From 7ad1ca4e6b0573bf0b03a4304b0f24f2dd96f27e Mon Sep 17 00:00:00 2001
From: Colin
Date: Fri, 10 Jan 2025 00:24:34 +0000
Subject: [PATCH] gnome-keyring: restrict dbus

---
 hosts/common/programs/gnome-keyring/default.nix | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)

diff --git a/hosts/common/programs/gnome-keyring/default.nix b/hosts/common/programs/gnome-keyring/default.nix
index 26ce46236..d3a04dc2f 100644
--- a/hosts/common/programs/gnome-keyring/default.nix
+++ b/hosts/common/programs/gnome-keyring/default.nix
@@ -3,16 +3,16 @@
 {
 sane.programs.gnome-keyring = {
 packageUnwrapped = pkgs.rmDbusServices pkgs.gnome-keyring;
- sandbox.whitelistDbus.user = true; #< TODO: reduce
- sandbox.extraRuntimePaths = [
- "keyring" #< only needs keyring/control, but has to *create* that.
- # "keyring/control"
- ];
 sandbox.capabilities = [
 # ipc_lock: used to `mlock` the secrets so they don't get swapped out.
 # this is optional, and user namespacing (bwrap) likely doesn't propagate it anyway
 "ipc_lock"
 ];
+ sandbox.extraRuntimePaths = [
+ "keyring" #< only needs keyring/control, but has to *create* that.
+ # "keyring/control"
+ ];
+ sandbox.whitelistDbus.user.own = [ "org.freedesktop.secrets" "org.gnome.keyring" ];
 persist.byStore.private = [
 # N.B.: gnome-keyring-daemon used to remove symlinks and replace them with empty directories, but as of 2024-09-05 that seems no longer the case.