programs: make sandbox.wrapperType default to "wrappedDerivation" and remove everywhere i manually set that
parent
812c0c8029
commit
40e30cf2f8
|
@ -31,7 +31,6 @@
|
||||||
};
|
};
|
||||||
|
|
||||||
sandbox.method = "bwrap";
|
sandbox.method = "bwrap";
|
||||||
sandbox.wrapperType = "wrappedDerivation";
|
|
||||||
sandbox.whitelistWayland = true;
|
sandbox.whitelistWayland = true;
|
||||||
|
|
||||||
persist.byStore.plaintext = [
|
persist.byStore.plaintext = [
|
||||||
|
|
|
@ -203,13 +203,11 @@ in
|
||||||
# INDIVIDUAL PACKAGE DEFINITIONS
|
# INDIVIDUAL PACKAGE DEFINITIONS
|
||||||
|
|
||||||
alsaUtils.sandbox.method = "landlock";
|
alsaUtils.sandbox.method = "landlock";
|
||||||
alsaUtils.sandbox.wrapperType = "wrappedDerivation";
|
|
||||||
alsaUtils.sandbox.whitelistAudio = true; #< not strictly necessary?
|
alsaUtils.sandbox.whitelistAudio = true; #< not strictly necessary?
|
||||||
|
|
||||||
backblaze-b2 = {};
|
backblaze-b2 = {};
|
||||||
|
|
||||||
blanket.sandbox.method = "bwrap";
|
blanket.sandbox.method = "bwrap";
|
||||||
blanket.sandbox.wrapperType = "wrappedDerivation";
|
|
||||||
blanket.sandbox.whitelistAudio = true;
|
blanket.sandbox.whitelistAudio = true;
|
||||||
# blanket.sandbox.whitelistDbus = [ "user" ]; # TODO: untested
|
# blanket.sandbox.whitelistDbus = [ "user" ]; # TODO: untested
|
||||||
blanket.sandbox.whitelistWayland = true;
|
blanket.sandbox.whitelistWayland = true;
|
||||||
|
@ -225,11 +223,9 @@ in
|
||||||
];
|
];
|
||||||
|
|
||||||
bridge-utils.sandbox.method = "bwrap"; #< bwrap, landlock: both work
|
bridge-utils.sandbox.method = "bwrap"; #< bwrap, landlock: both work
|
||||||
bridge-utils.sandbox.wrapperType = "wrappedDerivation";
|
|
||||||
bridge-utils.sandbox.net = "all";
|
bridge-utils.sandbox.net = "all";
|
||||||
|
|
||||||
brightnessctl.sandbox.method = "landlock"; # also bwrap, but landlock is more responsive
|
brightnessctl.sandbox.method = "landlock"; # also bwrap, but landlock is more responsive
|
||||||
brightnessctl.sandbox.wrapperType = "wrappedDerivation";
|
|
||||||
brightnessctl.sandbox.extraPaths = [
|
brightnessctl.sandbox.extraPaths = [
|
||||||
"/sys/class/backlight"
|
"/sys/class/backlight"
|
||||||
"/sys/class/leds"
|
"/sys/class/leds"
|
||||||
|
@ -238,7 +234,6 @@ in
|
||||||
brightnessctl.sandbox.whitelistDbus = [ "system" ];
|
brightnessctl.sandbox.whitelistDbus = [ "system" ];
|
||||||
|
|
||||||
btrfs-progs.sandbox.method = "bwrap"; #< bwrap, landlock: both work
|
btrfs-progs.sandbox.method = "bwrap"; #< bwrap, landlock: both work
|
||||||
btrfs-progs.sandbox.wrapperType = "wrappedDerivation";
|
|
||||||
btrfs-progs.sandbox.autodetectCliPaths = "existing"; # e.g. `btrfs filesystem df /my/fs`
|
btrfs-progs.sandbox.autodetectCliPaths = "existing"; # e.g. `btrfs filesystem df /my/fs`
|
||||||
|
|
||||||
"cacert.unbundled".sandbox.enable = false;
|
"cacert.unbundled".sandbox.enable = false;
|
||||||
|
@ -249,7 +244,6 @@ in
|
||||||
|
|
||||||
# cryptsetup: typical use is `cryptsetup open /dev/loopxyz mappedName`, and creates `/dev/mapper/mappedName`
|
# cryptsetup: typical use is `cryptsetup open /dev/loopxyz mappedName`, and creates `/dev/mapper/mappedName`
|
||||||
cryptsetup.sandbox.method = "landlock";
|
cryptsetup.sandbox.method = "landlock";
|
||||||
cryptsetup.sandbox.wrapperType = "wrappedDerivation";
|
|
||||||
cryptsetup.sandbox.extraPaths = [
|
cryptsetup.sandbox.extraPaths = [
|
||||||
"/dev/mapper"
|
"/dev/mapper"
|
||||||
"/dev/random"
|
"/dev/random"
|
||||||
|
@ -263,12 +257,10 @@ in
|
||||||
cryptsetup.sandbox.autodetectCliPaths = "existing";
|
cryptsetup.sandbox.autodetectCliPaths = "existing";
|
||||||
|
|
||||||
ddrescue.sandbox.method = "landlock"; # TODO:sandbox: untested
|
ddrescue.sandbox.method = "landlock"; # TODO:sandbox: untested
|
||||||
ddrescue.sandbox.wrapperType = "wrappedDerivation";
|
|
||||||
ddrescue.sandbox.autodetectCliPaths = "existingOrParent";
|
ddrescue.sandbox.autodetectCliPaths = "existingOrParent";
|
||||||
|
|
||||||
# auth token, preferences
|
# auth token, preferences
|
||||||
delfin.sandbox.method = "bwrap";
|
delfin.sandbox.method = "bwrap";
|
||||||
delfin.sandbox.wrapperType = "wrappedDerivation";
|
|
||||||
delfin.sandbox.whitelistAudio = true;
|
delfin.sandbox.whitelistAudio = true;
|
||||||
delfin.sandbox.whitelistDbus = [ "user" ]; # else `mpris` plugin crashes the player
|
delfin.sandbox.whitelistDbus = [ "user" ]; # else `mpris` plugin crashes the player
|
||||||
delfin.sandbox.whitelistDri = true;
|
delfin.sandbox.whitelistDri = true;
|
||||||
|
@ -277,7 +269,6 @@ in
|
||||||
delfin.persist.byStore.private = [ ".config/delfin" ];
|
delfin.persist.byStore.private = [ ".config/delfin" ];
|
||||||
|
|
||||||
dig.sandbox.method = "bwrap";
|
dig.sandbox.method = "bwrap";
|
||||||
dig.sandbox.wrapperType = "wrappedDerivation";
|
|
||||||
dig.sandbox.net = "all";
|
dig.sandbox.net = "all";
|
||||||
|
|
||||||
# creds, but also 200 MB of node modules, etc
|
# creds, but also 200 MB of node modules, etc
|
||||||
|
@ -293,18 +284,15 @@ in
|
||||||
dtc.sandbox.autodetectCliPaths = true; # TODO:sandbox: untested
|
dtc.sandbox.autodetectCliPaths = true; # TODO:sandbox: untested
|
||||||
|
|
||||||
dtrx.sandbox.method = "bwrap";
|
dtrx.sandbox.method = "bwrap";
|
||||||
dtrx.sandbox.wrapperType = "wrappedDerivation";
|
|
||||||
dtrx.sandbox.whitelistPwd = true;
|
dtrx.sandbox.whitelistPwd = true;
|
||||||
dtrx.sandbox.autodetectCliPaths = "existing"; #< for the archive
|
dtrx.sandbox.autodetectCliPaths = "existing"; #< for the archive
|
||||||
|
|
||||||
duplicity = {};
|
duplicity = {};
|
||||||
|
|
||||||
e2fsprogs.sandbox.method = "landlock";
|
e2fsprogs.sandbox.method = "landlock";
|
||||||
e2fsprogs.sandbox.wrapperType = "wrappedDerivation";
|
|
||||||
e2fsprogs.sandbox.autodetectCliPaths = "existing";
|
e2fsprogs.sandbox.autodetectCliPaths = "existing";
|
||||||
|
|
||||||
efibootmgr.sandbox.method = "landlock";
|
efibootmgr.sandbox.method = "landlock";
|
||||||
efibootmgr.sandbox.wrapperType = "wrappedDerivation";
|
|
||||||
efibootmgr.sandbox.extraPaths = [
|
efibootmgr.sandbox.extraPaths = [
|
||||||
"/sys/firmware/efi"
|
"/sys/firmware/efi"
|
||||||
];
|
];
|
||||||
|
@ -312,14 +300,12 @@ in
|
||||||
eg25-control = {};
|
eg25-control = {};
|
||||||
|
|
||||||
electrum.sandbox.method = "bwrap"; # TODO:sandbox: untested
|
electrum.sandbox.method = "bwrap"; # TODO:sandbox: untested
|
||||||
electrum.sandbox.wrapperType = "wrappedDerivation";
|
|
||||||
electrum.sandbox.net = "all"; # TODO: probably want to make this run behind a VPN, always
|
electrum.sandbox.net = "all"; # TODO: probably want to make this run behind a VPN, always
|
||||||
electrum.sandbox.whitelistWayland = true;
|
electrum.sandbox.whitelistWayland = true;
|
||||||
electrum.persist.byStore.cryptClearOnBoot = [ ".electrum" ]; #< TODO: use XDG dirs!
|
electrum.persist.byStore.cryptClearOnBoot = [ ".electrum" ]; #< TODO: use XDG dirs!
|
||||||
|
|
||||||
endless-sky.persist.byStore.plaintext = [ ".local/share/endless-sky" ];
|
endless-sky.persist.byStore.plaintext = [ ".local/share/endless-sky" ];
|
||||||
endless-sky.sandbox.method = "bwrap";
|
endless-sky.sandbox.method = "bwrap";
|
||||||
endless-sky.sandbox.wrapperType = "wrappedDerivation";
|
|
||||||
endless-sky.sandbox.whitelistAudio = true;
|
endless-sky.sandbox.whitelistAudio = true;
|
||||||
endless-sky.sandbox.whitelistDri = true;
|
endless-sky.sandbox.whitelistDri = true;
|
||||||
endless-sky.sandbox.whitelistWayland = true;
|
endless-sky.sandbox.whitelistWayland = true;
|
||||||
|
@ -330,14 +316,12 @@ in
|
||||||
emote.persist.byStore.plaintext = [ ".local/share/Emote" ];
|
emote.persist.byStore.plaintext = [ ".local/share/Emote" ];
|
||||||
|
|
||||||
ethtool.sandbox.method = "landlock";
|
ethtool.sandbox.method = "landlock";
|
||||||
ethtool.sandbox.wrapperType = "wrappedDerivation";
|
|
||||||
ethtool.sandbox.capabilities = [ "net_admin" ];
|
ethtool.sandbox.capabilities = [ "net_admin" ];
|
||||||
|
|
||||||
# eza `ls` replacement
|
# eza `ls` replacement
|
||||||
# landlock is OK, only `whitelistPwd` doesn't make the intermediate symlinks traversable, so it breaks on e.g. ~/Videos/servo/Shows/foo
|
# landlock is OK, only `whitelistPwd` doesn't make the intermediate symlinks traversable, so it breaks on e.g. ~/Videos/servo/Shows/foo
|
||||||
# eza.sandbox.method = "landlock";
|
# eza.sandbox.method = "landlock";
|
||||||
eza.sandbox.method = "bwrap";
|
eza.sandbox.method = "bwrap";
|
||||||
eza.sandbox.wrapperType = "wrappedDerivation"; # slow to build
|
|
||||||
eza.sandbox.autodetectCliPaths = true;
|
eza.sandbox.autodetectCliPaths = true;
|
||||||
eza.sandbox.whitelistPwd = true;
|
eza.sandbox.whitelistPwd = true;
|
||||||
eza.sandbox.extraHomePaths = [
|
eza.sandbox.extraHomePaths = [
|
||||||
|
@ -347,11 +331,9 @@ in
|
||||||
];
|
];
|
||||||
|
|
||||||
fatresize.sandbox.method = "landlock";
|
fatresize.sandbox.method = "landlock";
|
||||||
fatresize.sandbox.wrapperType = "wrappedDerivation";
|
|
||||||
fatresize.sandbox.autodetectCliPaths = "parent"; # /dev/sda1 -> needs /dev/sda
|
fatresize.sandbox.autodetectCliPaths = "parent"; # /dev/sda1 -> needs /dev/sda
|
||||||
|
|
||||||
fd.sandbox.method = "landlock";
|
fd.sandbox.method = "landlock";
|
||||||
fd.sandbox.wrapperType = "wrappedDerivation"; # slow to build
|
|
||||||
fd.sandbox.autodetectCliPaths = true;
|
fd.sandbox.autodetectCliPaths = true;
|
||||||
fd.sandbox.whitelistPwd = true;
|
fd.sandbox.whitelistPwd = true;
|
||||||
fd.sandbox.extraHomePaths = [
|
fd.sandbox.extraHomePaths = [
|
||||||
|
@ -361,15 +343,12 @@ in
|
||||||
];
|
];
|
||||||
|
|
||||||
ffmpeg.sandbox.method = "bwrap";
|
ffmpeg.sandbox.method = "bwrap";
|
||||||
ffmpeg.sandbox.wrapperType = "wrappedDerivation"; # slow to build
|
|
||||||
ffmpeg.sandbox.autodetectCliPaths = "existingFileOrParent"; # it outputs uncreated files -> parent dir needs mounting
|
ffmpeg.sandbox.autodetectCliPaths = "existingFileOrParent"; # it outputs uncreated files -> parent dir needs mounting
|
||||||
|
|
||||||
file.sandbox.method = "bwrap";
|
file.sandbox.method = "bwrap";
|
||||||
file.sandbox.wrapperType = "wrappedDerivation";
|
|
||||||
file.sandbox.autodetectCliPaths = true;
|
file.sandbox.autodetectCliPaths = true;
|
||||||
|
|
||||||
findutils.sandbox.method = "bwrap";
|
findutils.sandbox.method = "bwrap";
|
||||||
findutils.sandbox.wrapperType = "wrappedDerivation";
|
|
||||||
findutils.sandbox.autodetectCliPaths = true;
|
findutils.sandbox.autodetectCliPaths = true;
|
||||||
findutils.sandbox.whitelistPwd = true;
|
findutils.sandbox.whitelistPwd = true;
|
||||||
findutils.sandbox.extraHomePaths = [
|
findutils.sandbox.extraHomePaths = [
|
||||||
|
@ -381,14 +360,12 @@ in
|
||||||
fluffychat-moby.persist.byStore.plaintext = [ ".local/share/chat.fluffy.fluffychat" ];
|
fluffychat-moby.persist.byStore.plaintext = [ ".local/share/chat.fluffy.fluffychat" ];
|
||||||
|
|
||||||
font-manager.sandbox.method = "bwrap";
|
font-manager.sandbox.method = "bwrap";
|
||||||
font-manager.sandbox.wrapperType = "wrappedDerivation";
|
|
||||||
font-manager.packageUnwrapped = pkgs.rmDbusServicesInPlace (pkgs.font-manager.override {
|
font-manager.packageUnwrapped = pkgs.rmDbusServicesInPlace (pkgs.font-manager.override {
|
||||||
# build without the "Google Fonts" integration feature, to save closure / avoid webkitgtk_4_0
|
# build without the "Google Fonts" integration feature, to save closure / avoid webkitgtk_4_0
|
||||||
withWebkit = false;
|
withWebkit = false;
|
||||||
});
|
});
|
||||||
|
|
||||||
forkstat.sandbox.method = "landlock"; #< doesn't seem to support bwrap
|
forkstat.sandbox.method = "landlock"; #< doesn't seem to support bwrap
|
||||||
forkstat.sandbox.wrapperType = "wrappedDerivation";
|
|
||||||
forkstat.sandbox.extraConfig = [
|
forkstat.sandbox.extraConfig = [
|
||||||
"--sane-sandbox-keep-namespace" "pid"
|
"--sane-sandbox-keep-namespace" "pid"
|
||||||
];
|
];
|
||||||
|
@ -401,7 +378,6 @@ in
|
||||||
# should probably make it not be an app-launcher
|
# should probably make it not be an app-launcher
|
||||||
fuzzel.sandbox.enable = false;
|
fuzzel.sandbox.enable = false;
|
||||||
fuzzel.sandbox.method = "bwrap"; #< landlock nearly works, but unable to open ~/.cache
|
fuzzel.sandbox.method = "bwrap"; #< landlock nearly works, but unable to open ~/.cache
|
||||||
fuzzel.sandbox.wrapperType = "wrappedDerivation";
|
|
||||||
fuzzel.sandbox.whitelistWayland = true;
|
fuzzel.sandbox.whitelistWayland = true;
|
||||||
fuzzel.persist.byStore.private = [
|
fuzzel.persist.byStore.private = [
|
||||||
# this is a file of recent selections
|
# this is a file of recent selections
|
||||||
|
@ -414,7 +390,6 @@ in
|
||||||
|
|
||||||
gdb.sandbox.enable = false; # gdb doesn't sandbox well. i don't know how you could.
|
gdb.sandbox.enable = false; # gdb doesn't sandbox well. i don't know how you could.
|
||||||
# gdb.sandbox.method = "landlock"; # permission denied when trying to attach, even as root
|
# gdb.sandbox.method = "landlock"; # permission denied when trying to attach, even as root
|
||||||
gdb.sandbox.wrapperType = "wrappedDerivation";
|
|
||||||
gdb.sandbox.autodetectCliPaths = true;
|
gdb.sandbox.autodetectCliPaths = true;
|
||||||
|
|
||||||
geoclue2-with-demo-agent = {};
|
geoclue2-with-demo-agent = {};
|
||||||
|
@ -424,7 +399,6 @@ in
|
||||||
gh.persist.byStore.private = [ ".config/gh" ];
|
gh.persist.byStore.private = [ ".config/gh" ];
|
||||||
|
|
||||||
gimp.sandbox.method = "bwrap";
|
gimp.sandbox.method = "bwrap";
|
||||||
gimp.sandbox.wrapperType = "wrappedDerivation";
|
|
||||||
gimp.sandbox.whitelistWayland = true;
|
gimp.sandbox.whitelistWayland = true;
|
||||||
gimp.sandbox.extraHomePaths = [
|
gimp.sandbox.extraHomePaths = [
|
||||||
"Pictures/albums"
|
"Pictures/albums"
|
||||||
|
@ -443,39 +417,32 @@ in
|
||||||
];
|
];
|
||||||
|
|
||||||
"gnome.gnome-calculator".sandbox.method = "bwrap";
|
"gnome.gnome-calculator".sandbox.method = "bwrap";
|
||||||
"gnome.gnome-calculator".sandbox.wrapperType = "wrappedDerivation";
|
|
||||||
"gnome.gnome-calculator".sandbox.whitelistWayland = true;
|
"gnome.gnome-calculator".sandbox.whitelistWayland = true;
|
||||||
|
|
||||||
# gnome-calendar surely has data to persist, but i use it strictly to do date math, not track events.
|
# gnome-calendar surely has data to persist, but i use it strictly to do date math, not track events.
|
||||||
"gnome.gnome-calendar".sandbox.method = "bwrap";
|
"gnome.gnome-calendar".sandbox.method = "bwrap";
|
||||||
"gnome.gnome-calendar".sandbox.wrapperType = "wrappedDerivation";
|
|
||||||
"gnome.gnome-calendar".sandbox.whitelistWayland = true;
|
"gnome.gnome-calendar".sandbox.whitelistWayland = true;
|
||||||
|
|
||||||
"gnome.gnome-clocks".sandbox.method = "bwrap";
|
"gnome.gnome-clocks".sandbox.method = "bwrap";
|
||||||
"gnome.gnome-clocks".sandbox.wrapperType = "wrappedDerivation";
|
|
||||||
"gnome.gnome-clocks".sandbox.whitelistWayland = true;
|
"gnome.gnome-clocks".sandbox.whitelistWayland = true;
|
||||||
"gnome.gnome-clocks".suggestedPrograms = [ "dconf" ];
|
"gnome.gnome-clocks".suggestedPrograms = [ "dconf" ];
|
||||||
|
|
||||||
# gnome-disks
|
# gnome-disks
|
||||||
"gnome.gnome-disk-utility".sandbox.method = "bwrap";
|
"gnome.gnome-disk-utility".sandbox.method = "bwrap";
|
||||||
"gnome.gnome-disk-utility".sandbox.wrapperType = "wrappedDerivation";
|
|
||||||
"gnome.gnome-disk-utility".sandbox.whitelistDbus = [ "system" ];
|
"gnome.gnome-disk-utility".sandbox.whitelistDbus = [ "system" ];
|
||||||
"gnome.gnome-disk-utility".sandbox.whitelistWayland = true;
|
"gnome.gnome-disk-utility".sandbox.whitelistWayland = true;
|
||||||
|
|
||||||
# seahorse: dump gnome-keyring secrets.
|
# seahorse: dump gnome-keyring secrets.
|
||||||
# N.B.: it can also manage ~/.ssh keys, but i explicitly don't add those to the sandbox for now.
|
# N.B.: it can also manage ~/.ssh keys, but i explicitly don't add those to the sandbox for now.
|
||||||
"gnome.seahorse".sandbox.method = "bwrap";
|
"gnome.seahorse".sandbox.method = "bwrap";
|
||||||
"gnome.seahorse".sandbox.wrapperType = "wrappedDerivation";
|
|
||||||
"gnome.seahorse".sandbox.whitelistDbus = [ "user" ];
|
"gnome.seahorse".sandbox.whitelistDbus = [ "user" ];
|
||||||
"gnome.seahorse".sandbox.whitelistWayland = true;
|
"gnome.seahorse".sandbox.whitelistWayland = true;
|
||||||
|
|
||||||
gnome-2048.sandbox.method = "bwrap";
|
gnome-2048.sandbox.method = "bwrap";
|
||||||
gnome-2048.sandbox.wrapperType = "wrappedDerivation";
|
|
||||||
gnome-2048.sandbox.whitelistWayland = true;
|
gnome-2048.sandbox.whitelistWayland = true;
|
||||||
gnome-2048.persist.byStore.plaintext = [ ".local/share/gnome-2048/scores" ];
|
gnome-2048.persist.byStore.plaintext = [ ".local/share/gnome-2048/scores" ];
|
||||||
|
|
||||||
gnome-frog.sandbox.method = "bwrap";
|
gnome-frog.sandbox.method = "bwrap";
|
||||||
gnome-frog.sandbox.wrapperType = "wrappedDerivation";
|
|
||||||
gnome-frog.sandbox.whitelistWayland = true;
|
gnome-frog.sandbox.whitelistWayland = true;
|
||||||
gnome-frog.sandbox.whitelistDbus = [ "user" ];
|
gnome-frog.sandbox.whitelistDbus = [ "user" ];
|
||||||
gnome-frog.sandbox.extraPaths = [
|
gnome-frog.sandbox.extraPaths = [
|
||||||
|
@ -502,11 +469,9 @@ in
|
||||||
# 2. no two shaded tiles can be direct N/S/E/W neighbors
|
# 2. no two shaded tiles can be direct N/S/E/W neighbors
|
||||||
# - win once (1) and (2) are satisfied
|
# - win once (1) and (2) are satisfied
|
||||||
"gnome.hitori".sandbox.method = "bwrap";
|
"gnome.hitori".sandbox.method = "bwrap";
|
||||||
"gnome.hitori".sandbox.wrapperType = "wrappedDerivation";
|
|
||||||
"gnome.hitori".sandbox.whitelistWayland = true;
|
"gnome.hitori".sandbox.whitelistWayland = true;
|
||||||
|
|
||||||
gnugrep.sandbox.method = "bwrap";
|
gnugrep.sandbox.method = "bwrap";
|
||||||
gnugrep.sandbox.wrapperType = "wrappedDerivation";
|
|
||||||
gnugrep.sandbox.autodetectCliPaths = true;
|
gnugrep.sandbox.autodetectCliPaths = true;
|
||||||
gnugrep.sandbox.whitelistPwd = true;
|
gnugrep.sandbox.whitelistPwd = true;
|
||||||
gnugrep.sandbox.extraHomePaths = [
|
gnugrep.sandbox.extraHomePaths = [
|
||||||
|
@ -519,7 +484,6 @@ in
|
||||||
gpsd = {};
|
gpsd = {};
|
||||||
|
|
||||||
gptfdisk.sandbox.method = "landlock";
|
gptfdisk.sandbox.method = "landlock";
|
||||||
gptfdisk.sandbox.wrapperType = "wrappedDerivation";
|
|
||||||
gptfdisk.sandbox.extraPaths = [
|
gptfdisk.sandbox.extraPaths = [
|
||||||
"/dev"
|
"/dev"
|
||||||
];
|
];
|
||||||
|
@ -528,7 +492,6 @@ in
|
||||||
grim = {};
|
grim = {};
|
||||||
|
|
||||||
hase.sandbox.method = "bwrap";
|
hase.sandbox.method = "bwrap";
|
||||||
hase.sandbox.wrapperType = "wrappedDerivation";
|
|
||||||
hase.sandbox.net = "clearnet";
|
hase.sandbox.net = "clearnet";
|
||||||
hase.sandbox.whitelistAudio = true;
|
hase.sandbox.whitelistAudio = true;
|
||||||
hase.sandbox.whitelistDri = true;
|
hase.sandbox.whitelistDri = true;
|
||||||
|
@ -536,15 +499,12 @@ in
|
||||||
|
|
||||||
# hdparm: has to be run as sudo. e.g. `sudo hdparm -i /dev/sda`
|
# hdparm: has to be run as sudo. e.g. `sudo hdparm -i /dev/sda`
|
||||||
hdparm.sandbox.method = "bwrap";
|
hdparm.sandbox.method = "bwrap";
|
||||||
hdparm.sandbox.wrapperType = "wrappedDerivation";
|
|
||||||
hdparm.sandbox.autodetectCliPaths = true;
|
hdparm.sandbox.autodetectCliPaths = true;
|
||||||
|
|
||||||
host.sandbox.method = "landlock";
|
host.sandbox.method = "landlock";
|
||||||
host.sandbox.wrapperType = "wrappedDerivation";
|
|
||||||
host.sandbox.net = "all"; #< technically, only needs to contact localhost's DNS server
|
host.sandbox.net = "all"; #< technically, only needs to contact localhost's DNS server
|
||||||
|
|
||||||
htop.sandbox.method = "landlock";
|
htop.sandbox.method = "landlock";
|
||||||
htop.sandbox.wrapperType = "wrappedDerivation";
|
|
||||||
htop.sandbox.extraPaths = [
|
htop.sandbox.extraPaths = [
|
||||||
"/proc"
|
"/proc"
|
||||||
"/sys/devices"
|
"/sys/devices"
|
||||||
|
@ -555,16 +515,13 @@ in
|
||||||
];
|
];
|
||||||
|
|
||||||
iftop.sandbox.method = "landlock";
|
iftop.sandbox.method = "landlock";
|
||||||
iftop.sandbox.wrapperType = "wrappedDerivation";
|
|
||||||
iftop.sandbox.capabilities = [ "net_raw" ];
|
iftop.sandbox.capabilities = [ "net_raw" ];
|
||||||
|
|
||||||
# inetutils: ping, ifconfig, hostname, traceroute, whois, ....
|
# inetutils: ping, ifconfig, hostname, traceroute, whois, ....
|
||||||
# N.B.: inetutils' `ping` is shadowed by iputils' ping (by nixos, intentionally).
|
# N.B.: inetutils' `ping` is shadowed by iputils' ping (by nixos, intentionally).
|
||||||
inetutils.sandbox.method = "landlock"; # want to keep the same netns, at least.
|
inetutils.sandbox.method = "landlock"; # want to keep the same netns, at least.
|
||||||
inetutils.sandbox.wrapperType = "wrappedDerivation";
|
|
||||||
|
|
||||||
inkscape.sandbox.method = "bwrap";
|
inkscape.sandbox.method = "bwrap";
|
||||||
inkscape.sandbox.wrapperType = "wrappedDerivation";
|
|
||||||
inkscape.sandbox.whitelistWayland = true;
|
inkscape.sandbox.whitelistWayland = true;
|
||||||
inkscape.sandbox.extraHomePaths = [
|
inkscape.sandbox.extraHomePaths = [
|
||||||
"Pictures/albums"
|
"Pictures/albums"
|
||||||
|
@ -580,7 +537,6 @@ in
|
||||||
inkscape.sandbox.autodetectCliPaths = true;
|
inkscape.sandbox.autodetectCliPaths = true;
|
||||||
|
|
||||||
iotop.sandbox.method = "landlock";
|
iotop.sandbox.method = "landlock";
|
||||||
iotop.sandbox.wrapperType = "wrappedDerivation";
|
|
||||||
iotop.sandbox.extraPaths = [
|
iotop.sandbox.extraPaths = [
|
||||||
"/proc"
|
"/proc"
|
||||||
];
|
];
|
||||||
|
@ -588,38 +544,31 @@ in
|
||||||
|
|
||||||
# provides `ip`, `routel`, others
|
# provides `ip`, `routel`, others
|
||||||
iproute2.sandbox.method = "landlock";
|
iproute2.sandbox.method = "landlock";
|
||||||
iproute2.sandbox.wrapperType = "wrappedDerivation";
|
|
||||||
iproute2.sandbox.net = "all";
|
iproute2.sandbox.net = "all";
|
||||||
iproute2.sandbox.capabilities = [ "net_admin" ];
|
iproute2.sandbox.capabilities = [ "net_admin" ];
|
||||||
|
|
||||||
iptables.sandbox.method = "landlock";
|
iptables.sandbox.method = "landlock";
|
||||||
iptables.sandbox.wrapperType = "wrappedDerivation";
|
|
||||||
iptables.sandbox.net = "all";
|
iptables.sandbox.net = "all";
|
||||||
iptables.sandbox.capabilities = [ "net_admin" ];
|
iptables.sandbox.capabilities = [ "net_admin" ];
|
||||||
|
|
||||||
# iputils provides `ping` (and arping, clockdiff, tracepath)
|
# iputils provides `ping` (and arping, clockdiff, tracepath)
|
||||||
iputils.sandbox.method = "landlock";
|
iputils.sandbox.method = "landlock";
|
||||||
iputils.sandbox.wrapperType = "wrappedDerivation";
|
|
||||||
iputils.sandbox.net = "all";
|
iputils.sandbox.net = "all";
|
||||||
iputils.sandbox.capabilities = [ "net_raw" ];
|
iputils.sandbox.capabilities = [ "net_raw" ];
|
||||||
|
|
||||||
iw.sandbox.method = "landlock";
|
iw.sandbox.method = "landlock";
|
||||||
iw.sandbox.wrapperType = "wrappedDerivation";
|
|
||||||
iw.sandbox.net = "all";
|
iw.sandbox.net = "all";
|
||||||
iw.sandbox.capabilities = [ "net_admin" ];
|
iw.sandbox.capabilities = [ "net_admin" ];
|
||||||
|
|
||||||
jq.sandbox.method = "bwrap";
|
jq.sandbox.method = "bwrap";
|
||||||
jq.sandbox.wrapperType = "wrappedDerivation";
|
|
||||||
jq.sandbox.autodetectCliPaths = "existingFile";
|
jq.sandbox.autodetectCliPaths = "existingFile";
|
||||||
|
|
||||||
killall.sandbox.method = "landlock";
|
killall.sandbox.method = "landlock";
|
||||||
killall.sandbox.wrapperType = "wrappedDerivation";
|
|
||||||
killall.sandbox.extraPaths = [
|
killall.sandbox.extraPaths = [
|
||||||
"/proc"
|
"/proc"
|
||||||
];
|
];
|
||||||
|
|
||||||
krita.sandbox.method = "bwrap";
|
krita.sandbox.method = "bwrap";
|
||||||
krita.sandbox.wrapperType = "wrappedDerivation";
|
|
||||||
krita.sandbox.whitelistWayland = true;
|
krita.sandbox.whitelistWayland = true;
|
||||||
krita.sandbox.autodetectCliPaths = "existing";
|
krita.sandbox.autodetectCliPaths = "existing";
|
||||||
krita.sandbox.extraHomePaths = [
|
krita.sandbox.extraHomePaths = [
|
||||||
|
@ -637,11 +586,9 @@ in
|
||||||
libcap_ng.sandbox.enable = false; # there's something about /proc/$pid/fd which breaks `readlink`/stat with every sandbox technique (except capsh-only)
|
libcap_ng.sandbox.enable = false; # there's something about /proc/$pid/fd which breaks `readlink`/stat with every sandbox technique (except capsh-only)
|
||||||
|
|
||||||
libnotify.sandbox.method = "bwrap";
|
libnotify.sandbox.method = "bwrap";
|
||||||
libnotify.sandbox.wrapperType = "wrappedDerivation";
|
|
||||||
libnotify.sandbox.whitelistDbus = [ "user" ]; # notify-send
|
libnotify.sandbox.whitelistDbus = [ "user" ]; # notify-send
|
||||||
|
|
||||||
losslesscut-bin.sandbox.method = "bwrap";
|
losslesscut-bin.sandbox.method = "bwrap";
|
||||||
losslesscut-bin.sandbox.wrapperType = "wrappedDerivation";
|
|
||||||
losslesscut-bin.sandbox.extraHomePaths = [
|
losslesscut-bin.sandbox.extraHomePaths = [
|
||||||
"Music"
|
"Music"
|
||||||
"Pictures/from" # videos from e.g. mobile phone
|
"Pictures/from" # videos from e.g. mobile phone
|
||||||
|
@ -656,13 +603,11 @@ in
|
||||||
losslesscut-bin.sandbox.whitelistX = true;
|
losslesscut-bin.sandbox.whitelistX = true;
|
||||||
|
|
||||||
lsof.sandbox.method = "capshonly"; # lsof doesn't sandbox under bwrap or even landlock w/ full access to /
|
lsof.sandbox.method = "capshonly"; # lsof doesn't sandbox under bwrap or even landlock w/ full access to /
|
||||||
lsof.sandbox.wrapperType = "wrappedDerivation";
|
|
||||||
|
|
||||||
lua = {};
|
lua = {};
|
||||||
|
|
||||||
"mate.engrampa".packageUnwrapped = pkgs.rmDbusServices pkgs.mate.engrampa;
|
"mate.engrampa".packageUnwrapped = pkgs.rmDbusServices pkgs.mate.engrampa;
|
||||||
"mate.engrampa".sandbox.method = "bwrap"; # TODO:sandbox: untested
|
"mate.engrampa".sandbox.method = "bwrap"; # TODO:sandbox: untested
|
||||||
"mate.engrampa".sandbox.wrapperType = "wrappedDerivation";
|
|
||||||
"mate.engrampa".sandbox.whitelistWayland = true;
|
"mate.engrampa".sandbox.whitelistWayland = true;
|
||||||
"mate.engrampa".sandbox.autodetectCliPaths = "existingOrParent";
|
"mate.engrampa".sandbox.autodetectCliPaths = "existingOrParent";
|
||||||
"mate.engrampa".sandbox.extraHomePaths = [
|
"mate.engrampa".sandbox.extraHomePaths = [
|
||||||
|
@ -675,7 +620,6 @@ in
|
||||||
];
|
];
|
||||||
|
|
||||||
mercurial.sandbox.method = "bwrap"; # TODO:sandbox: untested
|
mercurial.sandbox.method = "bwrap"; # TODO:sandbox: untested
|
||||||
mercurial.sandbox.wrapperType = "wrappedDerivation";
|
|
||||||
mercurial.sandbox.net = "clearnet";
|
mercurial.sandbox.net = "clearnet";
|
||||||
mercurial.sandbox.whitelistPwd = true;
|
mercurial.sandbox.whitelistPwd = true;
|
||||||
|
|
||||||
|
@ -683,7 +627,6 @@ in
|
||||||
# XXX: is it really safe to persist this? it doesn't have info that could de-anonymize if captured?
|
# XXX: is it really safe to persist this? it doesn't have info that could de-anonymize if captured?
|
||||||
monero-gui.persist.byStore.plaintext = [ ".bitmonero" ];
|
monero-gui.persist.byStore.plaintext = [ ".bitmonero" ];
|
||||||
monero-gui.sandbox.method = "bwrap";
|
monero-gui.sandbox.method = "bwrap";
|
||||||
monero-gui.sandbox.wrapperType = "wrappedDerivation";
|
|
||||||
monero-gui.sandbox.net = "all";
|
monero-gui.sandbox.net = "all";
|
||||||
monero-gui.sandbox.extraHomePaths = [
|
monero-gui.sandbox.extraHomePaths = [
|
||||||
"records/finance/cryptocurrencies/monero"
|
"records/finance/cryptocurrencies/monero"
|
||||||
|
@ -692,20 +635,16 @@ in
|
||||||
mumble.persist.byStore.private = [ ".local/share/Mumble" ];
|
mumble.persist.byStore.private = [ ".local/share/Mumble" ];
|
||||||
|
|
||||||
nano.sandbox.method = "bwrap";
|
nano.sandbox.method = "bwrap";
|
||||||
nano.sandbox.wrapperType = "wrappedDerivation";
|
|
||||||
nano.sandbox.autodetectCliPaths = "existingFileOrParent";
|
nano.sandbox.autodetectCliPaths = "existingFileOrParent";
|
||||||
|
|
||||||
netcat.sandbox.method = "landlock";
|
netcat.sandbox.method = "landlock";
|
||||||
netcat.sandbox.wrapperType = "wrappedDerivation";
|
|
||||||
netcat.sandbox.net = "all";
|
netcat.sandbox.net = "all";
|
||||||
|
|
||||||
nethogs.sandbox.method = "capshonly"; # *partially* works under landlock w/ full access to /
|
nethogs.sandbox.method = "capshonly"; # *partially* works under landlock w/ full access to /
|
||||||
nethogs.sandbox.wrapperType = "wrappedDerivation";
|
|
||||||
nethogs.sandbox.capabilities = [ "net_admin" "net_raw" ];
|
nethogs.sandbox.capabilities = [ "net_admin" "net_raw" ];
|
||||||
|
|
||||||
# provides `arp`, `hostname`, `route`, `ifconfig`
|
# provides `arp`, `hostname`, `route`, `ifconfig`
|
||||||
nettools.sandbox.method = "landlock";
|
nettools.sandbox.method = "landlock";
|
||||||
nettools.sandbox.wrapperType = "wrappedDerivation";
|
|
||||||
nettools.sandbox.net = "all";
|
nettools.sandbox.net = "all";
|
||||||
nettools.sandbox.capabilities = [ "net_admin" "net_raw" ];
|
nettools.sandbox.capabilities = [ "net_admin" "net_raw" ];
|
||||||
nettools.sandbox.extraPaths = [
|
nettools.sandbox.extraPaths = [
|
||||||
|
@ -713,7 +652,6 @@ in
|
||||||
];
|
];
|
||||||
|
|
||||||
networkmanagerapplet.sandbox.method = "bwrap";
|
networkmanagerapplet.sandbox.method = "bwrap";
|
||||||
networkmanagerapplet.sandbox.wrapperType = "wrappedDerivation";
|
|
||||||
networkmanagerapplet.sandbox.whitelistWayland = true;
|
networkmanagerapplet.sandbox.whitelistWayland = true;
|
||||||
networkmanagerapplet.sandbox.whitelistDbus = [ "system" ];
|
networkmanagerapplet.sandbox.whitelistDbus = [ "system" ];
|
||||||
|
|
||||||
|
@ -726,11 +664,9 @@ in
|
||||||
];
|
];
|
||||||
|
|
||||||
nmap.sandbox.method = "bwrap";
|
nmap.sandbox.method = "bwrap";
|
||||||
nmap.sandbox.wrapperType = "wrappedDerivation";
|
|
||||||
nmap.sandbox.net = "all"; # clearnet and lan
|
nmap.sandbox.net = "all"; # clearnet and lan
|
||||||
|
|
||||||
nmon.sandbox.method = "landlock";
|
nmon.sandbox.method = "landlock";
|
||||||
nmon.sandbox.wrapperType = "wrappedDerivation";
|
|
||||||
nmon.sandbox.extraPaths = [
|
nmon.sandbox.extraPaths = [
|
||||||
"/proc"
|
"/proc"
|
||||||
];
|
];
|
||||||
|
@ -739,7 +675,6 @@ in
|
||||||
|
|
||||||
# `nvme list` only shows results when run as root.
|
# `nvme list` only shows results when run as root.
|
||||||
nvme-cli.sandbox.method = "landlock";
|
nvme-cli.sandbox.method = "landlock";
|
||||||
nvme-cli.sandbox.wrapperType = "wrappedDerivation";
|
|
||||||
nvme-cli.sandbox.extraPaths = [
|
nvme-cli.sandbox.extraPaths = [
|
||||||
"/sys/devices"
|
"/sys/devices"
|
||||||
"/sys/class/nvme"
|
"/sys/class/nvme"
|
||||||
|
@ -751,13 +686,11 @@ in
|
||||||
|
|
||||||
# contains only `oathtool`, which i only use for evaluating TOTP codes from CLI/stdin
|
# contains only `oathtool`, which i only use for evaluating TOTP codes from CLI/stdin
|
||||||
oath-toolkit.sandbox.method = "bwrap";
|
oath-toolkit.sandbox.method = "bwrap";
|
||||||
oath-toolkit.sandbox.wrapperType = "wrappedDerivation";
|
|
||||||
|
|
||||||
# settings (electron app)
|
# settings (electron app)
|
||||||
obsidian.persist.byStore.plaintext = [ ".config/obsidian" ];
|
obsidian.persist.byStore.plaintext = [ ".config/obsidian" ];
|
||||||
|
|
||||||
parted.sandbox.method = "landlock";
|
parted.sandbox.method = "landlock";
|
||||||
parted.sandbox.wrapperType = "wrappedDerivation";
|
|
||||||
parted.sandbox.extraPaths = [
|
parted.sandbox.extraPaths = [
|
||||||
"/dev"
|
"/dev"
|
||||||
];
|
];
|
||||||
|
@ -766,12 +699,10 @@ in
|
||||||
patchelf = {};
|
patchelf = {};
|
||||||
|
|
||||||
pavucontrol.sandbox.method = "bwrap";
|
pavucontrol.sandbox.method = "bwrap";
|
||||||
pavucontrol.sandbox.wrapperType = "wrappedDerivation";
|
|
||||||
pavucontrol.sandbox.whitelistAudio = true;
|
pavucontrol.sandbox.whitelistAudio = true;
|
||||||
pavucontrol.sandbox.whitelistWayland = true;
|
pavucontrol.sandbox.whitelistWayland = true;
|
||||||
|
|
||||||
pciutils.sandbox.method = "landlock";
|
pciutils.sandbox.method = "landlock";
|
||||||
pciutils.sandbox.wrapperType = "wrappedDerivation";
|
|
||||||
pciutils.sandbox.extraPaths = [
|
pciutils.sandbox.extraPaths = [
|
||||||
"/sys/bus/pci"
|
"/sys/bus/pci"
|
||||||
"/sys/devices"
|
"/sys/devices"
|
||||||
|
@ -780,7 +711,6 @@ in
|
||||||
"perlPackages.FileMimeInfo".sandbox.enable = false; #< TODO: sandbox `mimetype` but not `mimeopen`.
|
"perlPackages.FileMimeInfo".sandbox.enable = false; #< TODO: sandbox `mimetype` but not `mimeopen`.
|
||||||
|
|
||||||
powertop.sandbox.method = "landlock";
|
powertop.sandbox.method = "landlock";
|
||||||
powertop.sandbox.wrapperType = "wrappedDerivation";
|
|
||||||
powertop.sandbox.capabilities = [ "ipc_lock" "sys_admin" ];
|
powertop.sandbox.capabilities = [ "ipc_lock" "sys_admin" ];
|
||||||
powertop.sandbox.extraPaths = [
|
powertop.sandbox.extraPaths = [
|
||||||
"/proc"
|
"/proc"
|
||||||
|
@ -790,17 +720,14 @@ in
|
||||||
];
|
];
|
||||||
|
|
||||||
pstree.sandbox.method = "landlock";
|
pstree.sandbox.method = "landlock";
|
||||||
pstree.sandbox.wrapperType = "wrappedDerivation";
|
|
||||||
pstree.sandbox.extraPaths = [
|
pstree.sandbox.extraPaths = [
|
||||||
"/proc"
|
"/proc"
|
||||||
];
|
];
|
||||||
|
|
||||||
pulsemixer.sandbox.method = "landlock";
|
pulsemixer.sandbox.method = "landlock";
|
||||||
pulsemixer.sandbox.wrapperType = "wrappedDerivation";
|
|
||||||
pulsemixer.sandbox.whitelistAudio = true;
|
pulsemixer.sandbox.whitelistAudio = true;
|
||||||
|
|
||||||
pwvucontrol.sandbox.method = "bwrap";
|
pwvucontrol.sandbox.method = "bwrap";
|
||||||
pwvucontrol.sandbox.wrapperType = "wrappedDerivation";
|
|
||||||
pwvucontrol.sandbox.whitelistAudio = true;
|
pwvucontrol.sandbox.whitelistAudio = true;
|
||||||
pwvucontrol.sandbox.whitelistWayland = true;
|
pwvucontrol.sandbox.whitelistWayland = true;
|
||||||
|
|
||||||
|
@ -808,7 +735,6 @@ in
|
||||||
requests
|
requests
|
||||||
]);
|
]);
|
||||||
python3-repl.sandbox.method = "bwrap";
|
python3-repl.sandbox.method = "bwrap";
|
||||||
python3-repl.sandbox.wrapperType = "wrappedDerivation";
|
|
||||||
python3-repl.sandbox.net = "clearnet";
|
python3-repl.sandbox.net = "clearnet";
|
||||||
python3-repl.sandbox.extraHomePaths = [
|
python3-repl.sandbox.extraHomePaths = [
|
||||||
"/"
|
"/"
|
||||||
|
@ -819,7 +745,6 @@ in
|
||||||
qemu.slowToBuild = true;
|
qemu.slowToBuild = true;
|
||||||
|
|
||||||
rsync.sandbox.method = "bwrap";
|
rsync.sandbox.method = "bwrap";
|
||||||
rsync.sandbox.wrapperType = "wrappedDerivation";
|
|
||||||
rsync.sandbox.net = "clearnet";
|
rsync.sandbox.net = "clearnet";
|
||||||
rsync.sandbox.autodetectCliPaths = "existingOrParent";
|
rsync.sandbox.autodetectCliPaths = "existingOrParent";
|
||||||
|
|
||||||
|
@ -828,13 +753,11 @@ in
|
||||||
screen.sandbox.enable = false; #< tty; needs to run anything
|
screen.sandbox.enable = false; #< tty; needs to run anything
|
||||||
|
|
||||||
sequoia.sandbox.method = "bwrap"; # TODO:sandbox: untested
|
sequoia.sandbox.method = "bwrap"; # TODO:sandbox: untested
|
||||||
sequoia.sandbox.wrapperType = "wrappedDerivation"; # slow to build
|
|
||||||
sequoia.sandbox.whitelistPwd = true;
|
sequoia.sandbox.whitelistPwd = true;
|
||||||
sequoia.sandbox.autodetectCliPaths = true;
|
sequoia.sandbox.autodetectCliPaths = true;
|
||||||
|
|
||||||
shattered-pixel-dungeon.persist.byStore.plaintext = [ ".local/share/.shatteredpixel/shattered-pixel-dungeon" ];
|
shattered-pixel-dungeon.persist.byStore.plaintext = [ ".local/share/.shatteredpixel/shattered-pixel-dungeon" ];
|
||||||
shattered-pixel-dungeon.sandbox.method = "bwrap";
|
shattered-pixel-dungeon.sandbox.method = "bwrap";
|
||||||
shattered-pixel-dungeon.sandbox.wrapperType = "wrappedDerivation";
|
|
||||||
shattered-pixel-dungeon.sandbox.whitelistAudio = true;
|
shattered-pixel-dungeon.sandbox.whitelistAudio = true;
|
||||||
shattered-pixel-dungeon.sandbox.whitelistDri = true;
|
shattered-pixel-dungeon.sandbox.whitelistDri = true;
|
||||||
shattered-pixel-dungeon.sandbox.whitelistWayland = true;
|
shattered-pixel-dungeon.sandbox.whitelistWayland = true;
|
||||||
|
@ -851,7 +774,6 @@ in
|
||||||
smartmontools.sandbox.capabilities = [ "sys_rawio" ];
|
smartmontools.sandbox.capabilities = [ "sys_rawio" ];
|
||||||
|
|
||||||
sops.sandbox.method = "bwrap"; # TODO:sandbox: untested
|
sops.sandbox.method = "bwrap"; # TODO:sandbox: untested
|
||||||
sops.sandbox.wrapperType = "wrappedDerivation";
|
|
||||||
sops.sandbox.extraHomePaths = [
|
sops.sandbox.extraHomePaths = [
|
||||||
".config/sops"
|
".config/sops"
|
||||||
"dev/nixos"
|
"dev/nixos"
|
||||||
|
@ -861,7 +783,6 @@ in
|
||||||
];
|
];
|
||||||
|
|
||||||
soundconverter.sandbox.method = "bwrap";
|
soundconverter.sandbox.method = "bwrap";
|
||||||
soundconverter.sandbox.wrapperType = "wrappedDerivation";
|
|
||||||
soundconverter.sandbox.whitelistWayland = true;
|
soundconverter.sandbox.whitelistWayland = true;
|
||||||
soundconverter.sandbox.extraHomePaths = [
|
soundconverter.sandbox.extraHomePaths = [
|
||||||
"Music"
|
"Music"
|
||||||
|
@ -875,19 +796,16 @@ in
|
||||||
soundconverter.sandbox.autodetectCliPaths = "existingOrParent";
|
soundconverter.sandbox.autodetectCliPaths = "existingOrParent";
|
||||||
|
|
||||||
sox.sandbox.method = "bwrap";
|
sox.sandbox.method = "bwrap";
|
||||||
sox.sandbox.wrapperType = "wrappedDerivation";
|
|
||||||
sox.sandbox.autodetectCliPaths = "existingFileOrParent";
|
sox.sandbox.autodetectCliPaths = "existingFileOrParent";
|
||||||
sox.sandbox.whitelistAudio = true;
|
sox.sandbox.whitelistAudio = true;
|
||||||
|
|
||||||
space-cadet-pinball.persist.byStore.plaintext = [ ".local/share/SpaceCadetPinball" ];
|
space-cadet-pinball.persist.byStore.plaintext = [ ".local/share/SpaceCadetPinball" ];
|
||||||
space-cadet-pinball.sandbox.method = "bwrap";
|
space-cadet-pinball.sandbox.method = "bwrap";
|
||||||
space-cadet-pinball.sandbox.wrapperType = "wrappedDerivation";
|
|
||||||
space-cadet-pinball.sandbox.whitelistAudio = true;
|
space-cadet-pinball.sandbox.whitelistAudio = true;
|
||||||
space-cadet-pinball.sandbox.whitelistDri = true;
|
space-cadet-pinball.sandbox.whitelistDri = true;
|
||||||
space-cadet-pinball.sandbox.whitelistWayland = true;
|
space-cadet-pinball.sandbox.whitelistWayland = true;
|
||||||
|
|
||||||
speedtest-cli.sandbox.method = "bwrap";
|
speedtest-cli.sandbox.method = "bwrap";
|
||||||
speedtest-cli.sandbox.wrapperType = "wrappedDerivation";
|
|
||||||
speedtest-cli.sandbox.net = "all";
|
speedtest-cli.sandbox.net = "all";
|
||||||
|
|
||||||
sqlite = {};
|
sqlite = {};
|
||||||
|
@ -895,7 +813,6 @@ in
|
||||||
strace.sandbox.enable = false; #< needs to `exec` its args, and therefore support *anything*
|
strace.sandbox.enable = false; #< needs to `exec` its args, and therefore support *anything*
|
||||||
|
|
||||||
subversion.sandbox.method = "bwrap";
|
subversion.sandbox.method = "bwrap";
|
||||||
subversion.sandbox.wrapperType = "wrappedDerivation";
|
|
||||||
subversion.sandbox.net = "clearnet";
|
subversion.sandbox.net = "clearnet";
|
||||||
subversion.sandbox.whitelistPwd = true;
|
subversion.sandbox.whitelistPwd = true;
|
||||||
sudo.sandbox.enable = false;
|
sudo.sandbox.enable = false;
|
||||||
|
@ -908,7 +825,6 @@ in
|
||||||
superTux.persist.byStore.plaintext = [ ".local/share/supertux2" ];
|
superTux.persist.byStore.plaintext = [ ".local/share/supertux2" ];
|
||||||
|
|
||||||
tcpdump.sandbox.method = "landlock";
|
tcpdump.sandbox.method = "landlock";
|
||||||
tcpdump.sandbox.wrapperType = "wrappedDerivation";
|
|
||||||
tcpdump.sandbox.net = "all";
|
tcpdump.sandbox.net = "all";
|
||||||
tcpdump.sandbox.autodetectCliPaths = "existingFileOrParent";
|
tcpdump.sandbox.autodetectCliPaths = "existingFileOrParent";
|
||||||
tcpdump.sandbox.capabilities = [ "net_admin" "net_raw" ];
|
tcpdump.sandbox.capabilities = [ "net_admin" "net_raw" ];
|
||||||
|
@ -918,12 +834,10 @@ in
|
||||||
tokodon.persist.byStore.private = [ ".cache/KDE/tokodon" ];
|
tokodon.persist.byStore.private = [ ".cache/KDE/tokodon" ];
|
||||||
|
|
||||||
tree.sandbox.method = "landlock";
|
tree.sandbox.method = "landlock";
|
||||||
tree.sandbox.wrapperType = "wrappedDerivation";
|
|
||||||
tree.sandbox.autodetectCliPaths = true;
|
tree.sandbox.autodetectCliPaths = true;
|
||||||
tree.sandbox.whitelistPwd = true;
|
tree.sandbox.whitelistPwd = true;
|
||||||
|
|
||||||
tumiki-fighters.sandbox.method = "bwrap";
|
tumiki-fighters.sandbox.method = "bwrap";
|
||||||
tumiki-fighters.sandbox.wrapperType = "wrappedDerivation";
|
|
||||||
tumiki-fighters.sandbox.whitelistAudio = true;
|
tumiki-fighters.sandbox.whitelistAudio = true;
|
||||||
tumiki-fighters.sandbox.whitelistDri = true; #< not strictly necessary, but triples CPU perf
|
tumiki-fighters.sandbox.whitelistDri = true; #< not strictly necessary, but triples CPU perf
|
||||||
tumiki-fighters.sandbox.whitelistWayland = true;
|
tumiki-fighters.sandbox.whitelistWayland = true;
|
||||||
|
@ -932,34 +846,28 @@ in
|
||||||
util-linux.sandbox.enable = false; #< TODO: possible to sandbox if i specific a different profile for each of its ~50 binaries
|
util-linux.sandbox.enable = false; #< TODO: possible to sandbox if i specific a different profile for each of its ~50 binaries
|
||||||
|
|
||||||
unzip.sandbox.method = "bwrap";
|
unzip.sandbox.method = "bwrap";
|
||||||
unzip.sandbox.wrapperType = "wrappedDerivation";
|
|
||||||
unzip.sandbox.autodetectCliPaths = "existingOrParent";
|
unzip.sandbox.autodetectCliPaths = "existingOrParent";
|
||||||
unzip.sandbox.whitelistPwd = true;
|
unzip.sandbox.whitelistPwd = true;
|
||||||
|
|
||||||
usbutils.sandbox.method = "bwrap"; # breaks `usbhid-dump`, but `lsusb`, `usb-devices` work
|
usbutils.sandbox.method = "bwrap"; # breaks `usbhid-dump`, but `lsusb`, `usb-devices` work
|
||||||
usbutils.sandbox.wrapperType = "wrappedDerivation";
|
|
||||||
usbutils.sandbox.extraPaths = [
|
usbutils.sandbox.extraPaths = [
|
||||||
"/sys/devices"
|
"/sys/devices"
|
||||||
"/sys/bus/usb"
|
"/sys/bus/usb"
|
||||||
];
|
];
|
||||||
|
|
||||||
visidata.sandbox.method = "bwrap"; # TODO:sandbox: untested
|
visidata.sandbox.method = "bwrap"; # TODO:sandbox: untested
|
||||||
visidata.sandbox.wrapperType = "wrappedDerivation";
|
|
||||||
visidata.sandbox.autodetectCliPaths = true;
|
visidata.sandbox.autodetectCliPaths = true;
|
||||||
|
|
||||||
# `vulkaninfo`, `vkcube`
|
# `vulkaninfo`, `vkcube`
|
||||||
vulkan-tools.sandbox.method = "landlock";
|
vulkan-tools.sandbox.method = "landlock";
|
||||||
vulkan-tools.sandbox.wrapperType = "wrappedDerivation";
|
|
||||||
|
|
||||||
vvvvvv.sandbox.method = "bwrap";
|
vvvvvv.sandbox.method = "bwrap";
|
||||||
vvvvvv.sandbox.wrapperType = "wrappedDerivation";
|
|
||||||
vvvvvv.sandbox.whitelistAudio = true;
|
vvvvvv.sandbox.whitelistAudio = true;
|
||||||
vvvvvv.sandbox.whitelistDri = true; #< playable without, but burns noticably more CPU
|
vvvvvv.sandbox.whitelistDri = true; #< playable without, but burns noticably more CPU
|
||||||
vvvvvv.sandbox.whitelistWayland = true;
|
vvvvvv.sandbox.whitelistWayland = true;
|
||||||
vvvvvv.persist.byStore.plaintext = [ ".local/share/VVVVVV" ];
|
vvvvvv.persist.byStore.plaintext = [ ".local/share/VVVVVV" ];
|
||||||
|
|
||||||
w3m.sandbox.method = "bwrap";
|
w3m.sandbox.method = "bwrap";
|
||||||
w3m.sandbox.wrapperType = "wrappedDerivation";
|
|
||||||
w3m.sandbox.net = "all";
|
w3m.sandbox.net = "all";
|
||||||
w3m.sandbox.extraHomePaths = [
|
w3m.sandbox.extraHomePaths = [
|
||||||
# little-used feature, but you can save web pages :)
|
# little-used feature, but you can save web pages :)
|
||||||
|
@ -967,11 +875,9 @@ in
|
||||||
];
|
];
|
||||||
|
|
||||||
wdisplays.sandbox.method = "bwrap";
|
wdisplays.sandbox.method = "bwrap";
|
||||||
wdisplays.sandbox.wrapperType = "wrappedDerivation";
|
|
||||||
wdisplays.sandbox.whitelistWayland = true;
|
wdisplays.sandbox.whitelistWayland = true;
|
||||||
|
|
||||||
wget.sandbox.method = "bwrap";
|
wget.sandbox.method = "bwrap";
|
||||||
wget.sandbox.wrapperType = "wrappedDerivation";
|
|
||||||
wget.sandbox.net = "all";
|
wget.sandbox.net = "all";
|
||||||
wget.sandbox.whitelistPwd = true; # saves to pwd by default
|
wget.sandbox.whitelistPwd = true; # saves to pwd by default
|
||||||
|
|
||||||
|
@ -979,16 +885,13 @@ in
|
||||||
|
|
||||||
# `wg`, `wg-quick`
|
# `wg`, `wg-quick`
|
||||||
wireguard-tools.sandbox.method = "landlock";
|
wireguard-tools.sandbox.method = "landlock";
|
||||||
wireguard-tools.sandbox.wrapperType = "wrappedDerivation";
|
|
||||||
wireguard-tools.sandbox.capabilities = [ "net_admin" ];
|
wireguard-tools.sandbox.capabilities = [ "net_admin" ];
|
||||||
|
|
||||||
# provides `iwconfig`, `iwlist`, `iwpriv`, ...
|
# provides `iwconfig`, `iwlist`, `iwpriv`, ...
|
||||||
wirelesstools.sandbox.method = "landlock";
|
wirelesstools.sandbox.method = "landlock";
|
||||||
wirelesstools.sandbox.wrapperType = "wrappedDerivation";
|
|
||||||
wirelesstools.sandbox.capabilities = [ "net_admin" ];
|
wirelesstools.sandbox.capabilities = [ "net_admin" ];
|
||||||
|
|
||||||
wl-clipboard.sandbox.method = "bwrap";
|
wl-clipboard.sandbox.method = "bwrap";
|
||||||
wl-clipboard.sandbox.wrapperType = "wrappedDerivation";
|
|
||||||
wl-clipboard.sandbox.whitelistWayland = true;
|
wl-clipboard.sandbox.whitelistWayland = true;
|
||||||
|
|
||||||
wtype = {};
|
wtype = {};
|
||||||
|
@ -1005,7 +908,6 @@ in
|
||||||
yarn.persist.byStore.plaintext = [ ".cache/yarn" ];
|
yarn.persist.byStore.plaintext = [ ".cache/yarn" ];
|
||||||
|
|
||||||
yt-dlp.sandbox.method = "bwrap"; # TODO:sandbox: untested
|
yt-dlp.sandbox.method = "bwrap"; # TODO:sandbox: untested
|
||||||
yt-dlp.sandbox.wrapperType = "wrappedDerivation";
|
|
||||||
yt-dlp.sandbox.net = "all";
|
yt-dlp.sandbox.net = "all";
|
||||||
yt-dlp.sandbox.whitelistPwd = true; # saves to pwd by default
|
yt-dlp.sandbox.whitelistPwd = true; # saves to pwd by default
|
||||||
|
|
||||||
|
|
|
@ -10,7 +10,6 @@
|
||||||
};
|
};
|
||||||
|
|
||||||
sandbox.method = "bwrap";
|
sandbox.method = "bwrap";
|
||||||
sandbox.wrapperType = "wrappedDerivation";
|
|
||||||
sandbox.whitelistAudio = true;
|
sandbox.whitelistAudio = true;
|
||||||
sandbox.whitelistWayland = true;
|
sandbox.whitelistWayland = true;
|
||||||
sandbox.autodetectCliPaths = true;
|
sandbox.autodetectCliPaths = true;
|
||||||
|
|
|
@ -88,7 +88,6 @@ in
|
||||||
{
|
{
|
||||||
sane.programs.bemenu = {
|
sane.programs.bemenu = {
|
||||||
sandbox.method = "bwrap"; # landlock works, but requires *all* of /run/user/$ID to be granted.
|
sandbox.method = "bwrap"; # landlock works, but requires *all* of /run/user/$ID to be granted.
|
||||||
sandbox.wrapperType = "wrappedDerivation";
|
|
||||||
sandbox.whitelistWayland = true;
|
sandbox.whitelistWayland = true;
|
||||||
sandbox.extraHomePaths = [
|
sandbox.extraHomePaths = [
|
||||||
".cache/fontconfig" #< else it complains, and is *way* slower
|
".cache/fontconfig" #< else it complains, and is *way* slower
|
||||||
|
|
|
@ -3,7 +3,6 @@
|
||||||
{
|
{
|
||||||
sane.programs.cozy = {
|
sane.programs.cozy = {
|
||||||
sandbox.method = "bwrap"; # landlock gives: _multiprocessing.SemLock: Permission Denied
|
sandbox.method = "bwrap"; # landlock gives: _multiprocessing.SemLock: Permission Denied
|
||||||
sandbox.wrapperType = "wrappedDerivation";
|
|
||||||
sandbox.whitelistAudio = true;
|
sandbox.whitelistAudio = true;
|
||||||
sandbox.whitelistDbus = [ "user" ]; # mpris
|
sandbox.whitelistDbus = [ "user" ]; # mpris
|
||||||
sandbox.whitelistWayland = true;
|
sandbox.whitelistWayland = true;
|
||||||
|
|
|
@ -10,7 +10,6 @@ in
|
||||||
{
|
{
|
||||||
sane.programs.dconf = {
|
sane.programs.dconf = {
|
||||||
sandbox.method = "bwrap";
|
sandbox.method = "bwrap";
|
||||||
sandbox.wrapperType = "wrappedDerivation";
|
|
||||||
persist.byStore.private = [
|
persist.byStore.private = [
|
||||||
".config/dconf"
|
".config/dconf"
|
||||||
];
|
];
|
||||||
|
|
|
@ -46,7 +46,6 @@ in
|
||||||
};
|
};
|
||||||
|
|
||||||
sandbox.method = "bwrap";
|
sandbox.method = "bwrap";
|
||||||
sandbox.wrapperType = "wrappedDerivation";
|
|
||||||
sandbox.net = "clearnet";
|
sandbox.net = "clearnet";
|
||||||
sandbox.whitelistAudio = true;
|
sandbox.whitelistAudio = true;
|
||||||
sandbox.whitelistDbus = [ "user" ]; # notifications
|
sandbox.whitelistDbus = [ "user" ]; # notifications
|
||||||
|
|
|
@ -17,7 +17,6 @@
|
||||||
];
|
];
|
||||||
|
|
||||||
sandbox.method = "bwrap";
|
sandbox.method = "bwrap";
|
||||||
sandbox.wrapperType = "wrappedDerivation";
|
|
||||||
sandbox.net = "clearnet";
|
sandbox.net = "clearnet";
|
||||||
sandbox.whitelistAudio = true;
|
sandbox.whitelistAudio = true;
|
||||||
sandbox.whitelistDbus = [ "user" ]; # notifications
|
sandbox.whitelistDbus = [ "user" ]; # notifications
|
||||||
|
|
|
@ -25,7 +25,6 @@ in
|
||||||
};
|
};
|
||||||
|
|
||||||
sandbox.method = "bwrap";
|
sandbox.method = "bwrap";
|
||||||
sandbox.wrapperType = "wrappedDerivation";
|
|
||||||
sandbox.whitelistDbus = [ "user" ];
|
sandbox.whitelistDbus = [ "user" ];
|
||||||
sandbox.whitelistAudio = true;
|
sandbox.whitelistAudio = true;
|
||||||
|
|
||||||
|
|
|
@ -30,7 +30,6 @@ in
|
||||||
{
|
{
|
||||||
sane.programs.fontconfig = {
|
sane.programs.fontconfig = {
|
||||||
sandbox.method = "bwrap"; # TODO:sandbox: untested
|
sandbox.method = "bwrap"; # TODO:sandbox: untested
|
||||||
sandbox.wrapperType = "wrappedDerivation";
|
|
||||||
sandbox.autodetectCliPaths = "existingOrParent"; #< this might be overkill; or, how many programs reference fontconfig internally?
|
sandbox.autodetectCliPaths = "existingOrParent"; #< this might be overkill; or, how many programs reference fontconfig internally?
|
||||||
|
|
||||||
persist.byStore.plaintext = [
|
persist.byStore.plaintext = [
|
||||||
|
|
|
@ -28,7 +28,6 @@ in
|
||||||
# packageUnwrapped = pkgs.fractal-next;
|
# packageUnwrapped = pkgs.fractal-next;
|
||||||
|
|
||||||
sandbox.method = "bwrap";
|
sandbox.method = "bwrap";
|
||||||
sandbox.wrapperType = "wrappedDerivation";
|
|
||||||
sandbox.net = "clearnet";
|
sandbox.net = "clearnet";
|
||||||
sandbox.whitelistAudio = true;
|
sandbox.whitelistAudio = true;
|
||||||
sandbox.whitelistDbus = [ "user" ]; # notifications
|
sandbox.whitelistDbus = [ "user" ]; # notifications
|
||||||
|
|
|
@ -3,7 +3,6 @@
|
||||||
{
|
{
|
||||||
sane.programs.frozen-bubble = {
|
sane.programs.frozen-bubble = {
|
||||||
sandbox.method = "bwrap";
|
sandbox.method = "bwrap";
|
||||||
sandbox.wrapperType = "wrappedDerivation";
|
|
||||||
sandbox.net = "clearnet"; # net play
|
sandbox.net = "clearnet"; # net play
|
||||||
sandbox.whitelistAudio = true;
|
sandbox.whitelistAudio = true;
|
||||||
sandbox.whitelistWayland = true;
|
sandbox.whitelistWayland = true;
|
||||||
|
|
|
@ -9,7 +9,6 @@
|
||||||
{
|
{
|
||||||
sane.programs.g4music = {
|
sane.programs.g4music = {
|
||||||
sandbox.method = "bwrap";
|
sandbox.method = "bwrap";
|
||||||
sandbox.wrapperType = "wrappedDerivation";
|
|
||||||
sandbox.whitelistAudio = true;
|
sandbox.whitelistAudio = true;
|
||||||
sandbox.whitelistDbus = [ "user" ]; # mpris
|
sandbox.whitelistDbus = [ "user" ]; # mpris
|
||||||
sandbox.whitelistWayland = true;
|
sandbox.whitelistWayland = true;
|
||||||
|
|
|
@ -4,7 +4,6 @@
|
||||||
packageUnwrapped = pkgs.linkIntoOwnPackage pkgs.glib "bin/gdbus";
|
packageUnwrapped = pkgs.linkIntoOwnPackage pkgs.glib "bin/gdbus";
|
||||||
|
|
||||||
sandbox.method = "bwrap";
|
sandbox.method = "bwrap";
|
||||||
sandbox.wrapperType = "wrappedDerivation";
|
|
||||||
sandbox.whitelistDbus = [ "user" ]; #< XXX: maybe future users will also want system access
|
sandbox.whitelistDbus = [ "user" ]; #< XXX: maybe future users will also want system access
|
||||||
};
|
};
|
||||||
}
|
}
|
||||||
|
|
|
@ -20,7 +20,6 @@ in
|
||||||
};
|
};
|
||||||
|
|
||||||
sandbox.method = "bwrap";
|
sandbox.method = "bwrap";
|
||||||
sandbox.wrapperType = "wrappedDerivation";
|
|
||||||
sandbox.net = "clearnet";
|
sandbox.net = "clearnet";
|
||||||
sandbox.whitelistDbus = [ "user" ]; # notifications
|
sandbox.whitelistDbus = [ "user" ]; # notifications
|
||||||
sandbox.whitelistWayland = true;
|
sandbox.whitelistWayland = true;
|
||||||
|
|
|
@ -19,7 +19,6 @@ in
|
||||||
'';
|
'';
|
||||||
});
|
});
|
||||||
sandbox.method = "bwrap";
|
sandbox.method = "bwrap";
|
||||||
sandbox.wrapperType = "wrappedDerivation";
|
|
||||||
sandbox.net = "clearnet";
|
sandbox.net = "clearnet";
|
||||||
sandbox.whitelistPwd = true;
|
sandbox.whitelistPwd = true;
|
||||||
sandbox.autodetectCliPaths = true; # necessary for git-upload-pack
|
sandbox.autodetectCliPaths = true; # necessary for git-upload-pack
|
||||||
|
|
|
@ -6,7 +6,6 @@ in
|
||||||
sane.programs.gnome-keyring = {
|
sane.programs.gnome-keyring = {
|
||||||
packageUnwrapped = pkgs.rmDbusServices pkgs.gnome.gnome-keyring;
|
packageUnwrapped = pkgs.rmDbusServices pkgs.gnome.gnome-keyring;
|
||||||
sandbox.method = "bwrap";
|
sandbox.method = "bwrap";
|
||||||
sandbox.wrapperType = "wrappedDerivation";
|
|
||||||
sandbox.whitelistDbus = [ "user" ];
|
sandbox.whitelistDbus = [ "user" ];
|
||||||
sandbox.extraRuntimePaths = [
|
sandbox.extraRuntimePaths = [
|
||||||
"keyring/control"
|
"keyring/control"
|
||||||
|
|
|
@ -3,7 +3,6 @@
|
||||||
sane.programs."gnome.gnome-maps" = {
|
sane.programs."gnome.gnome-maps" = {
|
||||||
packageUnwrapped = pkgs.rmDbusServices pkgs.gnome.gnome-maps;
|
packageUnwrapped = pkgs.rmDbusServices pkgs.gnome.gnome-maps;
|
||||||
sandbox.method = "bwrap";
|
sandbox.method = "bwrap";
|
||||||
sandbox.wrapperType = "wrappedDerivation";
|
|
||||||
sandbox.whitelistDri = true; # for perf
|
sandbox.whitelistDri = true; # for perf
|
||||||
sandbox.whitelistDbus = [
|
sandbox.whitelistDbus = [
|
||||||
"system" # system is required for non-portal location services
|
"system" # system is required for non-portal location services
|
||||||
|
|
|
@ -34,7 +34,6 @@ in
|
||||||
{
|
{
|
||||||
sane.programs.go2tv = {
|
sane.programs.go2tv = {
|
||||||
sandbox.method = "bwrap";
|
sandbox.method = "bwrap";
|
||||||
sandbox.wrapperType = "wrappedDerivation";
|
|
||||||
sandbox.net = "clearnet";
|
sandbox.net = "clearnet";
|
||||||
sandbox.autodetectCliPaths = true;
|
sandbox.autodetectCliPaths = true;
|
||||||
# for GUI invocation, allow the common media directories
|
# for GUI invocation, allow the common media directories
|
||||||
|
|
|
@ -23,7 +23,6 @@ in {
|
||||||
});
|
});
|
||||||
|
|
||||||
sandbox.method = "bwrap";
|
sandbox.method = "bwrap";
|
||||||
sandbox.wrapperType = "wrappedDerivation";
|
|
||||||
sandbox.whitelistDbus = [ "user" ]; # it won't launch without it, dunno exactly why.
|
sandbox.whitelistDbus = [ "user" ]; # it won't launch without it, dunno exactly why.
|
||||||
sandbox.whitelistWayland = true;
|
sandbox.whitelistWayland = true;
|
||||||
sandbox.net = "clearnet";
|
sandbox.net = "clearnet";
|
||||||
|
|
|
@ -15,7 +15,6 @@
|
||||||
"wl-clipboard"
|
"wl-clipboard"
|
||||||
];
|
];
|
||||||
sandbox.method = "bwrap";
|
sandbox.method = "bwrap";
|
||||||
sandbox.wrapperType = "wrappedDerivation";
|
|
||||||
sandbox.whitelistWayland = true;
|
sandbox.whitelistWayland = true;
|
||||||
sandbox.whitelistDbus = [ "user" ];
|
sandbox.whitelistDbus = [ "user" ];
|
||||||
sandbox.autodetectCliPaths = "existingFileOrParent";
|
sandbox.autodetectCliPaths = "existingFileOrParent";
|
||||||
|
|
|
@ -32,7 +32,6 @@ in
|
||||||
'';
|
'';
|
||||||
});
|
});
|
||||||
sandbox.method = "bwrap";
|
sandbox.method = "bwrap";
|
||||||
sandbox.wrapperType = "wrappedDerivation";
|
|
||||||
sandbox.net = "clearnet";
|
sandbox.net = "clearnet";
|
||||||
sandbox.whitelistAudio = true;
|
sandbox.whitelistAudio = true;
|
||||||
sandbox.whitelistDbus = [ "user" ]; # notifications
|
sandbox.whitelistDbus = [ "user" ]; # notifications
|
||||||
|
|
|
@ -2,7 +2,6 @@
|
||||||
{
|
{
|
||||||
sane.programs.handbrake = {
|
sane.programs.handbrake = {
|
||||||
sandbox.method = "landlock"; #< also supports bwrap, but landlock ensures we don't write to non-mounted tmpfs dir
|
sandbox.method = "landlock"; #< also supports bwrap, but landlock ensures we don't write to non-mounted tmpfs dir
|
||||||
sandbox.wrapperType = "wrappedDerivation";
|
|
||||||
sandbox.whitelistDbus = [ "user" ]; # notifications
|
sandbox.whitelistDbus = [ "user" ]; # notifications
|
||||||
sandbox.whitelistWayland = true;
|
sandbox.whitelistWayland = true;
|
||||||
sandbox.extraHomePaths = [
|
sandbox.extraHomePaths = [
|
||||||
|
|
|
@ -2,7 +2,6 @@
|
||||||
{
|
{
|
||||||
sane.programs.kdenlive = {
|
sane.programs.kdenlive = {
|
||||||
sandbox.method = "bwrap";
|
sandbox.method = "bwrap";
|
||||||
sandbox.wrapperType = "wrappedDerivation";
|
|
||||||
sandbox.extraHomePaths = [
|
sandbox.extraHomePaths = [
|
||||||
"Music"
|
"Music"
|
||||||
"Pictures/from" # e.g. Videos taken from my phone
|
"Pictures/from" # e.g. Videos taken from my phone
|
||||||
|
|
|
@ -11,7 +11,6 @@
|
||||||
});
|
});
|
||||||
|
|
||||||
sandbox.method = "bwrap"; # TODO:sandbox untested
|
sandbox.method = "bwrap"; # TODO:sandbox untested
|
||||||
sandbox.wrapperType = "wrappedDerivation";
|
|
||||||
sandbox.net = "clearnet";
|
sandbox.net = "clearnet";
|
||||||
sandbox.whitelistDbus = [ "user" ]; # needs to connect to dconf via dbus
|
sandbox.whitelistDbus = [ "user" ]; # needs to connect to dconf via dbus
|
||||||
sandbox.whitelistDri = true; #< required
|
sandbox.whitelistDri = true; #< required
|
||||||
|
|
|
@ -46,7 +46,6 @@ in {
|
||||||
sane.programs.koreader = {
|
sane.programs.koreader = {
|
||||||
packageUnwrapped = pkgs.koreader-from-src;
|
packageUnwrapped = pkgs.koreader-from-src;
|
||||||
sandbox.method = "bwrap"; # sandboxes fine under landlock too, except for FTP
|
sandbox.method = "bwrap"; # sandboxes fine under landlock too, except for FTP
|
||||||
sandbox.wrapperType = "wrappedDerivation";
|
|
||||||
sandbox.net = "clearnet";
|
sandbox.net = "clearnet";
|
||||||
sandbox.whitelistDri = true; # reduces startup time and subjective page flip time
|
sandbox.whitelistDri = true; # reduces startup time and subjective page flip time
|
||||||
sandbox.whitelistWayland = true;
|
sandbox.whitelistWayland = true;
|
||||||
|
|
|
@ -2,7 +2,6 @@
|
||||||
{
|
{
|
||||||
sane.programs.lemoa = {
|
sane.programs.lemoa = {
|
||||||
sandbox.method = "bwrap";
|
sandbox.method = "bwrap";
|
||||||
sandbox.wrapperType = "wrappedDerivation";
|
|
||||||
sandbox.net = "clearnet";
|
sandbox.net = "clearnet";
|
||||||
sandbox.whitelistDbus = [ "user" ]; # for clicking links
|
sandbox.whitelistDbus = [ "user" ]; # for clicking links
|
||||||
sandbox.whitelistDri = true;
|
sandbox.whitelistDri = true;
|
||||||
|
|
|
@ -12,7 +12,6 @@
|
||||||
}));
|
}));
|
||||||
|
|
||||||
sandbox.method = "bwrap";
|
sandbox.method = "bwrap";
|
||||||
sandbox.wrapperType = "wrappedDerivation";
|
|
||||||
sandbox.whitelistWayland = true;
|
sandbox.whitelistWayland = true;
|
||||||
sandbox.autodetectCliPaths = "parent";
|
sandbox.autodetectCliPaths = "parent";
|
||||||
sandbox.extraHomePaths = [
|
sandbox.extraHomePaths = [
|
||||||
|
|
|
@ -10,7 +10,6 @@
|
||||||
# bwrap (loupe image viewer) doesn't like to run inside landlock
|
# bwrap (loupe image viewer) doesn't like to run inside landlock
|
||||||
# "bwrap: failed to make / slave: Operation not permitted"
|
# "bwrap: failed to make / slave: Operation not permitted"
|
||||||
sandbox.method = "bwrap"; # supports landlock or bwrap
|
sandbox.method = "bwrap"; # supports landlock or bwrap
|
||||||
sandbox.wrapperType = "wrappedDerivation";
|
|
||||||
sandbox.whitelistDri = true;
|
sandbox.whitelistDri = true;
|
||||||
sandbox.whitelistWayland = true;
|
sandbox.whitelistWayland = true;
|
||||||
sandbox.whitelistDbus = [ "user" ]; #< so that it can in theory open the image viewer using fdo portal... but it doesn't :|
|
sandbox.whitelistDbus = [ "user" ]; #< so that it can in theory open the image viewer using fdo portal... but it doesn't :|
|
||||||
|
|
|
@ -5,7 +5,6 @@
|
||||||
{
|
{
|
||||||
sane.programs.mepo = {
|
sane.programs.mepo = {
|
||||||
sandbox.method = "bwrap";
|
sandbox.method = "bwrap";
|
||||||
sandbox.wrapperType = "wrappedDerivation";
|
|
||||||
sandbox.net = "all"; # for tiles *and* for localhost comm to gpsd
|
sandbox.net = "all"; # for tiles *and* for localhost comm to gpsd
|
||||||
sandbox.whitelistDri = true;
|
sandbox.whitelistDri = true;
|
||||||
sandbox.whitelistWayland = true;
|
sandbox.whitelistWayland = true;
|
||||||
|
|
|
@ -11,7 +11,6 @@
|
||||||
}));
|
}));
|
||||||
|
|
||||||
sandbox.method = "bwrap";
|
sandbox.method = "bwrap";
|
||||||
sandbox.wrapperType = "wrappedDerivation";
|
|
||||||
sandbox.whitelistDbus = [ "user" ]; # for portals launching apps
|
sandbox.whitelistDbus = [ "user" ]; # for portals launching apps
|
||||||
sandbox.whitelistWayland = true;
|
sandbox.whitelistWayland = true;
|
||||||
sandbox.extraHomePaths = [
|
sandbox.extraHomePaths = [
|
||||||
|
|
|
@ -88,7 +88,6 @@ in
|
||||||
{
|
{
|
||||||
sane.programs.neovim = {
|
sane.programs.neovim = {
|
||||||
sandbox.method = "bwrap";
|
sandbox.method = "bwrap";
|
||||||
sandbox.wrapperType = "wrappedDerivation";
|
|
||||||
sandbox.autodetectCliPaths = "existingOrParent";
|
sandbox.autodetectCliPaths = "existingOrParent";
|
||||||
sandbox.whitelistWayland = true; # for system clipboard integration
|
sandbox.whitelistWayland = true; # for system clipboard integration
|
||||||
# sandbox.whitelistPwd = true;
|
# sandbox.whitelistPwd = true;
|
||||||
|
|
|
@ -11,7 +11,6 @@
|
||||||
});
|
});
|
||||||
|
|
||||||
sandbox.method = "firejail";
|
sandbox.method = "firejail";
|
||||||
sandbox.wrapperType = "wrappedDerivation";
|
|
||||||
sandbox.whitelistWayland = true;
|
sandbox.whitelistWayland = true;
|
||||||
sandbox.net = "vpn";
|
sandbox.net = "vpn";
|
||||||
|
|
||||||
|
|
|
@ -3,7 +3,6 @@
|
||||||
# provides `nix-locate`, backed by the manually run `nix-index`
|
# provides `nix-locate`, backed by the manually run `nix-index`
|
||||||
sane.programs.nix-index = {
|
sane.programs.nix-index = {
|
||||||
sandbox.method = "bwrap";
|
sandbox.method = "bwrap";
|
||||||
sandbox.wrapperType = "wrappedDerivation";
|
|
||||||
sandbox.net = "clearnet";
|
sandbox.net = "clearnet";
|
||||||
sandbox.extraPaths = [
|
sandbox.extraPaths = [
|
||||||
"/nix"
|
"/nix"
|
||||||
|
|
|
@ -2,7 +2,6 @@
|
||||||
{
|
{
|
||||||
sane.programs.notejot = {
|
sane.programs.notejot = {
|
||||||
sandbox.method = "bwrap";
|
sandbox.method = "bwrap";
|
||||||
sandbox.wrapperType = "wrappedDerivation";
|
|
||||||
sandbox.whitelistWayland = true;
|
sandbox.whitelistWayland = true;
|
||||||
suggestedPrograms = [ "dconf" ]; #< else it can't persist notes
|
suggestedPrograms = [ "dconf" ]; #< else it can't persist notes
|
||||||
|
|
||||||
|
|
|
@ -21,7 +21,6 @@ in
|
||||||
};
|
};
|
||||||
|
|
||||||
sandbox.method = "bwrap";
|
sandbox.method = "bwrap";
|
||||||
sandbox.wrapperType = "wrappedDerivation";
|
|
||||||
sandbox.net = "clearnet";
|
sandbox.net = "clearnet";
|
||||||
|
|
||||||
secrets.".config/ntfy-sh/topic" = ../../../secrets/common/ntfy-sh-topic.bin;
|
secrets.".config/ntfy-sh/topic" = ../../../secrets/common/ntfy-sh-topic.bin;
|
||||||
|
|
|
@ -3,7 +3,6 @@
|
||||||
{
|
{
|
||||||
sane.programs.open-in-mpv = {
|
sane.programs.open-in-mpv = {
|
||||||
sandbox.method = "bwrap";
|
sandbox.method = "bwrap";
|
||||||
sandbox.wrapperType = "wrappedDerivation";
|
|
||||||
sandbox.whitelistDbus = [ "user" ]; # for xdg-open/portals
|
sandbox.whitelistDbus = [ "user" ]; # for xdg-open/portals
|
||||||
|
|
||||||
# taken from <https://github.com/Baldomo/open-in-mpv>
|
# taken from <https://github.com/Baldomo/open-in-mpv>
|
||||||
|
|
|
@ -2,7 +2,6 @@
|
||||||
{
|
{
|
||||||
sane.programs.planify = {
|
sane.programs.planify = {
|
||||||
sandbox.method = "bwrap";
|
sandbox.method = "bwrap";
|
||||||
sandbox.wrapperType = "wrappedDerivation";
|
|
||||||
sandbox.whitelistDbus = [ "user" ]; # for dconf? else it can't persist any tasks/notes
|
sandbox.whitelistDbus = [ "user" ]; # for dconf? else it can't persist any tasks/notes
|
||||||
sandbox.whitelistWayland = true;
|
sandbox.whitelistWayland = true;
|
||||||
|
|
||||||
|
|
|
@ -3,7 +3,6 @@
|
||||||
sane.programs.portfolio-filemanager = {
|
sane.programs.portfolio-filemanager = {
|
||||||
# this is all taken pretty directly from nautilus config
|
# this is all taken pretty directly from nautilus config
|
||||||
sandbox.method = "bwrap";
|
sandbox.method = "bwrap";
|
||||||
sandbox.wrapperType = "wrappedDerivation";
|
|
||||||
sandbox.whitelistDbus = [ "user" ]; # for portals launching apps
|
sandbox.whitelistDbus = [ "user" ]; # for portals launching apps
|
||||||
sandbox.whitelistWayland = true;
|
sandbox.whitelistWayland = true;
|
||||||
sandbox.extraHomePaths = [
|
sandbox.extraHomePaths = [
|
||||||
|
|
|
@ -2,7 +2,6 @@
|
||||||
{
|
{
|
||||||
sane.programs.ripgrep = {
|
sane.programs.ripgrep = {
|
||||||
sandbox.method = "bwrap";
|
sandbox.method = "bwrap";
|
||||||
sandbox.wrapperType = "wrappedDerivation";
|
|
||||||
sandbox.autodetectCliPaths = true;
|
sandbox.autodetectCliPaths = true;
|
||||||
sandbox.whitelistPwd = true;
|
sandbox.whitelistPwd = true;
|
||||||
sandbox.extraHomePaths = [
|
sandbox.extraHomePaths = [
|
||||||
|
|
|
@ -63,7 +63,6 @@ in
|
||||||
];
|
];
|
||||||
|
|
||||||
sandbox.method = "bwrap";
|
sandbox.method = "bwrap";
|
||||||
sandbox.wrapperType = "wrappedDerivation";
|
|
||||||
sandbox.whitelistDbus = [ "user" ]; #< to launch apps via the portal
|
sandbox.whitelistDbus = [ "user" ]; #< to launch apps via the portal
|
||||||
sandbox.whitelistWayland = true;
|
sandbox.whitelistWayland = true;
|
||||||
sandbox.extraHomePaths = [
|
sandbox.extraHomePaths = [
|
||||||
|
@ -118,7 +117,6 @@ in
|
||||||
};
|
};
|
||||||
# if i could remove the sed, then maybe possible to not sandbox.
|
# if i could remove the sed, then maybe possible to not sandbox.
|
||||||
sandbox.method = "bwrap";
|
sandbox.method = "bwrap";
|
||||||
sandbox.wrapperType = "wrappedDerivation";
|
|
||||||
sandbox.whitelistWayland = true;
|
sandbox.whitelistWayland = true;
|
||||||
sandbox.extraHomePaths = [
|
sandbox.extraHomePaths = [
|
||||||
".cache/rofi"
|
".cache/rofi"
|
||||||
|
|
|
@ -54,7 +54,6 @@ in
|
||||||
|
|
||||||
"sane-scripts.bt-add".sandbox = {
|
"sane-scripts.bt-add".sandbox = {
|
||||||
method = "bwrap";
|
method = "bwrap";
|
||||||
wrapperType = "wrappedDerivation";
|
|
||||||
net = "clearnet";
|
net = "clearnet";
|
||||||
# TODO: migrate `transmission_passwd` to `secrets` api
|
# TODO: migrate `transmission_passwd` to `secrets` api
|
||||||
extraPaths = [ "/run/secrets/transmission_passwd" ];
|
extraPaths = [ "/run/secrets/transmission_passwd" ];
|
||||||
|
@ -62,7 +61,6 @@ in
|
||||||
|
|
||||||
"sane-scripts.bt-rm".sandbox = {
|
"sane-scripts.bt-rm".sandbox = {
|
||||||
method = "bwrap";
|
method = "bwrap";
|
||||||
wrapperType = "wrappedDerivation";
|
|
||||||
net = "clearnet";
|
net = "clearnet";
|
||||||
# TODO: migrate `transmission_passwd` to `secrets` api
|
# TODO: migrate `transmission_passwd` to `secrets` api
|
||||||
extraPaths = [ "/run/secrets/transmission_passwd" ];
|
extraPaths = [ "/run/secrets/transmission_passwd" ];
|
||||||
|
@ -70,7 +68,6 @@ in
|
||||||
|
|
||||||
"sane-scripts.bt-search".sandbox = {
|
"sane-scripts.bt-search".sandbox = {
|
||||||
method = "bwrap";
|
method = "bwrap";
|
||||||
wrapperType = "wrappedDerivation";
|
|
||||||
net = "clearnet";
|
net = "clearnet";
|
||||||
# TODO: migrate `jackett_apikey` to `secrets` api
|
# TODO: migrate `jackett_apikey` to `secrets` api
|
||||||
extraPaths = [ "/run/secrets/jackett_apikey" ];
|
extraPaths = [ "/run/secrets/jackett_apikey" ];
|
||||||
|
@ -78,7 +75,6 @@ in
|
||||||
|
|
||||||
"sane-scripts.bt-show".sandbox = {
|
"sane-scripts.bt-show".sandbox = {
|
||||||
method = "bwrap";
|
method = "bwrap";
|
||||||
wrapperType = "wrappedDerivation";
|
|
||||||
net = "clearnet";
|
net = "clearnet";
|
||||||
# TODO: migrate `transmission_passwd` to `secrets` api
|
# TODO: migrate `transmission_passwd` to `secrets` api
|
||||||
extraPaths = [ "/run/secrets/transmission_passwd" ];
|
extraPaths = [ "/run/secrets/transmission_passwd" ];
|
||||||
|
@ -90,13 +86,11 @@ in
|
||||||
|
|
||||||
"sane-scripts.deadlines".sandbox = {
|
"sane-scripts.deadlines".sandbox = {
|
||||||
method = "bwrap";
|
method = "bwrap";
|
||||||
wrapperType = "wrappedDerivation";
|
|
||||||
extraHomePaths = [ "knowledge/planner/deadlines.tsv" ];
|
extraHomePaths = [ "knowledge/planner/deadlines.tsv" ];
|
||||||
};
|
};
|
||||||
|
|
||||||
"sane-scripts.dev-cargo-loop".sandbox = {
|
"sane-scripts.dev-cargo-loop".sandbox = {
|
||||||
method = "bwrap";
|
method = "bwrap";
|
||||||
wrapperType = "wrappedDerivation";
|
|
||||||
net = "clearnet";
|
net = "clearnet";
|
||||||
whitelistPwd = true;
|
whitelistPwd = true;
|
||||||
extraPaths = [
|
extraPaths = [
|
||||||
|
@ -110,7 +104,6 @@ in
|
||||||
|
|
||||||
"sane-scripts.find-dotfiles".sandbox = {
|
"sane-scripts.find-dotfiles".sandbox = {
|
||||||
method = "bwrap";
|
method = "bwrap";
|
||||||
wrapperType = "wrappedDerivation";
|
|
||||||
extraHomePaths = [
|
extraHomePaths = [
|
||||||
"/"
|
"/"
|
||||||
".persist/ephemeral"
|
".persist/ephemeral"
|
||||||
|
@ -120,7 +113,6 @@ in
|
||||||
|
|
||||||
"sane-scripts.ip-check".sandbox = {
|
"sane-scripts.ip-check".sandbox = {
|
||||||
method = "landlock";
|
method = "landlock";
|
||||||
wrapperType = "wrappedDerivation";
|
|
||||||
net = "all";
|
net = "all";
|
||||||
};
|
};
|
||||||
|
|
||||||
|
@ -128,7 +120,6 @@ in
|
||||||
|
|
||||||
"sane-scripts.private-change-passwd".sandbox = {
|
"sane-scripts.private-change-passwd".sandbox = {
|
||||||
method = "bwrap";
|
method = "bwrap";
|
||||||
wrapperType = "wrappedDerivation";
|
|
||||||
autodetectCliPaths = "existing"; #< for the new `private` location
|
autodetectCliPaths = "existing"; #< for the new `private` location
|
||||||
capabilities = [ "sys_admin" ]; # it needs to mount the new store
|
capabilities = [ "sys_admin" ]; # it needs to mount the new store
|
||||||
extraHomePaths = [
|
extraHomePaths = [
|
||||||
|
@ -140,7 +131,6 @@ in
|
||||||
# instead, we put ourselves in a mount namespace, do the mount, and drop into a shell or run a command.
|
# instead, we put ourselves in a mount namespace, do the mount, and drop into a shell or run a command.
|
||||||
# this actually has an OK side effect, that the mount isn't shared, and so we avoid contention/interleaving that would cause the ending `umount` to fail.
|
# this actually has an OK side effect, that the mount isn't shared, and so we avoid contention/interleaving that would cause the ending `umount` to fail.
|
||||||
method = "bwrap";
|
method = "bwrap";
|
||||||
wrapperType = "wrappedDerivation";
|
|
||||||
# cap_sys_admin is needed to mount stuff.
|
# cap_sys_admin is needed to mount stuff.
|
||||||
# ordinarily /run/wrappers/bin/mount would do that via setuid, but sandboxes have no_new_privs by default.
|
# ordinarily /run/wrappers/bin/mount would do that via setuid, but sandboxes have no_new_privs by default.
|
||||||
capabilities = [ "sys_admin" ];
|
capabilities = [ "sys_admin" ];
|
||||||
|
@ -151,7 +141,6 @@ in
|
||||||
};
|
};
|
||||||
"sane-scripts.private-init".sandbox = {
|
"sane-scripts.private-init".sandbox = {
|
||||||
method = "bwrap";
|
method = "bwrap";
|
||||||
wrapperType = "wrappedDerivation";
|
|
||||||
capabilities = [ "sys_admin" ]; # it needs to mount the new store
|
capabilities = [ "sys_admin" ]; # it needs to mount the new store
|
||||||
extraHomePaths = [
|
extraHomePaths = [
|
||||||
".persist/private"
|
".persist/private"
|
||||||
|
@ -162,7 +151,6 @@ in
|
||||||
|
|
||||||
"sane-scripts.reclaim-boot-space".sandbox = {
|
"sane-scripts.reclaim-boot-space".sandbox = {
|
||||||
method = "bwrap";
|
method = "bwrap";
|
||||||
wrapperType = "wrappedDerivation";
|
|
||||||
extraPaths = [ "/boot" ];
|
extraPaths = [ "/boot" ];
|
||||||
};
|
};
|
||||||
|
|
||||||
|
@ -173,7 +161,6 @@ in
|
||||||
|
|
||||||
"sane-scripts.reboot".sandbox = {
|
"sane-scripts.reboot".sandbox = {
|
||||||
method = "bwrap";
|
method = "bwrap";
|
||||||
wrapperType = "wrappedDerivation";
|
|
||||||
extraPaths = [
|
extraPaths = [
|
||||||
"/run/dbus"
|
"/run/dbus"
|
||||||
"/run/systemd"
|
"/run/systemd"
|
||||||
|
@ -182,13 +169,11 @@ in
|
||||||
|
|
||||||
"sane-scripts.reclaim-disk-space".sandbox = {
|
"sane-scripts.reclaim-disk-space".sandbox = {
|
||||||
method = "bwrap";
|
method = "bwrap";
|
||||||
wrapperType = "wrappedDerivation";
|
|
||||||
extraPaths = [ "/nix/var/nix" ];
|
extraPaths = [ "/nix/var/nix" ];
|
||||||
};
|
};
|
||||||
|
|
||||||
"sane-scripts.secrets-unlock".sandbox = {
|
"sane-scripts.secrets-unlock".sandbox = {
|
||||||
method = "bwrap";
|
method = "bwrap";
|
||||||
wrapperType = "wrappedDerivation";
|
|
||||||
extraHomePaths = [
|
extraHomePaths = [
|
||||||
".ssh/id_ed25519"
|
".ssh/id_ed25519"
|
||||||
".ssh/id_ed25519.pub"
|
".ssh/id_ed25519.pub"
|
||||||
|
@ -214,7 +199,6 @@ in
|
||||||
|
|
||||||
"sane-scripts.shutdown".sandbox = {
|
"sane-scripts.shutdown".sandbox = {
|
||||||
method = "bwrap";
|
method = "bwrap";
|
||||||
wrapperType = "wrappedDerivation";
|
|
||||||
extraPaths = [
|
extraPaths = [
|
||||||
"/run/dbus"
|
"/run/dbus"
|
||||||
"/run/systemd"
|
"/run/systemd"
|
||||||
|
@ -231,7 +215,6 @@ in
|
||||||
|
|
||||||
"sane-scripts.tag-music".sandbox = {
|
"sane-scripts.tag-music".sandbox = {
|
||||||
method = "bwrap";
|
method = "bwrap";
|
||||||
wrapperType = "wrappedDerivation";
|
|
||||||
autodetectCliPaths = "existing";
|
autodetectCliPaths = "existing";
|
||||||
};
|
};
|
||||||
|
|
||||||
|
@ -256,7 +239,6 @@ in
|
||||||
(builtins.attrNames config.sane.vpn);
|
(builtins.attrNames config.sane.vpn);
|
||||||
"sane-scripts.vpn".sandbox = {
|
"sane-scripts.vpn".sandbox = {
|
||||||
method = "landlock"; #< bwrap can't handle `ip link` stuff even with cap_net_admin
|
method = "landlock"; #< bwrap can't handle `ip link` stuff even with cap_net_admin
|
||||||
wrapperType = "wrappedDerivation";
|
|
||||||
net = "all";
|
net = "all";
|
||||||
capabilities = [ "net_admin" ];
|
capabilities = [ "net_admin" ];
|
||||||
extraHomePaths = [ ".config/sane-vpn" ];
|
extraHomePaths = [ ".config/sane-vpn" ];
|
||||||
|
@ -264,7 +246,6 @@ in
|
||||||
|
|
||||||
"sane-scripts.which".sandbox = {
|
"sane-scripts.which".sandbox = {
|
||||||
method = "bwrap";
|
method = "bwrap";
|
||||||
wrapperType = "wrappedDerivation";
|
|
||||||
extraHomePaths = [
|
extraHomePaths = [
|
||||||
# for SXMO
|
# for SXMO
|
||||||
".config/sxmo/hooks"
|
".config/sxmo/hooks"
|
||||||
|
@ -273,7 +254,6 @@ in
|
||||||
|
|
||||||
"sane-scripts.wipe".sandbox = {
|
"sane-scripts.wipe".sandbox = {
|
||||||
method = "bwrap";
|
method = "bwrap";
|
||||||
wrapperType = "wrappedDerivation";
|
|
||||||
whitelistDbus = [ "user" ]; #< for `secret-tool` and `systemd --user stop <service>
|
whitelistDbus = [ "user" ]; #< for `secret-tool` and `systemd --user stop <service>
|
||||||
extraHomePaths = [
|
extraHomePaths = [
|
||||||
# could be more specific, but at a maintenance cost.
|
# could be more specific, but at a maintenance cost.
|
||||||
|
|
|
@ -17,7 +17,6 @@ let
|
||||||
in {
|
in {
|
||||||
sane.programs.sfeed = {
|
sane.programs.sfeed = {
|
||||||
sandbox.method = "bwrap";
|
sandbox.method = "bwrap";
|
||||||
sandbox.wrapperType = "wrappedDerivation";
|
|
||||||
sandbox.net = "clearnet";
|
sandbox.net = "clearnet";
|
||||||
|
|
||||||
fs.".sfeed/sfeedrc".symlink.text = ''
|
fs.".sfeed/sfeedrc".symlink.text = ''
|
||||||
|
|
|
@ -23,7 +23,6 @@ in
|
||||||
|
|
||||||
packageUnwrapped = pkgs.signal-desktop-from-src;
|
packageUnwrapped = pkgs.signal-desktop-from-src;
|
||||||
sandbox.method = "bwrap";
|
sandbox.method = "bwrap";
|
||||||
sandbox.wrapperType = "wrappedDerivation";
|
|
||||||
sandbox.net = "clearnet";
|
sandbox.net = "clearnet";
|
||||||
sandbox.whitelistAudio = true;
|
sandbox.whitelistAudio = true;
|
||||||
sandbox.whitelistWayland = true;
|
sandbox.whitelistWayland = true;
|
||||||
|
|
|
@ -6,7 +6,6 @@
|
||||||
{
|
{
|
||||||
sane.programs.splatmoji = {
|
sane.programs.splatmoji = {
|
||||||
sandbox.method = "bwrap";
|
sandbox.method = "bwrap";
|
||||||
sandbox.wrapperType = "wrappedDerivation";
|
|
||||||
sandbox.whitelistWayland = true; # it calls into a dmenu helper
|
sandbox.whitelistWayland = true; # it calls into a dmenu helper
|
||||||
sandbox.extraHomePaths = [
|
sandbox.extraHomePaths = [
|
||||||
".cache/rofi"
|
".cache/rofi"
|
||||||
|
|
|
@ -2,7 +2,6 @@
|
||||||
{
|
{
|
||||||
sane.programs.spot = {
|
sane.programs.spot = {
|
||||||
sandbox.method = "bwrap";
|
sandbox.method = "bwrap";
|
||||||
sandbox.wrapperType = "wrappedDerivation";
|
|
||||||
sandbox.net = "clearnet";
|
sandbox.net = "clearnet";
|
||||||
sandbox.whitelistAudio = true;
|
sandbox.whitelistAudio = true;
|
||||||
sandbox.whitelistDbus = [ "user" ]; # mpris
|
sandbox.whitelistDbus = [ "user" ]; # mpris
|
||||||
|
|
|
@ -2,7 +2,6 @@
|
||||||
{
|
{
|
||||||
sane.programs.superTuxKart = {
|
sane.programs.superTuxKart = {
|
||||||
sandbox.method = "bwrap";
|
sandbox.method = "bwrap";
|
||||||
sandbox.wrapperType = "wrappedDerivation";
|
|
||||||
sandbox.net = "clearnet"; # net play
|
sandbox.net = "clearnet"; # net play
|
||||||
sandbox.whitelistAudio = true;
|
sandbox.whitelistAudio = true;
|
||||||
sandbox.whitelistDri = true;
|
sandbox.whitelistDri = true;
|
||||||
|
|
|
@ -5,7 +5,6 @@ in
|
||||||
{
|
{
|
||||||
sane.programs.swaylock = {
|
sane.programs.swaylock = {
|
||||||
sandbox.method = "bwrap";
|
sandbox.method = "bwrap";
|
||||||
sandbox.wrapperType = "wrappedDerivation";
|
|
||||||
sandbox.extraPaths = [
|
sandbox.extraPaths = [
|
||||||
# N.B.: we need to be able to follow /etc/shadow to wherever it's symlinked.
|
# N.B.: we need to be able to follow /etc/shadow to wherever it's symlinked.
|
||||||
# swaylock seems (?) to offload password checking to pam's `unix_chkpwd`,
|
# swaylock seems (?) to offload password checking to pam's `unix_chkpwd`,
|
||||||
|
|
|
@ -141,7 +141,6 @@ in
|
||||||
}));
|
}));
|
||||||
|
|
||||||
sandbox.method = "bwrap";
|
sandbox.method = "bwrap";
|
||||||
sandbox.wrapperType = "wrappedDerivation";
|
|
||||||
sandbox.whitelistAudio = true;
|
sandbox.whitelistAudio = true;
|
||||||
sandbox.whitelistDbus = [
|
sandbox.whitelistDbus = [
|
||||||
"user" # mpris; portal
|
"user" # mpris; portal
|
||||||
|
|
|
@ -30,7 +30,6 @@ in
|
||||||
slowToBuild = true; # only true for cross-compiled tangram
|
slowToBuild = true; # only true for cross-compiled tangram
|
||||||
|
|
||||||
sandbox.method = "bwrap";
|
sandbox.method = "bwrap";
|
||||||
sandbox.wrapperType = "wrappedDerivation";
|
|
||||||
sandbox.net = "clearnet";
|
sandbox.net = "clearnet";
|
||||||
sandbox.whitelistAudio = true;
|
sandbox.whitelistAudio = true;
|
||||||
sandbox.whitelistDri = true;
|
sandbox.whitelistDri = true;
|
||||||
|
|
|
@ -2,7 +2,6 @@
|
||||||
{
|
{
|
||||||
sane.programs.tuba = {
|
sane.programs.tuba = {
|
||||||
sandbox.method = "bwrap";
|
sandbox.method = "bwrap";
|
||||||
sandbox.wrapperType = "wrappedDerivation";
|
|
||||||
sandbox.net = "clearnet";
|
sandbox.net = "clearnet";
|
||||||
sandbox.whitelistAudio = true;
|
sandbox.whitelistAudio = true;
|
||||||
sandbox.whitelistDbus = [ "user" ]; # notifications
|
sandbox.whitelistDbus = [ "user" ]; # notifications
|
||||||
|
|
|
@ -132,7 +132,6 @@ in
|
||||||
# N.B.: this sandboxing applies to `unl0kr` itself -- the on-screen-keyboard;
|
# N.B.: this sandboxing applies to `unl0kr` itself -- the on-screen-keyboard;
|
||||||
# NOT to the wrapper which invokes `login`.
|
# NOT to the wrapper which invokes `login`.
|
||||||
sandbox.method = "bwrap";
|
sandbox.method = "bwrap";
|
||||||
sandbox.wrapperType = "wrappedDerivation";
|
|
||||||
sandbox.whitelistDri = true;
|
sandbox.whitelistDri = true;
|
||||||
sandbox.extraPaths = [
|
sandbox.extraPaths = [
|
||||||
"/dev/fb0"
|
"/dev/fb0"
|
||||||
|
|
|
@ -15,7 +15,6 @@ in
|
||||||
samba = null;
|
samba = null;
|
||||||
};
|
};
|
||||||
sandbox.method = "bwrap";
|
sandbox.method = "bwrap";
|
||||||
sandbox.wrapperType = "wrappedDerivation";
|
|
||||||
sandbox.net = "clearnet";
|
sandbox.net = "clearnet";
|
||||||
sandbox.autodetectCliPaths = true;
|
sandbox.autodetectCliPaths = true;
|
||||||
sandbox.whitelistAudio = true;
|
sandbox.whitelistAudio = true;
|
||||||
|
|
|
@ -57,7 +57,6 @@ in
|
||||||
};
|
};
|
||||||
|
|
||||||
sandbox.method = "bwrap";
|
sandbox.method = "bwrap";
|
||||||
sandbox.wrapperType = "wrappedDerivation";
|
|
||||||
sandbox.net = "all"; #< to show net connection status and BW
|
sandbox.net = "all"; #< to show net connection status and BW
|
||||||
sandbox.whitelistDbus = [
|
sandbox.whitelistDbus = [
|
||||||
"user" #< for playerctl/media
|
"user" #< for playerctl/media
|
||||||
|
|
|
@ -7,7 +7,6 @@ in
|
||||||
{
|
{
|
||||||
sane.programs.waylock = {
|
sane.programs.waylock = {
|
||||||
sandbox.method = "bwrap";
|
sandbox.method = "bwrap";
|
||||||
sandbox.wrapperType = "wrappedDerivation";
|
|
||||||
sandbox.extraPaths = [
|
sandbox.extraPaths = [
|
||||||
# N.B.: we need to be able to follow /etc/shadow to wherever it's symlinked.
|
# N.B.: we need to be able to follow /etc/shadow to wherever it's symlinked.
|
||||||
# waylock seems (?) to offload password checking to pam's `unix_chkpwd`,
|
# waylock seems (?) to offload password checking to pam's `unix_chkpwd`,
|
||||||
|
|
|
@ -5,7 +5,6 @@ in
|
||||||
{
|
{
|
||||||
sane.programs.wireplumber = {
|
sane.programs.wireplumber = {
|
||||||
sandbox.method = "bwrap";
|
sandbox.method = "bwrap";
|
||||||
sandbox.wrapperType = "wrappedDerivation";
|
|
||||||
sandbox.whitelistDbus = [
|
sandbox.whitelistDbus = [
|
||||||
# i think this isn't strictly necessary; it just wants to ask the portal for realtime perms
|
# i think this isn't strictly necessary; it just wants to ask the portal for realtime perms
|
||||||
# "system"
|
# "system"
|
||||||
|
|
|
@ -5,7 +5,6 @@ in
|
||||||
{
|
{
|
||||||
sane.programs.wireshark = {
|
sane.programs.wireshark = {
|
||||||
sandbox.method = "landlock";
|
sandbox.method = "landlock";
|
||||||
sandbox.wrapperType = "wrappedDerivation";
|
|
||||||
sandbox.whitelistWayland = true;
|
sandbox.whitelistWayland = true;
|
||||||
sandbox.net = "all";
|
sandbox.net = "all";
|
||||||
sandbox.capabilities = [ "net_admin" "net_raw" ];
|
sandbox.capabilities = [ "net_admin" "net_raw" ];
|
||||||
|
|
|
@ -32,7 +32,6 @@ in
|
||||||
};
|
};
|
||||||
|
|
||||||
sandbox.method = "bwrap";
|
sandbox.method = "bwrap";
|
||||||
sandbox.wrapperType = "wrappedDerivation";
|
|
||||||
sandbox.whitelistWayland = true;
|
sandbox.whitelistWayland = true;
|
||||||
|
|
||||||
fs.".config/wob/wob.ini".symlink.text = ''
|
fs.".config/wob/wob.ini".symlink.text = ''
|
||||||
|
|
|
@ -7,7 +7,6 @@
|
||||||
};
|
};
|
||||||
|
|
||||||
sandbox.method = "bwrap";
|
sandbox.method = "bwrap";
|
||||||
sandbox.wrapperType = "wrappedDerivation";
|
|
||||||
sandbox.whitelistWayland = true;
|
sandbox.whitelistWayland = true;
|
||||||
sandbox.extraHomePaths = [
|
sandbox.extraHomePaths = [
|
||||||
"archive"
|
"archive"
|
||||||
|
|
|
@ -8,7 +8,6 @@ in
|
||||||
packageUnwrapped = pkgs.rmDbusServicesInPlace pkgs.xdg-desktop-portal-gtk;
|
packageUnwrapped = pkgs.rmDbusServicesInPlace pkgs.xdg-desktop-portal-gtk;
|
||||||
|
|
||||||
sandbox.method = "bwrap";
|
sandbox.method = "bwrap";
|
||||||
sandbox.wrapperType = "wrappedDerivation";
|
|
||||||
sandbox.whitelistDbus = [ "user" ]; # speak to main xdg-desktop-portal
|
sandbox.whitelistDbus = [ "user" ]; # speak to main xdg-desktop-portal
|
||||||
sandbox.whitelistWayland = true;
|
sandbox.whitelistWayland = true;
|
||||||
sandbox.extraHomePaths = [
|
sandbox.extraHomePaths = [
|
||||||
|
|
|
@ -8,7 +8,6 @@ in
|
||||||
packageUnwrapped = pkgs.rmDbusServicesInPlace pkgs.xdg-desktop-portal-wlr;
|
packageUnwrapped = pkgs.rmDbusServicesInPlace pkgs.xdg-desktop-portal-wlr;
|
||||||
|
|
||||||
sandbox.method = "bwrap"; # TODO:sandbox: untested
|
sandbox.method = "bwrap"; # TODO:sandbox: untested
|
||||||
sandbox.wrapperType = "wrappedDerivation";
|
|
||||||
sandbox.whitelistDbus = [ "user" ]; # speak to main xdg-desktop-portal
|
sandbox.whitelistDbus = [ "user" ]; # speak to main xdg-desktop-portal
|
||||||
sandbox.whitelistWayland = true;
|
sandbox.whitelistWayland = true;
|
||||||
|
|
||||||
|
|
|
@ -316,7 +316,7 @@ let
|
||||||
};
|
};
|
||||||
sandbox.wrapperType = mkOption {
|
sandbox.wrapperType = mkOption {
|
||||||
type = types.enum [ "inplace" "wrappedDerivation" ];
|
type = types.enum [ "inplace" "wrappedDerivation" ];
|
||||||
default = "inplace";
|
default = "wrappedDerivation";
|
||||||
description = ''
|
description = ''
|
||||||
how to manipulate the `packageUnwrapped` derivation in order to achieve sandboxing.
|
how to manipulate the `packageUnwrapped` derivation in order to achieve sandboxing.
|
||||||
- inplace: applies an override to `packageUnwrapped`, so that all `bin/` files are sandboxed,
|
- inplace: applies an override to `packageUnwrapped`, so that all `bin/` files are sandboxed,
|
||||||
|
@ -327,7 +327,6 @@ let
|
||||||
"inplace" is more reliable, but "wrappedDerivation" is more lightweight (doesn't force any rebuilds).
|
"inplace" is more reliable, but "wrappedDerivation" is more lightweight (doesn't force any rebuilds).
|
||||||
the biggest gap in "wrappedDerivation" is that it doesn't link anything outside `bin/`, except for
|
the biggest gap in "wrappedDerivation" is that it doesn't link anything outside `bin/`, except for
|
||||||
some limited (verified safe) support for `share/applications/*.desktop`
|
some limited (verified safe) support for `share/applications/*.desktop`
|
||||||
"wrappedDerivation" is mostly good for prototyping.
|
|
||||||
'';
|
'';
|
||||||
};
|
};
|
||||||
sandbox.autodetectCliPaths = mkOption {
|
sandbox.autodetectCliPaths = mkOption {
|
||||||
|
|
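Review bot: The new `default = "wrappedDerivation";` also applies to every program that has a sandbox configured but never set `sandbox.wrapperType`, so those programs silently move off "inplace", which the description kept in this section still calls the more reliable mode. That description says "wrappedDerivation" links nothing outside `bin/` apart from limited `share/applications/*.desktop` support, so a package whose entry points or service files live elsewhere may lose them. Presumably anything that still reaches the unwrapped package by its store path would then run unsandboxed; that is worth confirming against the wrapper implementation, which is not shown here. I would audit the programs that relied on the old default and pin those that need it with `sandbox.wrapperType = "inplace";`. In place of the removed "mostly good for prototyping" sentence, the description could say `"wrappedDerivation" is the default; use "inplace" when a package ships executables or service files outside bin/.` (the `mkOption` body continues outside the hunks shown).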