programs: make sandbox.wrapperType default to "wrappedDerivation" and remove everywhere i manually set that
parent
812c0c8029
commit
40e30cf2f8
|
@ -31,7 +31,6 @@
|
|||
};
|
||||
|
||||
sandbox.method = "bwrap";
|
||||
sandbox.wrapperType = "wrappedDerivation";
|
||||
sandbox.whitelistWayland = true;
|
||||
|
||||
persist.byStore.plaintext = [
|
||||
|
|
|
@ -203,13 +203,11 @@ in
|
|||
# INDIVIDUAL PACKAGE DEFINITIONS
|
||||
|
||||
alsaUtils.sandbox.method = "landlock";
|
||||
alsaUtils.sandbox.wrapperType = "wrappedDerivation";
|
||||
alsaUtils.sandbox.whitelistAudio = true; #< not strictly necessary?
|
||||
|
||||
backblaze-b2 = {};
|
||||
|
||||
blanket.sandbox.method = "bwrap";
|
||||
blanket.sandbox.wrapperType = "wrappedDerivation";
|
||||
blanket.sandbox.whitelistAudio = true;
|
||||
# blanket.sandbox.whitelistDbus = [ "user" ]; # TODO: untested
|
||||
blanket.sandbox.whitelistWayland = true;
|
||||
|
@ -225,11 +223,9 @@ in
|
|||
];
|
||||
|
||||
bridge-utils.sandbox.method = "bwrap"; #< bwrap, landlock: both work
|
||||
bridge-utils.sandbox.wrapperType = "wrappedDerivation";
|
||||
bridge-utils.sandbox.net = "all";
|
||||
|
||||
brightnessctl.sandbox.method = "landlock"; # also bwrap, but landlock is more responsive
|
||||
brightnessctl.sandbox.wrapperType = "wrappedDerivation";
|
||||
brightnessctl.sandbox.extraPaths = [
|
||||
"/sys/class/backlight"
|
||||
"/sys/class/leds"
|
||||
|
@ -238,7 +234,6 @@ in
|
|||
brightnessctl.sandbox.whitelistDbus = [ "system" ];
|
||||
|
||||
btrfs-progs.sandbox.method = "bwrap"; #< bwrap, landlock: both work
|
||||
btrfs-progs.sandbox.wrapperType = "wrappedDerivation";
|
||||
btrfs-progs.sandbox.autodetectCliPaths = "existing"; # e.g. `btrfs filesystem df /my/fs`
|
||||
|
||||
"cacert.unbundled".sandbox.enable = false;
|
||||
|
@ -249,7 +244,6 @@ in
|
|||
|
||||
# cryptsetup: typical use is `cryptsetup open /dev/loopxyz mappedName`, and creates `/dev/mapper/mappedName`
|
||||
cryptsetup.sandbox.method = "landlock";
|
||||
cryptsetup.sandbox.wrapperType = "wrappedDerivation";
|
||||
cryptsetup.sandbox.extraPaths = [
|
||||
"/dev/mapper"
|
||||
"/dev/random"
|
||||
|
@ -263,12 +257,10 @@ in
|
|||
cryptsetup.sandbox.autodetectCliPaths = "existing";
|
||||
|
||||
ddrescue.sandbox.method = "landlock"; # TODO:sandbox: untested
|
||||
ddrescue.sandbox.wrapperType = "wrappedDerivation";
|
||||
ddrescue.sandbox.autodetectCliPaths = "existingOrParent";
|
||||
|
||||
# auth token, preferences
|
||||
delfin.sandbox.method = "bwrap";
|
||||
delfin.sandbox.wrapperType = "wrappedDerivation";
|
||||
delfin.sandbox.whitelistAudio = true;
|
||||
delfin.sandbox.whitelistDbus = [ "user" ]; # else `mpris` plugin crashes the player
|
||||
delfin.sandbox.whitelistDri = true;
|
||||
|
@ -277,7 +269,6 @@ in
|
|||
delfin.persist.byStore.private = [ ".config/delfin" ];
|
||||
|
||||
dig.sandbox.method = "bwrap";
|
||||
dig.sandbox.wrapperType = "wrappedDerivation";
|
||||
dig.sandbox.net = "all";
|
||||
|
||||
# creds, but also 200 MB of node modules, etc
|
||||
|
@ -293,18 +284,15 @@ in
|
|||
dtc.sandbox.autodetectCliPaths = true; # TODO:sandbox: untested
|
||||
|
||||
dtrx.sandbox.method = "bwrap";
|
||||
dtrx.sandbox.wrapperType = "wrappedDerivation";
|
||||
dtrx.sandbox.whitelistPwd = true;
|
||||
dtrx.sandbox.autodetectCliPaths = "existing"; #< for the archive
|
||||
|
||||
duplicity = {};
|
||||
|
||||
e2fsprogs.sandbox.method = "landlock";
|
||||
e2fsprogs.sandbox.wrapperType = "wrappedDerivation";
|
||||
e2fsprogs.sandbox.autodetectCliPaths = "existing";
|
||||
|
||||
efibootmgr.sandbox.method = "landlock";
|
||||
efibootmgr.sandbox.wrapperType = "wrappedDerivation";
|
||||
efibootmgr.sandbox.extraPaths = [
|
||||
"/sys/firmware/efi"
|
||||
];
|
||||
|
@ -312,14 +300,12 @@ in
|
|||
eg25-control = {};
|
||||
|
||||
electrum.sandbox.method = "bwrap"; # TODO:sandbox: untested
|
||||
electrum.sandbox.wrapperType = "wrappedDerivation";
|
||||
electrum.sandbox.net = "all"; # TODO: probably want to make this run behind a VPN, always
|
||||
electrum.sandbox.whitelistWayland = true;
|
||||
electrum.persist.byStore.cryptClearOnBoot = [ ".electrum" ]; #< TODO: use XDG dirs!
|
||||
|
||||
endless-sky.persist.byStore.plaintext = [ ".local/share/endless-sky" ];
|
||||
endless-sky.sandbox.method = "bwrap";
|
||||
endless-sky.sandbox.wrapperType = "wrappedDerivation";
|
||||
endless-sky.sandbox.whitelistAudio = true;
|
||||
endless-sky.sandbox.whitelistDri = true;
|
||||
endless-sky.sandbox.whitelistWayland = true;
|
||||
|
@ -330,14 +316,12 @@ in
|
|||
emote.persist.byStore.plaintext = [ ".local/share/Emote" ];
|
||||
|
||||
ethtool.sandbox.method = "landlock";
|
||||
ethtool.sandbox.wrapperType = "wrappedDerivation";
|
||||
ethtool.sandbox.capabilities = [ "net_admin" ];
|
||||
|
||||
# eza `ls` replacement
|
||||
# landlock is OK, only `whitelistPwd` doesn't make the intermediate symlinks traversable, so it breaks on e.g. ~/Videos/servo/Shows/foo
|
||||
# eza.sandbox.method = "landlock";
|
||||
eza.sandbox.method = "bwrap";
|
||||
eza.sandbox.wrapperType = "wrappedDerivation"; # slow to build
|
||||
eza.sandbox.autodetectCliPaths = true;
|
||||
eza.sandbox.whitelistPwd = true;
|
||||
eza.sandbox.extraHomePaths = [
|
||||
|
@ -347,11 +331,9 @@ in
|
|||
];
|
||||
|
||||
fatresize.sandbox.method = "landlock";
|
||||
fatresize.sandbox.wrapperType = "wrappedDerivation";
|
||||
fatresize.sandbox.autodetectCliPaths = "parent"; # /dev/sda1 -> needs /dev/sda
|
||||
|
||||
fd.sandbox.method = "landlock";
|
||||
fd.sandbox.wrapperType = "wrappedDerivation"; # slow to build
|
||||
fd.sandbox.autodetectCliPaths = true;
|
||||
fd.sandbox.whitelistPwd = true;
|
||||
fd.sandbox.extraHomePaths = [
|
||||
|
@ -361,15 +343,12 @@ in
|
|||
];
|
||||
|
||||
ffmpeg.sandbox.method = "bwrap";
|
||||
ffmpeg.sandbox.wrapperType = "wrappedDerivation"; # slow to build
|
||||
ffmpeg.sandbox.autodetectCliPaths = "existingFileOrParent"; # it outputs uncreated files -> parent dir needs mounting
|
||||
|
||||
file.sandbox.method = "bwrap";
|
||||
file.sandbox.wrapperType = "wrappedDerivation";
|
||||
file.sandbox.autodetectCliPaths = true;
|
||||
|
||||
findutils.sandbox.method = "bwrap";
|
||||
findutils.sandbox.wrapperType = "wrappedDerivation";
|
||||
findutils.sandbox.autodetectCliPaths = true;
|
||||
findutils.sandbox.whitelistPwd = true;
|
||||
findutils.sandbox.extraHomePaths = [
|
||||
|
@ -381,14 +360,12 @@ in
|
|||
fluffychat-moby.persist.byStore.plaintext = [ ".local/share/chat.fluffy.fluffychat" ];
|
||||
|
||||
font-manager.sandbox.method = "bwrap";
|
||||
font-manager.sandbox.wrapperType = "wrappedDerivation";
|
||||
font-manager.packageUnwrapped = pkgs.rmDbusServicesInPlace (pkgs.font-manager.override {
|
||||
# build without the "Google Fonts" integration feature, to save closure / avoid webkitgtk_4_0
|
||||
withWebkit = false;
|
||||
});
|
||||
|
||||
forkstat.sandbox.method = "landlock"; #< doesn't seem to support bwrap
|
||||
forkstat.sandbox.wrapperType = "wrappedDerivation";
|
||||
forkstat.sandbox.extraConfig = [
|
||||
"--sane-sandbox-keep-namespace" "pid"
|
||||
];
|
||||
|
@ -401,7 +378,6 @@ in
|
|||
# should probably make it not be an app-launcher
|
||||
fuzzel.sandbox.enable = false;
|
||||
fuzzel.sandbox.method = "bwrap"; #< landlock nearly works, but unable to open ~/.cache
|
||||
fuzzel.sandbox.wrapperType = "wrappedDerivation";
|
||||
fuzzel.sandbox.whitelistWayland = true;
|
||||
fuzzel.persist.byStore.private = [
|
||||
# this is a file of recent selections
|
||||
|
@ -414,7 +390,6 @@ in
|
|||
|
||||
gdb.sandbox.enable = false; # gdb doesn't sandbox well. i don't know how you could.
|
||||
# gdb.sandbox.method = "landlock"; # permission denied when trying to attach, even as root
|
||||
gdb.sandbox.wrapperType = "wrappedDerivation";
|
||||
gdb.sandbox.autodetectCliPaths = true;
|
||||
|
||||
geoclue2-with-demo-agent = {};
|
||||
|
@ -424,7 +399,6 @@ in
|
|||
gh.persist.byStore.private = [ ".config/gh" ];
|
||||
|
||||
gimp.sandbox.method = "bwrap";
|
||||
gimp.sandbox.wrapperType = "wrappedDerivation";
|
||||
gimp.sandbox.whitelistWayland = true;
|
||||
gimp.sandbox.extraHomePaths = [
|
||||
"Pictures/albums"
|
||||
|
@ -443,39 +417,32 @@ in
|
|||
];
|
||||
|
||||
"gnome.gnome-calculator".sandbox.method = "bwrap";
|
||||
"gnome.gnome-calculator".sandbox.wrapperType = "wrappedDerivation";
|
||||
"gnome.gnome-calculator".sandbox.whitelistWayland = true;
|
||||
|
||||
# gnome-calendar surely has data to persist, but i use it strictly to do date math, not track events.
|
||||
"gnome.gnome-calendar".sandbox.method = "bwrap";
|
||||
"gnome.gnome-calendar".sandbox.wrapperType = "wrappedDerivation";
|
||||
"gnome.gnome-calendar".sandbox.whitelistWayland = true;
|
||||
|
||||
"gnome.gnome-clocks".sandbox.method = "bwrap";
|
||||
"gnome.gnome-clocks".sandbox.wrapperType = "wrappedDerivation";
|
||||
"gnome.gnome-clocks".sandbox.whitelistWayland = true;
|
||||
"gnome.gnome-clocks".suggestedPrograms = [ "dconf" ];
|
||||
|
||||
# gnome-disks
|
||||
"gnome.gnome-disk-utility".sandbox.method = "bwrap";
|
||||
"gnome.gnome-disk-utility".sandbox.wrapperType = "wrappedDerivation";
|
||||
"gnome.gnome-disk-utility".sandbox.whitelistDbus = [ "system" ];
|
||||
"gnome.gnome-disk-utility".sandbox.whitelistWayland = true;
|
||||
|
||||
# seahorse: dump gnome-keyring secrets.
|
||||
# N.B.: it can also manage ~/.ssh keys, but i explicitly don't add those to the sandbox for now.
|
||||
"gnome.seahorse".sandbox.method = "bwrap";
|
||||
"gnome.seahorse".sandbox.wrapperType = "wrappedDerivation";
|
||||
"gnome.seahorse".sandbox.whitelistDbus = [ "user" ];
|
||||
"gnome.seahorse".sandbox.whitelistWayland = true;
|
||||
|
||||
gnome-2048.sandbox.method = "bwrap";
|
||||
gnome-2048.sandbox.wrapperType = "wrappedDerivation";
|
||||
gnome-2048.sandbox.whitelistWayland = true;
|
||||
gnome-2048.persist.byStore.plaintext = [ ".local/share/gnome-2048/scores" ];
|
||||
|
||||
gnome-frog.sandbox.method = "bwrap";
|
||||
gnome-frog.sandbox.wrapperType = "wrappedDerivation";
|
||||
gnome-frog.sandbox.whitelistWayland = true;
|
||||
gnome-frog.sandbox.whitelistDbus = [ "user" ];
|
||||
gnome-frog.sandbox.extraPaths = [
|
||||
|
@ -502,11 +469,9 @@ in
|
|||
# 2. no two shaded tiles can be direct N/S/E/W neighbors
|
||||
# - win once (1) and (2) are satisfied
|
||||
"gnome.hitori".sandbox.method = "bwrap";
|
||||
"gnome.hitori".sandbox.wrapperType = "wrappedDerivation";
|
||||
"gnome.hitori".sandbox.whitelistWayland = true;
|
||||
|
||||
gnugrep.sandbox.method = "bwrap";
|
||||
gnugrep.sandbox.wrapperType = "wrappedDerivation";
|
||||
gnugrep.sandbox.autodetectCliPaths = true;
|
||||
gnugrep.sandbox.whitelistPwd = true;
|
||||
gnugrep.sandbox.extraHomePaths = [
|
||||
|
@ -519,7 +484,6 @@ in
|
|||
gpsd = {};
|
||||
|
||||
gptfdisk.sandbox.method = "landlock";
|
||||
gptfdisk.sandbox.wrapperType = "wrappedDerivation";
|
||||
gptfdisk.sandbox.extraPaths = [
|
||||
"/dev"
|
||||
];
|
||||
|
@ -528,7 +492,6 @@ in
|
|||
grim = {};
|
||||
|
||||
hase.sandbox.method = "bwrap";
|
||||
hase.sandbox.wrapperType = "wrappedDerivation";
|
||||
hase.sandbox.net = "clearnet";
|
||||
hase.sandbox.whitelistAudio = true;
|
||||
hase.sandbox.whitelistDri = true;
|
||||
|
@ -536,15 +499,12 @@ in
|
|||
|
||||
# hdparm: has to be run as sudo. e.g. `sudo hdparm -i /dev/sda`
|
||||
hdparm.sandbox.method = "bwrap";
|
||||
hdparm.sandbox.wrapperType = "wrappedDerivation";
|
||||
hdparm.sandbox.autodetectCliPaths = true;
|
||||
|
||||
host.sandbox.method = "landlock";
|
||||
host.sandbox.wrapperType = "wrappedDerivation";
|
||||
host.sandbox.net = "all"; #< technically, only needs to contact localhost's DNS server
|
||||
|
||||
htop.sandbox.method = "landlock";
|
||||
htop.sandbox.wrapperType = "wrappedDerivation";
|
||||
htop.sandbox.extraPaths = [
|
||||
"/proc"
|
||||
"/sys/devices"
|
||||
|
@ -555,16 +515,13 @@ in
|
|||
];
|
||||
|
||||
iftop.sandbox.method = "landlock";
|
||||
iftop.sandbox.wrapperType = "wrappedDerivation";
|
||||
iftop.sandbox.capabilities = [ "net_raw" ];
|
||||
|
||||
# inetutils: ping, ifconfig, hostname, traceroute, whois, ....
|
||||
# N.B.: inetutils' `ping` is shadowed by iputils' ping (by nixos, intentionally).
|
||||
inetutils.sandbox.method = "landlock"; # want to keep the same netns, at least.
|
||||
inetutils.sandbox.wrapperType = "wrappedDerivation";
|
||||
|
||||
inkscape.sandbox.method = "bwrap";
|
||||
inkscape.sandbox.wrapperType = "wrappedDerivation";
|
||||
inkscape.sandbox.whitelistWayland = true;
|
||||
inkscape.sandbox.extraHomePaths = [
|
||||
"Pictures/albums"
|
||||
|
@ -580,7 +537,6 @@ in
|
|||
inkscape.sandbox.autodetectCliPaths = true;
|
||||
|
||||
iotop.sandbox.method = "landlock";
|
||||
iotop.sandbox.wrapperType = "wrappedDerivation";
|
||||
iotop.sandbox.extraPaths = [
|
||||
"/proc"
|
||||
];
|
||||
|
@ -588,38 +544,31 @@ in
|
|||
|
||||
# provides `ip`, `routel`, others
|
||||
iproute2.sandbox.method = "landlock";
|
||||
iproute2.sandbox.wrapperType = "wrappedDerivation";
|
||||
iproute2.sandbox.net = "all";
|
||||
iproute2.sandbox.capabilities = [ "net_admin" ];
|
||||
|
||||
iptables.sandbox.method = "landlock";
|
||||
iptables.sandbox.wrapperType = "wrappedDerivation";
|
||||
iptables.sandbox.net = "all";
|
||||
iptables.sandbox.capabilities = [ "net_admin" ];
|
||||
|
||||
# iputils provides `ping` (and arping, clockdiff, tracepath)
|
||||
iputils.sandbox.method = "landlock";
|
||||
iputils.sandbox.wrapperType = "wrappedDerivation";
|
||||
iputils.sandbox.net = "all";
|
||||
iputils.sandbox.capabilities = [ "net_raw" ];
|
||||
|
||||
iw.sandbox.method = "landlock";
|
||||
iw.sandbox.wrapperType = "wrappedDerivation";
|
||||
iw.sandbox.net = "all";
|
||||
iw.sandbox.capabilities = [ "net_admin" ];
|
||||
|
||||
jq.sandbox.method = "bwrap";
|
||||
jq.sandbox.wrapperType = "wrappedDerivation";
|
||||
jq.sandbox.autodetectCliPaths = "existingFile";
|
||||
|
||||
killall.sandbox.method = "landlock";
|
||||
killall.sandbox.wrapperType = "wrappedDerivation";
|
||||
killall.sandbox.extraPaths = [
|
||||
"/proc"
|
||||
];
|
||||
|
||||
krita.sandbox.method = "bwrap";
|
||||
krita.sandbox.wrapperType = "wrappedDerivation";
|
||||
krita.sandbox.whitelistWayland = true;
|
||||
krita.sandbox.autodetectCliPaths = "existing";
|
||||
krita.sandbox.extraHomePaths = [
|
||||
|
@ -637,11 +586,9 @@ in
|
|||
libcap_ng.sandbox.enable = false; # there's something about /proc/$pid/fd which breaks `readlink`/stat with every sandbox technique (except capsh-only)
|
||||
|
||||
libnotify.sandbox.method = "bwrap";
|
||||
libnotify.sandbox.wrapperType = "wrappedDerivation";
|
||||
libnotify.sandbox.whitelistDbus = [ "user" ]; # notify-send
|
||||
|
||||
losslesscut-bin.sandbox.method = "bwrap";
|
||||
losslesscut-bin.sandbox.wrapperType = "wrappedDerivation";
|
||||
losslesscut-bin.sandbox.extraHomePaths = [
|
||||
"Music"
|
||||
"Pictures/from" # videos from e.g. mobile phone
|
||||
|
@ -656,13 +603,11 @@ in
|
|||
losslesscut-bin.sandbox.whitelistX = true;
|
||||
|
||||
lsof.sandbox.method = "capshonly"; # lsof doesn't sandbox under bwrap or even landlock w/ full access to /
|
||||
lsof.sandbox.wrapperType = "wrappedDerivation";
|
||||
|
||||
lua = {};
|
||||
|
||||
"mate.engrampa".packageUnwrapped = pkgs.rmDbusServices pkgs.mate.engrampa;
|
||||
"mate.engrampa".sandbox.method = "bwrap"; # TODO:sandbox: untested
|
||||
"mate.engrampa".sandbox.wrapperType = "wrappedDerivation";
|
||||
"mate.engrampa".sandbox.whitelistWayland = true;
|
||||
"mate.engrampa".sandbox.autodetectCliPaths = "existingOrParent";
|
||||
"mate.engrampa".sandbox.extraHomePaths = [
|
||||
|
@ -675,7 +620,6 @@ in
|
|||
];
|
||||
|
||||
mercurial.sandbox.method = "bwrap"; # TODO:sandbox: untested
|
||||
mercurial.sandbox.wrapperType = "wrappedDerivation";
|
||||
mercurial.sandbox.net = "clearnet";
|
||||
mercurial.sandbox.whitelistPwd = true;
|
||||
|
||||
|
@ -683,7 +627,6 @@ in
|
|||
# XXX: is it really safe to persist this? it doesn't have info that could de-anonymize if captured?
|
||||
monero-gui.persist.byStore.plaintext = [ ".bitmonero" ];
|
||||
monero-gui.sandbox.method = "bwrap";
|
||||
monero-gui.sandbox.wrapperType = "wrappedDerivation";
|
||||
monero-gui.sandbox.net = "all";
|
||||
monero-gui.sandbox.extraHomePaths = [
|
||||
"records/finance/cryptocurrencies/monero"
|
||||
|
@ -692,20 +635,16 @@ in
|
|||
mumble.persist.byStore.private = [ ".local/share/Mumble" ];
|
||||
|
||||
nano.sandbox.method = "bwrap";
|
||||
nano.sandbox.wrapperType = "wrappedDerivation";
|
||||
nano.sandbox.autodetectCliPaths = "existingFileOrParent";
|
||||
|
||||
netcat.sandbox.method = "landlock";
|
||||
netcat.sandbox.wrapperType = "wrappedDerivation";
|
||||
netcat.sandbox.net = "all";
|
||||
|
||||
nethogs.sandbox.method = "capshonly"; # *partially* works under landlock w/ full access to /
|
||||
nethogs.sandbox.wrapperType = "wrappedDerivation";
|
||||
nethogs.sandbox.capabilities = [ "net_admin" "net_raw" ];
|
||||
|
||||
# provides `arp`, `hostname`, `route`, `ifconfig`
|
||||
nettools.sandbox.method = "landlock";
|
||||
nettools.sandbox.wrapperType = "wrappedDerivation";
|
||||
nettools.sandbox.net = "all";
|
||||
nettools.sandbox.capabilities = [ "net_admin" "net_raw" ];
|
||||
nettools.sandbox.extraPaths = [
|
||||
|
@ -713,7 +652,6 @@ in
|
|||
];
|
||||
|
||||
networkmanagerapplet.sandbox.method = "bwrap";
|
||||
networkmanagerapplet.sandbox.wrapperType = "wrappedDerivation";
|
||||
networkmanagerapplet.sandbox.whitelistWayland = true;
|
||||
networkmanagerapplet.sandbox.whitelistDbus = [ "system" ];
|
||||
|
||||
|
@ -726,11 +664,9 @@ in
|
|||
];
|
||||
|
||||
nmap.sandbox.method = "bwrap";
|
||||
nmap.sandbox.wrapperType = "wrappedDerivation";
|
||||
nmap.sandbox.net = "all"; # clearnet and lan
|
||||
|
||||
nmon.sandbox.method = "landlock";
|
||||
nmon.sandbox.wrapperType = "wrappedDerivation";
|
||||
nmon.sandbox.extraPaths = [
|
||||
"/proc"
|
||||
];
|
||||
|
@ -739,7 +675,6 @@ in
|
|||
|
||||
# `nvme list` only shows results when run as root.
|
||||
nvme-cli.sandbox.method = "landlock";
|
||||
nvme-cli.sandbox.wrapperType = "wrappedDerivation";
|
||||
nvme-cli.sandbox.extraPaths = [
|
||||
"/sys/devices"
|
||||
"/sys/class/nvme"
|
||||
|
@ -751,13 +686,11 @@ in
|
|||
|
||||
# contains only `oathtool`, which i only use for evaluating TOTP codes from CLI/stdin
|
||||
oath-toolkit.sandbox.method = "bwrap";
|
||||
oath-toolkit.sandbox.wrapperType = "wrappedDerivation";
|
||||
|
||||
# settings (electron app)
|
||||
obsidian.persist.byStore.plaintext = [ ".config/obsidian" ];
|
||||
|
||||
parted.sandbox.method = "landlock";
|
||||
parted.sandbox.wrapperType = "wrappedDerivation";
|
||||
parted.sandbox.extraPaths = [
|
||||
"/dev"
|
||||
];
|
||||
|
@ -766,12 +699,10 @@ in
|
|||
patchelf = {};
|
||||
|
||||
pavucontrol.sandbox.method = "bwrap";
|
||||
pavucontrol.sandbox.wrapperType = "wrappedDerivation";
|
||||
pavucontrol.sandbox.whitelistAudio = true;
|
||||
pavucontrol.sandbox.whitelistWayland = true;
|
||||
|
||||
pciutils.sandbox.method = "landlock";
|
||||
pciutils.sandbox.wrapperType = "wrappedDerivation";
|
||||
pciutils.sandbox.extraPaths = [
|
||||
"/sys/bus/pci"
|
||||
"/sys/devices"
|
||||
|
@ -780,7 +711,6 @@ in
|
|||
"perlPackages.FileMimeInfo".sandbox.enable = false; #< TODO: sandbox `mimetype` but not `mimeopen`.
|
||||
|
||||
powertop.sandbox.method = "landlock";
|
||||
powertop.sandbox.wrapperType = "wrappedDerivation";
|
||||
powertop.sandbox.capabilities = [ "ipc_lock" "sys_admin" ];
|
||||
powertop.sandbox.extraPaths = [
|
||||
"/proc"
|
||||
|
@ -790,17 +720,14 @@ in
|
|||
];
|
||||
|
||||
pstree.sandbox.method = "landlock";
|
||||
pstree.sandbox.wrapperType = "wrappedDerivation";
|
||||
pstree.sandbox.extraPaths = [
|
||||
"/proc"
|
||||
];
|
||||
|
||||
pulsemixer.sandbox.method = "landlock";
|
||||
pulsemixer.sandbox.wrapperType = "wrappedDerivation";
|
||||
pulsemixer.sandbox.whitelistAudio = true;
|
||||
|
||||
pwvucontrol.sandbox.method = "bwrap";
|
||||
pwvucontrol.sandbox.wrapperType = "wrappedDerivation";
|
||||
pwvucontrol.sandbox.whitelistAudio = true;
|
||||
pwvucontrol.sandbox.whitelistWayland = true;
|
||||
|
||||
|
@ -808,7 +735,6 @@ in
|
|||
requests
|
||||
]);
|
||||
python3-repl.sandbox.method = "bwrap";
|
||||
python3-repl.sandbox.wrapperType = "wrappedDerivation";
|
||||
python3-repl.sandbox.net = "clearnet";
|
||||
python3-repl.sandbox.extraHomePaths = [
|
||||
"/"
|
||||
|
@ -819,7 +745,6 @@ in
|
|||
qemu.slowToBuild = true;
|
||||
|
||||
rsync.sandbox.method = "bwrap";
|
||||
rsync.sandbox.wrapperType = "wrappedDerivation";
|
||||
rsync.sandbox.net = "clearnet";
|
||||
rsync.sandbox.autodetectCliPaths = "existingOrParent";
|
||||
|
||||
|
@ -828,13 +753,11 @@ in
|
|||
screen.sandbox.enable = false; #< tty; needs to run anything
|
||||
|
||||
sequoia.sandbox.method = "bwrap"; # TODO:sandbox: untested
|
||||
sequoia.sandbox.wrapperType = "wrappedDerivation"; # slow to build
|
||||
sequoia.sandbox.whitelistPwd = true;
|
||||
sequoia.sandbox.autodetectCliPaths = true;
|
||||
|
||||
shattered-pixel-dungeon.persist.byStore.plaintext = [ ".local/share/.shatteredpixel/shattered-pixel-dungeon" ];
|
||||
shattered-pixel-dungeon.sandbox.method = "bwrap";
|
||||
shattered-pixel-dungeon.sandbox.wrapperType = "wrappedDerivation";
|
||||
shattered-pixel-dungeon.sandbox.whitelistAudio = true;
|
||||
shattered-pixel-dungeon.sandbox.whitelistDri = true;
|
||||
shattered-pixel-dungeon.sandbox.whitelistWayland = true;
|
||||
|
@ -851,7 +774,6 @@ in
|
|||
smartmontools.sandbox.capabilities = [ "sys_rawio" ];
|
||||
|
||||
sops.sandbox.method = "bwrap"; # TODO:sandbox: untested
|
||||
sops.sandbox.wrapperType = "wrappedDerivation";
|
||||
sops.sandbox.extraHomePaths = [
|
||||
".config/sops"
|
||||
"dev/nixos"
|
||||
|
@ -861,7 +783,6 @@ in
|
|||
];
|
||||
|
||||
soundconverter.sandbox.method = "bwrap";
|
||||
soundconverter.sandbox.wrapperType = "wrappedDerivation";
|
||||
soundconverter.sandbox.whitelistWayland = true;
|
||||
soundconverter.sandbox.extraHomePaths = [
|
||||
"Music"
|
||||
|
@ -875,19 +796,16 @@ in
|
|||
soundconverter.sandbox.autodetectCliPaths = "existingOrParent";
|
||||
|
||||
sox.sandbox.method = "bwrap";
|
||||
sox.sandbox.wrapperType = "wrappedDerivation";
|
||||
sox.sandbox.autodetectCliPaths = "existingFileOrParent";
|
||||
sox.sandbox.whitelistAudio = true;
|
||||
|
||||
space-cadet-pinball.persist.byStore.plaintext = [ ".local/share/SpaceCadetPinball" ];
|
||||
space-cadet-pinball.sandbox.method = "bwrap";
|
||||
space-cadet-pinball.sandbox.wrapperType = "wrappedDerivation";
|
||||
space-cadet-pinball.sandbox.whitelistAudio = true;
|
||||
space-cadet-pinball.sandbox.whitelistDri = true;
|
||||
space-cadet-pinball.sandbox.whitelistWayland = true;
|
||||
|
||||
speedtest-cli.sandbox.method = "bwrap";
|
||||
speedtest-cli.sandbox.wrapperType = "wrappedDerivation";
|
||||
speedtest-cli.sandbox.net = "all";
|
||||
|
||||
sqlite = {};
|
||||
|
@ -895,7 +813,6 @@ in
|
|||
strace.sandbox.enable = false; #< needs to `exec` its args, and therefore support *anything*
|
||||
|
||||
subversion.sandbox.method = "bwrap";
|
||||
subversion.sandbox.wrapperType = "wrappedDerivation";
|
||||
subversion.sandbox.net = "clearnet";
|
||||
subversion.sandbox.whitelistPwd = true;
|
||||
sudo.sandbox.enable = false;
|
||||
|
@ -908,7 +825,6 @@ in
|
|||
superTux.persist.byStore.plaintext = [ ".local/share/supertux2" ];
|
||||
|
||||
tcpdump.sandbox.method = "landlock";
|
||||
tcpdump.sandbox.wrapperType = "wrappedDerivation";
|
||||
tcpdump.sandbox.net = "all";
|
||||
tcpdump.sandbox.autodetectCliPaths = "existingFileOrParent";
|
||||
tcpdump.sandbox.capabilities = [ "net_admin" "net_raw" ];
|
||||
|
@ -918,12 +834,10 @@ in
|
|||
tokodon.persist.byStore.private = [ ".cache/KDE/tokodon" ];
|
||||
|
||||
tree.sandbox.method = "landlock";
|
||||
tree.sandbox.wrapperType = "wrappedDerivation";
|
||||
tree.sandbox.autodetectCliPaths = true;
|
||||
tree.sandbox.whitelistPwd = true;
|
||||
|
||||
tumiki-fighters.sandbox.method = "bwrap";
|
||||
tumiki-fighters.sandbox.wrapperType = "wrappedDerivation";
|
||||
tumiki-fighters.sandbox.whitelistAudio = true;
|
||||
tumiki-fighters.sandbox.whitelistDri = true; #< not strictly necessary, but triples CPU perf
|
||||
tumiki-fighters.sandbox.whitelistWayland = true;
|
||||
|
@ -932,34 +846,28 @@ in
|
|||
util-linux.sandbox.enable = false; #< TODO: possible to sandbox if i specific a different profile for each of its ~50 binaries
|
||||
|
||||
unzip.sandbox.method = "bwrap";
|
||||
unzip.sandbox.wrapperType = "wrappedDerivation";
|
||||
unzip.sandbox.autodetectCliPaths = "existingOrParent";
|
||||
unzip.sandbox.whitelistPwd = true;
|
||||
|
||||
usbutils.sandbox.method = "bwrap"; # breaks `usbhid-dump`, but `lsusb`, `usb-devices` work
|
||||
usbutils.sandbox.wrapperType = "wrappedDerivation";
|
||||
usbutils.sandbox.extraPaths = [
|
||||
"/sys/devices"
|
||||
"/sys/bus/usb"
|
||||
];
|
||||
|
||||
visidata.sandbox.method = "bwrap"; # TODO:sandbox: untested
|
||||
visidata.sandbox.wrapperType = "wrappedDerivation";
|
||||
visidata.sandbox.autodetectCliPaths = true;
|
||||
|
||||
# `vulkaninfo`, `vkcube`
|
||||
vulkan-tools.sandbox.method = "landlock";
|
||||
vulkan-tools.sandbox.wrapperType = "wrappedDerivation";
|
||||
|
||||
vvvvvv.sandbox.method = "bwrap";
|
||||
vvvvvv.sandbox.wrapperType = "wrappedDerivation";
|
||||
vvvvvv.sandbox.whitelistAudio = true;
|
||||
vvvvvv.sandbox.whitelistDri = true; #< playable without, but burns noticably more CPU
|
||||
vvvvvv.sandbox.whitelistWayland = true;
|
||||
vvvvvv.persist.byStore.plaintext = [ ".local/share/VVVVVV" ];
|
||||
|
||||
w3m.sandbox.method = "bwrap";
|
||||
w3m.sandbox.wrapperType = "wrappedDerivation";
|
||||
w3m.sandbox.net = "all";
|
||||
w3m.sandbox.extraHomePaths = [
|
||||
# little-used feature, but you can save web pages :)
|
||||
|
@ -967,11 +875,9 @@ in
|
|||
];
|
||||
|
||||
wdisplays.sandbox.method = "bwrap";
|
||||
wdisplays.sandbox.wrapperType = "wrappedDerivation";
|
||||
wdisplays.sandbox.whitelistWayland = true;
|
||||
|
||||
wget.sandbox.method = "bwrap";
|
||||
wget.sandbox.wrapperType = "wrappedDerivation";
|
||||
wget.sandbox.net = "all";
|
||||
wget.sandbox.whitelistPwd = true; # saves to pwd by default
|
||||
|
||||
|
@ -979,16 +885,13 @@ in
|
|||
|
||||
# `wg`, `wg-quick`
|
||||
wireguard-tools.sandbox.method = "landlock";
|
||||
wireguard-tools.sandbox.wrapperType = "wrappedDerivation";
|
||||
wireguard-tools.sandbox.capabilities = [ "net_admin" ];
|
||||
|
||||
# provides `iwconfig`, `iwlist`, `iwpriv`, ...
|
||||
wirelesstools.sandbox.method = "landlock";
|
||||
wirelesstools.sandbox.wrapperType = "wrappedDerivation";
|
||||
wirelesstools.sandbox.capabilities = [ "net_admin" ];
|
||||
|
||||
wl-clipboard.sandbox.method = "bwrap";
|
||||
wl-clipboard.sandbox.wrapperType = "wrappedDerivation";
|
||||
wl-clipboard.sandbox.whitelistWayland = true;
|
||||
|
||||
wtype = {};
|
||||
|
@ -1005,7 +908,6 @@ in
|
|||
yarn.persist.byStore.plaintext = [ ".cache/yarn" ];
|
||||
|
||||
yt-dlp.sandbox.method = "bwrap"; # TODO:sandbox: untested
|
||||
yt-dlp.sandbox.wrapperType = "wrappedDerivation";
|
||||
yt-dlp.sandbox.net = "all";
|
||||
yt-dlp.sandbox.whitelistPwd = true; # saves to pwd by default
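Review bot: Once the explicit `sandbox.wrapperType = "wrappedDerivation";` lines are removed from this file (as the commit title describes), how each program is wrapped depends entirely on the option's default, and the declaration that changes that default is not visible in this file section. The entries touched here already used that value, so they should evaluate the same; the programs whose wrapping actually changes are those that never set `wrapperType`, and they appear in no hunk. It would be worth listing those and checking that their desktop entries, D-Bus service files and other launch paths still resolve to the sandbox wrapper rather than the unwrapped package (the `pkgs.rmDbusServices` overrides in this file suggest this has mattered before, though that is inferred from the name). A one-line comment near the top of the file, e.g. `# sandbox.wrapperType defaults to "wrappedDerivation"; set it only to deviate`, would keep that reliance visible. The trailing `# slow to build` notes on the eza, fd, ffmpeg and sequoia lines also disappear with those lines, so keep them as standalone comments if they still apply.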
|
||||
|
||||
|
|
|
@ -10,7 +10,6 @@
|
|||
};
|
||||
|
||||
sandbox.method = "bwrap";
|
||||
sandbox.wrapperType = "wrappedDerivation";
|
||||
sandbox.whitelistAudio = true;
|
||||
sandbox.whitelistWayland = true;
|
||||
sandbox.autodetectCliPaths = true;
|
||||
|
|
|
@ -88,7 +88,6 @@ in
|
|||
{
|
||||
sane.programs.bemenu = {
|
||||
sandbox.method = "bwrap"; # landlock works, but requires *all* of /run/user/$ID to be granted.
|
||||
sandbox.wrapperType = "wrappedDerivation";
|
||||
sandbox.whitelistWayland = true;
|
||||
sandbox.extraHomePaths = [
|
||||
".cache/fontconfig" #< else it complains, and is *way* slower
|
||||
|
|
|
@ -3,7 +3,6 @@
|
|||
{
|
||||
sane.programs.cozy = {
|
||||
sandbox.method = "bwrap"; # landlock gives: _multiprocessing.SemLock: Permission Denied
|
||||
sandbox.wrapperType = "wrappedDerivation";
|
||||
sandbox.whitelistAudio = true;
|
||||
sandbox.whitelistDbus = [ "user" ]; # mpris
|
||||
sandbox.whitelistWayland = true;
|
||||
|
|
|
@ -10,7 +10,6 @@ in
|
|||
{
|
||||
sane.programs.dconf = {
|
||||
sandbox.method = "bwrap";
|
||||
sandbox.wrapperType = "wrappedDerivation";
|
||||
persist.byStore.private = [
|
||||
".config/dconf"
|
||||
];
|
||||
|
|
|
@ -46,7 +46,6 @@ in
|
|||
};
|
||||
|
||||
sandbox.method = "bwrap";
|
||||
sandbox.wrapperType = "wrappedDerivation";
|
||||
sandbox.net = "clearnet";
|
||||
sandbox.whitelistAudio = true;
|
||||
sandbox.whitelistDbus = [ "user" ]; # notifications
|
||||
|
|
|
@ -17,7 +17,6 @@
|
|||
];
|
||||
|
||||
sandbox.method = "bwrap";
|
||||
sandbox.wrapperType = "wrappedDerivation";
|
||||
sandbox.net = "clearnet";
|
||||
sandbox.whitelistAudio = true;
|
||||
sandbox.whitelistDbus = [ "user" ]; # notifications
|
||||
|
|
|
@ -25,7 +25,6 @@ in
|
|||
};
|
||||
|
||||
sandbox.method = "bwrap";
|
||||
sandbox.wrapperType = "wrappedDerivation";
|
||||
sandbox.whitelistDbus = [ "user" ];
|
||||
sandbox.whitelistAudio = true;
|
||||
|
||||
|
|
|
@ -30,7 +30,6 @@ in
|
|||
{
|
||||
sane.programs.fontconfig = {
|
||||
sandbox.method = "bwrap"; # TODO:sandbox: untested
|
||||
sandbox.wrapperType = "wrappedDerivation";
|
||||
sandbox.autodetectCliPaths = "existingOrParent"; #< this might be overkill; or, how many programs reference fontconfig internally?
|
||||
|
||||
persist.byStore.plaintext = [
|
||||
|
|
|
@ -28,7 +28,6 @@ in
|
|||
# packageUnwrapped = pkgs.fractal-next;
|
||||
|
||||
sandbox.method = "bwrap";
|
||||
sandbox.wrapperType = "wrappedDerivation";
|
||||
sandbox.net = "clearnet";
|
||||
sandbox.whitelistAudio = true;
|
||||
sandbox.whitelistDbus = [ "user" ]; # notifications
|
||||
|
|
|
@ -3,7 +3,6 @@
|
|||
{
|
||||
sane.programs.frozen-bubble = {
|
||||
sandbox.method = "bwrap";
|
||||
sandbox.wrapperType = "wrappedDerivation";
|
||||
sandbox.net = "clearnet"; # net play
|
||||
sandbox.whitelistAudio = true;
|
||||
sandbox.whitelistWayland = true;
|
||||
|
|
|
@ -9,7 +9,6 @@
|
|||
{
|
||||
sane.programs.g4music = {
|
||||
sandbox.method = "bwrap";
|
||||
sandbox.wrapperType = "wrappedDerivation";
|
||||
sandbox.whitelistAudio = true;
|
||||
sandbox.whitelistDbus = [ "user" ]; # mpris
|
||||
sandbox.whitelistWayland = true;
|
||||
|
|
|
@ -4,7 +4,6 @@
|
|||
packageUnwrapped = pkgs.linkIntoOwnPackage pkgs.glib "bin/gdbus";
|
||||
|
||||
sandbox.method = "bwrap";
|
||||
sandbox.wrapperType = "wrappedDerivation";
|
||||
sandbox.whitelistDbus = [ "user" ]; #< XXX: maybe future users will also want system access
|
||||
};
|
||||
}
|
||||
|
|
|
@ -20,7 +20,6 @@ in
|
|||
};
|
||||
|
||||
sandbox.method = "bwrap";
|
||||
sandbox.wrapperType = "wrappedDerivation";
|
||||
sandbox.net = "clearnet";
|
||||
sandbox.whitelistDbus = [ "user" ]; # notifications
|
||||
sandbox.whitelistWayland = true;
|
||||
|
|
|
@ -19,7 +19,6 @@ in
|
|||
'';
|
||||
});
|
||||
sandbox.method = "bwrap";
|
||||
sandbox.wrapperType = "wrappedDerivation";
|
||||
sandbox.net = "clearnet";
|
||||
sandbox.whitelistPwd = true;
|
||||
sandbox.autodetectCliPaths = true; # necessary for git-upload-pack
|
||||
|
|
|
@ -6,7 +6,6 @@ in
|
|||
sane.programs.gnome-keyring = {
|
||||
packageUnwrapped = pkgs.rmDbusServices pkgs.gnome.gnome-keyring;
|
||||
sandbox.method = "bwrap";
|
||||
sandbox.wrapperType = "wrappedDerivation";
|
||||
sandbox.whitelistDbus = [ "user" ];
|
||||
sandbox.extraRuntimePaths = [
|
||||
"keyring/control"
|
||||
|
|
|
@ -3,7 +3,6 @@
|
|||
sane.programs."gnome.gnome-maps" = {
|
||||
packageUnwrapped = pkgs.rmDbusServices pkgs.gnome.gnome-maps;
|
||||
sandbox.method = "bwrap";
|
||||
sandbox.wrapperType = "wrappedDerivation";
|
||||
sandbox.whitelistDri = true; # for perf
|
||||
sandbox.whitelistDbus = [
|
||||
"system" # system is required for non-portal location services
|
||||
|
|
|
@ -34,7 +34,6 @@ in
|
|||
{
|
||||
sane.programs.go2tv = {
|
||||
sandbox.method = "bwrap";
|
||||
sandbox.wrapperType = "wrappedDerivation";
|
||||
sandbox.net = "clearnet";
|
||||
sandbox.autodetectCliPaths = true;
|
||||
# for GUI invocation, allow the common media directories
|
||||
|
|
|
@ -23,7 +23,6 @@ in {
|
|||
});
|
||||
|
||||
sandbox.method = "bwrap";
|
||||
sandbox.wrapperType = "wrappedDerivation";
|
||||
sandbox.whitelistDbus = [ "user" ]; # it won't launch without it, dunno exactly why.
|
||||
sandbox.whitelistWayland = true;
|
||||
sandbox.net = "clearnet";
|
||||
|
|
|
@ -15,7 +15,6 @@
|
|||
"wl-clipboard"
|
||||
];
|
||||
sandbox.method = "bwrap";
|
||||
sandbox.wrapperType = "wrappedDerivation";
|
||||
sandbox.whitelistWayland = true;
|
||||
sandbox.whitelistDbus = [ "user" ];
|
||||
sandbox.autodetectCliPaths = "existingFileOrParent";
|
||||
|
|
|
@ -32,7 +32,6 @@ in
|
|||
'';
|
||||
});
|
||||
sandbox.method = "bwrap";
|
||||
sandbox.wrapperType = "wrappedDerivation";
|
||||
sandbox.net = "clearnet";
|
||||
sandbox.whitelistAudio = true;
|
||||
sandbox.whitelistDbus = [ "user" ]; # notifications
|
||||
|
|
|
@ -2,7 +2,6 @@
|
|||
{
|
||||
sane.programs.handbrake = {
|
||||
sandbox.method = "landlock"; #< also supports bwrap, but landlock ensures we don't write to non-mounted tmpfs dir
|
||||
sandbox.wrapperType = "wrappedDerivation";
|
||||
sandbox.whitelistDbus = [ "user" ]; # notifications
|
||||
sandbox.whitelistWayland = true;
|
||||
sandbox.extraHomePaths = [
|
||||
|
|
|
@ -2,7 +2,6 @@
|
|||
{
|
||||
sane.programs.kdenlive = {
|
||||
sandbox.method = "bwrap";
|
||||
sandbox.wrapperType = "wrappedDerivation";
|
||||
sandbox.extraHomePaths = [
|
||||
"Music"
|
||||
"Pictures/from" # e.g. Videos taken from my phone
|
||||
|
|
|
@ -11,7 +11,6 @@
|
|||
});
|
||||
|
||||
sandbox.method = "bwrap"; # TODO:sandbox untested
|
||||
sandbox.wrapperType = "wrappedDerivation";
|
||||
sandbox.net = "clearnet";
|
||||
sandbox.whitelistDbus = [ "user" ]; # needs to connect to dconf via dbus
|
||||
sandbox.whitelistDri = true; #< required
|
||||
|
|
|
@ -46,7 +46,6 @@ in {
|
|||
sane.programs.koreader = {
|
||||
packageUnwrapped = pkgs.koreader-from-src;
|
||||
sandbox.method = "bwrap"; # sandboxes fine under landlock too, except for FTP
|
||||
sandbox.wrapperType = "wrappedDerivation";
|
||||
sandbox.net = "clearnet";
|
||||
sandbox.whitelistDri = true; # reduces startup time and subjective page flip time
|
||||
sandbox.whitelistWayland = true;
|
||||
|
|
|
@ -2,7 +2,6 @@
|
|||
{
|
||||
sane.programs.lemoa = {
|
||||
sandbox.method = "bwrap";
|
||||
sandbox.wrapperType = "wrappedDerivation";
|
||||
sandbox.net = "clearnet";
|
||||
sandbox.whitelistDbus = [ "user" ]; # for clicking links
|
||||
sandbox.whitelistDri = true;
|
||||
|
|
|
@ -12,7 +12,6 @@
|
|||
}));
|
||||
|
||||
sandbox.method = "bwrap";
|
||||
sandbox.wrapperType = "wrappedDerivation";
|
||||
sandbox.whitelistWayland = true;
|
||||
sandbox.autodetectCliPaths = "parent";
|
||||
sandbox.extraHomePaths = [
|
||||
|
|
|
@ -10,7 +10,6 @@
|
|||
# bwrap (loupe image viewer) doesn't like to run inside landlock
|
||||
# "bwrap: failed to make / slave: Operation not permitted"
|
||||
sandbox.method = "bwrap"; # supports landlock or bwrap
|
||||
sandbox.wrapperType = "wrappedDerivation";
|
||||
sandbox.whitelistDri = true;
|
||||
sandbox.whitelistWayland = true;
|
||||
sandbox.whitelistDbus = [ "user" ]; #< so that it can in theory open the image viewer using fdo portal... but it doesn't :|
|
||||
|
|
|
@ -5,7 +5,6 @@
|
|||
{
|
||||
sane.programs.mepo = {
|
||||
sandbox.method = "bwrap";
|
||||
sandbox.wrapperType = "wrappedDerivation";
|
||||
sandbox.net = "all"; # for tiles *and* for localhost comm to gpsd
|
||||
sandbox.whitelistDri = true;
|
||||
sandbox.whitelistWayland = true;
|
||||
|
|
|
@ -11,7 +11,6 @@
|
|||
}));
|
||||
|
||||
sandbox.method = "bwrap";
|
||||
sandbox.wrapperType = "wrappedDerivation";
|
||||
sandbox.whitelistDbus = [ "user" ]; # for portals launching apps
|
||||
sandbox.whitelistWayland = true;
|
||||
sandbox.extraHomePaths = [
|
||||
|
|
|
@ -88,7 +88,6 @@ in
|
|||
{
|
||||
sane.programs.neovim = {
|
||||
sandbox.method = "bwrap";
|
||||
sandbox.wrapperType = "wrappedDerivation";
|
||||
sandbox.autodetectCliPaths = "existingOrParent";
|
||||
sandbox.whitelistWayland = true; # for system clipboard integration
|
||||
# sandbox.whitelistPwd = true;
|
||||
|
|
|
@ -11,7 +11,6 @@
|
|||
});
|
||||
|
||||
sandbox.method = "firejail";
|
||||
sandbox.wrapperType = "wrappedDerivation";
|
||||
sandbox.whitelistWayland = true;
|
||||
sandbox.net = "vpn";
|
||||
|
||||
|
|
|
@ -3,7 +3,6 @@
|
|||
# provides `nix-locate`, backed by the manually run `nix-index`
|
||||
sane.programs.nix-index = {
|
||||
sandbox.method = "bwrap";
|
||||
sandbox.wrapperType = "wrappedDerivation";
|
||||
sandbox.net = "clearnet";
|
||||
sandbox.extraPaths = [
|
||||
"/nix"
|
||||
|
|
|
@ -2,7 +2,6 @@
|
|||
{
|
||||
sane.programs.notejot = {
|
||||
sandbox.method = "bwrap";
|
||||
sandbox.wrapperType = "wrappedDerivation";
|
||||
sandbox.whitelistWayland = true;
|
||||
suggestedPrograms = [ "dconf" ]; #< else it can't persist notes
|
||||
|
||||
|
|
|
@ -21,7 +21,6 @@ in
|
|||
};
|
||||
|
||||
sandbox.method = "bwrap";
|
||||
sandbox.wrapperType = "wrappedDerivation";
|
||||
sandbox.net = "clearnet";
|
||||
|
||||
secrets.".config/ntfy-sh/topic" = ../../../secrets/common/ntfy-sh-topic.bin;
|
||||
|
|
|
@ -3,7 +3,6 @@
|
|||
{
|
||||
sane.programs.open-in-mpv = {
|
||||
sandbox.method = "bwrap";
|
||||
sandbox.wrapperType = "wrappedDerivation";
|
||||
sandbox.whitelistDbus = [ "user" ]; # for xdg-open/portals
|
||||
|
||||
# taken from <https://github.com/Baldomo/open-in-mpv>
|
||||
|
|
|
@ -2,7 +2,6 @@
|
|||
{
|
||||
sane.programs.planify = {
|
||||
sandbox.method = "bwrap";
|
||||
sandbox.wrapperType = "wrappedDerivation";
|
||||
sandbox.whitelistDbus = [ "user" ]; # for dconf? else it can't persist any tasks/notes
|
||||
sandbox.whitelistWayland = true;
|
||||
|
||||
|
|
|
@ -3,7 +3,6 @@
|
|||
sane.programs.portfolio-filemanager = {
|
||||
# this is all taken pretty directly from nautilus config
|
||||
sandbox.method = "bwrap";
|
||||
sandbox.wrapperType = "wrappedDerivation";
|
||||
sandbox.whitelistDbus = [ "user" ]; # for portals launching apps
|
||||
sandbox.whitelistWayland = true;
|
||||
sandbox.extraHomePaths = [
|
||||
|
|
|
@ -2,7 +2,6 @@
|
|||
{
|
||||
sane.programs.ripgrep = {
|
||||
sandbox.method = "bwrap";
|
||||
sandbox.wrapperType = "wrappedDerivation";
|
||||
sandbox.autodetectCliPaths = true;
|
||||
sandbox.whitelistPwd = true;
|
||||
sandbox.extraHomePaths = [
|
||||
|
|
|
@ -63,7 +63,6 @@ in
|
|||
];
|
||||
|
||||
sandbox.method = "bwrap";
|
||||
sandbox.wrapperType = "wrappedDerivation";
|
||||
sandbox.whitelistDbus = [ "user" ]; #< to launch apps via the portal
|
||||
sandbox.whitelistWayland = true;
|
||||
sandbox.extraHomePaths = [
|
||||
|
@ -118,7 +117,6 @@ in
|
|||
};
|
||||
# if i could remove the sed, then maybe possible to not sandbox.
|
||||
sandbox.method = "bwrap";
|
||||
sandbox.wrapperType = "wrappedDerivation";
|
||||
sandbox.whitelistWayland = true;
|
||||
sandbox.extraHomePaths = [
|
||||
".cache/rofi"
|
||||
|
|
|
@ -54,7 +54,6 @@ in
|
|||
|
||||
"sane-scripts.bt-add".sandbox = {
|
||||
method = "bwrap";
|
||||
wrapperType = "wrappedDerivation";
|
||||
net = "clearnet";
|
||||
# TODO: migrate `transmission_passwd` to `secrets` api
|
||||
extraPaths = [ "/run/secrets/transmission_passwd" ];
|
||||
|
@ -62,7 +61,6 @@ in
|
|||
|
||||
"sane-scripts.bt-rm".sandbox = {
|
||||
method = "bwrap";
|
||||
wrapperType = "wrappedDerivation";
|
||||
net = "clearnet";
|
||||
# TODO: migrate `transmission_passwd` to `secrets` api
|
||||
extraPaths = [ "/run/secrets/transmission_passwd" ];
|
||||
|
@ -70,7 +68,6 @@ in
|
|||
|
||||
"sane-scripts.bt-search".sandbox = {
|
||||
method = "bwrap";
|
||||
wrapperType = "wrappedDerivation";
|
||||
net = "clearnet";
|
||||
# TODO: migrate `jackett_apikey` to `secrets` api
|
||||
extraPaths = [ "/run/secrets/jackett_apikey" ];
|
||||
|
@ -78,7 +75,6 @@ in
|
|||
|
||||
"sane-scripts.bt-show".sandbox = {
|
||||
method = "bwrap";
|
||||
wrapperType = "wrappedDerivation";
|
||||
net = "clearnet";
|
||||
# TODO: migrate `transmission_passwd` to `secrets` api
|
||||
extraPaths = [ "/run/secrets/transmission_passwd" ];
|
||||
|
@ -90,13 +86,11 @@ in
|
|||
|
||||
"sane-scripts.deadlines".sandbox = {
|
||||
method = "bwrap";
|
||||
wrapperType = "wrappedDerivation";
|
||||
extraHomePaths = [ "knowledge/planner/deadlines.tsv" ];
|
||||
};
|
||||
|
||||
"sane-scripts.dev-cargo-loop".sandbox = {
|
||||
method = "bwrap";
|
||||
wrapperType = "wrappedDerivation";
|
||||
net = "clearnet";
|
||||
whitelistPwd = true;
|
||||
extraPaths = [
|
||||
|
@ -110,7 +104,6 @@ in
|
|||
|
||||
"sane-scripts.find-dotfiles".sandbox = {
|
||||
method = "bwrap";
|
||||
wrapperType = "wrappedDerivation";
|
||||
extraHomePaths = [
|
||||
"/"
|
||||
".persist/ephemeral"
|
||||
|
@ -120,7 +113,6 @@ in
|
|||
|
||||
"sane-scripts.ip-check".sandbox = {
|
||||
method = "landlock";
|
||||
wrapperType = "wrappedDerivation";
|
||||
net = "all";
|
||||
};
|
||||
|
||||
|
@ -128,7 +120,6 @@ in
|
|||
|
||||
"sane-scripts.private-change-passwd".sandbox = {
|
||||
method = "bwrap";
|
||||
wrapperType = "wrappedDerivation";
|
||||
autodetectCliPaths = "existing"; #< for the new `private` location
|
||||
capabilities = [ "sys_admin" ]; # it needs to mount the new store
|
||||
extraHomePaths = [
|
||||
|
@ -140,7 +131,6 @@ in
|
|||
# instead, we put ourselves in a mount namespace, do the mount, and drop into a shell or run a command.
|
||||
# this actually has an OK side effect, that the mount isn't shared, and so we avoid contention/interleaving that would cause the ending `umount` to fail.
|
||||
method = "bwrap";
|
||||
wrapperType = "wrappedDerivation";
|
||||
# cap_sys_admin is needed to mount stuff.
|
||||
# ordinarily /run/wrappers/bin/mount would do that via setuid, but sandboxes have no_new_privs by default.
|
||||
capabilities = [ "sys_admin" ];
|
||||
|
@ -151,7 +141,6 @@ in
|
|||
};
|
||||
"sane-scripts.private-init".sandbox = {
|
||||
method = "bwrap";
|
||||
wrapperType = "wrappedDerivation";
|
||||
capabilities = [ "sys_admin" ]; # it needs to mount the new store
|
||||
extraHomePaths = [
|
||||
".persist/private"
|
||||
|
@ -162,7 +151,6 @@ in
|
|||
|
||||
"sane-scripts.reclaim-boot-space".sandbox = {
|
||||
method = "bwrap";
|
||||
wrapperType = "wrappedDerivation";
|
||||
extraPaths = [ "/boot" ];
|
||||
};
|
||||
|
||||
|
@ -173,7 +161,6 @@ in
|
|||
|
||||
"sane-scripts.reboot".sandbox = {
|
||||
method = "bwrap";
|
||||
wrapperType = "wrappedDerivation";
|
||||
extraPaths = [
|
||||
"/run/dbus"
|
||||
"/run/systemd"
|
||||
|
@ -182,13 +169,11 @@ in
|
|||
|
||||
"sane-scripts.reclaim-disk-space".sandbox = {
|
||||
method = "bwrap";
|
||||
wrapperType = "wrappedDerivation";
|
||||
extraPaths = [ "/nix/var/nix" ];
|
||||
};
|
||||
|
||||
"sane-scripts.secrets-unlock".sandbox = {
|
||||
method = "bwrap";
|
||||
wrapperType = "wrappedDerivation";
|
||||
extraHomePaths = [
|
||||
".ssh/id_ed25519"
|
||||
".ssh/id_ed25519.pub"
|
||||
|
@ -214,7 +199,6 @@ in
|
|||
|
||||
"sane-scripts.shutdown".sandbox = {
|
||||
method = "bwrap";
|
||||
wrapperType = "wrappedDerivation";
|
||||
extraPaths = [
|
||||
"/run/dbus"
|
||||
"/run/systemd"
|
||||
|
@ -231,7 +215,6 @@ in
|
|||
|
||||
"sane-scripts.tag-music".sandbox = {
|
||||
method = "bwrap";
|
||||
wrapperType = "wrappedDerivation";
|
||||
autodetectCliPaths = "existing";
|
||||
};
|
||||
|
||||
|
@ -256,7 +239,6 @@ in
|
|||
(builtins.attrNames config.sane.vpn);
|
||||
"sane-scripts.vpn".sandbox = {
|
||||
method = "landlock"; #< bwrap can't handle `ip link` stuff even with cap_net_admin
|
||||
wrapperType = "wrappedDerivation";
|
||||
net = "all";
|
||||
capabilities = [ "net_admin" ];
|
||||
extraHomePaths = [ ".config/sane-vpn" ];
|
||||
|
@ -264,7 +246,6 @@ in
|
|||
|
||||
"sane-scripts.which".sandbox = {
|
||||
method = "bwrap";
|
||||
wrapperType = "wrappedDerivation";
|
||||
extraHomePaths = [
|
||||
# for SXMO
|
||||
".config/sxmo/hooks"
|
||||
|
@ -273,7 +254,6 @@ in
|
|||
|
||||
"sane-scripts.wipe".sandbox = {
|
||||
method = "bwrap";
|
||||
wrapperType = "wrappedDerivation";
|
||||
whitelistDbus = [ "user" ]; #< for `secret-tool` and `systemd --user stop <service>
|
||||
extraHomePaths = [
|
||||
# could be more specific, but at a maintenance cost.
|
||||
|
|
|
@ -17,7 +17,6 @@ let
|
|||
in {
|
||||
sane.programs.sfeed = {
|
||||
sandbox.method = "bwrap";
|
||||
sandbox.wrapperType = "wrappedDerivation";
|
||||
sandbox.net = "clearnet";
|
||||
|
||||
fs.".sfeed/sfeedrc".symlink.text = ''
|
||||
|
|
|
@ -23,7 +23,6 @@ in
|
|||
|
||||
packageUnwrapped = pkgs.signal-desktop-from-src;
|
||||
sandbox.method = "bwrap";
|
||||
sandbox.wrapperType = "wrappedDerivation";
|
||||
sandbox.net = "clearnet";
|
||||
sandbox.whitelistAudio = true;
|
||||
sandbox.whitelistWayland = true;
|
||||
|
|
|
@ -6,7 +6,6 @@
|
|||
{
|
||||
sane.programs.splatmoji = {
|
||||
sandbox.method = "bwrap";
|
||||
sandbox.wrapperType = "wrappedDerivation";
|
||||
sandbox.whitelistWayland = true; # it calls into a dmenu helper
|
||||
sandbox.extraHomePaths = [
|
||||
".cache/rofi"
|
||||
|
|
|
@ -2,7 +2,6 @@
|
|||
{
|
||||
sane.programs.spot = {
|
||||
sandbox.method = "bwrap";
|
||||
sandbox.wrapperType = "wrappedDerivation";
|
||||
sandbox.net = "clearnet";
|
||||
sandbox.whitelistAudio = true;
|
||||
sandbox.whitelistDbus = [ "user" ]; # mpris
|
||||
|
|
|
@ -2,7 +2,6 @@
|
|||
{
|
||||
sane.programs.superTuxKart = {
|
||||
sandbox.method = "bwrap";
|
||||
sandbox.wrapperType = "wrappedDerivation";
|
||||
sandbox.net = "clearnet"; # net play
|
||||
sandbox.whitelistAudio = true;
|
||||
sandbox.whitelistDri = true;
|
||||
|
|
|
@ -5,7 +5,6 @@ in
|
|||
{
|
||||
sane.programs.swaylock = {
|
||||
sandbox.method = "bwrap";
|
||||
sandbox.wrapperType = "wrappedDerivation";
|
||||
sandbox.extraPaths = [
|
||||
# N.B.: we need to be able to follow /etc/shadow to wherever it's symlinked.
|
||||
# swaylock seems (?) to offload password checking to pam's `unix_chkpwd`,
|
||||
|
|
|
@ -141,7 +141,6 @@ in
|
|||
}));
|
||||
|
||||
sandbox.method = "bwrap";
|
||||
sandbox.wrapperType = "wrappedDerivation";
|
||||
sandbox.whitelistAudio = true;
|
||||
sandbox.whitelistDbus = [
|
||||
"user" # mpris; portal
|
||||
|
|
|
@ -30,7 +30,6 @@ in
|
|||
slowToBuild = true; # only true for cross-compiled tangram
|
||||
|
||||
sandbox.method = "bwrap";
|
||||
sandbox.wrapperType = "wrappedDerivation";
|
||||
sandbox.net = "clearnet";
|
||||
sandbox.whitelistAudio = true;
|
||||
sandbox.whitelistDri = true;
|
||||
|
|
|
@ -2,7 +2,6 @@
|
|||
{
|
||||
sane.programs.tuba = {
|
||||
sandbox.method = "bwrap";
|
||||
sandbox.wrapperType = "wrappedDerivation";
|
||||
sandbox.net = "clearnet";
|
||||
sandbox.whitelistAudio = true;
|
||||
sandbox.whitelistDbus = [ "user" ]; # notifications
|
||||
|
|
|
@ -132,7 +132,6 @@ in
|
|||
# N.B.: this sandboxing applies to `unl0kr` itself -- the on-screen-keyboard;
|
||||
# NOT to the wrapper which invokes `login`.
|
||||
sandbox.method = "bwrap";
|
||||
sandbox.wrapperType = "wrappedDerivation";
|
||||
sandbox.whitelistDri = true;
|
||||
sandbox.extraPaths = [
|
||||
"/dev/fb0"
|
||||
|
|
|
@ -15,7 +15,6 @@ in
|
|||
samba = null;
|
||||
};
|
||||
sandbox.method = "bwrap";
|
||||
sandbox.wrapperType = "wrappedDerivation";
|
||||
sandbox.net = "clearnet";
|
||||
sandbox.autodetectCliPaths = true;
|
||||
sandbox.whitelistAudio = true;
|
||||
|
|
|
@ -57,7 +57,6 @@ in
|
|||
};
|
||||
|
||||
sandbox.method = "bwrap";
|
||||
sandbox.wrapperType = "wrappedDerivation";
|
||||
sandbox.net = "all"; #< to show net connection status and BW
|
||||
sandbox.whitelistDbus = [
|
||||
"user" #< for playerctl/media
|
||||
|
|
|
@ -7,7 +7,6 @@ in
|
|||
{
|
||||
sane.programs.waylock = {
|
||||
sandbox.method = "bwrap";
|
||||
sandbox.wrapperType = "wrappedDerivation";
|
||||
sandbox.extraPaths = [
|
||||
# N.B.: we need to be able to follow /etc/shadow to wherever it's symlinked.
|
||||
# waylock seems (?) to offload password checking to pam's `unix_chkpwd`,
|
||||
|
|
|
@ -5,7 +5,6 @@ in
|
|||
{
|
||||
sane.programs.wireplumber = {
|
||||
sandbox.method = "bwrap";
|
||||
sandbox.wrapperType = "wrappedDerivation";
|
||||
sandbox.whitelistDbus = [
|
||||
# i think this isn't strictly necessary; it just wants to ask the portal for realtime perms
|
||||
# "system"
|
||||
|
|
|
@ -5,7 +5,6 @@ in
|
|||
{
|
||||
sane.programs.wireshark = {
|
||||
sandbox.method = "landlock";
|
||||
sandbox.wrapperType = "wrappedDerivation";
|
||||
sandbox.whitelistWayland = true;
|
||||
sandbox.net = "all";
|
||||
sandbox.capabilities = [ "net_admin" "net_raw" ];
|
||||
|
|
|
@ -32,7 +32,6 @@ in
|
|||
};
|
||||
|
||||
sandbox.method = "bwrap";
|
||||
sandbox.wrapperType = "wrappedDerivation";
|
||||
sandbox.whitelistWayland = true;
|
||||
|
||||
fs.".config/wob/wob.ini".symlink.text = ''
|
||||
|
|
|
@ -7,7 +7,6 @@
|
|||
};
|
||||
|
||||
sandbox.method = "bwrap";
|
||||
sandbox.wrapperType = "wrappedDerivation";
|
||||
sandbox.whitelistWayland = true;
|
||||
sandbox.extraHomePaths = [
|
||||
"archive"
|
||||
|
|
|
@ -8,7 +8,6 @@ in
|
|||
packageUnwrapped = pkgs.rmDbusServicesInPlace pkgs.xdg-desktop-portal-gtk;
|
||||
|
||||
sandbox.method = "bwrap";
|
||||
sandbox.wrapperType = "wrappedDerivation";
|
||||
sandbox.whitelistDbus = [ "user" ]; # speak to main xdg-desktop-portal
|
||||
sandbox.whitelistWayland = true;
|
||||
sandbox.extraHomePaths = [
|
||||
|
|
|
@ -8,7 +8,6 @@ in
|
|||
packageUnwrapped = pkgs.rmDbusServicesInPlace pkgs.xdg-desktop-portal-wlr;
|
||||
|
||||
sandbox.method = "bwrap"; # TODO:sandbox: untested
|
||||
sandbox.wrapperType = "wrappedDerivation";
|
||||
sandbox.whitelistDbus = [ "user" ]; # speak to main xdg-desktop-portal
|
||||
sandbox.whitelistWayland = true;
|
||||
|
||||
|
|
|
@ -316,7 +316,7 @@ let
|
|||
};
|
||||
sandbox.wrapperType = mkOption {
|
||||
type = types.enum [ "inplace" "wrappedDerivation" ];
|
||||
default = "inplace";
|
||||
default = "wrappedDerivation";
|
||||
description = ''
|
||||
how to manipulate the `packageUnwrapped` derivation in order to achieve sandboxing.
|
||||
- inplace: applies an override to `packageUnwrapped`, so that all `bin/` files are sandboxed,
|
||||
|
@ -327,7 +327,6 @@ let
|
|||
"inplace" is more reliable, but "wrappedDerivation" is more lightweight (doesn't force any rebuilds).
|
||||
the biggest gap in "wrappedDerivation" is that it doesn't link anything outside `bin/`, except for
|
||||
some limited (verified safe) support for `share/applications/*.desktop`
|
||||
"wrappedDerivation" is mostly good for prototyping.
|
||||
'';
|
||||
};
|
||||
sandbox.autodetectCliPaths = mkOption {
|
||||
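Review bot: The new `default = "wrappedDerivation";` in the first hunk also switches every program that never set `sandbox.wrapperType` and was relying on the old implicit "inplace", and nothing visible in this part of the commit pins those programs back. The option's description still says "inplace" is more reliable and that "wrappedDerivation" links nothing outside `bin/` except limited `share/applications/*.desktop` support. A package that ships service files or helper binaries outside `bin/` may therefore lose them, and anything that still points at `packageUnwrapped` directly would presumably run outside the sandbox. I would audit the programs that have a `sandbox.method` but no explicit wrapper type and give those that need it `sandbox.wrapperType = "inplace";`. The description should also say when to opt out, e.g. `use "inplace" when files outside bin/ must be sandboxed too; "wrappedDerivation" only wraps bin/ and .desktop entries.`; the `mkOption` body starts and ends outside these hunks.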
|
|