assorted programs: specify sandbox.autodetectCliPaths variant more precisely than just true

2024-05-28 07:14:27 +00:00
parent c59236509b
commit 8042ea76e6
8 changed files with 17 additions and 17 deletions


@@ -305,7 +305,7 @@ in
]; ];
dtc.sandbox.method = "bwrap"; dtc.sandbox.method = "bwrap";
dtc.sandbox.autodetectCliPaths = true; # TODO:sandbox: untested dtc.sandbox.autodetectCliPaths = "existingFile"; # TODO:sandbox: untested
duplicity = {}; duplicity = {};
@@ -344,7 +344,7 @@ in
# landlock is OK, only `whitelistPwd` doesn't make the intermediate symlinks traversable, so it breaks on e.g. ~/Videos/servo/Shows/foo # landlock is OK, only `whitelistPwd` doesn't make the intermediate symlinks traversable, so it breaks on e.g. ~/Videos/servo/Shows/foo
# eza.sandbox.method = "landlock"; # eza.sandbox.method = "landlock";
eza.sandbox.method = "bwrap"; eza.sandbox.method = "bwrap";
eza.sandbox.autodetectCliPaths = true; eza.sandbox.autodetectCliPaths = "existing";
eza.sandbox.whitelistPwd = true; eza.sandbox.whitelistPwd = true;
eza.sandbox.extraHomePaths = [ eza.sandbox.extraHomePaths = [
# so that e.g. `eza -l ~` can show which symlink exist # so that e.g. `eza -l ~` can show which symlink exist
@@ -356,7 +356,7 @@ in
fatresize.sandbox.autodetectCliPaths = "parent"; # /dev/sda1 -> needs /dev/sda fatresize.sandbox.autodetectCliPaths = "parent"; # /dev/sda1 -> needs /dev/sda
fd.sandbox.method = "landlock"; fd.sandbox.method = "landlock";
fd.sandbox.autodetectCliPaths = true; fd.sandbox.autodetectCliPaths = "existing";
fd.sandbox.whitelistPwd = true; fd.sandbox.whitelistPwd = true;
fd.sandbox.extraHomePaths = [ fd.sandbox.extraHomePaths = [
# let it follow symlinks to non-sensitive data # let it follow symlinks to non-sensitive data
@@ -369,10 +369,10 @@ in
ffmpeg.sandbox.autodetectCliPaths = "existingFileOrParent"; # it outputs uncreated files -> parent dir needs mounting ffmpeg.sandbox.autodetectCliPaths = "existingFileOrParent"; # it outputs uncreated files -> parent dir needs mounting
file.sandbox.method = "bwrap"; file.sandbox.method = "bwrap";
file.sandbox.autodetectCliPaths = true; file.sandbox.autodetectCliPaths = "existing"; #< file OR directory, yes
findutils.sandbox.method = "bwrap"; findutils.sandbox.method = "bwrap";
findutils.sandbox.autodetectCliPaths = true; findutils.sandbox.autodetectCliPaths = "existing";
findutils.sandbox.whitelistPwd = true; findutils.sandbox.whitelistPwd = true;
findutils.sandbox.extraHomePaths = [ findutils.sandbox.extraHomePaths = [
# let it follow symlinks to non-sensitive data # let it follow symlinks to non-sensitive data
@@ -407,7 +407,7 @@ in
gawk.sandbox.method = "bwrap"; # TODO:sandbox: untested gawk.sandbox.method = "bwrap"; # TODO:sandbox: untested
gawk.sandbox.wrapperType = "inplace"; # /share/gawk libraries refer to /libexec gawk.sandbox.wrapperType = "inplace"; # /share/gawk libraries refer to /libexec
gawk.sandbox.autodetectCliPaths = true; gawk.sandbox.autodetectCliPaths = "existingFile";
gdb.sandbox.enable = false; # gdb doesn't sandbox well. i don't know how you could. gdb.sandbox.enable = false; # gdb doesn't sandbox well. i don't know how you could.
# gdb.sandbox.method = "landlock"; # permission denied when trying to attach, even as root # gdb.sandbox.method = "landlock"; # permission denied when trying to attach, even as root
@@ -503,7 +503,7 @@ in
"gnome.hitori".sandbox.whitelistWayland = true; "gnome.hitori".sandbox.whitelistWayland = true;
gnugrep.sandbox.method = "bwrap"; gnugrep.sandbox.method = "bwrap";
gnugrep.sandbox.autodetectCliPaths = true; gnugrep.sandbox.autodetectCliPaths = "existing";
gnugrep.sandbox.whitelistPwd = true; gnugrep.sandbox.whitelistPwd = true;
gnugrep.sandbox.extraHomePaths = [ gnugrep.sandbox.extraHomePaths = [
# let it follow symlinks to non-sensitive data # let it follow symlinks to non-sensitive data
@@ -536,7 +536,7 @@ in
# hdparm: has to be run as sudo. e.g. `sudo hdparm -i /dev/sda` # hdparm: has to be run as sudo. e.g. `sudo hdparm -i /dev/sda`
hdparm.sandbox.method = "bwrap"; hdparm.sandbox.method = "bwrap";
hdparm.sandbox.autodetectCliPaths = true; hdparm.sandbox.autodetectCliPaths = "existingFile";
host.sandbox.method = "landlock"; host.sandbox.method = "landlock";
host.sandbox.net = "all"; #< technically, only needs to contact localhost's DNS server host.sandbox.net = "all"; #< technically, only needs to contact localhost's DNS server
@@ -809,7 +809,7 @@ in
sequoia.sandbox.method = "bwrap"; # TODO:sandbox: untested sequoia.sandbox.method = "bwrap"; # TODO:sandbox: untested
sequoia.sandbox.whitelistPwd = true; sequoia.sandbox.whitelistPwd = true;
sequoia.sandbox.autodetectCliPaths = true; sequoia.sandbox.autodetectCliPaths = "existingFileOrParent"; # supports `-o <file-to-create>`
shattered-pixel-dungeon.buildCost = 1; shattered-pixel-dungeon.buildCost = 1;
shattered-pixel-dungeon.persist.byStore.plaintext = [ ".local/share/.shatteredpixel/shattered-pixel-dungeon" ]; shattered-pixel-dungeon.persist.byStore.plaintext = [ ".local/share/.shatteredpixel/shattered-pixel-dungeon" ];
@@ -906,7 +906,7 @@ in
tokodon.persist.byStore.private = [ ".cache/KDE/tokodon" ]; tokodon.persist.byStore.private = [ ".cache/KDE/tokodon" ];
tree.sandbox.method = "landlock"; tree.sandbox.method = "landlock";
tree.sandbox.autodetectCliPaths = true; tree.sandbox.autodetectCliPaths = "existing";
tree.sandbox.whitelistPwd = true; tree.sandbox.whitelistPwd = true;
tumiki-fighters.buildCost = 1; tumiki-fighters.buildCost = 1;
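Review bot: dtc in the `@@ -305` hunk is narrowed to `"existingFile"` while still carrying `# TODO:sandbox: untested`, and this is the variant that does not mount a not-yet-existing output path — the same commit picks `"existingFileOrParent"` for ffmpeg and sequoia for exactly that reason. dtc is normally invoked as `dtc -o <out.dtb> <in.dts>` (inferred from its usual usage, not shown on this page), which puts it in the sequoia situation, so either the value should follow sequoia, `dtc.sandbox.autodetectCliPaths = "existingFileOrParent"; # -o <file-to-create>`, or the comment should record that only the stdout form is expected to work inside the sandbox. Leaving the TODO without naming the invocation that was considered makes it hard for the next reader to tell which of these was intended.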


@@ -19,7 +19,7 @@
sandbox.method = "bwrap"; sandbox.method = "bwrap";
sandbox.whitelistAudio = true; sandbox.whitelistAudio = true;
sandbox.whitelistWayland = true; sandbox.whitelistWayland = true;
sandbox.autodetectCliPaths = true; sandbox.autodetectCliPaths = "existingFile";
sandbox.extraHomePaths = [ sandbox.extraHomePaths = [
# support media imports via file->open dir to some common media directories # support media imports via file->open dir to some common media directories
"tmp" "tmp"


@@ -4,7 +4,7 @@
buildCost = 1; buildCost = 1;
sandbox.method = "bwrap"; sandbox.method = "bwrap";
sandbox.autodetectCliPaths = true; sandbox.autodetectCliPaths = "existingFile";
sandbox.whitelistWayland = true; sandbox.whitelistWayland = true;
mime.associations."application/pdf" = "org.gnome.Evince.desktop"; mime.associations."application/pdf" = "org.gnome.Evince.desktop";


@@ -50,7 +50,7 @@ in
sane.programs.go2tv = { sane.programs.go2tv = {
sandbox.method = "bwrap"; sandbox.method = "bwrap";
sandbox.net = "clearnet"; sandbox.net = "clearnet";
sandbox.autodetectCliPaths = true; sandbox.autodetectCliPaths = "existingFile";
# for GUI invocation, allow the common media directories # for GUI invocation, allow the common media directories
sandbox.extraHomePaths = [ sandbox.extraHomePaths = [
"Music" "Music"


@@ -8,7 +8,7 @@
packageUnwrapped = pkgs.libreoffice-fresh; packageUnwrapped = pkgs.libreoffice-fresh;
sandbox.method = "bwrap"; sandbox.method = "bwrap";
sandbox.whitelistWayland = true; sandbox.whitelistWayland = true;
sandbox.autodetectCliPaths = true; sandbox.autodetectCliPaths = "existingFile";
sandbox.extraHomePaths = [ sandbox.extraHomePaths = [
# allow a spot to save files. # allow a spot to save files.
# with bwrap sandboxing, saving to e.g. ~/ succeeds but the data is inaccessible outside the sandbox, # with bwrap sandboxing, saving to e.g. ~/ succeeds but the data is inaccessible outside the sandbox,
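Review bot: `"existingFile"` for libreoffice mounts only the document named on the command line, not its directory, so saving that document in place depends on how LibreOffice writes — if it writes a temporary file and renames it over the original, or drops a `.~lock.*#` file alongside (both plausible, neither established by this page), the write lands outside the single-file bind mount. The comment at the end of this hunk already warns that saves into `~/` silently end up inside the sandbox, which is a data-loss hazard rather than a permission error, and this variant may extend that to the CLI-opened file itself. Either switch to the variant this commit uses for programs that write, `sandbox.autodetectCliPaths = "existingFileOrParent"; # in-place save may write temp+rename and a lock file next to the document`, or test `libreoffice ~/Documents/x.odt` followed by a save and record the result in the comment. The enclosing `sane.programs.libreoffice` attrset starts before the hunk and its `extraHomePaths` list runs past it.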


@@ -203,7 +203,7 @@ in
]; ];
sandbox.method = "bwrap"; sandbox.method = "bwrap";
sandbox.autodetectCliPaths = true; sandbox.autodetectCliPaths = "existing";
sandbox.net = "all"; sandbox.net = "all";
sandbox.whitelistAudio = true; sandbox.whitelistAudio = true;
sandbox.whitelistDbus = [ "user" ]; #< mpris sandbox.whitelistDbus = [ "user" ]; #< mpris
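Review bot: `"existing"` here admits directories, so a directory argument bind-mounts the whole tree into a sandbox that also gets `sandbox.net = "all"` on the next line; for what the audio and mpris whitelists suggest is a media player, that is a wider exfiltration surface from a malformed input file than the `"existingFile"` variant the commit chose for the GUI programs in its other files. If playing a whole folder is the reason for `"existing"`, a one-line justification such as `sandbox.autodetectCliPaths = "existing"; # directories too: playing a folder needs the tree mounted` would record that the broader mount is deliberate; otherwise `"existingFile"` is the narrower choice. The program name and the start of its attrset are outside the hunk, so I cannot tell which tool this is.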


@@ -2,7 +2,7 @@
{ {
sane.programs.ripgrep = { sane.programs.ripgrep = {
sandbox.method = "bwrap"; sandbox.method = "bwrap";
sandbox.autodetectCliPaths = true; sandbox.autodetectCliPaths = "existing";
sandbox.whitelistPwd = true; sandbox.whitelistPwd = true;
sandbox.extraHomePaths = [ sandbox.extraHomePaths = [
# let it follow symlinks to non-sensitive data # let it follow symlinks to non-sensitive data


@@ -16,7 +16,7 @@ in
}; };
sandbox.method = "bwrap"; sandbox.method = "bwrap";
sandbox.net = "clearnet"; sandbox.net = "clearnet";
sandbox.autodetectCliPaths = true; sandbox.autodetectCliPaths = "existing";
sandbox.whitelistAudio = true; sandbox.whitelistAudio = true;
sandbox.whitelistDbus = [ "user" ]; # mpris sandbox.whitelistDbus = [ "user" ]; # mpris
sandbox.whitelistWayland = true; sandbox.whitelistWayland = true;