diff --git a/hosts/common/programs/assorted.nix b/hosts/common/programs/assorted.nix index c308f4d90..3c476a5cd 100644 --- a/hosts/common/programs/assorted.nix +++ b/hosts/common/programs/assorted.nix @@ -423,12 +423,10 @@ in bash-language-server.sandbox.whitelistPwd = true; blanket.buildCost = 1; - blanket.sandbox.method = "bwrap"; blanket.sandbox.whitelistAudio = true; # blanket.sandbox.whitelistDbus = [ "user" ]; # TODO: untested blanket.sandbox.whitelistWayland = true; - blueberry.sandbox.method = "bwrap"; blueberry.sandbox.wrapperType = "inplace"; #< it places binaries in /lib and then /etc/xdg/autostart files refer to the /lib paths, and fail to be patched blueberry.sandbox.whitelistWayland = true; blueberry.sandbox.extraPaths = [ @@ -438,7 +436,6 @@ in "/sys/devices" ]; - bridge-utils.sandbox.method = "bwrap"; #< bwrap, landlock: both work bridge-utils.sandbox.net = "all"; btrfs-progs.sandbox.autodetectCliPaths = "existing"; # e.g. `btrfs filesystem df /my/fs` @@ -456,7 +453,6 @@ in clang = {}; - clang-tools.sandbox.method = "bwrap"; clang-tools.sandbox.whitelistPwd = true; clightning-sane.sandbox.extraPaths = [ @@ -478,12 +474,10 @@ in cryptsetup.sandbox.tryKeepUsers = true; cryptsetup.sandbox.keepIpc = true; - ddrescue.sandbox.method = "bunpen"; ddrescue.sandbox.autodetectCliPaths = "existingOrParent"; ddrescue.sandbox.tryKeepUsers = true; delfin.buildCost = 1; - delfin.sandbox.method = "bwrap"; delfin.sandbox.whitelistAudio = true; delfin.sandbox.whitelistDbus = [ "user" ]; # else `mpris` plugin crashes the player delfin.sandbox.whitelistDri = true; @@ -513,7 +507,6 @@ in "tmp" ]; - dtc.sandbox.method = "bwrap"; dtc.sandbox.autodetectCliPaths = "existingFile"; # TODO:sandbox: untested duplicity = {}; @@ -525,7 +518,6 @@ in ]; electrum.buildCost = 1; - electrum.sandbox.method = "bwrap"; # TODO:sandbox: untested electrum.sandbox.net = "all"; # TODO: probably want to make this run behind a VPN, always electrum.sandbox.whitelistWayland = true; electrum.persist.byStore.ephemeral = [ ".electrum" ]; #< TODO: use XDG dirs! @@ -600,7 +592,6 @@ in forkstat.sandbox.tryKeepUsers = true; forkstat.sandbox.net = "all"; #< it errors without this, wish i knew why - fuzzel.sandbox.method = "bwrap"; fuzzel.sandbox.whitelistWayland = true; fuzzel.persist.byStore.private = [ # this is a file of recent selections @@ -831,7 +822,6 @@ in lsof.sandbox.net = "all"; lsof.sandbox.extraPaths = [ "/" ]; - ltex-ls.sandbox.method = "bwrap"; ltex-ls.sandbox.whitelistPwd = true; lua = {}; @@ -843,7 +833,6 @@ in marksman.sandbox.whitelistPwd = true; - mercurial.sandbox.method = "bwrap"; mercurial.sandbox.net = "clearnet"; mercurial.sandbox.whitelistPwd = true; @@ -861,7 +850,6 @@ in monero-gui.buildCost = 1; # XXX: is it really safe to persist this? it doesn't have info that could de-anonymize if captured? monero-gui.persist.byStore.plaintext = [ ".bitmonero" ]; - monero-gui.sandbox.method = "bwrap"; monero-gui.sandbox.net = "all"; monero-gui.sandbox.extraHomePaths = [ "records/finance/cryptocurrencies/monero" @@ -885,7 +873,6 @@ in networkmanagerapplet.sandbox.whitelistWayland = true; networkmanagerapplet.sandbox.whitelistDbus = [ "system" ]; - nil.sandbox.method = "bwrap"; nil.sandbox.whitelistPwd = true; nil.sandbox.keepPids = true; @@ -893,7 +880,6 @@ in nixfmt-rfc-style.sandbox.autodetectCliPaths = "existingDirOrParent"; #< it formats via rename - nixpkgs-review.sandbox.method = "bwrap"; nixpkgs-review.sandbox.wrapperType = "inplace"; #< shell completions use full paths nixpkgs-review.sandbox.net = "clearnet"; nixpkgs-review.sandbox.whitelistPwd = true; @@ -1085,7 +1071,6 @@ in strace.sandbox.enable = false; #< needs to `exec` its args, and therefore support *anything* - subversion.sandbox.method = "bwrap"; subversion.sandbox.net = "clearnet"; subversion.sandbox.whitelistPwd = true; sudo.sandbox.enable = false; @@ -1132,7 +1117,6 @@ in "/sys/bus/usb" ]; - vala-language-server.sandbox.method = "bwrap"; vala-language-server.sandbox.whitelistPwd = true; vala-language-server.suggestedPrograms = [ # might someday support cmake, too: diff --git a/hosts/common/programs/bemenu.nix b/hosts/common/programs/bemenu.nix index 2292e55d7..6b72fc554 100644 --- a/hosts/common/programs/bemenu.nix +++ b/hosts/common/programs/bemenu.nix @@ -87,7 +87,6 @@ let in { sane.programs.bemenu = { - sandbox.method = "bwrap"; # landlock works, but requires *all* of $XDG_RUNTIME_DIR to be granted. sandbox.whitelistWayland = true; sandbox.extraHomePaths = [ ".cache/fontconfig" #< else it complains, and is *way* slower diff --git a/hosts/common/programs/bitcoin-cli.nix b/hosts/common/programs/bitcoin-cli.nix index 69c67f726..f710fe628 100644 --- a/hosts/common/programs/bitcoin-cli.nix +++ b/hosts/common/programs/bitcoin-cli.nix @@ -2,7 +2,6 @@ { sane.programs.bitcoin-cli = { packageUnwrapped = pkgs.linkBinIntoOwnPackage pkgs.bitcoind "bitcoin-cli"; - sandbox.method = "bwrap"; sandbox.autodetectCliPaths = "existing"; #< for `bitcoin-cli -datadir=/var/lib/...` sandbox.extraHomePaths = [ ".bitcoin/bitcoin.conf" diff --git a/hosts/common/programs/cozy.nix b/hosts/common/programs/cozy.nix index 7ff5519b0..717857688 100644 --- a/hosts/common/programs/cozy.nix +++ b/hosts/common/programs/cozy.nix @@ -15,7 +15,6 @@ buildCost = 1; - sandbox.method = "bwrap"; sandbox.whitelistAudio = true; sandbox.whitelistDbus = [ "user" ]; # mpris sandbox.whitelistWayland = true; diff --git a/hosts/common/programs/evince.nix b/hosts/common/programs/evince.nix index f2a2f51f9..264e96e43 100644 --- a/hosts/common/programs/evince.nix +++ b/hosts/common/programs/evince.nix @@ -3,7 +3,6 @@ sane.programs.evince = { buildCost = 1; - sandbox.method = "bwrap"; sandbox.autodetectCliPaths = "existingFile"; sandbox.whitelistWayland = true; diff --git a/hosts/common/programs/flare-signal.nix b/hosts/common/programs/flare-signal.nix index 447c75622..595578722 100644 --- a/hosts/common/programs/flare-signal.nix +++ b/hosts/common/programs/flare-signal.nix @@ -79,7 +79,6 @@ ]; #VVV flare complains if its data directory is a symlink, so put it in a subdirectory behind my persistence symlink. env.FLARE_DATA_PATH = "$HOME/.local/share/flare/data"; - # sandbox.method = "bwrap"; # sandbox.net = "clearnet"; # sandbox.whitelistWayland = true; # sandbox.whitelistDbus = [ diff --git a/hosts/common/programs/gdb.nix b/hosts/common/programs/gdb.nix index 50e736993..243c231d4 100644 --- a/hosts/common/programs/gdb.nix +++ b/hosts/common/programs/gdb.nix @@ -2,7 +2,6 @@ { sane.programs.gdb = { sandbox.enable = false; # gdb doesn't sandbox well. i don't know how you could. - # sandbox.method = "landlock"; # permission denied when trying to attach, even as root sandbox.autodetectCliPaths = true; fs.".config/gdb/gdbinit".symlink.text = '' # enable commands like `py-bt`, `py-list`, etc. diff --git a/hosts/common/programs/geoclue2.nix b/hosts/common/programs/geoclue2.nix index fc2d7d975..3e9f3cd52 100644 --- a/hosts/common/programs/geoclue2.nix +++ b/hosts/common/programs/geoclue2.nix @@ -47,7 +47,6 @@ in package = lib.mkForce null; # experimental sandboxing (2024/07/05) - # sandbox.method = "bwrap"; # sandbox.whitelistDbus = [ # "system" # ]; diff --git a/hosts/common/programs/iio-sensor-proxy.nix b/hosts/common/programs/iio-sensor-proxy.nix index c9a36ff82..39641b6f9 100644 --- a/hosts/common/programs/iio-sensor-proxy.nix +++ b/hosts/common/programs/iio-sensor-proxy.nix @@ -41,7 +41,6 @@ in }); enableFor.system = lib.mkIf (builtins.any (en: en) (builtins.attrValues cfg.enableFor.user)) true; #< for dbus/polkit policies - sandbox.method = "bwrap"; sandbox.whitelistDbus = [ "system" ]; sandbox.extraPaths = [ "/run/udev/data" diff --git a/hosts/common/programs/koreader/default.nix b/hosts/common/programs/koreader/default.nix index 32aa4c90c..0f1d1dbb5 100644 --- a/hosts/common/programs/koreader/default.nix +++ b/hosts/common/programs/koreader/default.nix @@ -45,7 +45,6 @@ let in { sane.programs.koreader = { packageUnwrapped = pkgs.koreader-from-src; - sandbox.method = "bwrap"; sandbox.net = "clearnet"; sandbox.whitelistDbus = [ "user" ]; # for opening the web browser via portal sandbox.whitelistDri = true; # reduces startup time and subjective page flip time diff --git a/hosts/common/programs/lemoa.nix b/hosts/common/programs/lemoa.nix index 3086fe49e..948a5806b 100644 --- a/hosts/common/programs/lemoa.nix +++ b/hosts/common/programs/lemoa.nix @@ -2,7 +2,6 @@ { sane.programs.lemoa = { buildCost = 1; - sandbox.method = "bwrap"; sandbox.net = "clearnet"; sandbox.whitelistDbus = [ "user" ]; # for clicking links sandbox.whitelistDri = true; diff --git a/hosts/common/programs/lgtrombetta-compass.nix b/hosts/common/programs/lgtrombetta-compass.nix index b70e88bb2..6a271a4a3 100644 --- a/hosts/common/programs/lgtrombetta-compass.nix +++ b/hosts/common/programs/lgtrombetta-compass.nix @@ -17,7 +17,6 @@ ]; fs.".config/compass.conf".symlink.target = "compass/compass.conf"; - sandbox.method = "bwrap"; sandbox.extraPaths = [ "/sys/bus/iio/devices" "/sys/devices" diff --git a/hosts/common/programs/megapixels.nix b/hosts/common/programs/megapixels.nix index 7584334bf..05ed7c727 100644 --- a/hosts/common/programs/megapixels.nix +++ b/hosts/common/programs/megapixels.nix @@ -26,7 +26,6 @@ # further, it doesn't use either portals or xdg-open to launch the image viewer. # bwrap (loupe image viewer) doesn't like to run inside landlock # "bwrap: failed to make / slave: Operation not permitted" - sandbox.method = "bwrap"; # supports landlock or bwrap sandbox.whitelistDri = true; sandbox.whitelistWayland = true; sandbox.whitelistDbus = [ "user" ]; #< so that it can in theory open the image viewer using fdo portal... but it doesn't :| diff --git a/hosts/common/programs/mmcli.nix b/hosts/common/programs/mmcli.nix index e1cbe7f96..f17a9d1a9 100644 --- a/hosts/common/programs/mmcli.nix +++ b/hosts/common/programs/mmcli.nix @@ -23,7 +23,6 @@ }; }); - sandbox.method = "bwrap"; sandbox.whitelistDbus = [ "system" ]; diff --git a/hosts/common/programs/notejot.nix b/hosts/common/programs/notejot.nix index 23ff1c4b2..8f878bb8f 100644 --- a/hosts/common/programs/notejot.nix +++ b/hosts/common/programs/notejot.nix @@ -1,7 +1,6 @@ { ... }: { sane.programs.notejot = { - sandbox.method = "bwrap"; sandbox.whitelistWayland = true; sandbox.whitelistDri = true; #< otherwise intolerably slow on moby sandbox.extraHomePaths = [ ".config/dconf" ]; #< for legacy notes (moby), loaded via dconf diff --git a/hosts/common/programs/ntfy-sh.nix b/hosts/common/programs/ntfy-sh.nix index e8b323dfc..207ea4a62 100644 --- a/hosts/common/programs/ntfy-sh.nix +++ b/hosts/common/programs/ntfy-sh.nix @@ -20,7 +20,6 @@ in }; }; - sandbox.method = "bwrap"; sandbox.net = "clearnet"; secrets.".config/ntfy-sh/topic" = ../../../secrets/common/ntfy-sh-topic.bin; diff --git a/hosts/common/programs/open-in-mpv.nix b/hosts/common/programs/open-in-mpv.nix index c6107a0e5..e03b6cc1f 100644 --- a/hosts/common/programs/open-in-mpv.nix +++ b/hosts/common/programs/open-in-mpv.nix @@ -2,7 +2,6 @@ { pkgs, ... }: { sane.programs.open-in-mpv = { - sandbox.method = "bwrap"; sandbox.whitelistDbus = [ "user" ]; # for xdg-open/portals # taken from diff --git a/hosts/common/programs/planify.nix b/hosts/common/programs/planify.nix index 72d13614d..266034274 100644 --- a/hosts/common/programs/planify.nix +++ b/hosts/common/programs/planify.nix @@ -1,7 +1,6 @@ { ... }: { sane.programs.planify = { - sandbox.method = "bwrap"; sandbox.whitelistDbus = [ "user" ]; # for dconf? else it can't persist any tasks/notes sandbox.whitelistWayland = true; diff --git a/hosts/common/programs/sfeed.nix b/hosts/common/programs/sfeed.nix index a0be7fc00..e9a20390f 100644 --- a/hosts/common/programs/sfeed.nix +++ b/hosts/common/programs/sfeed.nix @@ -15,7 +15,6 @@ let ) wantedFeeds; in { sane.programs.sfeed = { - sandbox.method = "bwrap"; sandbox.net = "clearnet"; fs.".sfeed/sfeedrc".symlink.text = '' diff --git a/hosts/common/programs/splatmoji.nix b/hosts/common/programs/splatmoji.nix index 6387122fc..e84bb2cf4 100644 --- a/hosts/common/programs/splatmoji.nix +++ b/hosts/common/programs/splatmoji.nix @@ -17,7 +17,6 @@ }) ]; }); - sandbox.method = "bwrap"; sandbox.whitelistWayland = true; # it calls into a dmenu helper sandbox.extraHomePaths = [ ".cache/rofi" diff --git a/hosts/common/programs/spot.nix b/hosts/common/programs/spot.nix index a74ac5679..2ae85c34e 100644 --- a/hosts/common/programs/spot.nix +++ b/hosts/common/programs/spot.nix @@ -3,7 +3,6 @@ sane.programs.spot = { buildCost = 1; - sandbox.method = "bwrap"; sandbox.net = "clearnet"; sandbox.whitelistAudio = true; sandbox.whitelistDbus = [ "user" ]; # mpris diff --git a/hosts/common/programs/spotify.nix b/hosts/common/programs/spotify.nix index 12b5d5712..9d468263e 100644 --- a/hosts/common/programs/spotify.nix +++ b/hosts/common/programs/spotify.nix @@ -1,7 +1,6 @@ { ... }: { sane.programs.spotify = { - sandbox.method = "bwrap"; sandbox.net = "clearnet"; sandbox.whitelistAudio = true; sandbox.whitelistDbus = [ "user" ]; # mpris diff --git a/hosts/common/programs/steam.nix b/hosts/common/programs/steam.nix index 017c2db2b..68306d867 100644 --- a/hosts/common/programs/steam.nix +++ b/hosts/common/programs/steam.nix @@ -1,7 +1,6 @@ { ... }: { sane.programs.steam = { - sandbox.method = "bwrap"; sandbox.net = "clearnet"; sandbox.whitelistAudio = true; sandbox.whitelistDbus = [ "user" ]; #< to open https:// links in portal diff --git a/hosts/common/programs/switchboard.nix b/hosts/common/programs/switchboard.nix index 51b8b76c0..fd0809986 100644 --- a/hosts/common/programs/switchboard.nix +++ b/hosts/common/programs/switchboard.nix @@ -27,7 +27,6 @@ ]; xorg = pkgs.buildPackages.xorg; #< cross compilation fix (TODO: upstream) }; - sandbox.method = "bwrap"; sandbox.whitelistWayland = true; sandbox.whitelistDbus = [ "system" ]; #< to speak with NetworkManager sandbox.whitelistAudio = true; #< even with this, the sound plugin doesn't seem to work... diff --git a/hosts/common/programs/tangram.nix b/hosts/common/programs/tangram.nix index d4e971a73..a6f248a96 100644 --- a/hosts/common/programs/tangram.nix +++ b/hosts/common/programs/tangram.nix @@ -29,7 +29,6 @@ in buildCost = 2; - sandbox.method = "bwrap"; sandbox.net = "clearnet"; sandbox.whitelistAudio = true; sandbox.whitelistDri = true; diff --git a/hosts/common/programs/vlc.nix b/hosts/common/programs/vlc.nix index 0aa6c7e88..c5b936c7e 100644 --- a/hosts/common/programs/vlc.nix +++ b/hosts/common/programs/vlc.nix @@ -14,7 +14,6 @@ in # disable uneeded samba features to avoid an expensive samba build samba = null; }; - sandbox.method = "bwrap"; sandbox.net = "clearnet"; sandbox.autodetectCliPaths = "existing"; sandbox.whitelistAudio = true; diff --git a/hosts/common/programs/wally-cli.nix b/hosts/common/programs/wally-cli.nix index 94f853e11..bb923a7b9 100644 --- a/hosts/common/programs/wally-cli.nix +++ b/hosts/common/programs/wally-cli.nix @@ -4,7 +4,6 @@ sane.programs.wally-cli = { # sandboxing causes it to not discover devices post-launch. # so you have to start wally AFTER pressing the 'flash' button. - sandbox.method = "bwrap"; sandbox.extraPaths = [ "/dev/bus/usb" "/sys/bus/usb" diff --git a/hosts/common/programs/waybar/default.nix b/hosts/common/programs/waybar/default.nix index a7afa9af2..13003cf65 100644 --- a/hosts/common/programs/waybar/default.nix +++ b/hosts/common/programs/waybar/default.nix @@ -82,7 +82,6 @@ in hyprlandSupport = false; #< doesn't cross. hyprland clowns are forking deps even like `wayland-scanner`, too much maintenance. }; - sandbox.method = "bwrap"; sandbox.net = "all"; #< to show net connection status and BW sandbox.whitelistDbus = [ "user" #< for playerctl/media diff --git a/hosts/common/programs/waylock.nix b/hosts/common/programs/waylock.nix index 2982c36c4..d21484def 100644 --- a/hosts/common/programs/waylock.nix +++ b/hosts/common/programs/waylock.nix @@ -6,7 +6,6 @@ let in { sane.programs.waylock = { - sandbox.method = "bwrap"; sandbox.extraPaths = [ # N.B.: we need to be able to follow /etc/shadow to wherever it's symlinked. # waylock seems (?) to offload password checking to pam's `unix_chkpwd`, diff --git a/hosts/common/programs/xarchiver.nix b/hosts/common/programs/xarchiver.nix index f5e37953a..fa4c79b0c 100644 --- a/hosts/common/programs/xarchiver.nix +++ b/hosts/common/programs/xarchiver.nix @@ -7,7 +7,6 @@ }; buildCost = 1; - sandbox.method = "bwrap"; sandbox.whitelistWayland = true; sandbox.extraHomePaths = [ "archive" diff --git a/hosts/common/programs/xdg-desktop-portal-gtk.nix b/hosts/common/programs/xdg-desktop-portal-gtk.nix index 017dff9db..4a8328f86 100644 --- a/hosts/common/programs/xdg-desktop-portal-gtk.nix +++ b/hosts/common/programs/xdg-desktop-portal-gtk.nix @@ -7,7 +7,6 @@ in # rmDbusServices: because we care about ordering with the rest of the desktop, and don't want something else to auto-start this. packageUnwrapped = pkgs.rmDbusServicesInPlace pkgs.xdg-desktop-portal-gtk; - sandbox.method = "bwrap"; sandbox.whitelistDbus = [ "user" ]; # speak to main xdg-desktop-portal sandbox.whitelistWayland = true; sandbox.extraHomePaths = [ diff --git a/hosts/common/programs/zathura.nix b/hosts/common/programs/zathura.nix index f8b0b72aa..980113aae 100644 --- a/hosts/common/programs/zathura.nix +++ b/hosts/common/programs/zathura.nix @@ -2,7 +2,6 @@ { sane.programs.zathura = { buildCost = 1; - sandbox.method = "bwrap"; sandbox.wrapperType = "inplace"; #< wrapper sets ZATHURA_PLUGINS_PATH to $out/lib/... sandbox.whitelistDri = true; sandbox.whitelistWayland = true; diff --git a/hosts/common/programs/zulip.nix b/hosts/common/programs/zulip.nix index b4ae49d5b..18a3cea21 100644 --- a/hosts/common/programs/zulip.nix +++ b/hosts/common/programs/zulip.nix @@ -1,7 +1,6 @@ { ... }: { sane.programs.zulip = { - sandbox.method = "bwrap"; sandbox.net = "clearnet"; sandbox.whitelistDbus = [ "user" ]; # notifications (i hope!) sandbox.whitelistWayland = true;