dbus: place the bus in a subdirectory for better sandboxing

2024-09-04 13:04:20 +00:00
parent 9f49084ccb
commit 6ff35b4366
2 changed files with 9 additions and 5 deletions


@@ -34,11 +34,11 @@ in
sandbox.method = "bunpen"; sandbox.method = "bunpen";
sandbox.extraRuntimePaths = [ sandbox.extraRuntimePaths = [
"/" #< it needs to create a file in the root. TODO: move the bus handle into a sandboxable subdirectory "dbus"
]; ];
sandbox.isolatePids = false; #< not actually sure *why* this is necessary, but it is sandbox.isolatePids = false; #< not actually sure *why* this is necessary, but it is
env.DBUS_SESSION_BUS_ADDRESS = "unix:path=$XDG_RUNTIME_DIR/bus"; env.DBUS_SESSION_BUS_ADDRESS = "unix:path=$XDG_RUNTIME_DIR/dbus/bus";
# normally systemd would create a dbus session for us, but if you configure it not to do that # normally systemd would create a dbus session for us, but if you configure it not to do that
# then we can create our own. not sure if there's a dependency ordering issue here: lots # then we can create our own. not sure if there's a dependency ordering issue here: lots
@@ -47,8 +47,12 @@ in
services.dbus = { services.dbus = {
description = "dbus user session"; description = "dbus user session";
partOf = lib.mkIf cfg.config.autostart [ "default" ]; partOf = lib.mkIf cfg.config.autostart [ "default" ];
command = "dbus-daemon --session --nofork --address=$DBUS_SESSION_BUS_ADDRESS"; command = pkgs.writeShellScript "dbus-start" ''
readiness.waitExists = [ "$XDG_RUNTIME_DIR/bus" ]; # have to create the dbus directory before launching so that it's available in the sandbox
mkdir -p "$XDG_RUNTIME_DIR/dbus"
dbus-daemon --session --nofork --address="$DBUS_SESSION_BUS_ADDRESS"
'';
readiness.waitExists = [ "$XDG_RUNTIME_DIR/dbus/bus" ];
}; };
}; };
} }
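Review bot: The new `dbus-start` wrapper on the `command =` line leaves dbus-daemon as a child of the wrapper shell instead of replacing it, so whatever supervises this service (the `readiness.waitExists` check and the eventual stop) signals the shell, not the daemon — and `pkgs.writeShellScript` adds no `set -e`, so an unset `XDG_RUNTIME_DIR` or a failed `mkdir` still launches the daemon against a directory that was never created. I would make the script body `set -eu`, then `mkdir -p "$XDG_RUNTIME_DIR/dbus"`, then `exec dbus-daemon --session --nofork --address="$DBUS_SESSION_BUS_ADDRESS"`. Whether `pkgs` is in scope in this `let` block cannot be seen from the hunk. The `services.dbus` set is complete within the hunk, but the attribute set enclosing it starts before it.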


@@ -510,7 +510,7 @@ let
; ;
sandbox.extraRuntimePaths = sandbox.extraRuntimePaths =
lib.optionals config.sandbox.whitelistAudio [ "pipewire" "pulse" ] # this includes pipewire/pipewire-0-manager: is that ok? lib.optionals config.sandbox.whitelistAudio [ "pipewire" "pulse" ] # this includes pipewire/pipewire-0-manager: is that ok?
++ lib.optionals (builtins.elem "user" config.sandbox.whitelistDbus) [ "bus" ] ++ lib.optionals (builtins.elem "user" config.sandbox.whitelistDbus) [ "dbus" ]
++ lib.optionals config.sandbox.whitelistWayland [ "wl" ] # app can still communicate with wayland server w/o this, if it has net access ++ lib.optionals config.sandbox.whitelistWayland [ "wl" ] # app can still communicate with wayland server w/o this, if it has net access
++ lib.optionals config.sandbox.whitelistS6 [ "s6" ] # TODO: this allows re-writing the services themselves: don't allow that! ++ lib.optionals config.sandbox.whitelistS6 [ "s6" ] # TODO: this allows re-writing the services themselves: don't allow that!
; ;
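Review bot: The `whitelistDbus` entry now names the `dbus` directory rather than the bus socket itself, so every app granted user dbus also sees anything else that later lands in that directory (assuming these entries resolve relative to the runtime directory, as the neighbouring `pipewire`/`wl`/`s6` entries suggest). That widening is invisible at this call site, so I would pin the intent with a trailing comment on that line: `# whole directory is exposed: it must hold nothing but the bus socket`. The `sandbox.extraRuntimePaths` expression is complete within the hunk, but the `let` block enclosing it starts before it.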