diff --git a/modules/programs/default.nix b/modules/programs/default.nix
index 75c68f5a..bd85e180 100644
--- a/modules/programs/default.nix
+++ b/modules/programs/default.nix
@@ -283,14 +283,16 @@ let
 sandbox.net = mkOption {
 type = types.coercedTo types.str
- (s: if s == "clearnet" then "all" else s)
+ (s: if s == "clearnet" || s == "localhost" then "all" else s)
 (types.enum [ null "all" "vpn" ]);
 default = null;
 description = ''
 how this app should have its network traffic routed.
 - "all": unsandboxed network.
 - "clearnet": traffic is routed only over clearnet.
- currently, just an alias for "all"
+ currently, just an alias for "all".
+ - "localhost": only needs access to other services running on this host.
+ currently, just an alias for "all".
 - "vpn": to route all traffic over the default VPN.
 - null: to maximally isolate from the network.
 '';
@@ -400,6 +402,14 @@ let
 note that this does NOT permit access to compositor admin tooling like `swaymsg`.
 '';
 };
+ sandbox.whitelistX = mkOption {
+ type = types.bool;
+ default = false;
+ description = ''
+ allow the sandbox to communicate with the X server.
+ typically, this is actually the Xwayland server and you should also enable `whitelistWayland`.
+ '';
+ };
 sandbox.extraPaths = mkOption {
 type = types.listOf types.str;
@@ -477,6 +487,8 @@ let
 # this gets the symlink into the sandbox, but not the actual secret.
 fs = lib.mapAttrs (_homePath: _secretSrc: {}) config.secrets;
+ sandbox.net = lib.mkIf config.sandbox.whitelistX "localhost";
+
 sandbox.extraPaths = lib.mkIf config.sandbox.whitelistDri [
 # /dev/dri/renderD128: requested by wayland-egl (e.g. KOreader, animatch, geary)
 # - but everything seems to gracefully fallback to *something* (MESA software rendering?)
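Review bot: The new `"localhost"` value in the coercion lambda is mapped straight to `"all"`, so an app that declares it only needs host-local services is actually granted unsandboxed network access, and the third hunk (`sandbox.net = lib.mkIf config.sandbox.whitelistX "localhost";`) makes that widening happen implicitly whenever `whitelistX` is enabled. The description does say "currently, just an alias for all", but a reader scanning the enum will take `"localhost"` as a confinement level; I would make the non-isolation explicit in the option text, e.g. `- "localhost": only needs access to other services running on this host.` followed by `currently, just an alias for "all": NO network isolation is applied, so do not rely on this value for confinement.` Separately, because the final type is `types.enum [ null "all" "vpn" ]`, a module that sets `sandbox.net = null` or `"vpn"` while also enabling `whitelistX` will presumably hit a conflicting-definition error rather than a quiet downgrade; if the intent is "only raise the floor", `lib.mkDefault` on the hunk-3 definition, or an assertion with a clear message, would make that behaviour deliberate rather than accidental. The enclosing `let` block starts and ends outside this hunk.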
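Review bot: The `sandbox.whitelistX` description does not mention the network side effect that the third hunk attaches to it, so a user enabling it for an X-only program has no way to know their sandbox's network policy changes. I would add a sentence to the option's description such as `enabling this also sets \`sandbox.net = "localhost"\` (currently an alias for "all"), i.e. the app loses network isolation; set \`sandbox.net\` explicitly if that is not acceptable.` The `mkOption` block itself is entirely within the hunk; the enclosing attribute set is not.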