modules/programs: sandboxing: add a "whitelistX" option
parent
8ac4869f10
commit
5f1036118f
|
@ -283,14 +283,16 @@ let
|
|||
sandbox.net = mkOption {
|
||||
type = types.coercedTo
|
||||
types.str
|
||||
(s: if s == "clearnet" then "all" else s)
|
||||
(s: if s == "clearnet" || s == "localhost" then "all" else s)
|
||||
(types.enum [ null "all" "vpn" ]);
|
||||
default = null;
|
||||
description = ''
|
||||
how this app should have its network traffic routed.
|
||||
- "all": unsandboxed network.
|
||||
- "clearnet": traffic is routed only over clearnet.
|
||||
currently, just an alias for "all"
|
||||
currently, just an alias for "all".
|
||||
- "localhost": only needs access to other services running on this host.
|
||||
currently, just an alias for "all".
|
||||
- "vpn": to route all traffic over the default VPN.
|
||||
- null: to maximally isolate from the network.
|
||||
'';
|
||||
|
@ -400,6 +402,14 @@ let
|
|||
note that this does NOT permit access to compositor admin tooling like `swaymsg`.
|
||||
'';
|
||||
};
|
||||
sandbox.whitelistX = mkOption {
|
||||
type = types.bool;
|
||||
default = false;
|
||||
description = ''
|
||||
allow the sandbox to communicate with the X server.
|
||||
typically, this is actually the Xwayland server and you should also enable `whitelistWayland`.
|
||||
'';
|
||||
};
|
||||
|
||||
sandbox.extraPaths = mkOption {
|
||||
type = types.listOf types.str;
|
||||
|
@ -477,6 +487,8 @@ let
|
|||
# this gets the symlink into the sandbox, but not the actual secret.
|
||||
fs = lib.mapAttrs (_homePath: _secretSrc: {}) config.secrets;
|
||||
|
||||
sandbox.net = lib.mkIf config.sandbox.whitelistX "localhost";
|
||||
|
||||
sandbox.extraPaths = lib.mkIf config.sandbox.whitelistDri [
|
||||
# /dev/dri/renderD128: requested by wayland-egl (e.g. KOreader, animatch, geary)
|
||||
# - but everything seems to gracefully fallback to *something* (MESA software rendering?)
|
||||
|
|
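Review bot: Enabling `sandbox.whitelistX` also sets `sandbox.net = "localhost"` (third hunk), and the coercion in the first hunk maps "localhost" to "all", so an app that would otherwise keep the `null` default (maximally isolated) gets unsandboxed network access as a side effect of asking for X. The `whitelistX` description does not mention this; I would add a line such as `note: this currently implies sandbox.net = "localhost", which is an alias for "all" (unsandboxed network).` so the cost is visible where the option is turned on. Because the definition is a plain `lib.mkIf`, a program that also sets `sandbox.net = "vpn"` will probably fail with a conflicting-definition error rather than keep the VPN restriction; that is worth confirming, and the description should say which setting is meant to win. The enclosing `let` block and the `sandbox.extraPaths` list continue outside the visible hunks.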