diff --git a/hosts/common/programs/animatch.nix b/hosts/common/programs/animatch.nix
index c18c55b8..6afe5d76 100644
--- a/hosts/common/programs/animatch.nix
+++ b/hosts/common/programs/animatch.nix
@@ -31,7 +31,6 @@
 };
 sandbox.method = "bwrap";
- sandbox.wrapperType = "wrappedDerivation";
 sandbox.whitelistWayland = true;
 persist.byStore.plaintext = [
diff --git a/hosts/common/programs/assorted.nix b/hosts/common/programs/assorted.nix
index db873f2b..82fcb85d 100644
--- a/hosts/common/programs/assorted.nix
+++ b/hosts/common/programs/assorted.nix
@@ -203,13 +203,11 @@ in
 # INDIVIDUAL PACKAGE DEFINITIONS
 alsaUtils.sandbox.method = "landlock";
- alsaUtils.sandbox.wrapperType = "wrappedDerivation";
 alsaUtils.sandbox.whitelistAudio = true; #< not strictly necessary?
 backblaze-b2 = {};
 blanket.sandbox.method = "bwrap";
- blanket.sandbox.wrapperType = "wrappedDerivation";
 blanket.sandbox.whitelistAudio = true;
 # blanket.sandbox.whitelistDbus = [ "user" ]; # TODO: untested
 blanket.sandbox.whitelistWayland = true;
@@ -225,11 +223,9 @@ in
 ];
 bridge-utils.sandbox.method = "bwrap"; #< bwrap, landlock: both work
- bridge-utils.sandbox.wrapperType = "wrappedDerivation";
 bridge-utils.sandbox.net = "all";
 brightnessctl.sandbox.method = "landlock"; # also bwrap, but landlock is more responsive
- brightnessctl.sandbox.wrapperType = "wrappedDerivation";
 brightnessctl.sandbox.extraPaths = [
 "/sys/class/backlight"
 "/sys/class/leds"
@@ -238,7 +234,6 @@ in
 brightnessctl.sandbox.whitelistDbus = [ "system" ];
 btrfs-progs.sandbox.method = "bwrap"; #< bwrap, landlock: both work
- btrfs-progs.sandbox.wrapperType = "wrappedDerivation";
 btrfs-progs.sandbox.autodetectCliPaths = "existing"; # e.g. `btrfs filesystem df /my/fs`
 "cacert.unbundled".sandbox.enable = false;
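Review bot: Every hunk in this diff (this one and all that follow, including the per-program files further down) drops the explicit `sandbox.wrapperType = "wrappedDerivation";`, so each program's wrapper type now comes from whatever the `sane.programs` module declares as its default, which is not visible here. If that default is anything other than `wrappedDerivation`, or is not set at all, every sandboxed program changes how it is wrapped with no per-program record of it, and the programs whose method is already unusual (`capshonly` for lsof and nethogs, `firejail` for nicotine-plus) are the ones where a different wrapper type seems most likely to matter. It would be worth confirming the module's default was switched to `wrappedDerivation` alongside this change, and recording that in one place, e.g. a comment next to the option default such as `# wrapperType defaults to "wrappedDerivation"; per-program overrides were removed in favour of this default`.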
@@ -249,7 +244,6 @@ in
 # cryptsetup: typical use is `cryptsetup open /dev/loopxyz mappedName`, and creates `/dev/mapper/mappedName`
 cryptsetup.sandbox.method = "landlock";
- cryptsetup.sandbox.wrapperType = "wrappedDerivation";
 cryptsetup.sandbox.extraPaths = [
 "/dev/mapper"
 "/dev/random"
@@ -263,12 +257,10 @@ in
 cryptsetup.sandbox.autodetectCliPaths = "existing";
 ddrescue.sandbox.method = "landlock"; # TODO:sandbox: untested
- ddrescue.sandbox.wrapperType = "wrappedDerivation";
 ddrescue.sandbox.autodetectCliPaths = "existingOrParent";
 # auth token, preferences
 delfin.sandbox.method = "bwrap";
- delfin.sandbox.wrapperType = "wrappedDerivation";
 delfin.sandbox.whitelistAudio = true;
 delfin.sandbox.whitelistDbus = [ "user" ]; # else `mpris` plugin crashes the player
 delfin.sandbox.whitelistDri = true;
@@ -277,7 +269,6 @@ in
 delfin.persist.byStore.private = [ ".config/delfin" ];
 dig.sandbox.method = "bwrap";
- dig.sandbox.wrapperType = "wrappedDerivation";
 dig.sandbox.net = "all";
 # creds, but also 200 MB of node modules, etc
@@ -293,18 +284,15 @@ in
 dtc.sandbox.autodetectCliPaths = true; # TODO:sandbox: untested
 dtrx.sandbox.method = "bwrap";
- dtrx.sandbox.wrapperType = "wrappedDerivation";
 dtrx.sandbox.whitelistPwd = true;
 dtrx.sandbox.autodetectCliPaths = "existing"; #< for the archive
 duplicity = {};
 e2fsprogs.sandbox.method = "landlock";
- e2fsprogs.sandbox.wrapperType = "wrappedDerivation";
 e2fsprogs.sandbox.autodetectCliPaths = "existing";
 efibootmgr.sandbox.method = "landlock";
- efibootmgr.sandbox.wrapperType = "wrappedDerivation";
 efibootmgr.sandbox.extraPaths = [
 "/sys/firmware/efi"
 ];
@@ -312,14 +300,12 @@ in
 eg25-control = {};
 electrum.sandbox.method = "bwrap"; # TODO:sandbox: untested
- electrum.sandbox.wrapperType = "wrappedDerivation";
 electrum.sandbox.net = "all"; # TODO: probably want to make this run behind a VPN, always
 electrum.sandbox.whitelistWayland = true;
 electrum.persist.byStore.cryptClearOnBoot = [ ".electrum" ]; #< TODO: use XDG dirs!
 endless-sky.persist.byStore.plaintext = [ ".local/share/endless-sky" ];
 endless-sky.sandbox.method = "bwrap";
- endless-sky.sandbox.wrapperType = "wrappedDerivation";
 endless-sky.sandbox.whitelistAudio = true;
 endless-sky.sandbox.whitelistDri = true;
 endless-sky.sandbox.whitelistWayland = true;
@@ -330,14 +316,12 @@ in
 emote.persist.byStore.plaintext = [ ".local/share/Emote" ];
 ethtool.sandbox.method = "landlock";
- ethtool.sandbox.wrapperType = "wrappedDerivation";
 ethtool.sandbox.capabilities = [ "net_admin" ];
 # eza `ls` replacement
 # landlock is OK, only `whitelistPwd` doesn't make the intermediate symlinks traversable, so it breaks on e.g. ~/Videos/servo/Shows/foo
 # eza.sandbox.method = "landlock";
 eza.sandbox.method = "bwrap";
- eza.sandbox.wrapperType = "wrappedDerivation"; # slow to build
 eza.sandbox.autodetectCliPaths = true;
 eza.sandbox.whitelistPwd = true;
 eza.sandbox.extraHomePaths = [
@@ -347,11 +331,9 @@ in
 ];
 fatresize.sandbox.method = "landlock";
- fatresize.sandbox.wrapperType = "wrappedDerivation";
 fatresize.sandbox.autodetectCliPaths = "parent"; # /dev/sda1 -> needs /dev/sda
 fd.sandbox.method = "landlock";
- fd.sandbox.wrapperType = "wrappedDerivation"; # slow to build
 fd.sandbox.autodetectCliPaths = true;
 fd.sandbox.whitelistPwd = true;
 fd.sandbox.extraHomePaths = [
@@ -361,15 +343,12 @@ in
 ];
 ffmpeg.sandbox.method = "bwrap";
- ffmpeg.sandbox.wrapperType = "wrappedDerivation"; # slow to build
 ffmpeg.sandbox.autodetectCliPaths = "existingFileOrParent"; # it outputs uncreated files -> parent dir needs mounting
 file.sandbox.method = "bwrap";
- file.sandbox.wrapperType = "wrappedDerivation";
 file.sandbox.autodetectCliPaths = true;
 findutils.sandbox.method = "bwrap";
- findutils.sandbox.wrapperType = "wrappedDerivation";
 findutils.sandbox.autodetectCliPaths = true;
 findutils.sandbox.whitelistPwd = true;
 findutils.sandbox.extraHomePaths = [
@@ -381,14 +360,12 @@ in
 fluffychat-moby.persist.byStore.plaintext = [ ".local/share/chat.fluffy.fluffychat" ];
 font-manager.sandbox.method = "bwrap";
- font-manager.sandbox.wrapperType = "wrappedDerivation";
 font-manager.packageUnwrapped = pkgs.rmDbusServicesInPlace (pkgs.font-manager.override {
 # build without the "Google Fonts" integration feature, to save closure / avoid webkitgtk_4_0
 withWebkit = false;
 });
 forkstat.sandbox.method = "landlock"; #< doesn't seem to support bwrap
- forkstat.sandbox.wrapperType = "wrappedDerivation";
 forkstat.sandbox.extraConfig = [
 "--sane-sandbox-keep-namespace" "pid"
 ];
@@ -401,7 +378,6 @@ in
 # should probably make it not be an app-launcher
 fuzzel.sandbox.enable = false;
 fuzzel.sandbox.method = "bwrap"; #< landlock nearly works, but unable to open ~/.cache
- fuzzel.sandbox.wrapperType = "wrappedDerivation";
 fuzzel.sandbox.whitelistWayland = true;
 fuzzel.persist.byStore.private = [
 # this is a file of recent selections
@@ -414,7 +390,6 @@ in
 gdb.sandbox.enable = false; # gdb doesn't sandbox well. i don't know how you could.
 # gdb.sandbox.method = "landlock"; # permission denied when trying to attach, even as root
- gdb.sandbox.wrapperType = "wrappedDerivation";
 gdb.sandbox.autodetectCliPaths = true;
 geoclue2-with-demo-agent = {};
@@ -424,7 +399,6 @@ in
 gh.persist.byStore.private = [ ".config/gh" ];
 gimp.sandbox.method = "bwrap";
- gimp.sandbox.wrapperType = "wrappedDerivation";
 gimp.sandbox.whitelistWayland = true;
 gimp.sandbox.extraHomePaths = [
 "Pictures/albums"
@@ -443,39 +417,32 @@ in
 ];
 "gnome.gnome-calculator".sandbox.method = "bwrap";
- "gnome.gnome-calculator".sandbox.wrapperType = "wrappedDerivation";
 "gnome.gnome-calculator".sandbox.whitelistWayland = true;
 # gnome-calendar surely has data to persist, but i use it strictly to do date math, not track events.
 "gnome.gnome-calendar".sandbox.method = "bwrap";
- "gnome.gnome-calendar".sandbox.wrapperType = "wrappedDerivation";
 "gnome.gnome-calendar".sandbox.whitelistWayland = true;
 "gnome.gnome-clocks".sandbox.method = "bwrap";
- "gnome.gnome-clocks".sandbox.wrapperType = "wrappedDerivation";
 "gnome.gnome-clocks".sandbox.whitelistWayland = true;
 "gnome.gnome-clocks".suggestedPrograms = [ "dconf" ];
 # gnome-disks
 "gnome.gnome-disk-utility".sandbox.method = "bwrap";
- "gnome.gnome-disk-utility".sandbox.wrapperType = "wrappedDerivation";
 "gnome.gnome-disk-utility".sandbox.whitelistDbus = [ "system" ];
 "gnome.gnome-disk-utility".sandbox.whitelistWayland = true;
 # seahorse: dump gnome-keyring secrets.
 # N.B.: it can also manage ~/.ssh keys, but i explicitly don't add those to the sandbox for now.
 "gnome.seahorse".sandbox.method = "bwrap";
- "gnome.seahorse".sandbox.wrapperType = "wrappedDerivation";
 "gnome.seahorse".sandbox.whitelistDbus = [ "user" ];
 "gnome.seahorse".sandbox.whitelistWayland = true;
 gnome-2048.sandbox.method = "bwrap";
- gnome-2048.sandbox.wrapperType = "wrappedDerivation";
 gnome-2048.sandbox.whitelistWayland = true;
 gnome-2048.persist.byStore.plaintext = [ ".local/share/gnome-2048/scores" ];
 gnome-frog.sandbox.method = "bwrap";
- gnome-frog.sandbox.wrapperType = "wrappedDerivation";
 gnome-frog.sandbox.whitelistWayland = true;
 gnome-frog.sandbox.whitelistDbus = [ "user" ];
 gnome-frog.sandbox.extraPaths = [
@@ -502,11 +469,9 @@ in
 # 2. no two shaded tiles can be direct N/S/E/W neighbors
 # - win once (1) and (2) are satisfied
 "gnome.hitori".sandbox.method = "bwrap";
- "gnome.hitori".sandbox.wrapperType = "wrappedDerivation";
 "gnome.hitori".sandbox.whitelistWayland = true;
 gnugrep.sandbox.method = "bwrap";
- gnugrep.sandbox.wrapperType = "wrappedDerivation";
 gnugrep.sandbox.autodetectCliPaths = true;
 gnugrep.sandbox.whitelistPwd = true;
 gnugrep.sandbox.extraHomePaths = [
@@ -519,7 +484,6 @@ in
 gpsd = {};
 gptfdisk.sandbox.method = "landlock";
- gptfdisk.sandbox.wrapperType = "wrappedDerivation";
 gptfdisk.sandbox.extraPaths = [
 "/dev"
 ];
@@ -528,7 +492,6 @@ in
 grim = {};
 hase.sandbox.method = "bwrap";
- hase.sandbox.wrapperType = "wrappedDerivation";
 hase.sandbox.net = "clearnet";
 hase.sandbox.whitelistAudio = true;
 hase.sandbox.whitelistDri = true;
@@ -536,15 +499,12 @@ in
 # hdparm: has to be run as sudo. e.g. `sudo hdparm -i /dev/sda`
 hdparm.sandbox.method = "bwrap";
- hdparm.sandbox.wrapperType = "wrappedDerivation";
 hdparm.sandbox.autodetectCliPaths = true;
 host.sandbox.method = "landlock";
- host.sandbox.wrapperType = "wrappedDerivation";
 host.sandbox.net = "all"; #< technically, only needs to contact localhost's DNS server
 htop.sandbox.method = "landlock";
- htop.sandbox.wrapperType = "wrappedDerivation";
 htop.sandbox.extraPaths = [
 "/proc"
 "/sys/devices"
@@ -555,16 +515,13 @@ in
 ];
 iftop.sandbox.method = "landlock";
- iftop.sandbox.wrapperType = "wrappedDerivation";
 iftop.sandbox.capabilities = [ "net_raw" ];
 # inetutils: ping, ifconfig, hostname, traceroute, whois, ....
 # N.B.: inetutils' `ping` is shadowed by iputils' ping (by nixos, intentionally).
 inetutils.sandbox.method = "landlock"; # want to keep the same netns, at least.
- inetutils.sandbox.wrapperType = "wrappedDerivation";
 inkscape.sandbox.method = "bwrap";
- inkscape.sandbox.wrapperType = "wrappedDerivation";
 inkscape.sandbox.whitelistWayland = true;
 inkscape.sandbox.extraHomePaths = [
 "Pictures/albums"
@@ -580,7 +537,6 @@ in
 inkscape.sandbox.autodetectCliPaths = true;
 iotop.sandbox.method = "landlock";
- iotop.sandbox.wrapperType = "wrappedDerivation";
 iotop.sandbox.extraPaths = [
 "/proc"
 ];
@@ -588,38 +544,31 @@ in
 # provides `ip`, `routel`, others
 iproute2.sandbox.method = "landlock";
- iproute2.sandbox.wrapperType = "wrappedDerivation";
 iproute2.sandbox.net = "all";
 iproute2.sandbox.capabilities = [ "net_admin" ];
 iptables.sandbox.method = "landlock";
- iptables.sandbox.wrapperType = "wrappedDerivation";
 iptables.sandbox.net = "all";
 iptables.sandbox.capabilities = [ "net_admin" ];
 # iputils provides `ping` (and arping, clockdiff, tracepath)
 iputils.sandbox.method = "landlock";
- iputils.sandbox.wrapperType = "wrappedDerivation";
 iputils.sandbox.net = "all";
 iputils.sandbox.capabilities = [ "net_raw" ];
 iw.sandbox.method = "landlock";
- iw.sandbox.wrapperType = "wrappedDerivation";
 iw.sandbox.net = "all";
 iw.sandbox.capabilities = [ "net_admin" ];
 jq.sandbox.method = "bwrap";
- jq.sandbox.wrapperType = "wrappedDerivation";
 jq.sandbox.autodetectCliPaths = "existingFile";
 killall.sandbox.method = "landlock";
- killall.sandbox.wrapperType = "wrappedDerivation";
 killall.sandbox.extraPaths = [
 "/proc"
 ];
 krita.sandbox.method = "bwrap";
- krita.sandbox.wrapperType = "wrappedDerivation";
 krita.sandbox.whitelistWayland = true;
 krita.sandbox.autodetectCliPaths = "existing";
 krita.sandbox.extraHomePaths = [
@@ -637,11 +586,9 @@ in
 libcap_ng.sandbox.enable = false; # there's something about /proc/$pid/fd which breaks `readlink`/stat with every sandbox technique (except capsh-only)
 libnotify.sandbox.method = "bwrap";
- libnotify.sandbox.wrapperType = "wrappedDerivation";
 libnotify.sandbox.whitelistDbus = [ "user" ]; # notify-send
 losslesscut-bin.sandbox.method = "bwrap";
- losslesscut-bin.sandbox.wrapperType = "wrappedDerivation";
 losslesscut-bin.sandbox.extraHomePaths = [
 "Music"
 "Pictures/from" # videos from e.g. mobile phone
@@ -656,13 +603,11 @@ in
 losslesscut-bin.sandbox.whitelistX = true;
 lsof.sandbox.method = "capshonly"; # lsof doesn't sandbox under bwrap or even landlock w/ full access to /
- lsof.sandbox.wrapperType = "wrappedDerivation";
 lua = {};
 "mate.engrampa".packageUnwrapped = pkgs.rmDbusServices pkgs.mate.engrampa;
 "mate.engrampa".sandbox.method = "bwrap"; # TODO:sandbox: untested
- "mate.engrampa".sandbox.wrapperType = "wrappedDerivation";
 "mate.engrampa".sandbox.whitelistWayland = true;
 "mate.engrampa".sandbox.autodetectCliPaths = "existingOrParent";
 "mate.engrampa".sandbox.extraHomePaths = [
@@ -675,7 +620,6 @@ in
 ];
 mercurial.sandbox.method = "bwrap"; # TODO:sandbox: untested
- mercurial.sandbox.wrapperType = "wrappedDerivation";
 mercurial.sandbox.net = "clearnet";
 mercurial.sandbox.whitelistPwd = true;
@@ -683,7 +627,6 @@ in
 # XXX: is it really safe to persist this? it doesn't have info that could de-anonymize if captured?
 monero-gui.persist.byStore.plaintext = [ ".bitmonero" ];
 monero-gui.sandbox.method = "bwrap";
- monero-gui.sandbox.wrapperType = "wrappedDerivation";
 monero-gui.sandbox.net = "all";
 monero-gui.sandbox.extraHomePaths = [
 "records/finance/cryptocurrencies/monero"
@@ -692,20 +635,16 @@ in
 mumble.persist.byStore.private = [ ".local/share/Mumble" ];
 nano.sandbox.method = "bwrap";
- nano.sandbox.wrapperType = "wrappedDerivation";
 nano.sandbox.autodetectCliPaths = "existingFileOrParent";
 netcat.sandbox.method = "landlock";
- netcat.sandbox.wrapperType = "wrappedDerivation";
 netcat.sandbox.net = "all";
 nethogs.sandbox.method = "capshonly"; # *partially* works under landlock w/ full access to /
- nethogs.sandbox.wrapperType = "wrappedDerivation";
 nethogs.sandbox.capabilities = [ "net_admin" "net_raw" ];
 # provides `arp`, `hostname`, `route`, `ifconfig`
 nettools.sandbox.method = "landlock";
- nettools.sandbox.wrapperType = "wrappedDerivation";
 nettools.sandbox.net = "all";
 nettools.sandbox.capabilities = [ "net_admin" "net_raw" ];
 nettools.sandbox.extraPaths = [
@@ -713,7 +652,6 @@ in
 ];
 networkmanagerapplet.sandbox.method = "bwrap";
- networkmanagerapplet.sandbox.wrapperType = "wrappedDerivation";
 networkmanagerapplet.sandbox.whitelistWayland = true;
 networkmanagerapplet.sandbox.whitelistDbus = [ "system" ];
@@ -726,11 +664,9 @@ in
 ];
 nmap.sandbox.method = "bwrap";
- nmap.sandbox.wrapperType = "wrappedDerivation";
 nmap.sandbox.net = "all"; # clearnet and lan
 nmon.sandbox.method = "landlock";
- nmon.sandbox.wrapperType = "wrappedDerivation";
 nmon.sandbox.extraPaths = [
 "/proc"
 ];
@@ -739,7 +675,6 @@ in
 # `nvme list` only shows results when run as root.
 nvme-cli.sandbox.method = "landlock";
- nvme-cli.sandbox.wrapperType = "wrappedDerivation";
 nvme-cli.sandbox.extraPaths = [
 "/sys/devices"
 "/sys/class/nvme"
@@ -751,13 +686,11 @@ in
 # contains only `oathtool`, which i only use for evaluating TOTP codes from CLI/stdin
 oath-toolkit.sandbox.method = "bwrap";
- oath-toolkit.sandbox.wrapperType = "wrappedDerivation";
 # settings (electron app)
 obsidian.persist.byStore.plaintext = [ ".config/obsidian" ];
 parted.sandbox.method = "landlock";
- parted.sandbox.wrapperType = "wrappedDerivation";
 parted.sandbox.extraPaths = [
 "/dev"
 ];
@@ -766,12 +699,10 @@ in
 patchelf = {};
 pavucontrol.sandbox.method = "bwrap";
- pavucontrol.sandbox.wrapperType = "wrappedDerivation";
 pavucontrol.sandbox.whitelistAudio = true;
 pavucontrol.sandbox.whitelistWayland = true;
 pciutils.sandbox.method = "landlock";
- pciutils.sandbox.wrapperType = "wrappedDerivation";
 pciutils.sandbox.extraPaths = [
 "/sys/bus/pci"
 "/sys/devices"
@@ -780,7 +711,6 @@ in
 "perlPackages.FileMimeInfo".sandbox.enable = false; #< TODO: sandbox `mimetype` but not `mimeopen`.
 powertop.sandbox.method = "landlock";
- powertop.sandbox.wrapperType = "wrappedDerivation";
 powertop.sandbox.capabilities = [ "ipc_lock" "sys_admin" ];
 powertop.sandbox.extraPaths = [
 "/proc"
@@ -790,17 +720,14 @@ in
 ];
 pstree.sandbox.method = "landlock";
- pstree.sandbox.wrapperType = "wrappedDerivation";
 pstree.sandbox.extraPaths = [
 "/proc"
 ];
 pulsemixer.sandbox.method = "landlock";
- pulsemixer.sandbox.wrapperType = "wrappedDerivation";
 pulsemixer.sandbox.whitelistAudio = true;
 pwvucontrol.sandbox.method = "bwrap";
- pwvucontrol.sandbox.wrapperType = "wrappedDerivation";
 pwvucontrol.sandbox.whitelistAudio = true;
 pwvucontrol.sandbox.whitelistWayland = true;
@@ -808,7 +735,6 @@ in
 requests
 ]);
 python3-repl.sandbox.method = "bwrap";
- python3-repl.sandbox.wrapperType = "wrappedDerivation";
 python3-repl.sandbox.net = "clearnet";
 python3-repl.sandbox.extraHomePaths = [
 "/"
@@ -819,7 +745,6 @@ in
 qemu.slowToBuild = true;
 rsync.sandbox.method = "bwrap";
- rsync.sandbox.wrapperType = "wrappedDerivation";
 rsync.sandbox.net = "clearnet";
 rsync.sandbox.autodetectCliPaths = "existingOrParent";
@@ -828,13 +753,11 @@ in
 screen.sandbox.enable = false; #< tty; needs to run anything
 sequoia.sandbox.method = "bwrap"; # TODO:sandbox: untested
- sequoia.sandbox.wrapperType = "wrappedDerivation"; # slow to build
 sequoia.sandbox.whitelistPwd = true;
 sequoia.sandbox.autodetectCliPaths = true;
 shattered-pixel-dungeon.persist.byStore.plaintext = [ ".local/share/.shatteredpixel/shattered-pixel-dungeon" ];
 shattered-pixel-dungeon.sandbox.method = "bwrap";
- shattered-pixel-dungeon.sandbox.wrapperType = "wrappedDerivation";
 shattered-pixel-dungeon.sandbox.whitelistAudio = true;
 shattered-pixel-dungeon.sandbox.whitelistDri = true;
 shattered-pixel-dungeon.sandbox.whitelistWayland = true;
@@ -851,7 +774,6 @@ in
 smartmontools.sandbox.capabilities = [ "sys_rawio" ];
 sops.sandbox.method = "bwrap"; # TODO:sandbox: untested
- sops.sandbox.wrapperType = "wrappedDerivation";
 sops.sandbox.extraHomePaths = [
 ".config/sops"
 "dev/nixos"
@@ -861,7 +783,6 @@ in
 ];
 soundconverter.sandbox.method = "bwrap";
- soundconverter.sandbox.wrapperType = "wrappedDerivation";
 soundconverter.sandbox.whitelistWayland = true;
 soundconverter.sandbox.extraHomePaths = [
 "Music"
@@ -875,19 +796,16 @@ in
 soundconverter.sandbox.autodetectCliPaths = "existingOrParent";
 sox.sandbox.method = "bwrap";
- sox.sandbox.wrapperType = "wrappedDerivation";
 sox.sandbox.autodetectCliPaths = "existingFileOrParent";
 sox.sandbox.whitelistAudio = true;
 space-cadet-pinball.persist.byStore.plaintext = [ ".local/share/SpaceCadetPinball" ];
 space-cadet-pinball.sandbox.method = "bwrap";
- space-cadet-pinball.sandbox.wrapperType = "wrappedDerivation";
 space-cadet-pinball.sandbox.whitelistAudio = true;
 space-cadet-pinball.sandbox.whitelistDri = true;
 space-cadet-pinball.sandbox.whitelistWayland = true;
 speedtest-cli.sandbox.method = "bwrap";
- speedtest-cli.sandbox.wrapperType = "wrappedDerivation";
 speedtest-cli.sandbox.net = "all";
 sqlite = {};
@@ -895,7 +813,6 @@ in
 strace.sandbox.enable = false; #< needs to `exec` its args, and therefore support *anything*
 subversion.sandbox.method = "bwrap";
- subversion.sandbox.wrapperType = "wrappedDerivation";
 subversion.sandbox.net = "clearnet";
 subversion.sandbox.whitelistPwd = true;
 sudo.sandbox.enable = false;
@@ -908,7 +825,6 @@ in
 superTux.persist.byStore.plaintext = [ ".local/share/supertux2" ];
 tcpdump.sandbox.method = "landlock";
- tcpdump.sandbox.wrapperType = "wrappedDerivation";
 tcpdump.sandbox.net = "all";
 tcpdump.sandbox.autodetectCliPaths = "existingFileOrParent";
 tcpdump.sandbox.capabilities = [ "net_admin" "net_raw" ];
@@ -918,12 +834,10 @@ in
 tokodon.persist.byStore.private = [ ".cache/KDE/tokodon" ];
 tree.sandbox.method = "landlock";
- tree.sandbox.wrapperType = "wrappedDerivation";
 tree.sandbox.autodetectCliPaths = true;
 tree.sandbox.whitelistPwd = true;
 tumiki-fighters.sandbox.method = "bwrap";
- tumiki-fighters.sandbox.wrapperType = "wrappedDerivation";
 tumiki-fighters.sandbox.whitelistAudio = true;
 tumiki-fighters.sandbox.whitelistDri = true; #< not strictly necessary, but triples CPU perf
 tumiki-fighters.sandbox.whitelistWayland = true;
@@ -932,34 +846,28 @@ in
 util-linux.sandbox.enable = false; #< TODO: possible to sandbox if i specific a different profile for each of its ~50 binaries
 unzip.sandbox.method = "bwrap";
- unzip.sandbox.wrapperType = "wrappedDerivation";
 unzip.sandbox.autodetectCliPaths = "existingOrParent";
 unzip.sandbox.whitelistPwd = true;
 usbutils.sandbox.method = "bwrap"; # breaks `usbhid-dump`, but `lsusb`, `usb-devices` work
- usbutils.sandbox.wrapperType = "wrappedDerivation";
 usbutils.sandbox.extraPaths = [
 "/sys/devices"
 "/sys/bus/usb"
 ];
 visidata.sandbox.method = "bwrap"; # TODO:sandbox: untested
- visidata.sandbox.wrapperType = "wrappedDerivation";
 visidata.sandbox.autodetectCliPaths = true;
 # `vulkaninfo`, `vkcube`
 vulkan-tools.sandbox.method = "landlock";
- vulkan-tools.sandbox.wrapperType = "wrappedDerivation";
 vvvvvv.sandbox.method = "bwrap";
- vvvvvv.sandbox.wrapperType = "wrappedDerivation";
 vvvvvv.sandbox.whitelistAudio = true;
 vvvvvv.sandbox.whitelistDri = true; #< playable without, but burns noticably more CPU
 vvvvvv.sandbox.whitelistWayland = true;
 vvvvvv.persist.byStore.plaintext = [ ".local/share/VVVVVV" ];
 w3m.sandbox.method = "bwrap";
- w3m.sandbox.wrapperType = "wrappedDerivation";
 w3m.sandbox.net = "all";
 w3m.sandbox.extraHomePaths = [
 # little-used feature, but you can save web pages :)
@@ -967,11 +875,9 @@ in
 ];
 wdisplays.sandbox.method = "bwrap";
- wdisplays.sandbox.wrapperType = "wrappedDerivation";
 wdisplays.sandbox.whitelistWayland = true;
 wget.sandbox.method = "bwrap";
- wget.sandbox.wrapperType = "wrappedDerivation";
 wget.sandbox.net = "all";
 wget.sandbox.whitelistPwd = true; # saves to pwd by default
@@ -979,16 +885,13 @@ in
 # `wg`, `wg-quick`
 wireguard-tools.sandbox.method = "landlock";
- wireguard-tools.sandbox.wrapperType = "wrappedDerivation";
 wireguard-tools.sandbox.capabilities = [ "net_admin" ];
 # provides `iwconfig`, `iwlist`, `iwpriv`, ...
 wirelesstools.sandbox.method = "landlock";
- wirelesstools.sandbox.wrapperType = "wrappedDerivation";
 wirelesstools.sandbox.capabilities = [ "net_admin" ];
 wl-clipboard.sandbox.method = "bwrap";
- wl-clipboard.sandbox.wrapperType = "wrappedDerivation";
 wl-clipboard.sandbox.whitelistWayland = true;
 wtype = {};
@@ -1005,7 +908,6 @@ in
 yarn.persist.byStore.plaintext = [ ".cache/yarn" ];
 yt-dlp.sandbox.method = "bwrap"; # TODO:sandbox: untested
- yt-dlp.sandbox.wrapperType = "wrappedDerivation";
 yt-dlp.sandbox.net = "all";
 yt-dlp.sandbox.whitelistPwd = true; # saves to pwd by default
diff --git a/hosts/common/programs/audacity.nix b/hosts/common/programs/audacity.nix
index 25c1f185..e6e27265 100644
--- a/hosts/common/programs/audacity.nix
+++ b/hosts/common/programs/audacity.nix
@@ -10,7 +10,6 @@
 };
 sandbox.method = "bwrap";
- sandbox.wrapperType = "wrappedDerivation";
 sandbox.whitelistAudio = true;
 sandbox.whitelistWayland = true;
 sandbox.autodetectCliPaths = true;
diff --git a/hosts/common/programs/bemenu.nix b/hosts/common/programs/bemenu.nix
index 86111a75..0f1672c1 100644
--- a/hosts/common/programs/bemenu.nix
+++ b/hosts/common/programs/bemenu.nix
@@ -88,7 +88,6 @@ in
 {
 sane.programs.bemenu = {
 sandbox.method = "bwrap"; # landlock works, but requires *all* of /run/user/$ID to be granted.
- sandbox.wrapperType = "wrappedDerivation";
 sandbox.whitelistWayland = true;
 sandbox.extraHomePaths = [
 ".cache/fontconfig" #< else it complains, and is *way* slower
diff --git a/hosts/common/programs/cozy.nix b/hosts/common/programs/cozy.nix
index 443afd55..8ebd6aea 100644
--- a/hosts/common/programs/cozy.nix
+++ b/hosts/common/programs/cozy.nix
@@ -3,7 +3,6 @@
 {
 sane.programs.cozy = {
 sandbox.method = "bwrap"; # landlock gives: _multiprocessing.SemLock: Permission Denied
- sandbox.wrapperType = "wrappedDerivation";
 sandbox.whitelistAudio = true;
 sandbox.whitelistDbus = [ "user" ]; # mpris
 sandbox.whitelistWayland = true;
diff --git a/hosts/common/programs/dconf.nix b/hosts/common/programs/dconf.nix
index 34e2616d..bf9b1645 100644
--- a/hosts/common/programs/dconf.nix
+++ b/hosts/common/programs/dconf.nix
@@ -10,7 +10,6 @@ in
 {
 sane.programs.dconf = {
 sandbox.method = "bwrap";
- sandbox.wrapperType = "wrappedDerivation";
 persist.byStore.private = [
 ".config/dconf"
 ];
diff --git a/hosts/common/programs/dino.nix b/hosts/common/programs/dino.nix
index 9d8b2527..d25fd34d 100644
--- a/hosts/common/programs/dino.nix
+++ b/hosts/common/programs/dino.nix
@@ -46,7 +46,6 @@ in
 };
 sandbox.method = "bwrap";
- sandbox.wrapperType = "wrappedDerivation";
 sandbox.net = "clearnet";
 sandbox.whitelistAudio = true;
 sandbox.whitelistDbus = [ "user" ]; # notifications
diff --git a/hosts/common/programs/element-desktop.nix b/hosts/common/programs/element-desktop.nix
index 31665688..f569b6e4 100644
--- a/hosts/common/programs/element-desktop.nix
+++ b/hosts/common/programs/element-desktop.nix
@@ -17,7 +17,6 @@
 ];
 sandbox.method = "bwrap";
- sandbox.wrapperType = "wrappedDerivation";
 sandbox.net = "clearnet";
 sandbox.whitelistAudio = true;
 sandbox.whitelistDbus = [ "user" ]; # notifications
diff --git a/hosts/common/programs/feedbackd.nix b/hosts/common/programs/feedbackd.nix
index 66a04770..c188401e 100644
--- a/hosts/common/programs/feedbackd.nix
+++ b/hosts/common/programs/feedbackd.nix
@@ -25,7 +25,6 @@ in
 };
 sandbox.method = "bwrap";
- sandbox.wrapperType = "wrappedDerivation";
 sandbox.whitelistDbus = [ "user" ];
 sandbox.whitelistAudio = true;
diff --git a/hosts/common/programs/fontconfig.nix b/hosts/common/programs/fontconfig.nix
index 0f22a9e0..d3438e1a 100644
--- a/hosts/common/programs/fontconfig.nix
+++ b/hosts/common/programs/fontconfig.nix
@@ -30,7 +30,6 @@ in
 {
 sane.programs.fontconfig = {
 sandbox.method = "bwrap"; # TODO:sandbox: untested
- sandbox.wrapperType = "wrappedDerivation";
 sandbox.autodetectCliPaths = "existingOrParent"; #< this might be overkill; or, how many programs reference fontconfig internally?
 persist.byStore.plaintext = [
diff --git a/hosts/common/programs/fractal.nix b/hosts/common/programs/fractal.nix
index 81a73560..7c8d5ac3 100644
--- a/hosts/common/programs/fractal.nix
+++ b/hosts/common/programs/fractal.nix
@@ -28,7 +28,6 @@ in
 # packageUnwrapped = pkgs.fractal-next;
 sandbox.method = "bwrap";
- sandbox.wrapperType = "wrappedDerivation";
 sandbox.net = "clearnet";
 sandbox.whitelistAudio = true;
 sandbox.whitelistDbus = [ "user" ]; # notifications
diff --git a/hosts/common/programs/frozen-bubble.nix b/hosts/common/programs/frozen-bubble.nix
index 382c1fb9..5593fcb5 100644
--- a/hosts/common/programs/frozen-bubble.nix
+++ b/hosts/common/programs/frozen-bubble.nix
@@ -3,7 +3,6 @@
 {
 sane.programs.frozen-bubble = {
 sandbox.method = "bwrap";
- sandbox.wrapperType = "wrappedDerivation";
 sandbox.net = "clearnet"; # net play
 sandbox.whitelistAudio = true;
 sandbox.whitelistWayland = true;
diff --git a/hosts/common/programs/g4music.nix b/hosts/common/programs/g4music.nix
index 1ad30364..95f4d3f8 100644
--- a/hosts/common/programs/g4music.nix
+++ b/hosts/common/programs/g4music.nix
@@ -9,7 +9,6 @@
 {
 sane.programs.g4music = {
 sandbox.method = "bwrap";
- sandbox.wrapperType = "wrappedDerivation";
 sandbox.whitelistAudio = true;
 sandbox.whitelistDbus = [ "user" ]; # mpris
 sandbox.whitelistWayland = true;
diff --git a/hosts/common/programs/gdbus.nix b/hosts/common/programs/gdbus.nix
index 58a56a71..5b6567a9 100644
--- a/hosts/common/programs/gdbus.nix
+++ b/hosts/common/programs/gdbus.nix
@@ -4,7 +4,6 @@
 packageUnwrapped = pkgs.linkIntoOwnPackage pkgs.glib "bin/gdbus";
 sandbox.method = "bwrap";
- sandbox.wrapperType = "wrappedDerivation";
 sandbox.whitelistDbus = [ "user" ]; #< XXX: maybe future users will also want system access
 };
 }
diff --git a/hosts/common/programs/geary.nix b/hosts/common/programs/geary.nix
index 2692498a..e4a9b19b 100644
--- a/hosts/common/programs/geary.nix
+++ b/hosts/common/programs/geary.nix
@@ -20,7 +20,6 @@ in
 };
 sandbox.method = "bwrap";
- sandbox.wrapperType = "wrappedDerivation";
 sandbox.net = "clearnet";
 sandbox.whitelistDbus = [ "user" ]; # notifications
 sandbox.whitelistWayland = true;
diff --git a/hosts/common/programs/git.nix b/hosts/common/programs/git.nix
index b15b9b58..dff541ba 100644
--- a/hosts/common/programs/git.nix
+++ b/hosts/common/programs/git.nix
@@ -19,7 +19,6 @@ in
 '';
 });
 sandbox.method = "bwrap";
- sandbox.wrapperType = "wrappedDerivation";
 sandbox.net = "clearnet";
 sandbox.whitelistPwd = true;
 sandbox.autodetectCliPaths = true; # necessary for git-upload-pack
diff --git a/hosts/common/programs/gnome-keyring/default.nix b/hosts/common/programs/gnome-keyring/default.nix
index 789657e8..7e44652b 100644
--- a/hosts/common/programs/gnome-keyring/default.nix
+++ b/hosts/common/programs/gnome-keyring/default.nix
@@ -6,7 +6,6 @@ in
 sane.programs.gnome-keyring = {
 packageUnwrapped = pkgs.rmDbusServices pkgs.gnome.gnome-keyring;
 sandbox.method = "bwrap";
- sandbox.wrapperType = "wrappedDerivation";
 sandbox.whitelistDbus = [ "user" ];
 sandbox.extraRuntimePaths = [
 "keyring/control"
diff --git a/hosts/common/programs/gnome-maps.nix b/hosts/common/programs/gnome-maps.nix
index 0dd35c8d..9849835a 100644
--- a/hosts/common/programs/gnome-maps.nix
+++ b/hosts/common/programs/gnome-maps.nix
@@ -3,7 +3,6 @@
 sane.programs."gnome.gnome-maps" = {
 packageUnwrapped = pkgs.rmDbusServices pkgs.gnome.gnome-maps;
 sandbox.method = "bwrap";
- sandbox.wrapperType = "wrappedDerivation";
 sandbox.whitelistDri = true; # for perf
 sandbox.whitelistDbus = [
 "system" # system is required for non-portal location services
diff --git a/hosts/common/programs/go2tv.nix b/hosts/common/programs/go2tv.nix
index 370424c2..3eda4330 100644
--- a/hosts/common/programs/go2tv.nix
+++ b/hosts/common/programs/go2tv.nix
@@ -34,7 +34,6 @@ in
 {
 sane.programs.go2tv = {
 sandbox.method = "bwrap";
- sandbox.wrapperType = "wrappedDerivation";
 sandbox.net = "clearnet";
 sandbox.autodetectCliPaths = true;
 # for GUI invocation, allow the common media directories
diff --git a/hosts/common/programs/gpodder.nix b/hosts/common/programs/gpodder.nix
index 71c49904..e4331f7a 100644
--- a/hosts/common/programs/gpodder.nix
+++ b/hosts/common/programs/gpodder.nix
@@ -23,7 +23,6 @@ in {
 });
 sandbox.method = "bwrap";
- sandbox.wrapperType = "wrappedDerivation";
 sandbox.whitelistDbus = [ "user" ]; # it won't launch without it, dunno exactly why.
 sandbox.whitelistWayland = true;
 sandbox.net = "clearnet";
diff --git a/hosts/common/programs/grimshot.nix b/hosts/common/programs/grimshot.nix
index 9d53fd61..ea26f990 100644
--- a/hosts/common/programs/grimshot.nix
+++ b/hosts/common/programs/grimshot.nix
@@ -15,7 +15,6 @@
 "wl-clipboard"
 ];
 sandbox.method = "bwrap";
- sandbox.wrapperType = "wrappedDerivation";
 sandbox.whitelistWayland = true;
 sandbox.whitelistDbus = [ "user" ];
 sandbox.autodetectCliPaths = "existingFileOrParent";
diff --git a/hosts/common/programs/gtkcord4.nix b/hosts/common/programs/gtkcord4.nix
index 4f54104e..b965f84e 100644
--- a/hosts/common/programs/gtkcord4.nix
+++ b/hosts/common/programs/gtkcord4.nix
@@ -32,7 +32,6 @@ in
 '';
 });
 sandbox.method = "bwrap";
- sandbox.wrapperType = "wrappedDerivation";
 sandbox.net = "clearnet";
 sandbox.whitelistAudio = true;
 sandbox.whitelistDbus = [ "user" ]; # notifications
diff --git a/hosts/common/programs/handbrake.nix b/hosts/common/programs/handbrake.nix
index 9cdd10cb..27387f9e 100644
--- a/hosts/common/programs/handbrake.nix
+++ b/hosts/common/programs/handbrake.nix
@@ -2,7 +2,6 @@
 {
 sane.programs.handbrake = {
 sandbox.method = "landlock"; #< also supports bwrap, but landlock ensures we don't write to non-mounted tmpfs dir
- sandbox.wrapperType = "wrappedDerivation";
 sandbox.whitelistDbus = [ "user" ]; # notifications
 sandbox.whitelistWayland = true;
 sandbox.extraHomePaths = [
diff --git a/hosts/common/programs/kdenlive.nix b/hosts/common/programs/kdenlive.nix
index b66ed0e0..a38cfba6 100644
--- a/hosts/common/programs/kdenlive.nix
+++ b/hosts/common/programs/kdenlive.nix
@@ -2,7 +2,6 @@
 {
 sane.programs.kdenlive = {
 sandbox.method = "bwrap";
- sandbox.wrapperType = "wrappedDerivation";
 sandbox.extraHomePaths = [
 "Music"
 "Pictures/from" # e.g. Videos taken from my phone
diff --git a/hosts/common/programs/komikku.nix b/hosts/common/programs/komikku.nix
index 834f9228..b375d16b 100644
--- a/hosts/common/programs/komikku.nix
+++ b/hosts/common/programs/komikku.nix
@@ -11,7 +11,6 @@
 });
 sandbox.method = "bwrap"; # TODO:sandbox untested
- sandbox.wrapperType = "wrappedDerivation";
 sandbox.net = "clearnet";
 sandbox.whitelistDbus = [ "user" ]; # needs to connect to dconf via dbus
 sandbox.whitelistDri = true; #< required
diff --git a/hosts/common/programs/koreader/default.nix b/hosts/common/programs/koreader/default.nix
index a589ae04..38e0ec2c 100644
--- a/hosts/common/programs/koreader/default.nix
+++ b/hosts/common/programs/koreader/default.nix
@@ -46,7 +46,6 @@ in {
 sane.programs.koreader = {
 packageUnwrapped = pkgs.koreader-from-src;
 sandbox.method = "bwrap"; # sandboxes fine under landlock too, except for FTP
- sandbox.wrapperType = "wrappedDerivation";
 sandbox.net = "clearnet";
 sandbox.whitelistDri = true; # reduces startup time and subjective page flip time
 sandbox.whitelistWayland = true;
diff --git a/hosts/common/programs/lemoa.nix b/hosts/common/programs/lemoa.nix
index 8874f265..a02e5354 100644
--- a/hosts/common/programs/lemoa.nix
+++ b/hosts/common/programs/lemoa.nix
@@ -2,7 +2,6 @@
 {
 sane.programs.lemoa = {
 sandbox.method = "bwrap";
- sandbox.wrapperType = "wrappedDerivation";
 sandbox.net = "clearnet";
 sandbox.whitelistDbus = [ "user" ]; # for clicking links
 sandbox.whitelistDri = true;
diff --git a/hosts/common/programs/loupe.nix b/hosts/common/programs/loupe.nix
index 0b8e838e..172e5c3e 100644
--- a/hosts/common/programs/loupe.nix
+++ b/hosts/common/programs/loupe.nix
@@ -12,7 +12,6 @@
 }));
 sandbox.method = "bwrap";
- sandbox.wrapperType = "wrappedDerivation";
 sandbox.whitelistWayland = true;
 sandbox.autodetectCliPaths = "parent";
 sandbox.extraHomePaths = [
diff --git a/hosts/common/programs/megapixels.nix b/hosts/common/programs/megapixels.nix
index 018cf21d..a76cabd6 100644
--- a/hosts/common/programs/megapixels.nix
+++ b/hosts/common/programs/megapixels.nix
@@ -10,7 +10,6 @@
 # bwrap (loupe image viewer) doesn't like to run inside landlock
 # "bwrap: failed to make / slave: Operation not permitted"
 sandbox.method = "bwrap"; # supports landlock or bwrap
- sandbox.wrapperType = "wrappedDerivation";
 sandbox.whitelistDri = true;
 sandbox.whitelistWayland = true;
 sandbox.whitelistDbus = [ "user" ]; #< so that it can in theory open the image viewer using fdo portal... but it doesn't :|
diff --git a/hosts/common/programs/mepo.nix b/hosts/common/programs/mepo.nix
index 2b868e52..2d548f74 100644
--- a/hosts/common/programs/mepo.nix
+++ b/hosts/common/programs/mepo.nix
@@ -5,7 +5,6 @@
 {
 sane.programs.mepo = {
 sandbox.method = "bwrap";
- sandbox.wrapperType = "wrappedDerivation";
 sandbox.net = "all"; # for tiles *and* for localhost comm to gpsd
 sandbox.whitelistDri = true;
 sandbox.whitelistWayland = true;
diff --git a/hosts/common/programs/nautilus.nix b/hosts/common/programs/nautilus.nix
index 5df47116..60a81d42 100644
--- a/hosts/common/programs/nautilus.nix
+++ b/hosts/common/programs/nautilus.nix
@@ -11,7 +11,6 @@
 }));
 sandbox.method = "bwrap";
- sandbox.wrapperType = "wrappedDerivation";
 sandbox.whitelistDbus = [ "user" ]; # for portals launching apps
 sandbox.whitelistWayland = true;
 sandbox.extraHomePaths = [
diff --git a/hosts/common/programs/neovim.nix b/hosts/common/programs/neovim.nix
index b26ead6f..d3182f54 100644
--- a/hosts/common/programs/neovim.nix
+++ b/hosts/common/programs/neovim.nix
@@ -88,7 +88,6 @@ in {
 sane.programs.neovim = {
 sandbox.method = "bwrap";
- sandbox.wrapperType = "wrappedDerivation";
 sandbox.autodetectCliPaths = "existingOrParent";
 sandbox.whitelistWayland = true; # for system clipboard integration
 # sandbox.whitelistPwd = true;
diff --git a/hosts/common/programs/nicotine-plus.nix b/hosts/common/programs/nicotine-plus.nix
index 870ac486..e6d97dbb 100644
--- a/hosts/common/programs/nicotine-plus.nix
+++ b/hosts/common/programs/nicotine-plus.nix
@@ -11,7 +11,6 @@
 });
 sandbox.method = "firejail";
- sandbox.wrapperType = "wrappedDerivation";
 sandbox.whitelistWayland = true;
 sandbox.net = "vpn";
diff --git a/hosts/common/programs/nix-index.nix b/hosts/common/programs/nix-index.nix
index 19a3e8ec..01e9c762 100644
--- a/hosts/common/programs/nix-index.nix
+++ b/hosts/common/programs/nix-index.nix
@@ -3,7 +3,6 @@
 # provides `nix-locate`, backed by the manually run `nix-index`
 sane.programs.nix-index = {
 sandbox.method = "bwrap";
- sandbox.wrapperType = "wrappedDerivation";
 sandbox.net = "clearnet";
 sandbox.extraPaths = [
 "/nix"
diff --git a/hosts/common/programs/notejot.nix b/hosts/common/programs/notejot.nix
index 597daa8f..af5ec739 100644
--- a/hosts/common/programs/notejot.nix
+++ b/hosts/common/programs/notejot.nix
@@ -2,7 +2,6 @@
 {
 sane.programs.notejot = {
 sandbox.method = "bwrap";
- sandbox.wrapperType = "wrappedDerivation";
 sandbox.whitelistWayland = true;
 suggestedPrograms = [ "dconf" ]; #< else it can't persist notes
diff --git a/hosts/common/programs/ntfy-sh.nix b/hosts/common/programs/ntfy-sh.nix
index 2a44a40f..aefa015d 100644
--- a/hosts/common/programs/ntfy-sh.nix
+++ b/hosts/common/programs/ntfy-sh.nix
@@ -21,7 +21,6 @@ in
 };
 sandbox.method = "bwrap";
- sandbox.wrapperType = "wrappedDerivation";
 sandbox.net = "clearnet";
 secrets.".config/ntfy-sh/topic" = ../../../secrets/common/ntfy-sh-topic.bin;
diff --git a/hosts/common/programs/open-in-mpv.nix b/hosts/common/programs/open-in-mpv.nix
index 2e01f59b..c6107a0e 100644
--- a/hosts/common/programs/open-in-mpv.nix
+++ b/hosts/common/programs/open-in-mpv.nix
@@ -3,7 +3,6 @@
 {
 sane.programs.open-in-mpv = {
 sandbox.method = "bwrap";
- sandbox.wrapperType = "wrappedDerivation";
 sandbox.whitelistDbus = [ "user" ]; # for xdg-open/portals
 # taken from
diff --git a/hosts/common/programs/planify.nix b/hosts/common/programs/planify.nix
index de77b5eb..433cb393 100644
--- a/hosts/common/programs/planify.nix
+++ b/hosts/common/programs/planify.nix
@@ -2,7 +2,6 @@
 {
 sane.programs.planify = {
 sandbox.method = "bwrap";
- sandbox.wrapperType = "wrappedDerivation";
 sandbox.whitelistDbus = [ "user" ]; # for dconf? else it can't persist any tasks/notes
 sandbox.whitelistWayland = true;
diff --git a/hosts/common/programs/portfolio-filemanager.nix b/hosts/common/programs/portfolio-filemanager.nix
index 944de370..b6ef0a32 100644
--- a/hosts/common/programs/portfolio-filemanager.nix
+++ b/hosts/common/programs/portfolio-filemanager.nix
@@ -3,7 +3,6 @@
 sane.programs.portfolio-filemanager = {
 # this is all taken pretty directly from nautilus config
 sandbox.method = "bwrap";
- sandbox.wrapperType = "wrappedDerivation";
 sandbox.whitelistDbus = [ "user" ]; # for portals launching apps
 sandbox.whitelistWayland = true;
 sandbox.extraHomePaths = [
diff --git a/hosts/common/programs/ripgrep.nix b/hosts/common/programs/ripgrep.nix
index fd00ca3c..3b65d305 100644
--- a/hosts/common/programs/ripgrep.nix
+++ b/hosts/common/programs/ripgrep.nix
@@ -2,7 +2,6 @@
 {
 sane.programs.ripgrep = {
 sandbox.method = "bwrap";
- sandbox.wrapperType = "wrappedDerivation";
 sandbox.autodetectCliPaths = true;
 sandbox.whitelistPwd = true;
 sandbox.extraHomePaths = [
diff --git a/hosts/common/programs/rofi/default.nix b/hosts/common/programs/rofi/default.nix
index 99d9e96b..4d2e840e 100644
--- a/hosts/common/programs/rofi/default.nix
+++ b/hosts/common/programs/rofi/default.nix
@@ -63,7 +63,6 @@ in
 ];
 sandbox.method = "bwrap";
- sandbox.wrapperType = "wrappedDerivation";
 sandbox.whitelistDbus = [ "user" ]; #< to launch apps via the portal
 sandbox.whitelistWayland = true;
 sandbox.extraHomePaths = [
@@ -118,7 +117,6 @@ in
 };
 # if i could remove the sed, then maybe possible to not sandbox.
 sandbox.method = "bwrap";
- sandbox.wrapperType = "wrappedDerivation";
 sandbox.whitelistWayland = true;
 sandbox.extraHomePaths = [
 ".cache/rofi"
diff --git a/hosts/common/programs/sane-scripts.nix b/hosts/common/programs/sane-scripts.nix
index 9b2bcfd0..8c51666e 100644
--- a/hosts/common/programs/sane-scripts.nix
+++ b/hosts/common/programs/sane-scripts.nix
@@ -54,7 +54,6 @@ in
 "sane-scripts.bt-add".sandbox = {
 method = "bwrap";
- wrapperType = "wrappedDerivation";
 net = "clearnet";
 # TODO: migrate `transmission_passwd` to `secrets` api
 extraPaths = [ "/run/secrets/transmission_passwd" ];
@@ -62,7 +61,6 @@ in
 "sane-scripts.bt-rm".sandbox = {
 method = "bwrap";
- wrapperType = "wrappedDerivation";
 net = "clearnet";
 # TODO: migrate `transmission_passwd` to `secrets` api
 extraPaths = [ "/run/secrets/transmission_passwd" ];
@@ -70,7 +68,6 @@ in
 "sane-scripts.bt-search".sandbox = {
 method = "bwrap";
- wrapperType = "wrappedDerivation";
 net = "clearnet";
 # TODO: migrate `jackett_apikey` to `secrets` api
 extraPaths = [ "/run/secrets/jackett_apikey" ];
@@ -78,7 +75,6 @@ in
 "sane-scripts.bt-show".sandbox = {
 method = "bwrap";
- wrapperType = "wrappedDerivation";
 net = "clearnet";
 # TODO: migrate `transmission_passwd` to `secrets` api
 extraPaths = [ "/run/secrets/transmission_passwd" ];
@@ -90,13 +86,11 @@ in
 "sane-scripts.deadlines".sandbox = {
 method = "bwrap";
- wrapperType = "wrappedDerivation";
 extraHomePaths = [ "knowledge/planner/deadlines.tsv" ];
 };
 "sane-scripts.dev-cargo-loop".sandbox = {
 method = "bwrap";
- wrapperType = "wrappedDerivation";
 net = "clearnet";
 whitelistPwd = true;
 extraPaths = [
@@ -110,7 +104,6 @@ in
 "sane-scripts.find-dotfiles".sandbox = {
 method = "bwrap";
- wrapperType = "wrappedDerivation";
 extraHomePaths = [
 "/"
 ".persist/ephemeral"
@@ -120,7 +113,6 @@ in
 "sane-scripts.ip-check".sandbox = {
 method = "landlock";
- wrapperType = "wrappedDerivation";
 net = "all";
 };
@@ -128,7 +120,6 @@ in
 "sane-scripts.private-change-passwd".sandbox = {
 method = "bwrap";
- wrapperType = "wrappedDerivation";
 autodetectCliPaths = "existing"; #< for the new `private` location
 capabilities = [ "sys_admin" ]; # it needs to mount the new store
 extraHomePaths = [
@@ -140,7 +131,6 @@ in
 # instead, we put ourselves in a mount namespace, do the mount, and drop into a shell or run a command.
 # this actually has an OK side effect, that the mount isn't shared, and so we avoid contention/interleaving that would cause the ending `umount` to fail.
 method = "bwrap";
- wrapperType = "wrappedDerivation";
 # cap_sys_admin is needed to mount stuff.
 # ordinarily /run/wrappers/bin/mount would do that via setuid, but sandboxes have no_new_privs by default.
 capabilities = [ "sys_admin" ];
@@ -151,7 +141,6 @@ in
 };
 "sane-scripts.private-init".sandbox = {
 method = "bwrap";
- wrapperType = "wrappedDerivation";
 capabilities = [ "sys_admin" ]; # it needs to mount the new store
 extraHomePaths = [
 ".persist/private"
@@ -162,7 +151,6 @@ in
 "sane-scripts.reclaim-boot-space".sandbox = {
 method = "bwrap";
- wrapperType = "wrappedDerivation";
 extraPaths = [ "/boot" ];
 };
@@ -173,7 +161,6 @@ in
 "sane-scripts.reboot".sandbox = {
 method = "bwrap";
- wrapperType = "wrappedDerivation";
 extraPaths = [
 "/run/dbus"
 "/run/systemd"
@@ -182,13 +169,11 @@ in
 "sane-scripts.reclaim-disk-space".sandbox = {
 method = "bwrap";
- wrapperType = "wrappedDerivation";
 extraPaths = [ "/nix/var/nix" ];
 };
 "sane-scripts.secrets-unlock".sandbox = {
 method = "bwrap";
- wrapperType = "wrappedDerivation";
 extraHomePaths = [
 ".ssh/id_ed25519"
 ".ssh/id_ed25519.pub"
@@ -214,7 +199,6 @@ in
 "sane-scripts.shutdown".sandbox = {
 method = "bwrap";
- wrapperType = "wrappedDerivation";
 extraPaths = [
 "/run/dbus"
 "/run/systemd"
@@ -231,7 +215,6 @@ in
 "sane-scripts.tag-music".sandbox = {
 method = "bwrap";
- wrapperType = "wrappedDerivation";
 autodetectCliPaths = "existing";
 };
@@ -256,7 +239,6 @@ in
 (builtins.attrNames config.sane.vpn);
 "sane-scripts.vpn".sandbox = {
 method = "landlock"; #< bwrap can't handle `ip link` stuff even with cap_net_admin
- wrapperType = "wrappedDerivation";
 net = "all";
 capabilities = [ "net_admin" ];
 extraHomePaths = [ ".config/sane-vpn" ];
@@ -264,7 +246,6 @@ in
 "sane-scripts.which".sandbox = {
 method = "bwrap";
- wrapperType = "wrappedDerivation";
 extraHomePaths = [
 # for SXMO
 ".config/sxmo/hooks"
@@ -273,7 +254,6 @@ in
 "sane-scripts.wipe".sandbox = {
 method = "bwrap";
- wrapperType = "wrappedDerivation";
 whitelistDbus = [ "user" ]; #< for `secret-tool` and `systemd --user stop
 extraHomePaths = [
 # could be more specific, but at a maintenance cost.
diff --git a/hosts/common/programs/sfeed.nix b/hosts/common/programs/sfeed.nix
index ab8165c0..1157e331 100644
--- a/hosts/common/programs/sfeed.nix
+++ b/hosts/common/programs/sfeed.nix
@@ -17,7 +17,6 @@ let
 in {
 sane.programs.sfeed = {
 sandbox.method = "bwrap";
- sandbox.wrapperType = "wrappedDerivation";
 sandbox.net = "clearnet";
 fs.".sfeed/sfeedrc".symlink.text = ''
diff --git a/hosts/common/programs/signal-desktop.nix b/hosts/common/programs/signal-desktop.nix
index 3d7152d6..bd7c3a21 100644
--- a/hosts/common/programs/signal-desktop.nix
+++ b/hosts/common/programs/signal-desktop.nix
@@ -23,7 +23,6 @@ in
 packageUnwrapped = pkgs.signal-desktop-from-src;
 sandbox.method = "bwrap";
- sandbox.wrapperType = "wrappedDerivation";
 sandbox.net = "clearnet";
 sandbox.whitelistAudio = true;
 sandbox.whitelistWayland = true;
diff --git a/hosts/common/programs/splatmoji.nix b/hosts/common/programs/splatmoji.nix
index 8ac5e068..e6d1de40 100644
--- a/hosts/common/programs/splatmoji.nix
+++ b/hosts/common/programs/splatmoji.nix
@@ -6,7 +6,6 @@
 {
 sane.programs.splatmoji = {
 sandbox.method = "bwrap";
- sandbox.wrapperType = "wrappedDerivation";
 sandbox.whitelistWayland = true; # it calls into a dmenu helper
 sandbox.extraHomePaths = [
 ".cache/rofi"
diff --git a/hosts/common/programs/spot.nix b/hosts/common/programs/spot.nix
index 1d2863cf..67deb725 100644
--- a/hosts/common/programs/spot.nix
+++ b/hosts/common/programs/spot.nix
@@ -2,7 +2,6 @@
 {
 sane.programs.spot = {
 sandbox.method = "bwrap";
- sandbox.wrapperType = "wrappedDerivation";
 sandbox.net = "clearnet";
 sandbox.whitelistAudio = true;
 sandbox.whitelistDbus = [ "user" ]; # mpris
diff --git a/hosts/common/programs/supertuxkart.nix b/hosts/common/programs/supertuxkart.nix
index 35552948..d97610c1 100644
--- a/hosts/common/programs/supertuxkart.nix
+++ b/hosts/common/programs/supertuxkart.nix
@@ -2,7 +2,6 @@
 {
 sane.programs.superTuxKart = {
 sandbox.method = "bwrap";
- sandbox.wrapperType = "wrappedDerivation";
 sandbox.net = "clearnet"; # net play
 sandbox.whitelistAudio = true;
 sandbox.whitelistDri = true;
diff --git a/hosts/common/programs/swaylock.nix b/hosts/common/programs/swaylock.nix
index 2fb73c03..d2cfa8b4 100644
--- a/hosts/common/programs/swaylock.nix
+++ b/hosts/common/programs/swaylock.nix
@@ -5,7 +5,6 @@ in {
 sane.programs.swaylock = {
 sandbox.method = "bwrap";
- sandbox.wrapperType = "wrappedDerivation";
 sandbox.extraPaths = [
 # N.B.: we need to be able to follow /etc/shadow to wherever it's symlinked.
 # swaylock seems (?) to offload password checking to pam's `unix_chkpwd`,
diff --git a/hosts/common/programs/swaynotificationcenter.nix b/hosts/common/programs/swaynotificationcenter.nix
index 104523c8..5087577a 100644
--- a/hosts/common/programs/swaynotificationcenter.nix
+++ b/hosts/common/programs/swaynotificationcenter.nix
@@ -141,7 +141,6 @@ in
 }));
 sandbox.method = "bwrap";
- sandbox.wrapperType = "wrappedDerivation";
 sandbox.whitelistAudio = true;
 sandbox.whitelistDbus = [
 "user" # mpris; portal
diff --git a/hosts/common/programs/tangram.nix b/hosts/common/programs/tangram.nix
index f72845ed..97c7bc60 100644
--- a/hosts/common/programs/tangram.nix
+++ b/hosts/common/programs/tangram.nix
@@ -30,7 +30,6 @@ in
 slowToBuild = true; # only true for cross-compiled tangram
 sandbox.method = "bwrap";
- sandbox.wrapperType = "wrappedDerivation";
 sandbox.net = "clearnet";
 sandbox.whitelistAudio = true;
 sandbox.whitelistDri = true;
diff --git a/hosts/common/programs/tuba.nix b/hosts/common/programs/tuba.nix
index fba58d83..07d274c1 100644
--- a/hosts/common/programs/tuba.nix
+++ b/hosts/common/programs/tuba.nix
@@ -2,7 +2,6 @@
 {
 sane.programs.tuba = {
 sandbox.method = "bwrap";
- sandbox.wrapperType = "wrappedDerivation";
 sandbox.net = "clearnet";
 sandbox.whitelistAudio = true;
 sandbox.whitelistDbus = [ "user" ]; # notifications
diff --git a/hosts/common/programs/unl0kr/default.nix b/hosts/common/programs/unl0kr/default.nix
index be2230c2..16e0eacb 100644
--- a/hosts/common/programs/unl0kr/default.nix
+++ b/hosts/common/programs/unl0kr/default.nix
@@ -132,7 +132,6 @@ in
 # N.B.: this sandboxing applies to `unl0kr` itself -- the on-screen-keyboard;
 # NOT to the wrapper which invokes `login`.
 sandbox.method = "bwrap";
- sandbox.wrapperType = "wrappedDerivation";
 sandbox.whitelistDri = true;
 sandbox.extraPaths = [
 "/dev/fb0"
diff --git a/hosts/common/programs/vlc.nix b/hosts/common/programs/vlc.nix
index a00452be..2eaf98d6 100644
--- a/hosts/common/programs/vlc.nix
+++ b/hosts/common/programs/vlc.nix
@@ -15,7 +15,6 @@ in
 samba = null;
 };
 sandbox.method = "bwrap";
- sandbox.wrapperType = "wrappedDerivation";
 sandbox.net = "clearnet";
 sandbox.autodetectCliPaths = true;
 sandbox.whitelistAudio = true;
diff --git a/hosts/common/programs/waybar/default.nix b/hosts/common/programs/waybar/default.nix
index 8175b275..0929a6bd 100644
--- a/hosts/common/programs/waybar/default.nix
+++ b/hosts/common/programs/waybar/default.nix
@@ -57,7 +57,6 @@ in
 };
 sandbox.method = "bwrap";
- sandbox.wrapperType = "wrappedDerivation";
 sandbox.net = "all"; #< to show net connection status and BW
 sandbox.whitelistDbus = [
 "user" #< for playerctl/media
diff --git a/hosts/common/programs/waylock.nix b/hosts/common/programs/waylock.nix
index 200da3c7..2982c36c 100644
--- a/hosts/common/programs/waylock.nix
+++ b/hosts/common/programs/waylock.nix
@@ -7,7 +7,6 @@ in {
 sane.programs.waylock = {
 sandbox.method = "bwrap";
- sandbox.wrapperType = "wrappedDerivation";
 sandbox.extraPaths = [
 # N.B.: we need to be able to follow /etc/shadow to wherever it's symlinked.
 # waylock seems (?) to offload password checking to pam's `unix_chkpwd`,
diff --git a/hosts/common/programs/wireplumber.nix b/hosts/common/programs/wireplumber.nix
index f9d6e1c2..25761a6a 100644
--- a/hosts/common/programs/wireplumber.nix
+++ b/hosts/common/programs/wireplumber.nix
@@ -5,7 +5,6 @@ in {
 sane.programs.wireplumber = {
 sandbox.method = "bwrap";
- sandbox.wrapperType = "wrappedDerivation";
 sandbox.whitelistDbus = [
 # i think this isn't strictly necessary; it just wants to ask the portal for realtime perms
 # "system"
diff --git a/hosts/common/programs/wireshark.nix b/hosts/common/programs/wireshark.nix
index 79f4704e..a403947f 100644
--- a/hosts/common/programs/wireshark.nix
+++ b/hosts/common/programs/wireshark.nix
@@ -5,7 +5,6 @@ in {
 sane.programs.wireshark = {
 sandbox.method = "landlock";
- sandbox.wrapperType = "wrappedDerivation";
 sandbox.whitelistWayland = true;
 sandbox.net = "all";
 sandbox.capabilities = [ "net_admin" "net_raw" ];
diff --git a/hosts/common/programs/wob/default.nix b/hosts/common/programs/wob/default.nix
index 338c5a93..48c379eb 100644
--- a/hosts/common/programs/wob/default.nix
+++ b/hosts/common/programs/wob/default.nix
@@ -32,7 +32,6 @@ in
 };
 sandbox.method = "bwrap";
- sandbox.wrapperType = "wrappedDerivation";
 sandbox.whitelistWayland = true;
 fs.".config/wob/wob.ini".symlink.text = ''
diff --git a/hosts/common/programs/xarchiver.nix b/hosts/common/programs/xarchiver.nix
index 3148c057..4c64c630 100644
--- a/hosts/common/programs/xarchiver.nix
+++ b/hosts/common/programs/xarchiver.nix
@@ -7,7 +7,6 @@
 };
 sandbox.method = "bwrap";
- sandbox.wrapperType = "wrappedDerivation";
 sandbox.whitelistWayland = true;
 sandbox.extraHomePaths = [
 "archive"
diff --git a/hosts/common/programs/xdg-desktop-portal-gtk.nix b/hosts/common/programs/xdg-desktop-portal-gtk.nix
index 2bc5d676..c84a7e7b 100644
--- a/hosts/common/programs/xdg-desktop-portal-gtk.nix
+++ b/hosts/common/programs/xdg-desktop-portal-gtk.nix
@@ -8,7 +8,6 @@ in
 packageUnwrapped = pkgs.rmDbusServicesInPlace pkgs.xdg-desktop-portal-gtk;
 sandbox.method = "bwrap";
- sandbox.wrapperType = "wrappedDerivation";
 sandbox.whitelistDbus = [ "user" ]; # speak to main xdg-desktop-portal
 sandbox.whitelistWayland = true;
 sandbox.extraHomePaths = [
diff --git a/hosts/common/programs/xdg-desktop-portal-wlr.nix b/hosts/common/programs/xdg-desktop-portal-wlr.nix
index 087c8bc5..2f9a4523 100644
--- a/hosts/common/programs/xdg-desktop-portal-wlr.nix
+++ b/hosts/common/programs/xdg-desktop-portal-wlr.nix
@@ -8,7 +8,6 @@ in
 packageUnwrapped = pkgs.rmDbusServicesInPlace pkgs.xdg-desktop-portal-wlr;
 sandbox.method = "bwrap"; # TODO:sandbox: untested
- sandbox.wrapperType = "wrappedDerivation";
 sandbox.whitelistDbus = [ "user" ]; # speak to main xdg-desktop-portal
 sandbox.whitelistWayland = true;
diff --git a/modules/programs/default.nix b/modules/programs/default.nix
index b0e03ebc..3293e5fe 100644
--- a/modules/programs/default.nix
+++ b/modules/programs/default.nix
@@ -316,7 +316,7 @@ let
 };
 sandbox.wrapperType = mkOption {
 type = types.enum [ "inplace" "wrappedDerivation" ];
- default = "inplace";
+ default = "wrappedDerivation";
 description = ''
 how to manipulate the `packageUnwrapped` derivation in order to achieve sandboxing.
 - inplace: applies an override to `packageUnwrapped`, so that all `bin/` files are sandboxed,
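Review bot: Switching `default` from `"inplace"` to `"wrappedDerivation"` downgrades sandbox coverage for every program that never set `sandbox.wrapperType` and so relied on the old default: per the surviving description, `"wrappedDerivation"` links nothing outside `bin/` (plus limited `.desktop` support) whereas `"inplace"` overrides `packageUnwrapped` so all of `bin/` is sandboxed. No hunk in this commit pins `"inplace"` anywhere, so a package whose executables are reached by some path other than the wrapper's `bin/` presumably now runs unsandboxed without any evaluation-time signal; the `rmDbusServices`/`rmDbusServicesInPlace` calls on the `packageUnwrapped` lines suggest D-Bus activation is one such path worth auditing before relying on the new default. The trade-off deserves a why-comment on the changed line itself, e.g. `default = "wrappedDerivation"; # lightweight (no rebuild) but only wraps bin/; set "inplace" for packages that must be sandboxed beyond bin/`. The `mkOption` block continues into the following hunk.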
@@ -327,7 +327,6 @@ let
 "inplace" is more reliable, but "wrappedDerivation" is more lightweight (doesn't force any rebuilds).
 the biggest gap in "wrappedDerivation" is that it doesn't link anything outside `bin/`,
 except for some limited (verified safe) support for `share/applications/*.desktop`
- "wrappedDerivation" is mostly good for prototyping.
 '';
 };
 sandbox.autodetectCliPaths = mkOption {
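Review bot: With the `"wrappedDerivation" is mostly good for prototyping.` sentence removed, the description no longer states which value is the default or when to override it, while the surviving line `"inplace" is more reliable, but "wrappedDerivation" is more lightweight` still reads as if the more reliable option were the one in effect. Replace the removed sentence rather than just deleting it, e.g. `"wrappedDerivation" is the default; choose "inplace" for packages whose sandboxable executables live outside bin/.` It would also help to say what "verified safe" means for the `share/applications/*.desktop` support, since that is the only thing outside `bin/` the wrapper touches.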