colin/nix-files
1
0
Fork 1
Code Issues Pull Requests Projects Releases Wiki Activity

gnome-keyring: restrict dbus

Browse Source
This commit is contained in:
Colin
2025-01-10 00:24:34 +00:00
parent 07525a7000
commit 7ad1ca4e6b
1 changed files with 5 additions and 5 deletions
Download Patch File Download Diff File Expand all files Collapse all files

10
hosts/common/programs/gnome-keyring/default.nix
View File

@@ -3,16 +3,16 @@
{ {
sane.programs.gnome-keyring = { sane.programs.gnome-keyring = {
packageUnwrapped = pkgs.rmDbusServices pkgs.gnome-keyring; packageUnwrapped = pkgs.rmDbusServices pkgs.gnome-keyring;
sandbox.whitelistDbus.user = true; #< TODO: reduce
sandbox.extraRuntimePaths = [
"keyring" #< only needs keyring/control, but has to *create* that.
# "keyring/control"
];
sandbox.capabilities = [ sandbox.capabilities = [
# ipc_lock: used to `mlock` the secrets so they don't get swapped out. # ipc_lock: used to `mlock` the secrets so they don't get swapped out.
# this is optional, and user namespacing (bwrap) likely doesn't propagate it anyway # this is optional, and user namespacing (bwrap) likely doesn't propagate it anyway
"ipc_lock" "ipc_lock"
]; ];
sandbox.extraRuntimePaths = [
"keyring" #< only needs keyring/control, but has to *create* that.
# "keyring/control"
];
sandbox.whitelistDbus.user.own = [ "org.freedesktop.secrets" "org.gnome.keyring" ];
persist.byStore.private = [ persist.byStore.private = [
# N.B.: gnome-keyring-daemon used to remove symlinks and replace them with empty directories, but as of 2024-09-05 that seems no longer the case. # N.B.: gnome-keyring-daemon used to remove symlinks and replace them with empty directories, but as of 2024-09-05 that seems no longer the case.