programs: introduce and use "autodetectCliPaths" nix config
parent
b29b8bdec7
commit
4d7414c941
|
@ -10,12 +10,12 @@
|
|||
};
|
||||
|
||||
sandbox.method = "bwrap";
|
||||
sandbox.extraConfig = [
|
||||
"--sane-sandbox-autodetect"
|
||||
];
|
||||
sandbox.autodetectCliPaths = true;
|
||||
sandbox.extraHomePaths = [
|
||||
# support media imports via file->open dir to some common media directories
|
||||
fs."tmp" = {};
|
||||
fs."Music" = {};
|
||||
"tmp"
|
||||
"Music"
|
||||
];
|
||||
|
||||
# disable first-run splash screen
|
||||
fs.".config/audacity/audacity.cfg".file.text = ''
|
||||
|
|
|
@ -2,9 +2,7 @@
|
|||
{
|
||||
sane.programs.evince = {
|
||||
sandbox.method = "bwrap";
|
||||
sandbox.extraConfig = [
|
||||
"--sane-sandbox-autodetect"
|
||||
];
|
||||
sandbox.autodetectCliPaths = true;
|
||||
mime.associations."application/pdf" = "org.gnome.Evince.desktop";
|
||||
};
|
||||
}
|
||||
|
|
|
@ -34,9 +34,7 @@ in
|
|||
{
|
||||
sane.programs.go2tv = {
|
||||
sandbox.method = "bwrap";
|
||||
sandbox.extraConfig = [
|
||||
"--sane-sandbox-autodetect"
|
||||
];
|
||||
sandbox.autodetectCliPaths = true;
|
||||
# for GUI invocation, allow the common media directories
|
||||
sandbox.extraHomePaths = [
|
||||
"Music"
|
||||
|
|
|
@ -7,9 +7,7 @@
|
|||
# packageUnwrapped = pkgs.libreoffice-still;
|
||||
packageUnwrapped = pkgs.libreoffice-fresh;
|
||||
sandbox.method = "bwrap";
|
||||
sandbox.extraConfig = [
|
||||
"--sane-sandbox-autodetect"
|
||||
];
|
||||
sandbox.autodetectCliPaths = true;
|
||||
sandbox.extraHomePaths = [
|
||||
# allow a spot to save files.
|
||||
# with bwrap sandboxing, saving to e.g. ~/ succeeds but the data is inaccessible outside the sandbox,
|
||||
|
|
|
@ -63,9 +63,7 @@ in
|
|||
});
|
||||
|
||||
sandbox.method = "bwrap";
|
||||
sandbox.extraConfig = [
|
||||
"--sane-sandbox-autodetect"
|
||||
];
|
||||
sandbox.autodetectCliPaths = true;
|
||||
|
||||
persist.byStore.plaintext = [ ".local/state/mpv/watch_later" ];
|
||||
fs.".config/mpv/input.conf".symlink.text = let
|
||||
|
|
|
@ -11,9 +11,7 @@ in
|
|||
{
|
||||
sane.programs.vlc = {
|
||||
sandbox.method = "bwrap";
|
||||
sandbox.extraConfig = [
|
||||
"--sane-sandbox-autodetect"
|
||||
];
|
||||
sandbox.autodetectCliPaths = true;
|
||||
persist.byStore.private = [
|
||||
# vlc remembers play position in ~/.config/vlc/vlc-qt-interface.conf
|
||||
# filenames are stored in plaintext (unlike mpv, which i think hashes them)
|
||||
|
|
|
@ -252,6 +252,13 @@ let
|
|||
"wrappedDerivation" is mostly good for prototyping.
|
||||
'';
|
||||
};
|
||||
sandbox.autodetectCliPaths = mkOption {
|
||||
type = types.bool;
|
||||
default = false;
|
||||
description = ''
|
||||
if a CLI argument looks like a PATH, should we add it to the sandbox?
|
||||
'';
|
||||
};
|
||||
sandbox.binMap = mkOption {
|
||||
type = types.attrsOf types.str;
|
||||
default = {};
|
||||
|
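Review bot: The description of the new `sandbox.autodetectCliPaths` option only asks "should we add it to the sandbox?" and says nothing about what "looks like a PATH" matches or what enabling it means for the sandbox boundary: once on, whoever invokes the program can widen the sandbox through argv, which is the property a reader deciding to flip this default needs to see. Suggested description: `if a CLI argument looks like a filesystem path, expose that path inside the sandbox so the program can open it. this lets the invoker (e.g. a file manager or shell) extend the sandbox to arbitrary paths via argv, so only enable it for programs whose arguments come from a trusted caller.` The exact path heuristic lives behind `--sane-sandbox-autodetect` and is not in this diff, so the description should point at wherever that is defined rather than restate it.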
|
|
@ -15,7 +15,7 @@ let
|
|||
runHook postFixup
|
||||
'';
|
||||
in
|
||||
{ pkgName, package, method, wrapperType, vpn ? null, allowedHomePaths ? [], allowedRootPaths ? [], binMap ? {}, capabilities ? [], extraConfig ? [], embedProfile ? false }:
|
||||
{ pkgName, package, method, wrapperType, vpn ? null, allowedHomePaths ? [], allowedRootPaths ? [], autodetectCliPaths ? [], binMap ? {}, capabilities ? [], extraConfig ? [], embedProfile ? false }:
|
||||
let
|
||||
sane-sandboxed' = sane-sandboxed.meta.mainProgram; #< load by bin name to reduce rebuilds
|
||||
|
||||
|
@ -45,6 +45,7 @@ let
|
|||
] ++ allowPaths allowedRootPaths
|
||||
++ allowHomePaths allowedHomePaths
|
||||
++ capabilityFlags
|
||||
++ lib.optionals autodetectCliPaths [ "--sane-sandbox-autodetect" ]
|
||||
++ lib.optionals (vpn != null) vpnItems
|
||||
++ extraConfig;
|
||||
|
||||
|
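Review bot: The new wrapper parameter defaults to a list, `autodetectCliPaths ? []`, but the second hunk uses it as a boolean in `++ lib.optionals autodetectCliPaths [ "--sane-sandbox-autodetect" ]`, and the module option `sandbox.autodetectCliPaths` declares it as `types.bool` with default `false`. If any caller omits the argument, `lib.optionals` evaluates `if [] then …` and Nix aborts with a "value is a list while a Boolean was expected" error instead of simply leaving the flag off; the default should be `autodetectCliPaths ? false`. The call site that passes the option into this function is not part of the diff, so I cannot tell whether the argument is always supplied today; both hunks presumably belong to the same wrapper file, and the `let` body they sit in continues outside the hunks.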
|