sane-sandboxed: implement --sane-sandbox-no-portal flag

Colin 2024-03-13 04:38:36 +00:00
parent 430592632c
commit 4510352c07


@ -72,7 +72,7 @@ net=
# list of IP addresses to use for DNS servers inside the sandbox (firejail only) # list of IP addresses to use for DNS servers inside the sandbox (firejail only)
dns=() dns=()
# list of `VAR=VALUE` environment variables to add to the sandboxed program's environment # list of `VAR=VALUE` environment variables to add to the sandboxed program's environment
extraEnv=() portalEnv=()
# profilesNamed: list of profile names we've successfully loaded # profilesNamed: list of profile names we've successfully loaded
profilesNamed=() profilesNamed=()
@ -106,6 +106,8 @@ usage() {
echo ' allow the sandboxed program to use the provided linux capability (both inside and outside the sandbox)' echo ' allow the sandboxed program to use the provided linux capability (both inside and outside the sandbox)'
echo ' --sane-sandbox-portal' echo ' --sane-sandbox-portal'
echo ' set environment variables so that the sandboxed program will attempt to use xdg-desktop-portal for operations like opening files' echo ' set environment variables so that the sandboxed program will attempt to use xdg-desktop-portal for operations like opening files'
echo ' --sane-sandbox-no-portal'
echo ' undo a previous `--sane-sandbox-portal` arg'
echo ' --sane-sandbox-dns <server>' echo ' --sane-sandbox-dns <server>'
echo ' --sane-sandbox-firejail-arg <arg>' echo ' --sane-sandbox-firejail-arg <arg>'
echo ' --sane-sandbox-bwrap-arg <arg>' echo ' --sane-sandbox-bwrap-arg <arg>'
@ -391,7 +393,11 @@ parseArgs() {
# note that GIO_USE_PORTALS primarily acts as a *fallback*: apps only open files via the portal if they don't know how to themelves. # note that GIO_USE_PORTALS primarily acts as a *fallback*: apps only open files via the portal if they don't know how to themelves.
# this switch is typically accompanied by removing all MIME associations from the app's view, then. # this switch is typically accompanied by removing all MIME associations from the app's view, then.
# GTK_USE_PORTALS is the old name, beginning to be phased out as of 2023-10-02 # GTK_USE_PORTALS is the old name, beginning to be phased out as of 2023-10-02
extraEnv+=("GIO_USE_PORTALS=1" "GTK_USE_PORTAL=1" "NIXOS_XDG_OPEN_USE_PORTAL=1") portalEnv=("GIO_USE_PORTALS=1" "GTK_USE_PORTAL=1" "NIXOS_XDG_OPEN_USE_PORTAL=1")
;;
(--sane-sandbox-no-portal)
# override a previous --sane-sandbox-portal call
portalEnv=()
;; ;;
(--sane-sandbox-dns) (--sane-sandbox-dns)
# N.B.: these named temporary variables ensure that "set -x" causes $1 to be printed # N.B.: these named temporary variables ensure that "set -x" causes $1 to be printed
@ -500,7 +506,7 @@ firejailGetCli() {
locate _firejail "firejail" "@firejail@/bin/firejail" locate _firejail "firejail" "@firejail@/bin/firejail"
cliArgs=( cliArgs=(
"$_firejail" "${firejailFlags[@]}" -- "$_firejail" "${firejailFlags[@]}" --
env "${extraEnv[@]}" "${cliArgs[@]}" env "${portalEnv[@]}" "${cliArgs[@]}"
) )
} }
@ -592,7 +598,7 @@ bwrapGetCli() {
"${bwrapUnshareUser[@]}" "${bwrapUnshareUts[@]}" "${bwrapUnshareUser[@]}" "${bwrapUnshareUts[@]}"
"${bwrapVirtualizeDev[@]}" "${bwrapVirtualizeProc[@]}" "${bwrapVirtualizeTmp[@]}" "${bwrapVirtualizeDev[@]}" "${bwrapVirtualizeProc[@]}" "${bwrapVirtualizeTmp[@]}"
"${bwrapFlags[@]}" -- "${bwrapFlags[@]}" --
env "${extraEnv[@]}" "${cliArgs[@]}" env "${portalEnv[@]}" "${cliArgs[@]}"
) )
} }
@ -660,7 +666,7 @@ landlockGetCli() {
locate _capsh "capsh" "@libcap@/bin/capsh" locate _capsh "capsh" "@libcap@/bin/capsh"
cliArgs=(env LL_FS_RO= LL_FS_RW="$landlockPaths" cliArgs=(env LL_FS_RO= LL_FS_RW="$landlockPaths"
"$_sandboxer" "$_sandboxer"
"$_capsh" "--caps=$capshCapsArg" --no-new-privs --shell="/usr/bin/env" -- "${extraEnv[@]}" "${cliArgs[@]}" "$_capsh" "--caps=$capshCapsArg" --no-new-privs --shell="/usr/bin/env" -- "${portalEnv[@]}" "${cliArgs[@]}"
) )
} }
@ -710,7 +716,7 @@ capshonlyIngestCapability() {
capshonlyGetCli() { capshonlyGetCli() {
locate _capsh "capsh" "@libcap@/bin/capsh" locate _capsh "capsh" "@libcap@/bin/capsh"
cliArgs=( cliArgs=(
"$_capsh" "--caps=$capshCapsArg" --no-new-privs --shell="/usr/bin/env" -- "${extraEnv[@]}" "${cliArgs[@]}" "$_capsh" "--caps=$capshCapsArg" --no-new-privs --shell="/usr/bin/env" -- "${portalEnv[@]}" "${cliArgs[@]}"
) )
} }
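Review bot: The comment above the renamed `portalEnv=()` declaration in the first hunk still describes a generic "list of `VAR=VALUE` environment variables to add to the sandboxed program's environment", but after this change the array is only ever populated by `--sane-sandbox-portal` and emptied by `--sane-sandbox-no-portal`, so the comment overstates what it holds; I would replace it with `# portalEnv: VAR=VALUE entries that steer the sandboxed program toward xdg-desktop-portal; set by --sane-sandbox-portal, cleared by --sane-sandbox-no-portal (last flag wins)`. The switch from `extraEnv+=(...)` to `portalEnv=(...)` in the parseArgs hunk also means a repeated `--sane-sandbox-portal` no longer duplicates the three entries, which is worth a one-line comment there since it is a behavior change the rename hides. If any reference to `extraEnv` survives outside the hunks shown here, it now expands an undeclared array and would silently pass no variables to `env`; I cannot confirm from this page whether such a reference exists. parseArgs and each of the *GetCli functions begin or end outside their hunks.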