~/.ssh keys, but i explicitly don't add those to the sandbox for now.
"gnome.seahorse".sandbox.method = "bwrap";
"gnome.seahorse".sandbox.wrapperType = "wrappedDerivation";
"gnome.seahorse".sandbox.whitelistDbus = [ "user" ];
"gnome.seahorse".sandbox.whitelistWayland = true;
gnome-2048.sandbox.method = "bwrap";
gnome-2048.sandbox.wrapperType = "wrappedDerivation";
gnome-2048.sandbox.whitelistWayland = true;
gnome-2048.persist.byStore.plaintext = [ ".local/share/gnome-2048/scores" ];
gnome-frog.sandbox.method = "bwrap";
gnome-frog.sandbox.wrapperType = "wrappedDerivation";
gnome-frog.sandbox.whitelistWayland = true;
gnome-frog.sandbox.whitelistDbus = [ "user" ];
gnome-frog.sandbox.extraPaths = [
@ -502,11 +469,9 @@ in
# 2. no two shaded tiles can be direct N/S/E/W neighbors
# - win once (1) and (2) are satisfied
"gnome.hitori".sandbox.method = "bwrap";
"gnome.hitori".sandbox.wrapperType = "wrappedDerivation";
"gnome.hitori".sandbox.whitelistWayland = true;
gnugrep.sandbox.method = "bwrap";
gnugrep.sandbox.wrapperType = "wrappedDerivation";
gnugrep.sandbox.autodetectCliPaths = true;
gnugrep.sandbox.whitelistPwd = true;
gnugrep.sandbox.extraHomePaths = [
@ -519,7 +484,6 @@ in
gpsd = {};
gptfdisk.sandbox.method = "landlock";
gptfdisk.sandbox.wrapperType = "wrappedDerivation";
gptfdisk.sandbox.extraPaths = [
"/dev"
];
@ -528,7 +492,6 @@ in
grim = {};
hase.sandbox.method = "bwrap";
hase.sandbox.wrapperType = "wrappedDerivation";
hase.sandbox.net = "clearnet";
hase.sandbox.whitelistAudio = true;
hase.sandbox.whitelistDri = true;
@ -536,15 +499,12 @@ in
# hdparm: has to be run as sudo. e.g. `sudo hdparm -i /dev/sda`
hdparm.sandbox.method = "bwrap";
hdparm.sandbox.wrapperType = "wrappedDerivation";
hdparm.sandbox.autodetectCliPaths = true;
host.sandbox.method = "landlock";
host.sandbox.wrapperType = "wrappedDerivation";
host.sandbox.net = "all"; #< technically, only needs to contact localhost's DNS server
htop.sandbox.method = "landlock";
htop.sandbox.wrapperType = "wrappedDerivation";
htop.sandbox.extraPaths = [
"/proc"
"/sys/devices"
@ -555,16 +515,13 @@ in
];
iftop.sandbox.method = "landlock";
iftop.sandbox.wrapperType = "wrappedDerivation";
iftop.sandbox.capabilities = [ "net_raw" ];
# inetutils: ping, ifconfig, hostname, traceroute, whois, ....
# N.B.: inetutils' `ping` is shadowed by iputils' ping (by nixos, intentionally).
inetutils.sandbox.method = "landlock"; # want to keep the same netns, at least.
inetutils.sandbox.wrapperType = "wrappedDerivation";
inkscape.sandbox.method = "bwrap";
inkscape.sandbox.wrapperType = "wrappedDerivation";
inkscape.sandbox.whitelistWayland = true;
inkscape.sandbox.extraHomePaths = [
"Pictures/albums"
@ -580,7 +537,6 @@ in
inkscape.sandbox.autodetectCliPaths = true;
iotop.sandbox.method = "landlock";
iotop.sandbox.wrapperType = "wrappedDerivation";
iotop.sandbox.extraPaths = [
"/proc"
];
@ -588,38 +544,31 @@ in
# provides `ip`, `routel`, others
iproute2.sandbox.method = "landlock";
iproute2.sandbox.wrapperType = "wrappedDerivation";
iproute2.sandbox.net = "all";
iproute2.sandbox.capabilities = [ "net_admin" ];
iptables.sandbox.method = "landlock";
iptables.sandbox.wrapperType = "wrappedDerivation";
iptables.sandbox.net = "all";
iptables.sandbox.capabilities = [ "net_admin" ];
# iputils provides `ping` (and arping, clockdiff, tracepath)
iputils.sandbox.method = "landlock";
iputils.sandbox.wrapperType = "wrappedDerivation";
iputils.sandbox.net = "all";
iputils.sandbox.capabilities = [ "net_raw" ];
iw.sandbox.method = "landlock";
iw.sandbox.wrapperType = "wrappedDerivation";
iw.sandbox.net = "all";
iw.sandbox.capabilities = [ "net_admin" ];
jq.sandbox.method = "bwrap";
jq.sandbox.wrapperType = "wrappedDerivation";
jq.sandbox.autodetectCliPaths = "existingFile";
killall.sandbox.method = "landlock";
killall.sandbox.wrapperType = "wrappedDerivation";
killall.sandbox.extraPaths = [
"/proc"
];
krita.sandbox.method = "bwrap";
krita.sandbox.wrapperType = "wrappedDerivation";
krita.sandbox.whitelistWayland = true;
krita.sandbox.autodetectCliPaths = "existing";
krita.sandbox.extraHomePaths = [
@ -637,11 +586,9 @@ in
libcap_ng.sandbox.enable = false; # there's something about /proc/$pid/fd which breaks `readlink`/stat with every sandbox technique (except capsh-only)
libnotify.sandbox.method = "bwrap";
libnotify.sandbox.wrapperType = "wrappedDerivation";
libnotify.sandbox.whitelistDbus = [ "user" ]; # notify-send
losslesscut-bin.sandbox.method = "bwrap";
losslesscut-bin.sandbox.wrapperType = "wrappedDerivation";
losslesscut-bin.sandbox.extraHomePaths = [
"Music"
"Pictures/from" # videos from e.g. mobile phone
@ -656,13 +603,11 @@ in
losslesscut-bin.sandbox.whitelistX = true;
lsof.sandbox.method = "capshonly"; # lsof doesn't sandbox under bwrap or even landlock w/ full access to /
lsof.sandbox.wrapperType = "wrappedDerivation";
lua = {};
"mate.engrampa".packageUnwrapped = pkgs.rmDbusServices pkgs.mate.engrampa;
"mate.engrampa".sandbox.method = "bwrap"; # TODO:sandbox: untested
"mate.engrampa".sandbox.wrapperType = "wrappedDerivation";
"mate.engrampa".sandbox.whitelistWayland = true;
"mate.engrampa".sandbox.autodetectCliPaths = "existingOrParent";
"mate.engrampa".sandbox.extraHomePaths = [
@ -675,7 +620,6 @@ in
];
mercurial.sandbox.method = "bwrap"; # TODO:sandbox: untested
mercurial.sandbox.wrapperType = "wrappedDerivation";
mercurial.sandbox.net = "clearnet";
mercurial.sandbox.whitelistPwd = true;
@ -683,7 +627,6 @@ in
# XXX: is it really safe to persist this? it doesn't have info that could de-anonymize if captured?
monero-gui.persist.byStore.plaintext = [ ".bitmonero" ];
monero-gui.sandbox.method = "bwrap";
monero-gui.sandbox.wrapperType = "wrappedDerivation";
monero-gui.sandbox.net = "all";
monero-gui.sandbox.extraHomePaths = [
"records/finance/cryptocurrencies/monero"
@ -692,20 +635,16 @@ in
mumble.persist.byStore.private = [ ".local/share/Mumble" ];
nano.sandbox.method = "bwrap";
nano.sandbox.wrapperType = "wrappedDerivation";
nano.sandbox.autodetectCliPaths = "existingFileOrParent";
netcat.sandbox.method = "landlock";
netcat.sandbox.wrapperType = "wrappedDerivation";
netcat.sandbox.net = "all";
nethogs.sandbox.method = "capshonly"; # *partially* works under landlock w/ full access to /
nethogs.sandbox.wrapperType = "wrappedDerivation";
nethogs.sandbox.capabilities = [ "net_admin" "net_raw" ];
# provides `arp`, `hostname`, `route`, `ifconfig`
nettools.sandbox.method = "landlock";
nettools.sandbox.wrapperType = "wrappedDerivation";
nettools.sandbox.net = "all";
nettools.sandbox.capabilities = [ "net_admin" "net_raw" ];
nettools.sandbox.extraPaths = [
@ -713,7 +652,6 @@ in
];
networkmanagerapplet.sandbox.method = "bwrap";
networkmanagerapplet.sandbox.wrapperType = "wrappedDerivation";
networkmanagerapplet.sandbox.whitelistWayland = true;
networkmanagerapplet.sandbox.whitelistDbus = [ "system" ];
@ -726,11 +664,9 @@ in
];
nmap.sandbox.method = "bwrap";
nmap.sandbox.wrapperType = "wrappedDerivation";
nmap.sandbox.net = "all"; # clearnet and lan
nmon.sandbox.method = "landlock";
nmon.sandbox.wrapperType = "wrappedDerivation";
nmon.sandbox.extraPaths = [
"/proc"
];
@ -739,7 +675,6 @@ in
# `nvme list` only shows results when run as root.
nvme-cli.sandbox.method = "landlock";
nvme-cli.sandbox.wrapperType = "wrappedDerivation";
nvme-cli.sandbox.extraPaths = [
"/sys/devices"
"/sys/class/nvme"
@ -751,13 +686,11 @@ in
# contains only `oathtool`, which i only use for evaluating TOTP codes from CLI/stdin
oath-toolkit.sandbox.method = "bwrap";
oath-toolkit.sandbox.wrapperType = "wrappedDerivation";
# settings (electron app)
obsidian.persist.byStore.plaintext = [ ".config/obsidian" ];
parted.sandbox.method = "landlock";
parted.sandbox.wrapperType = "wrappedDerivation";
parted.sandbox.extraPaths = [
"/dev"
];
@ -766,12 +699,10 @@ in
patchelf = {};
pavucontrol.sandbox.method = "bwrap";
pavucontrol.sandbox.wrapperType = "wrappedDerivation";
pavucontrol.sandbox.whitelistAudio = true;
pavucontrol.sandbox.whitelistWayland = true;
pciutils.sandbox.method = "landlock";
pciutils.sandbox.wrapperType = "wrappedDerivation";
pciutils.sandbox.extraPaths = [
"/sys/bus/pci"
"/sys/devices"
@ -780,7 +711,6 @@ in
"perlPackages.FileMimeInfo".sandbox.enable = false; #< TODO: sandbox `mimetype` but not `mimeopen`.
powertop.sandbox.method = "landlock";
powertop.sandbox.wrapperType = "wrappedDerivation";
powertop.sandbox.capabilities = [ "ipc_lock" "sys_admin" ];
powertop.sandbox.extraPaths = [
"/proc"
@ -790,17 +720,14 @@ in
];
pstree.sandbox.method = "landlock";
pstree.sandbox.wrapperType = "wrappedDerivation";
pstree.sandbox.extraPaths = [
"/proc"
];
pulsemixer.sandbox.method = "landlock";
pulsemixer.sandbox.wrapperType = "wrappedDerivation";
pulsemixer.sandbox.whitelistAudio = true;
pwvucontrol.sandbox.method = "bwrap";
pwvucontrol.sandbox.wrapperType = "wrappedDerivation";
pwvucontrol.sandbox.whitelistAudio = true;
pwvucontrol.sandbox.whitelistWayland = true;
@ -808,7 +735,6 @@ in
requests
]);
python3-repl.sandbox.method = "bwrap";
python3-repl.sandbox.wrapperType = "wrappedDerivation";
python3-repl.sandbox.net = "clearnet";
python3-repl.sandbox.extraHomePaths = [
"/"
@ -819,7 +745,6 @@ in
qemu.slowToBuild = true;
rsync.sandbox.method = "bwrap";
rsync.sandbox.wrapperType = "wrappedDerivation";
rsync.sandbox.net = "clearnet";
rsync.sandbox.autodetectCliPaths = "existingOrParent";
@ -828,13 +753,11 @@ in
screen.sandbox.enable = false; #< tty; needs to run anything
sequoia.sandbox.method = "bwrap"; # TODO:sandbox: untested
sequoia.sandbox.wrapperType = "wrappedDerivation"; # slow to build
sequoia.sandbox.whitelistPwd = true;
sequoia.sandbox.autodetectCliPaths = true;
shattered-pixel-dungeon.persist.byStore.plaintext = [ ".local/share/.shatteredpixel/shattered-pixel-dungeon" ];
shattered-pixel-dungeon.sandbox.method = "bwrap";
shattered-pixel-dungeon.sandbox.wrapperType = "wrappedDerivation";
shattered-pixel-dungeon.sandbox.whitelistAudio = true;
shattered-pixel-dungeon.sandbox.whitelistDri = true;
shattered-pixel-dungeon.sandbox.whitelistWayland = true;
@ -851,7 +774,6 @@ in
smartmontools.sandbox.capabilities = [ "sys_rawio" ];
sops.sandbox.method = "bwrap"; # TODO:sandbox: untested
sops.sandbox.wrapperType = "wrappedDerivation";
sops.sandbox.extraHomePaths = [
".config/sops"
"dev/nixos"
@ -861,7 +783,6 @@ in
];
soundconverter.sandbox.method = "bwrap";
soundconverter.sandbox.wrapperType = "wrappedDerivation";
soundconverter.sandbox.whitelistWayland = true;
soundconverter.sandbox.extraHomePaths = [
"Music"
@ -875,19 +796,16 @@ in
soundconverter.sandbox.autodetectCliPaths = "existingOrParent";
sox.sandbox.method = "bwrap";
sox.sandbox.wrapperType = "wrappedDerivation";
sox.sandbox.autodetectCliPaths = "existingFileOrParent";
sox.sandbox.whitelistAudio = true;
space-cadet-pinball.persist.byStore.plaintext = [ ".local/share/SpaceCadetPinball" ];
space-cadet-pinball.sandbox.method = "bwrap";
space-cadet-pinball.sandbox.wrapperType = "wrappedDerivation";
space-cadet-pinball.sandbox.whitelistAudio = true;
space-cadet-pinball.sandbox.whitelistDri = true;
space-cadet-pinball.sandbox.whitelistWayland = true;
speedtest-cli.sandbox.method = "bwrap";
speedtest-cli.sandbox.wrapperType = "wrappedDerivation";
speedtest-cli.sandbox.net = "all";
sqlite = {};
@ -895,7 +813,6 @@ in
strace.sandbox.enable = false; #< needs to `exec` its args, and therefore support *anything*
subversion.sandbox.method = "bwrap";
subversion.sandbox.wrapperType = "wrappedDerivation";
subversion.sandbox.net = "clearnet";
subversion.sandbox.whitelistPwd = true;
sudo.sandbox.enable = false;
@ -908,7 +825,6 @@ in
superTux.persist.byStore.plaintext = [ ".local/share/supertux2" ];
tcpdump.sandbox.method = "landlock";
tcpdump.sandbox.wrapperType = "wrappedDerivation";
tcpdump.sandbox.net = "all";
tcpdump.sandbox.autodetectCliPaths = "existingFileOrParent";
tcpdump.sandbox.capabilities = [ "net_admin" "net_raw" ];
@ -918,12 +834,10 @@ in
tokodon.persist.byStore.private = [ ".cache/KDE/tokodon" ];
tree.sandbox.method = "landlock";
tree.sandbox.wrapperType = "wrappedDerivation";
tree.sandbox.autodetectCliPaths = true;
tree.sandbox.whitelistPwd = true;
tumiki-fighters.sandbox.method = "bwrap";
tumiki-fighters.sandbox.wrapperType = "wrappedDerivation";
tumiki-fighters.sandbox.whitelistAudio = true;
tumiki-fighters.sandbox.whitelistDri = true; #< not strictly necessary, but triples CPU perf
tumiki-fighters.sandbox.whitelistWayland = true;
@ -932,34 +846,28 @@ in
util-linux.sandbox.enable = false; #< TODO: possible to sandbox if i specific a different profile for each of its ~50 binaries
unzip.sandbox.method = "bwrap";
unzip.sandbox.wrapperType = "wrappedDerivation";
unzip.sandbox.autodetectCliPaths = "existingOrParent";
unzip.sandbox.whitelistPwd = true;
usbutils.sandbox.method = "bwrap"; # breaks `usbhid-dump`, but `lsusb`, `usb-devices` work
usbutils.sandbox.wrapperType = "wrappedDerivation";
usbutils.sandbox.extraPaths = [
"/sys/devices"
"/sys/bus/usb"
];
visidata.sandbox.method = "bwrap"; # TODO:sandbox: untested
visidata.sandbox.wrapperType = "wrappedDerivation";
visidata.sandbox.autodetectCliPaths = true;
# `vulkaninfo`, `vkcube`
vulkan-tools.sandbox.method = "landlock";
vulkan-tools.sandbox.wrapperType = "wrappedDerivation";
vvvvvv.sandbox.method = "bwrap";
vvvvvv.sandbox.wrapperType = "wrappedDerivation";
vvvvvv.sandbox.whitelistAudio = true;
vvvvvv.sandbox.whitelistDri = true; #< playable without, but burns noticably more CPU
vvvvvv.sandbox.whitelistWayland = true;
vvvvvv.persist.byStore.plaintext = [ ".local/share/VVVVVV" ];
w3m.sandbox.method = "bwrap";
w3m.sandbox.wrapperType = "wrappedDerivation";
w3m.sandbox.net = "all";
w3m.sandbox.extraHomePaths = [
# little-used feature, but you can save web pages :)
@ -967,11 +875,9 @@ in
];
wdisplays.sandbox.method = "bwrap";
wdisplays.sandbox.wrapperType = "wrappedDerivation";
wdisplays.sandbox.whitelistWayland = true;
wget.sandbox.method = "bwrap";
wget.sandbox.wrapperType = "wrappedDerivation";
wget.sandbox.net = "all";
wget.sandbox.whitelistPwd = true; # saves to pwd by default
@ -979,16 +885,13 @@ in
# `wg`, `wg-quick`
wireguard-tools.sandbox.method = "landlock";
wireguard-tools.sandbox.wrapperType = "wrappedDerivation";
wireguard-tools.sandbox.capabilities = [ "net_admin" ];
# provides `iwconfig`, `iwlist`, `iwpriv`, ...
wirelesstools.sandbox.method = "landlock";
wirelesstools.sandbox.wrapperType = "wrappedDerivation";
wirelesstools.sandbox.capabilities = [ "net_admin" ];
wl-clipboard.sandbox.method = "bwrap";
wl-clipboard.sandbox.wrapperType = "wrappedDerivation";
wl-clipboard.sandbox.whitelistWayland = true;
wtype = {};
@ -1005,7 +908,6 @@ in
yarn.persist.byStore.plaintext = [ ".cache/yarn" ];
yt-dlp.sandbox.method = "bwrap"; # TODO:sandbox: untested
yt-dlp.sandbox.wrapperType = "wrappedDerivation";
yt-dlp.sandbox.net = "all";
yt-dlp.sandbox.whitelistPwd = true; # saves to pwd by default


@ -10,7 +10,6 @@
};
sandbox.method = "bwrap";
sandbox.wrapperType = "wrappedDerivation";
sandbox.whitelistAudio = true;
sandbox.whitelistWayland = true;
sandbox.autodetectCliPaths = true;


@ -88,7 +88,6 @@ in
{
sane.programs.bemenu = {
sandbox.method = "bwrap"; # landlock works, but requires *all* of /run/user/$ID to be granted.
sandbox.wrapperType = "wrappedDerivation";
sandbox.whitelistWayland = true;
sandbox.extraHomePaths = [
".cache/fontconfig" #< else it complains, and is *way* slower


@ -3,7 +3,6 @@
{
sane.programs.cozy = {
sandbox.method = "bwrap"; # landlock gives: _multiprocessing.SemLock: Permission Denied
sandbox.wrapperType = "wrappedDerivation";
sandbox.whitelistAudio = true;
sandbox.whitelistDbus = [ "user" ]; # mpris
sandbox.whitelistWayland = true;


@ -10,7 +10,6 @@ in
{
sane.programs.dconf = {
sandbox.method = "bwrap";
sandbox.wrapperType = "wrappedDerivation";
persist.byStore.private = [
".config/dconf"
];


@ -46,7 +46,6 @@ in
};
sandbox.method = "bwrap";
sandbox.wrapperType = "wrappedDerivation";
sandbox.net = "clearnet";
sandbox.whitelistAudio = true;
sandbox.whitelistDbus = [ "user" ]; # notifications


@ -17,7 +17,6 @@
];
sandbox.method = "bwrap";
sandbox.wrapperType = "wrappedDerivation";
sandbox.net = "clearnet";
sandbox.whitelistAudio = true;
sandbox.whitelistDbus = [ "user" ]; # notifications


@ -25,7 +25,6 @@ in
};
sandbox.method = "bwrap";
sandbox.wrapperType = "wrappedDerivation";
sandbox.whitelistDbus = [ "user" ];
sandbox.whitelistAudio = true;


@ -30,7 +30,6 @@ in
{
sane.programs.fontconfig = {
sandbox.method = "bwrap"; # TODO:sandbox: untested
sandbox.wrapperType = "wrappedDerivation";
sandbox.autodetectCliPaths = "existingOrParent"; #< this might be overkill; or, how many programs reference fontconfig internally?
persist.byStore.plaintext = [


@ -28,7 +28,6 @@ in
# packageUnwrapped = pkgs.fractal-next;
sandbox.method = "bwrap";
sandbox.wrapperType = "wrappedDerivation";
sandbox.net = "clearnet";
sandbox.whitelistAudio = true;
sandbox.whitelistDbus = [ "user" ]; # notifications


@ -3,7 +3,6 @@
{
sane.programs.frozen-bubble = {
sandbox.method = "bwrap";
sandbox.wrapperType = "wrappedDerivation";
sandbox.net = "clearnet"; # net play
sandbox.whitelistAudio = true;
sandbox.whitelistWayland = true;


@ -9,7 +9,6 @@
{
sane.programs.g4music = {
sandbox.method = "bwrap";
sandbox.wrapperType = "wrappedDerivation";
sandbox.whitelistAudio = true;
sandbox.whitelistDbus = [ "user" ]; # mpris
sandbox.whitelistWayland = true;


@ -4,7 +4,6 @@
packageUnwrapped = pkgs.linkIntoOwnPackage pkgs.glib "bin/gdbus";
sandbox.method = "bwrap";
sandbox.wrapperType = "wrappedDerivation";
sandbox.whitelistDbus = [ "user" ]; #< XXX: maybe future users will also want system access
};
}


@ -20,7 +20,6 @@ in
};
sandbox.method = "bwrap";
sandbox.wrapperType = "wrappedDerivation";
sandbox.net = "clearnet";
sandbox.whitelistDbus = [ "user" ]; # notifications
sandbox.whitelistWayland = true;


@ -19,7 +19,6 @@ in
'';
});
sandbox.method = "bwrap";
sandbox.wrapperType = "wrappedDerivation";
sandbox.net = "clearnet";
sandbox.whitelistPwd = true;
sandbox.autodetectCliPaths = true; # necessary for git-upload-pack


@ -6,7 +6,6 @@ in
sane.programs.gnome-keyring = {
packageUnwrapped = pkgs.rmDbusServices pkgs.gnome.gnome-keyring;
sandbox.method = "bwrap";
sandbox.wrapperType = "wrappedDerivation";
sandbox.whitelistDbus = [ "user" ];
sandbox.extraRuntimePaths = [
"keyring/control"


@ -3,7 +3,6 @@
sane.programs."gnome.gnome-maps" = {
packageUnwrapped = pkgs.rmDbusServices pkgs.gnome.gnome-maps;
sandbox.method = "bwrap";
sandbox.wrapperType = "wrappedDerivation";
sandbox.whitelistDri = true; # for perf
sandbox.whitelistDbus = [
"system" # system is required for non-portal location services


@ -34,7 +34,6 @@ in
{
sane.programs.go2tv = {
sandbox.method = "bwrap";
sandbox.wrapperType = "wrappedDerivation";
sandbox.net = "clearnet";
sandbox.autodetectCliPaths = true;
# for GUI invocation, allow the common media directories


@ -23,7 +23,6 @@ in {
});
sandbox.method = "bwrap";
sandbox.wrapperType = "wrappedDerivation";
sandbox.whitelistDbus = [ "user" ]; # it won't launch without it, dunno exactly why.
sandbox.whitelistWayland = true;
sandbox.net = "clearnet";


@ -15,7 +15,6 @@
"wl-clipboard"
];
sandbox.method = "bwrap";
sandbox.wrapperType = "wrappedDerivation";
sandbox.whitelistWayland = true;
sandbox.whitelistDbus = [ "user" ];
sandbox.autodetectCliPaths = "existingFileOrParent";


@ -32,7 +32,6 @@ in
'';
});
sandbox.method = "bwrap";
sandbox.wrapperType = "wrappedDerivation";
sandbox.net = "clearnet";
sandbox.whitelistAudio = true;
sandbox.whitelistDbus = [ "user" ]; # notifications


@ -2,7 +2,6 @@
{
sane.programs.handbrake = {
sandbox.method = "landlock"; #< also supports bwrap, but landlock ensures we don't write to non-mounted tmpfs dir
sandbox.wrapperType = "wrappedDerivation";
sandbox.whitelistDbus = [ "user" ]; # notifications
sandbox.whitelistWayland = true;
sandbox.extraHomePaths = [


@ -2,7 +2,6 @@
{
sane.programs.kdenlive = {
sandbox.method = "bwrap";
sandbox.wrapperType = "wrappedDerivation";
sandbox.extraHomePaths = [
"Music"
"Pictures/from" # e.g. Videos taken from my phone


@ -11,7 +11,6 @@
});
sandbox.method = "bwrap"; # TODO:sandbox untested
sandbox.wrapperType = "wrappedDerivation";
sandbox.net = "clearnet";
sandbox.whitelistDbus = [ "user" ]; # needs to connect to dconf via dbus
sandbox.whitelistDri = true; #< required


@ -46,7 +46,6 @@ in {
sane.programs.koreader = {
packageUnwrapped = pkgs.koreader-from-src;
sandbox.method = "bwrap"; # sandboxes fine under landlock too, except for FTP
sandbox.wrapperType = "wrappedDerivation";
sandbox.net = "clearnet";
sandbox.whitelistDri = true; # reduces startup time and subjective page flip time
sandbox.whitelistWayland = true;


@ -2,7 +2,6 @@
{
sane.programs.lemoa = {
sandbox.method = "bwrap";
sandbox.wrapperType = "wrappedDerivation";
sandbox.net = "clearnet";
sandbox.whitelistDbus = [ "user" ]; # for clicking links
sandbox.whitelistDri = true;


@ -12,7 +12,6 @@
}));
sandbox.method = "bwrap";
sandbox.wrapperType = "wrappedDerivation";
sandbox.whitelistWayland = true;
sandbox.autodetectCliPaths = "parent";
sandbox.extraHomePaths = [


@ -10,7 +10,6 @@
# bwrap (loupe image viewer) doesn't like to run inside landlock
# "bwrap: failed to make / slave: Operation not permitted"
sandbox.method = "bwrap"; # supports landlock or bwrap
sandbox.wrapperType = "wrappedDerivation";
sandbox.whitelistDri = true;
sandbox.whitelistWayland = true;
sandbox.whitelistDbus = [ "user" ]; #< so that it can in theory open the image viewer using fdo portal... but it doesn't :|


@ -5,7 +5,6 @@
{
sane.programs.mepo = {
sandbox.method = "bwrap";
sandbox.wrapperType = "wrappedDerivation";
sandbox.net = "all"; # for tiles *and* for localhost comm to gpsd
sandbox.whitelistDri = true;
sandbox.whitelistWayland = true;


@ -11,7 +11,6 @@
}));
sandbox.method = "bwrap";
sandbox.wrapperType = "wrappedDerivation";
sandbox.whitelistDbus = [ "user" ]; # for portals launching apps
sandbox.whitelistWayland = true;
sandbox.extraHomePaths = [


@ -88,7 +88,6 @@ in
{
sane.programs.neovim = {
sandbox.method = "bwrap";
sandbox.wrapperType = "wrappedDerivation";
sandbox.autodetectCliPaths = "existingOrParent";
sandbox.whitelistWayland = true; # for system clipboard integration
# sandbox.whitelistPwd = true;


@ -11,7 +11,6 @@
});
sandbox.method = "firejail";
sandbox.wrapperType = "wrappedDerivation";
sandbox.whitelistWayland = true;
sandbox.net = "vpn";


@ -3,7 +3,6 @@
# provides `nix-locate`, backed by the manually run `nix-index`
sane.programs.nix-index = {
sandbox.method = "bwrap";
sandbox.wrapperType = "wrappedDerivation";
sandbox.net = "clearnet";
sandbox.extraPaths = [
"/nix"


@ -2,7 +2,6 @@
{
sane.programs.notejot = {
sandbox.method = "bwrap";
sandbox.wrapperType = "wrappedDerivation";
sandbox.whitelistWayland = true;
suggestedPrograms = [ "dconf" ]; #< else it can't persist notes


@ -21,7 +21,6 @@ in
};
sandbox.method = "bwrap";
sandbox.wrapperType = "wrappedDerivation";
sandbox.net = "clearnet";
secrets.".config/ntfy-sh/topic" = ../../../secrets/common/ntfy-sh-topic.bin;


@ -3,7 +3,6 @@
{
sane.programs.open-in-mpv = {
sandbox.method = "bwrap";
sandbox.wrapperType = "wrappedDerivation";
sandbox.whitelistDbus = [ "user" ]; # for xdg-open/portals
# taken from <https://github.com/Baldomo/open-in-mpv>


@ -2,7 +2,6 @@
{
sane.programs.planify = {
sandbox.method = "bwrap";
sandbox.wrapperType = "wrappedDerivation";
sandbox.whitelistDbus = [ "user" ]; # for dconf? else it can't persist any tasks/notes
sandbox.whitelistWayland = true;


@ -3,7 +3,6 @@
sane.programs.portfolio-filemanager = {
# this is all taken pretty directly from nautilus config
sandbox.method = "bwrap";
sandbox.wrapperType = "wrappedDerivation";
sandbox.whitelistDbus = [ "user" ]; # for portals launching apps
sandbox.whitelistWayland = true;
sandbox.extraHomePaths = [


@ -2,7 +2,6 @@
{
sane.programs.ripgrep = {
sandbox.method = "bwrap";
sandbox.wrapperType = "wrappedDerivation";
sandbox.autodetectCliPaths = true;
sandbox.whitelistPwd = true;
sandbox.extraHomePaths = [


@ -63,7 +63,6 @@ in
];
sandbox.method = "bwrap";
sandbox.wrapperType = "wrappedDerivation";
sandbox.whitelistDbus = [ "user" ]; #< to launch apps via the portal
sandbox.whitelistWayland = true;
sandbox.extraHomePaths = [
@ -118,7 +117,6 @@ in
};
# if i could remove the sed, then maybe possible to not sandbox.
sandbox.method = "bwrap";
sandbox.wrapperType = "wrappedDerivation";
sandbox.whitelistWayland = true;
sandbox.extraHomePaths = [
".cache/rofi"


@ -54,7 +54,6 @@ in
"sane-scripts.bt-add".sandbox = {
method = "bwrap";
wrapperType = "wrappedDerivation";
net = "clearnet";
# TODO: migrate `transmission_passwd` to `secrets` api
extraPaths = [ "/run/secrets/transmission_passwd" ];
@ -62,7 +61,6 @@ in
"sane-scripts.bt-rm".sandbox = {
method = "bwrap";
wrapperType = "wrappedDerivation";
net = "clearnet";
# TODO: migrate `transmission_passwd` to `secrets` api
extraPaths = [ "/run/secrets/transmission_passwd" ];
@ -70,7 +68,6 @@ in
"sane-scripts.bt-search".sandbox = {
method = "bwrap";
wrapperType = "wrappedDerivation";
net = "clearnet";
# TODO: migrate `jackett_apikey` to `secrets` api
extraPaths = [ "/run/secrets/jackett_apikey" ];
@ -78,7 +75,6 @@ in
"sane-scripts.bt-show".sandbox = {
method = "bwrap";
wrapperType = "wrappedDerivation";
net = "clearnet";
# TODO: migrate `transmission_passwd` to `secrets` api
extraPaths = [ "/run/secrets/transmission_passwd" ];
@ -90,13 +86,11 @@ in
"sane-scripts.deadlines".sandbox = {
method = "bwrap";
wrapperType = "wrappedDerivation";
extraHomePaths = [ "knowledge/planner/deadlines.tsv" ];
};
"sane-scripts.dev-cargo-loop".sandbox = {
method = "bwrap";
wrapperType = "wrappedDerivation";
net = "clearnet";
whitelistPwd = true;
extraPaths = [
@ -110,7 +104,6 @@ in
"sane-scripts.find-dotfiles".sandbox = {
method = "bwrap";
wrapperType = "wrappedDerivation";
extraHomePaths = [
"/"
".persist/ephemeral"
@ -120,7 +113,6 @@ in
"sane-scripts.ip-check".sandbox = {
method = "landlock";
wrapperType = "wrappedDerivation";
net = "all";
};
@ -128,7 +120,6 @@ in
"sane-scripts.private-change-passwd".sandbox = {
method = "bwrap";
wrapperType = "wrappedDerivation";
autodetectCliPaths = "existing"; #< for the new `private` location
capabilities = [ "sys_admin" ]; # it needs to mount the new store
extraHomePaths = [
@ -140,7 +131,6 @@ in
# instead, we put ourselves in a mount namespace, do the mount, and drop into a shell or run a command.
# this actually has an OK side effect, that the mount isn't shared, and so we avoid contention/interleaving that would cause the ending `umount` to fail.
method = "bwrap";
wrapperType = "wrappedDerivation";
# cap_sys_admin is needed to mount stuff.
# ordinarily /run/wrappers/bin/mount would do that via setuid, but sandboxes have no_new_privs by default.
capabilities = [ "sys_admin" ];
@ -151,7 +141,6 @@ in
};
"sane-scripts.private-init".sandbox = {
method = "bwrap";
wrapperType = "wrappedDerivation";
capabilities = [ "sys_admin" ]; # it needs to mount the new store
extraHomePaths = [
".persist/private"
@ -162,7 +151,6 @@ in
"sane-scripts.reclaim-boot-space".sandbox = {
method = "bwrap";
wrapperType = "wrappedDerivation";
extraPaths = [ "/boot" ];
};
@ -173,7 +161,6 @@ in
"sane-scripts.reboot".sandbox = {
method = "bwrap";
wrapperType = "wrappedDerivation";
extraPaths = [
"/run/dbus"
"/run/systemd"
@ -182,13 +169,11 @@ in
"sane-scripts.reclaim-disk-space".sandbox = {
method = "bwrap";
wrapperType = "wrappedDerivation";
extraPaths = [ "/nix/var/nix" ];
};
"sane-scripts.secrets-unlock".sandbox = {
method = "bwrap";
wrapperType = "wrappedDerivation";
extraHomePaths = [
".ssh/id_ed25519"
".ssh/id_ed25519.pub"
@ -214,7 +199,6 @@ in
"sane-scripts.shutdown".sandbox = {
method = "bwrap";
wrapperType = "wrappedDerivation";
extraPaths = [
"/run/dbus"
"/run/systemd"
@ -231,7 +215,6 @@ in
"sane-scripts.tag-music".sandbox = {
method = "bwrap";
wrapperType = "wrappedDerivation";
autodetectCliPaths = "existing";
};
@ -256,7 +239,6 @@ in
(builtins.attrNames config.sane.vpn);
"sane-scripts.vpn".sandbox = {
method = "landlock"; #< bwrap can't handle `ip link` stuff even with cap_net_admin
wrapperType = "wrappedDerivation";
net = "all";
capabilities = [ "net_admin" ];
extraHomePaths = [ ".config/sane-vpn" ];
@ -264,7 +246,6 @@ in
"sane-scripts.which".sandbox = {
method = "bwrap";
wrapperType = "wrappedDerivation";
extraHomePaths = [
# for SXMO
".config/sxmo/hooks"
@ -273,7 +254,6 @@ in
"sane-scripts.wipe".sandbox = {
method = "bwrap";
wrapperType = "wrappedDerivation";
whitelistDbus = [ "user" ]; #< for `secret-tool` and `systemd --user stop <service>
extraHomePaths = [
# could be more specific, but at a maintenance cost.


@ -17,7 +17,6 @@ let
in {
sane.programs.sfeed = {
sandbox.method = "bwrap";
sandbox.wrapperType = "wrappedDerivation";
sandbox.net = "clearnet";
fs.".sfeed/sfeedrc".symlink.text = ''


@ -23,7 +23,6 @@ in
packageUnwrapped = pkgs.signal-desktop-from-src;
sandbox.method = "bwrap";
sandbox.wrapperType = "wrappedDerivation";
sandbox.net = "clearnet";
sandbox.whitelistAudio = true;
sandbox.whitelistWayland = true;


@ -6,7 +6,6 @@
{
sane.programs.splatmoji = {
sandbox.method = "bwrap";
sandbox.wrapperType = "wrappedDerivation";
sandbox.whitelistWayland = true; # it calls into a dmenu helper
sandbox.extraHomePaths = [
".cache/rofi"


@ -2,7 +2,6 @@
{
sane.programs.spot = {
sandbox.method = "bwrap";
sandbox.wrapperType = "wrappedDerivation";
sandbox.net = "clearnet";
sandbox.whitelistAudio = true;
sandbox.whitelistDbus = [ "user" ]; # mpris


@ -2,7 +2,6 @@
{
sane.programs.superTuxKart = {
sandbox.method = "bwrap";
sandbox.wrapperType = "wrappedDerivation";
sandbox.net = "clearnet"; # net play
sandbox.whitelistAudio = true;
sandbox.whitelistDri = true;


@ -5,7 +5,6 @@ in
{
sane.programs.swaylock = {
sandbox.method = "bwrap";
sandbox.wrapperType = "wrappedDerivation";
sandbox.extraPaths = [
# N.B.: we need to be able to follow /etc/shadow to wherever it's symlinked.
# swaylock seems (?) to offload password checking to pam's `unix_chkpwd`,


@ -141,7 +141,6 @@ in
}));
sandbox.method = "bwrap";
sandbox.wrapperType = "wrappedDerivation";
sandbox.whitelistAudio = true;
sandbox.whitelistDbus = [
"user" # mpris; portal


@ -30,7 +30,6 @@ in
slowToBuild = true; # only true for cross-compiled tangram
sandbox.method = "bwrap";
sandbox.wrapperType = "wrappedDerivation";
sandbox.net = "clearnet";
sandbox.whitelistAudio = true;
sandbox.whitelistDri = true;


@ -2,7 +2,6 @@
{
sane.programs.tuba = {
sandbox.method = "bwrap";
sandbox.wrapperType = "wrappedDerivation";
sandbox.net = "clearnet";
sandbox.whitelistAudio = true;
sandbox.whitelistDbus = [ "user" ]; # notifications


@ -132,7 +132,6 @@ in
# N.B.: this sandboxing applies to `unl0kr` itself -- the on-screen-keyboard;
# NOT to the wrapper which invokes `login`.
sandbox.method = "bwrap";
sandbox.wrapperType = "wrappedDerivation";
sandbox.whitelistDri = true;
sandbox.extraPaths = [
"/dev/fb0"


@ -15,7 +15,6 @@ in
samba = null;
};
sandbox.method = "bwrap";
sandbox.wrapperType = "wrappedDerivation";
sandbox.net = "clearnet";
sandbox.autodetectCliPaths = true;
sandbox.whitelistAudio = true;


@ -57,7 +57,6 @@ in
};
sandbox.method = "bwrap";
sandbox.wrapperType = "wrappedDerivation";
sandbox.net = "all"; #< to show net connection status and BW
sandbox.whitelistDbus = [
"user" #< for playerctl/media


@ -7,7 +7,6 @@ in
{
sane.programs.waylock = {
sandbox.method = "bwrap";
sandbox.wrapperType = "wrappedDerivation";
sandbox.extraPaths = [
# N.B.: we need to be able to follow /etc/shadow to wherever it's symlinked.
# waylock seems (?) to offload password checking to pam's `unix_chkpwd`,


@ -5,7 +5,6 @@ in
{
sane.programs.wireplumber = {
sandbox.method = "bwrap";
sandbox.wrapperType = "wrappedDerivation";
sandbox.whitelistDbus = [
# i think this isn't strictly necessary; it just wants to ask the portal for realtime perms
# "system"


@ -5,7 +5,6 @@ in
{
sane.programs.wireshark = {
sandbox.method = "landlock";
sandbox.wrapperType = "wrappedDerivation";
sandbox.whitelistWayland = true;
sandbox.net = "all";
sandbox.capabilities = [ "net_admin" "net_raw" ];


@ -32,7 +32,6 @@ in
};
sandbox.method = "bwrap";
sandbox.wrapperType = "wrappedDerivation";
sandbox.whitelistWayland = true;
fs.".config/wob/wob.ini".symlink.text = ''


@ -7,7 +7,6 @@
};
sandbox.method = "bwrap";
sandbox.wrapperType = "wrappedDerivation";
sandbox.whitelistWayland = true;
sandbox.extraHomePaths = [
"archive"


@ -8,7 +8,6 @@ in
packageUnwrapped = pkgs.rmDbusServicesInPlace pkgs.xdg-desktop-portal-gtk;
sandbox.method = "bwrap";
sandbox.wrapperType = "wrappedDerivation";
sandbox.whitelistDbus = [ "user" ]; # speak to main xdg-desktop-portal
sandbox.whitelistWayland = true;
sandbox.extraHomePaths = [


@ -8,7 +8,6 @@ in
packageUnwrapped = pkgs.rmDbusServicesInPlace pkgs.xdg-desktop-portal-wlr;
sandbox.method = "bwrap"; # TODO:sandbox: untested
sandbox.wrapperType = "wrappedDerivation";
sandbox.whitelistDbus = [ "user" ]; # speak to main xdg-desktop-portal
sandbox.whitelistWayland = true;


@ -316,7 +316,7 @@ let
};
sandbox.wrapperType = mkOption {
type = types.enum [ "inplace" "wrappedDerivation" ];
default = "inplace";
default = "wrappedDerivation";
description = ''
how to manipulate the `packageUnwrapped` derivation in order to achieve sandboxing.
- inplace: applies an override to `packageUnwrapped`, so that all `bin/` files are sandboxed,
@ -327,7 +327,6 @@ let
"inplace" is more reliable, but "wrappedDerivation" is more lightweight (doesn't force any rebuilds).
the biggest gap in "wrappedDerivation" is that it doesn't link anything outside `bin/`, except for
some limited (verified safe) support for `share/applications/*.desktop`
"wrappedDerivation" is mostly good for prototyping.
'';
};
sandbox.autodetectCliPaths = mkOption {
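Review bot: The default flip at the `default = "wrappedDerivation";` line leaves the option description below it stale: it still says "inplace" is more reliable and only lists what "wrappedDerivation" does not link, so a reader no longer learns why the less reliable variant is now the default or what they give up by accepting it. Every program whose sandbox block does not set `wrapperType` explicitly presumably changes wrapper type with this commit, which is worth stating in the description so that a reviewer can check those packages against the narrower `bin/`-plus-vetted-`.desktop` exposure. I would replace the deleted prototyping sentence with a line such as `"wrappedDerivation" is the default; it exposes only bin/ and the vetted share/applications/*.desktop entries, so set wrapperType = "inplace" for any package where more than that must be sandboxed.` The "inplace" bullet is cut by the hunk boundary, so the exact contrast should be verified against its full text before wording the note.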