assorted programs: specify sandbox.autodetectCliPaths variant more precisely than just true
@@ -305,7 +305,7 @@ in
|
|||||||
];
|
];
|
||||||
|
|
||||||
dtc.sandbox.method = "bwrap";
|
dtc.sandbox.method = "bwrap";
|
||||||
dtc.sandbox.autodetectCliPaths = true; # TODO:sandbox: untested
|
dtc.sandbox.autodetectCliPaths = "existingFile"; # TODO:sandbox: untested
|
||||||
|
|
||||||
duplicity = {};
|
duplicity = {};
|
||||||
|
|
||||||
@@ -344,7 +344,7 @@ in
|
|||||||
# landlock is OK, only `whitelistPwd` doesn't make the intermediate symlinks traversable, so it breaks on e.g. ~/Videos/servo/Shows/foo
|
# landlock is OK, only `whitelistPwd` doesn't make the intermediate symlinks traversable, so it breaks on e.g. ~/Videos/servo/Shows/foo
|
||||||
# eza.sandbox.method = "landlock";
|
# eza.sandbox.method = "landlock";
|
||||||
eza.sandbox.method = "bwrap";
|
eza.sandbox.method = "bwrap";
|
||||||
eza.sandbox.autodetectCliPaths = true;
|
eza.sandbox.autodetectCliPaths = "existing";
|
||||||
eza.sandbox.whitelistPwd = true;
|
eza.sandbox.whitelistPwd = true;
|
||||||
eza.sandbox.extraHomePaths = [
|
eza.sandbox.extraHomePaths = [
|
||||||
# so that e.g. `eza -l ~` can show which symlink exist
|
# so that e.g. `eza -l ~` can show which symlink exist
|
||||||
@@ -356,7 +356,7 @@ in
|
|||||||
fatresize.sandbox.autodetectCliPaths = "parent"; # /dev/sda1 -> needs /dev/sda
|
fatresize.sandbox.autodetectCliPaths = "parent"; # /dev/sda1 -> needs /dev/sda
|
||||||
|
|
||||||
fd.sandbox.method = "landlock";
|
fd.sandbox.method = "landlock";
|
||||||
fd.sandbox.autodetectCliPaths = true;
|
fd.sandbox.autodetectCliPaths = "existing";
|
||||||
fd.sandbox.whitelistPwd = true;
|
fd.sandbox.whitelistPwd = true;
|
||||||
fd.sandbox.extraHomePaths = [
|
fd.sandbox.extraHomePaths = [
|
||||||
# let it follow symlinks to non-sensitive data
|
# let it follow symlinks to non-sensitive data
|
||||||
@@ -369,10 +369,10 @@ in
|
|||||||
ffmpeg.sandbox.autodetectCliPaths = "existingFileOrParent"; # it outputs uncreated files -> parent dir needs mounting
|
ffmpeg.sandbox.autodetectCliPaths = "existingFileOrParent"; # it outputs uncreated files -> parent dir needs mounting
|
||||||
|
|
||||||
file.sandbox.method = "bwrap";
|
file.sandbox.method = "bwrap";
|
||||||
file.sandbox.autodetectCliPaths = true;
|
file.sandbox.autodetectCliPaths = "existing"; #< file OR directory, yes
|
||||||
|
|
||||||
findutils.sandbox.method = "bwrap";
|
findutils.sandbox.method = "bwrap";
|
||||||
findutils.sandbox.autodetectCliPaths = true;
|
findutils.sandbox.autodetectCliPaths = "existing";
|
||||||
findutils.sandbox.whitelistPwd = true;
|
findutils.sandbox.whitelistPwd = true;
|
||||||
findutils.sandbox.extraHomePaths = [
|
findutils.sandbox.extraHomePaths = [
|
||||||
# let it follow symlinks to non-sensitive data
|
# let it follow symlinks to non-sensitive data
|
||||||
@@ -407,7 +407,7 @@ in
|
|||||||
|
|
||||||
gawk.sandbox.method = "bwrap"; # TODO:sandbox: untested
|
gawk.sandbox.method = "bwrap"; # TODO:sandbox: untested
|
||||||
gawk.sandbox.wrapperType = "inplace"; # /share/gawk libraries refer to /libexec
|
gawk.sandbox.wrapperType = "inplace"; # /share/gawk libraries refer to /libexec
|
||||||
gawk.sandbox.autodetectCliPaths = true;
|
gawk.sandbox.autodetectCliPaths = "existingFile";
|
||||||
|
|
||||||
gdb.sandbox.enable = false; # gdb doesn't sandbox well. i don't know how you could.
|
gdb.sandbox.enable = false; # gdb doesn't sandbox well. i don't know how you could.
|
||||||
# gdb.sandbox.method = "landlock"; # permission denied when trying to attach, even as root
|
# gdb.sandbox.method = "landlock"; # permission denied when trying to attach, even as root
|
||||||
@@ -503,7 +503,7 @@ in
|
|||||||
"gnome.hitori".sandbox.whitelistWayland = true;
|
"gnome.hitori".sandbox.whitelistWayland = true;
|
||||||
|
|
||||||
gnugrep.sandbox.method = "bwrap";
|
gnugrep.sandbox.method = "bwrap";
|
||||||
gnugrep.sandbox.autodetectCliPaths = true;
|
gnugrep.sandbox.autodetectCliPaths = "existing";
|
||||||
gnugrep.sandbox.whitelistPwd = true;
|
gnugrep.sandbox.whitelistPwd = true;
|
||||||
gnugrep.sandbox.extraHomePaths = [
|
gnugrep.sandbox.extraHomePaths = [
|
||||||
# let it follow symlinks to non-sensitive data
|
# let it follow symlinks to non-sensitive data
|
||||||
@@ -536,7 +536,7 @@ in
|
|||||||
|
|
||||||
# hdparm: has to be run as sudo. e.g. `sudo hdparm -i /dev/sda`
|
# hdparm: has to be run as sudo. e.g. `sudo hdparm -i /dev/sda`
|
||||||
hdparm.sandbox.method = "bwrap";
|
hdparm.sandbox.method = "bwrap";
|
||||||
hdparm.sandbox.autodetectCliPaths = true;
|
hdparm.sandbox.autodetectCliPaths = "existingFile";
|
||||||
|
|
||||||
host.sandbox.method = "landlock";
|
host.sandbox.method = "landlock";
|
||||||
host.sandbox.net = "all"; #< technically, only needs to contact localhost's DNS server
|
host.sandbox.net = "all"; #< technically, only needs to contact localhost's DNS server
|
||||||
@@ -809,7 +809,7 @@ in
|
|||||||
|
|
||||||
sequoia.sandbox.method = "bwrap"; # TODO:sandbox: untested
|
sequoia.sandbox.method = "bwrap"; # TODO:sandbox: untested
|
||||||
sequoia.sandbox.whitelistPwd = true;
|
sequoia.sandbox.whitelistPwd = true;
|
||||||
sequoia.sandbox.autodetectCliPaths = true;
|
sequoia.sandbox.autodetectCliPaths = "existingFileOrParent"; # supports `-o <file-to-create>`
|
||||||
|
|
||||||
shattered-pixel-dungeon.buildCost = 1;
|
shattered-pixel-dungeon.buildCost = 1;
|
||||||
shattered-pixel-dungeon.persist.byStore.plaintext = [ ".local/share/.shatteredpixel/shattered-pixel-dungeon" ];
|
shattered-pixel-dungeon.persist.byStore.plaintext = [ ".local/share/.shatteredpixel/shattered-pixel-dungeon" ];
|
||||||
@@ -906,7 +906,7 @@ in
|
|||||||
tokodon.persist.byStore.private = [ ".cache/KDE/tokodon" ];
|
tokodon.persist.byStore.private = [ ".cache/KDE/tokodon" ];
|
||||||
|
|
||||||
tree.sandbox.method = "landlock";
|
tree.sandbox.method = "landlock";
|
||||||
tree.sandbox.autodetectCliPaths = true;
|
tree.sandbox.autodetectCliPaths = "existing";
|
||||||
tree.sandbox.whitelistPwd = true;
|
tree.sandbox.whitelistPwd = true;
|
||||||
|
|
||||||
tumiki-fighters.buildCost = 1;
|
tumiki-fighters.buildCost = 1;
|
||||||
|
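Review bot: In the hdparm hunk, `hdparm.sandbox.autodetectCliPaths = "existingFile"` may not match the arguments this tool is actually given, because the comment just above it shows `sudo hdparm -i /dev/sda`, a block-device node rather than a regular file. The `file` hunk's comment describes "existing" as "file OR directory", which suggests "existingFile" excludes directories, but nothing on the page shows whether it admits device nodes. If it does not, the device never enters the sandbox, and the easy workaround is to turn the sandbox off for a tool that runs as root. Unlike the dtc line, this one carries no untested marker, so I would either check it against a real device or add a trailing comment such as `# TODO:sandbox: confirm "existingFile" matches block devices like /dev/sda`.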
@@ -19,7 +19,7 @@
|
|||||||
sandbox.method = "bwrap";
|
sandbox.method = "bwrap";
|
||||||
sandbox.whitelistAudio = true;
|
sandbox.whitelistAudio = true;
|
||||||
sandbox.whitelistWayland = true;
|
sandbox.whitelistWayland = true;
|
||||||
sandbox.autodetectCliPaths = true;
|
sandbox.autodetectCliPaths = "existingFile";
|
||||||
sandbox.extraHomePaths = [
|
sandbox.extraHomePaths = [
|
||||||
# support media imports via file->open dir to some common media directories
|
# support media imports via file->open dir to some common media directories
|
||||||
"tmp"
|
"tmp"
|
||||||
|
@@ -4,7 +4,7 @@
|
|||||||
buildCost = 1;
|
buildCost = 1;
|
||||||
|
|
||||||
sandbox.method = "bwrap";
|
sandbox.method = "bwrap";
|
||||||
sandbox.autodetectCliPaths = true;
|
sandbox.autodetectCliPaths = "existingFile";
|
||||||
sandbox.whitelistWayland = true;
|
sandbox.whitelistWayland = true;
|
||||||
|
|
||||||
mime.associations."application/pdf" = "org.gnome.Evince.desktop";
|
mime.associations."application/pdf" = "org.gnome.Evince.desktop";
|
||||||
|
@@ -50,7 +50,7 @@ in
|
|||||||
sane.programs.go2tv = {
|
sane.programs.go2tv = {
|
||||||
sandbox.method = "bwrap";
|
sandbox.method = "bwrap";
|
||||||
sandbox.net = "clearnet";
|
sandbox.net = "clearnet";
|
||||||
sandbox.autodetectCliPaths = true;
|
sandbox.autodetectCliPaths = "existingFile";
|
||||||
# for GUI invocation, allow the common media directories
|
# for GUI invocation, allow the common media directories
|
||||||
sandbox.extraHomePaths = [
|
sandbox.extraHomePaths = [
|
||||||
"Music"
|
"Music"
|
||||||
|
@@ -8,7 +8,7 @@
|
|||||||
packageUnwrapped = pkgs.libreoffice-fresh;
|
packageUnwrapped = pkgs.libreoffice-fresh;
|
||||||
sandbox.method = "bwrap";
|
sandbox.method = "bwrap";
|
||||||
sandbox.whitelistWayland = true;
|
sandbox.whitelistWayland = true;
|
||||||
sandbox.autodetectCliPaths = true;
|
sandbox.autodetectCliPaths = "existingFile";
|
||||||
sandbox.extraHomePaths = [
|
sandbox.extraHomePaths = [
|
||||||
# allow a spot to save files.
|
# allow a spot to save files.
|
||||||
# with bwrap sandboxing, saving to e.g. ~/ succeeds but the data is inaccessible outside the sandbox,
|
# with bwrap sandboxing, saving to e.g. ~/ succeeds but the data is inaccessible outside the sandbox,
|
||||||
|
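Review bot: `sandbox.autodetectCliPaths = "existingFile"` exposes only the document named on the command line, and the line has no comment saying what that means for files the application creates next to it. LibreOffice normally writes a lock file beside an open document, and a "save as" next to the original could hit the situation the existing comment below describes, where the write succeeds but the data is not visible outside the sandbox. Whether that happens depends on how the sandbox binds a single file, which this hunk does not show. I would add a trailing comment such as `#< only the named document is exposed; siblings (lock files, save-as targets) are not`. The `extraHomePaths` list continues past the end of the hunk.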
@@ -203,7 +203,7 @@ in
|
|||||||
];
|
];
|
||||||
|
|
||||||
sandbox.method = "bwrap";
|
sandbox.method = "bwrap";
|
||||||
sandbox.autodetectCliPaths = true;
|
sandbox.autodetectCliPaths = "existing";
|
||||||
sandbox.net = "all";
|
sandbox.net = "all";
|
||||||
sandbox.whitelistAudio = true;
|
sandbox.whitelistAudio = true;
|
||||||
sandbox.whitelistDbus = [ "user" ]; #< mpris
|
sandbox.whitelistDbus = [ "user" ]; #< mpris
|
||||||
|
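Review bot: `sandbox.autodetectCliPaths = "existing"` sits next to `sandbox.net = "all"`, so a directory passed on the command line is presumably exposed in full to a process with unrestricted network access, and nothing on the line says directories are intended. The `file` entry records its choice with `#< file OR directory, yes`; the same kind of trailing comment here, e.g. `#< directories too: <reason>`, would document the intent, or the value could be `"existingFile"` if only files are ever passed. The later section that pairs `sandbox.net = "clearnet"` with "existing" (the one that also sets `sandbox.whitelistWayland`) has the same gap.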
@@ -2,7 +2,7 @@
|
|||||||
{
|
{
|
||||||
sane.programs.ripgrep = {
|
sane.programs.ripgrep = {
|
||||||
sandbox.method = "bwrap";
|
sandbox.method = "bwrap";
|
||||||
sandbox.autodetectCliPaths = true;
|
sandbox.autodetectCliPaths = "existing";
|
||||||
sandbox.whitelistPwd = true;
|
sandbox.whitelistPwd = true;
|
||||||
sandbox.extraHomePaths = [
|
sandbox.extraHomePaths = [
|
||||||
# let it follow symlinks to non-sensitive data
|
# let it follow symlinks to non-sensitive data
|
||||||
|
@@ -16,7 +16,7 @@ in
|
|||||||
};
|
};
|
||||||
sandbox.method = "bwrap";
|
sandbox.method = "bwrap";
|
||||||
sandbox.net = "clearnet";
|
sandbox.net = "clearnet";
|
||||||
sandbox.autodetectCliPaths = true;
|
sandbox.autodetectCliPaths = "existing";
|
||||||
sandbox.whitelistAudio = true;
|
sandbox.whitelistAudio = true;
|
||||||
sandbox.whitelistDbus = [ "user" ]; # mpris
|
sandbox.whitelistDbus = [ "user" ]; # mpris
|
||||||
sandbox.whitelistWayland = true;
|
sandbox.whitelistWayland = true;
|
||||||
|