programs: xwayland: sandbox it without exposing net access

2024-03-23 15:33:23 +00:00 · 2024-03-23 15:33:23 +00:00 · 5205251f6f
parent 8c48adefa5
commit 5205251f6f
5 changed files with 27 additions and 13 deletions
--- a/hosts/common/polyunfill.nix
+++ b/hosts/common/polyunfill.nix
@ -64,4 +64,9 @@
    # pkgs.udisks
    # pkgs.wpa_supplicant
  ];
+
+  # systemd by default forces shitty defaults for e.g. /tmp/.X11-unix.
+  # nixos propagates those in: <nixos/modules/system/boot/systemd/tmpfiles.nix>
+  # by overwriting this with an empty file, we can effectively remove it.
+  environment.etc."tmpfiles.d/x11.conf".text = "# (removed by Colin)";
 }
--- a/hosts/common/programs/assorted.nix
+++ b/hosts/common/programs/assorted.nix
@ -401,7 +401,7 @@ in
    gh.persist.byStore.private = [ ".config/gh" ];

    gimp.sandbox.method = "bwrap";
-    gimp.sandbox.net = "clearnet";  #< for Xwayland
+    gimp.sandbox.whitelistX = true;
    gimp.sandbox.whitelistWayland = true;
    gimp.sandbox.extraHomePaths = [
      "Pictures/albums"
@ -931,7 +931,7 @@ in
    xwayland.sandbox.method = "bwrap";
    xwayland.sandbox.wrapperType = "inplace";  #< consumers use it as a library (e.g. wlroots)
    xwayland.sandbox.whitelistWayland = true;  #< just assuming this is needed
-    xwayland.sandbox.net = "clearnet";  #< just assuming this is needed (X11 traffic)
+    xwayland.sandbox.whitelistX = true;
    xwayland.sandbox.whitelistDri = true;  #< would assume this gives better gfx perf

    xterm.sandbox.enable = false;  # need to be able to do everything
--- a/hosts/common/programs/element-desktop.nix
+++ b/hosts/common/programs/element-desktop.nix
@ -22,6 +22,7 @@
    sandbox.whitelistDbus = [ "user" ];  # notifications
    sandbox.whitelistDri = true;
    sandbox.whitelistWayland = true;
+    sandbox.whitelistX = true;
    sandbox.extraHomePaths = [
      "Music"
      "Pictures/albums"
--- a/hosts/common/programs/sway/default.nix
+++ b/hosts/common/programs/sway/default.nix
@ -6,7 +6,6 @@ let
  cfg = config.sane.programs.sway;
  wrapSway = configuredSway: let
    swayLauncher = pkgs.writeShellScriptBin "sway" ''
-      mkdir -p "$(dirname "$SWAYSOCK")"
      # delete DISPLAY-related vars from env before launch, else sway will try to connect to a remote display.
      # (consider: nested sway sessions, where sway actually has a reason to read these)
      exec env -u DISPLAY -u WAYLAND_DISPLAY ${configuredSway}/bin/sway 2>&1
@ -165,10 +164,10 @@ in

    sandbox.method = "bwrap";
    sandbox.wrapperType = "inplace";
-    sandbox.net = "clearnet";  #< for Xwayland (TODO: separate!)
    sandbox.whitelistAudio = true;  # it runs playerctl directly
    sandbox.whitelistDbus = [ "system" "user" ];  # to e.g. launch apps
    sandbox.whitelistDri = true;
+    sandbox.whitelistX = true;  # sway invokes xwayland itself
    sandbox.whitelistWayland = true;
    # needs to *create* the sway socket. could move the sway socket into its own directory, and whitelist just that, but doesn't buy me much.
    sandbox.extraRuntimePaths = [ "/" ];
@ -218,12 +217,18 @@ in
    env.SWAYSOCK = "$XDG_RUNTIME_DIR/sway/sway-ipc.sock";
    # TODO: ensure this is reliable? might not work across sway restarts, etc.
    env.DISPLAY = ":0";
+    # docs: <https://discourse.ubuntu.com/t/environment-variables-for-wayland-hackers/12750>
    env.WAYLAND_DISPLAY = "wayland-1";

    services.sway = {
      description = "sway: tiling wayland desktop environment";
      dependencyOf = [ "graphical-session" ];
-      command = "sway";
+      command = pkgs.writeShellScript "sway-start" ''
+        # have to create these directories before launching sway so that they're available in the sandbox
+        mkdir -p "$(dirname "$SWAYSOCK")"
+        mkdir -p /tmp/.X11-unix  # for Xwayland
+        exec sway
+      '';
      readiness.waitExists = "$SWAY_SOCK";
    };
    # link the graphical-session into the default target, so sway gets auto-started
--- a/modules/programs/default.nix
+++ b/modules/programs/default.nix
@ -479,14 +479,17 @@ let
      # this gets the symlink into the sandbox, but not the actual secret.
      fs = lib.mapAttrs (_homePath: _secretSrc: {}) config.secrets;

-      sandbox.net = lib.mkIf config.sandbox.whitelistX "localhost";
-
-      sandbox.extraPaths = lib.mkIf config.sandbox.whitelistDri [
-        # /dev/dri/renderD128: requested by wayland-egl (e.g. KOreader, animatch, geary)
-        # - but everything seems to gracefully fallback to *something* (MESA software rendering?)
-        #   - CPU usage difference between playing videos in Gtk apps (e.g. fractal) with v.s. without DRI is 10% v.s. 90%.
-        # - GPU attack surface is *large*: <https://security.stackexchange.com/questions/182501/modern-linux-gpu-driver-security>
-        "/dev/dri" "/sys/dev/char" "/sys/devices" # (lappy: "/sys/devices/pci0000:00", moby needs something different)
+      sandbox.extraPaths = lib.mkMerge [
+        (lib.mkIf config.sandbox.whitelistDri [
+          # /dev/dri/renderD128: requested by wayland-egl (e.g. KOreader, animatch, geary)
+          # - but everything seems to gracefully fallback to *something* (MESA software rendering?)
+          #   - CPU usage difference between playing videos in Gtk apps (e.g. fractal) with v.s. without DRI is 10% v.s. 90%.
+          # - GPU attack surface is *large*: <https://security.stackexchange.com/questions/182501/modern-linux-gpu-driver-security>
+          "/dev/dri" "/sys/dev/char" "/sys/devices" # (lappy: "/sys/devices/pci0000:00", moby needs something different)
+        ])
+        (lib.mkIf config.sandbox.whitelistX [
+          "/tmp/.X11-unix"
+        ])
      ];
      sandbox.extraConfig = lib.mkIf config.sandbox.usePortal [
        "--sane-sandbox-portal"