assorted programs: specify sandbox.autodetectCliPaths variant more precisely than just true

Colin 2024-05-28 07:14:27 +00:00
parent c59236509b
commit 8042ea76e6
8 changed files with 17 additions and 17 deletions


@ -305,7 +305,7 @@ in
];
dtc.sandbox.method = "bwrap";
dtc.sandbox.autodetectCliPaths = true; # TODO:sandbox: untested
dtc.sandbox.autodetectCliPaths = "existingFile"; # TODO:sandbox: untested
duplicity = {};
@ -344,7 +344,7 @@ in
# landlock is OK, only `whitelistPwd` doesn't make the intermediate symlinks traversable, so it breaks on e.g. ~/Videos/servo/Shows/foo
# eza.sandbox.method = "landlock";
eza.sandbox.method = "bwrap";
eza.sandbox.autodetectCliPaths = true;
eza.sandbox.autodetectCliPaths = "existing";
eza.sandbox.whitelistPwd = true;
eza.sandbox.extraHomePaths = [
# so that e.g. `eza -l ~` can show which symlink exist
@ -356,7 +356,7 @@ in
fatresize.sandbox.autodetectCliPaths = "parent"; # /dev/sda1 -> needs /dev/sda
fd.sandbox.method = "landlock";
fd.sandbox.autodetectCliPaths = true;
fd.sandbox.autodetectCliPaths = "existing";
fd.sandbox.whitelistPwd = true;
fd.sandbox.extraHomePaths = [
# let it follow symlinks to non-sensitive data
@ -369,10 +369,10 @@ in
ffmpeg.sandbox.autodetectCliPaths = "existingFileOrParent"; # it outputs uncreated files -> parent dir needs mounting
file.sandbox.method = "bwrap";
file.sandbox.autodetectCliPaths = true;
file.sandbox.autodetectCliPaths = "existing"; #< file OR directory, yes
findutils.sandbox.method = "bwrap";
findutils.sandbox.autodetectCliPaths = true;
findutils.sandbox.autodetectCliPaths = "existing";
findutils.sandbox.whitelistPwd = true;
findutils.sandbox.extraHomePaths = [
# let it follow symlinks to non-sensitive data
@ -407,7 +407,7 @@ in
gawk.sandbox.method = "bwrap"; # TODO:sandbox: untested
gawk.sandbox.wrapperType = "inplace"; # /share/gawk libraries refer to /libexec
gawk.sandbox.autodetectCliPaths = true;
gawk.sandbox.autodetectCliPaths = "existingFile";
gdb.sandbox.enable = false; # gdb doesn't sandbox well. i don't know how you could.
# gdb.sandbox.method = "landlock"; # permission denied when trying to attach, even as root
@ -503,7 +503,7 @@ in
"gnome.hitori".sandbox.whitelistWayland = true;
gnugrep.sandbox.method = "bwrap";
gnugrep.sandbox.autodetectCliPaths = true;
gnugrep.sandbox.autodetectCliPaths = "existing";
gnugrep.sandbox.whitelistPwd = true;
gnugrep.sandbox.extraHomePaths = [
# let it follow symlinks to non-sensitive data
@ -536,7 +536,7 @@ in
# hdparm: has to be run as sudo. e.g. `sudo hdparm -i /dev/sda`
hdparm.sandbox.method = "bwrap";
hdparm.sandbox.autodetectCliPaths = true;
hdparm.sandbox.autodetectCliPaths = "existingFile";
host.sandbox.method = "landlock";
host.sandbox.net = "all"; #< technically, only needs to contact localhost's DNS server
@ -809,7 +809,7 @@ in
sequoia.sandbox.method = "bwrap"; # TODO:sandbox: untested
sequoia.sandbox.whitelistPwd = true;
sequoia.sandbox.autodetectCliPaths = true;
sequoia.sandbox.autodetectCliPaths = "existingFileOrParent"; # supports `-o <file-to-create>`
shattered-pixel-dungeon.buildCost = 1;
shattered-pixel-dungeon.persist.byStore.plaintext = [ ".local/share/.shatteredpixel/shattered-pixel-dungeon" ];
@ -906,7 +906,7 @@ in
tokodon.persist.byStore.private = [ ".cache/KDE/tokodon" ];
tree.sandbox.method = "landlock";
tree.sandbox.autodetectCliPaths = true;
tree.sandbox.autodetectCliPaths = "existing";
tree.sandbox.whitelistPwd = true;
tumiki-fighters.buildCost = 1;
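Review bot: `hdparm.sandbox.autodetectCliPaths = "existingFile"` may not match how hdparm is invoked. The comment directly above gives `sudo hdparm -i /dev/sda`, where the argument is a block device node, and nothing on this page shows whether "existingFile" accepts device nodes or only regular files. If it is regular files only, the device would not be bound into the bwrap sandbox, so either test the line or mark it `# TODO:sandbox: untested` like the dtc and gawk entries. dtc has a similar gap: it is set to "existingFile" but can write to a not-yet-existing file named with `-o`, which is the case sequoia and ffmpeg in this same file handle with "existingFileOrParent".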


@ -19,7 +19,7 @@
sandbox.method = "bwrap";
sandbox.whitelistAudio = true;
sandbox.whitelistWayland = true;
sandbox.autodetectCliPaths = true;
sandbox.autodetectCliPaths = "existingFile";
sandbox.extraHomePaths = [
# support media imports via file->open dir to some common media directories
"tmp"


@ -4,7 +4,7 @@
buildCost = 1;
sandbox.method = "bwrap";
sandbox.autodetectCliPaths = true;
sandbox.autodetectCliPaths = "existingFile";
sandbox.whitelistWayland = true;
mime.associations."application/pdf" = "org.gnome.Evince.desktop";


@ -50,7 +50,7 @@ in
sane.programs.go2tv = {
sandbox.method = "bwrap";
sandbox.net = "clearnet";
sandbox.autodetectCliPaths = true;
sandbox.autodetectCliPaths = "existingFile";
# for GUI invocation, allow the common media directories
sandbox.extraHomePaths = [
"Music"


@ -8,7 +8,7 @@
packageUnwrapped = pkgs.libreoffice-fresh;
sandbox.method = "bwrap";
sandbox.whitelistWayland = true;
sandbox.autodetectCliPaths = true;
sandbox.autodetectCliPaths = "existingFile";
sandbox.extraHomePaths = [
# allow a spot to save files.
# with bwrap sandboxing, saving to e.g. ~/ succeeds but the data is inaccessible outside the sandbox,


@ -203,7 +203,7 @@ in
];
sandbox.method = "bwrap";
sandbox.autodetectCliPaths = true;
sandbox.autodetectCliPaths = "existing";
sandbox.net = "all";
sandbox.whitelistAudio = true;
sandbox.whitelistDbus = [ "user" ]; #< mpris
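Review bot: `sandbox.autodetectCliPaths = "existing"` is the broader choice here, and it is paired with `sandbox.net = "all"` without a stated reason. Per the comment on the `file` entry elsewhere in this commit, "existing" matches a file or a directory, so any directory named on the command line is presumably exposed in full to a network-capable process. If directory arguments are needed, record that in a trailing comment such as `sandbox.autodetectCliPaths = "existing";  #< directory args are intentional: <reason>`; otherwise "existingFile" is the tighter setting. The same applies to the last file section, which pairs "existing" with `sandbox.net = "clearnet"`.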


@ -2,7 +2,7 @@
{
sane.programs.ripgrep = {
sandbox.method = "bwrap";
sandbox.autodetectCliPaths = true;
sandbox.autodetectCliPaths = "existing";
sandbox.whitelistPwd = true;
sandbox.extraHomePaths = [
# let it follow symlinks to non-sensitive data


@ -16,7 +16,7 @@ in
};
sandbox.method = "bwrap";
sandbox.net = "clearnet";
sandbox.autodetectCliPaths = true;
sandbox.autodetectCliPaths = "existing";
sandbox.whitelistAudio = true;
sandbox.whitelistDbus = [ "user" ]; # mpris
sandbox.whitelistWayland = true;