assorted programs: specify sandbox.autodetectCliPaths variant more precisely than just true
parent
c59236509b
commit
8042ea76e6
|
@ -305,7 +305,7 @@ in
|
|||
];
|
||||
|
||||
dtc.sandbox.method = "bwrap";
|
||||
dtc.sandbox.autodetectCliPaths = true; # TODO:sandbox: untested
|
||||
dtc.sandbox.autodetectCliPaths = "existingFile"; # TODO:sandbox: untested
|
||||
|
||||
duplicity = {};
|
||||
|
||||
|
@ -344,7 +344,7 @@ in
|
|||
# landlock is OK, only `whitelistPwd` doesn't make the intermediate symlinks traversable, so it breaks on e.g. ~/Videos/servo/Shows/foo
|
||||
# eza.sandbox.method = "landlock";
|
||||
eza.sandbox.method = "bwrap";
|
||||
eza.sandbox.autodetectCliPaths = true;
|
||||
eza.sandbox.autodetectCliPaths = "existing";
|
||||
eza.sandbox.whitelistPwd = true;
|
||||
eza.sandbox.extraHomePaths = [
|
||||
# so that e.g. `eza -l ~` can show which symlink exist
|
||||
|
@ -356,7 +356,7 @@ in
|
|||
fatresize.sandbox.autodetectCliPaths = "parent"; # /dev/sda1 -> needs /dev/sda
|
||||
|
||||
fd.sandbox.method = "landlock";
|
||||
fd.sandbox.autodetectCliPaths = true;
|
||||
fd.sandbox.autodetectCliPaths = "existing";
|
||||
fd.sandbox.whitelistPwd = true;
|
||||
fd.sandbox.extraHomePaths = [
|
||||
# let it follow symlinks to non-sensitive data
|
||||
|
@ -369,10 +369,10 @@ in
|
|||
ffmpeg.sandbox.autodetectCliPaths = "existingFileOrParent"; # it outputs uncreated files -> parent dir needs mounting
|
||||
|
||||
file.sandbox.method = "bwrap";
|
||||
file.sandbox.autodetectCliPaths = true;
|
||||
file.sandbox.autodetectCliPaths = "existing"; #< file OR directory, yes
|
||||
|
||||
findutils.sandbox.method = "bwrap";
|
||||
findutils.sandbox.autodetectCliPaths = true;
|
||||
findutils.sandbox.autodetectCliPaths = "existing";
|
||||
findutils.sandbox.whitelistPwd = true;
|
||||
findutils.sandbox.extraHomePaths = [
|
||||
# let it follow symlinks to non-sensitive data
|
||||
|
@ -407,7 +407,7 @@ in
|
|||
|
||||
gawk.sandbox.method = "bwrap"; # TODO:sandbox: untested
|
||||
gawk.sandbox.wrapperType = "inplace"; # /share/gawk libraries refer to /libexec
|
||||
gawk.sandbox.autodetectCliPaths = true;
|
||||
gawk.sandbox.autodetectCliPaths = "existingFile";
|
||||
|
||||
gdb.sandbox.enable = false; # gdb doesn't sandbox well. i don't know how you could.
|
||||
# gdb.sandbox.method = "landlock"; # permission denied when trying to attach, even as root
|
||||
|
@ -503,7 +503,7 @@ in
|
|||
"gnome.hitori".sandbox.whitelistWayland = true;
|
||||
|
||||
gnugrep.sandbox.method = "bwrap";
|
||||
gnugrep.sandbox.autodetectCliPaths = true;
|
||||
gnugrep.sandbox.autodetectCliPaths = "existing";
|
||||
gnugrep.sandbox.whitelistPwd = true;
|
||||
gnugrep.sandbox.extraHomePaths = [
|
||||
# let it follow symlinks to non-sensitive data
|
||||
|
@ -536,7 +536,7 @@ in
|
|||
|
||||
# hdparm: has to be run as sudo. e.g. `sudo hdparm -i /dev/sda`
|
||||
hdparm.sandbox.method = "bwrap";
|
||||
hdparm.sandbox.autodetectCliPaths = true;
|
||||
hdparm.sandbox.autodetectCliPaths = "existingFile";
|
||||
|
||||
host.sandbox.method = "landlock";
|
||||
host.sandbox.net = "all"; #< technically, only needs to contact localhost's DNS server
|
||||
|
@ -809,7 +809,7 @@ in
|
|||
|
||||
sequoia.sandbox.method = "bwrap"; # TODO:sandbox: untested
|
||||
sequoia.sandbox.whitelistPwd = true;
|
||||
sequoia.sandbox.autodetectCliPaths = true;
|
||||
sequoia.sandbox.autodetectCliPaths = "existingFileOrParent"; # supports `-o <file-to-create>`
|
||||
|
||||
shattered-pixel-dungeon.buildCost = 1;
|
||||
shattered-pixel-dungeon.persist.byStore.plaintext = [ ".local/share/.shatteredpixel/shattered-pixel-dungeon" ];
|
||||
|
@ -906,7 +906,7 @@ in
|
|||
tokodon.persist.byStore.private = [ ".cache/KDE/tokodon" ];
|
||||
|
||||
tree.sandbox.method = "landlock";
|
||||
tree.sandbox.autodetectCliPaths = true;
|
||||
tree.sandbox.autodetectCliPaths = "existing";
|
||||
tree.sandbox.whitelistPwd = true;
|
||||
|
||||
tumiki-fighters.buildCost = 1;
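Review bot: `hdparm.sandbox.autodetectCliPaths = "existingFile";` is the value in this file most worth a second look, because the comment directly above it gives `sudo hdparm -i /dev/sda` as the expected invocation and that argument is a block device, not a regular file. Whether "existingFile" matches device nodes is not visible in this diff; if it tests for regular files only, the device would no longer be passed into the bwrap sandbox. I would confirm the behaviour and record it on the line, e.g. `hdparm.sandbox.autodetectCliPaths = "existingFile";  #< /dev/sdX is a block device; confirmed to match`. The dtc entry was narrowed to "existingFile" while keeping `# TODO:sandbox: untested`, so it deserves the same check for an output file that does not exist yet.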
|
||||
|
|
|
@ -19,7 +19,7 @@
|
|||
sandbox.method = "bwrap";
|
||||
sandbox.whitelistAudio = true;
|
||||
sandbox.whitelistWayland = true;
|
||||
sandbox.autodetectCliPaths = true;
|
||||
sandbox.autodetectCliPaths = "existingFile";
|
||||
sandbox.extraHomePaths = [
|
||||
# support media imports via file->open dir to some common media directories
|
||||
"tmp"
|
||||
|
|
|
@ -4,7 +4,7 @@
|
|||
buildCost = 1;
|
||||
|
||||
sandbox.method = "bwrap";
|
||||
sandbox.autodetectCliPaths = true;
|
||||
sandbox.autodetectCliPaths = "existingFile";
|
||||
sandbox.whitelistWayland = true;
|
||||
|
||||
mime.associations."application/pdf" = "org.gnome.Evince.desktop";
|
||||
|
|
|
@ -50,7 +50,7 @@ in
|
|||
sane.programs.go2tv = {
|
||||
sandbox.method = "bwrap";
|
||||
sandbox.net = "clearnet";
|
||||
sandbox.autodetectCliPaths = true;
|
||||
sandbox.autodetectCliPaths = "existingFile";
|
||||
# for GUI invocation, allow the common media directories
|
||||
sandbox.extraHomePaths = [
|
||||
"Music"
|
||||
|
|
|
@ -8,7 +8,7 @@
|
|||
packageUnwrapped = pkgs.libreoffice-fresh;
|
||||
sandbox.method = "bwrap";
|
||||
sandbox.whitelistWayland = true;
|
||||
sandbox.autodetectCliPaths = true;
|
||||
sandbox.autodetectCliPaths = "existingFile";
|
||||
sandbox.extraHomePaths = [
|
||||
# allow a spot to save files.
|
||||
# with bwrap sandboxing, saving to e.g. ~/ succeeds but the data is inaccessible outside the sandbox,
|
||||
|
|
|
@ -203,7 +203,7 @@ in
|
|||
];
|
||||
|
||||
sandbox.method = "bwrap";
|
||||
sandbox.autodetectCliPaths = true;
|
||||
sandbox.autodetectCliPaths = "existing";
|
||||
sandbox.net = "all";
|
||||
sandbox.whitelistAudio = true;
|
||||
sandbox.whitelistDbus = [ "user" ]; #< mpris
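Review bot: `sandbox.autodetectCliPaths = "existing";` sits next to `sandbox.net = "all";` in this section. Going by the `#< file OR directory, yes` comment on the `file` entry elsewhere in this commit, "existing" also admits directories, so any directory named on the command line would be exposed to a process with unrestricted network access. If directory arguments are intended, say so on the line, e.g. `sandbox.autodetectCliPaths = "existing";  #< directories too: <reason>`; otherwise "existingFile" is the narrower choice, as used for go2tv in this commit. The same applies to the later section that pairs "existing" with `sandbox.net = "clearnet";`. The enclosing attribute set starts and ends outside the hunk.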
|
||||
|
|
|
@ -2,7 +2,7 @@
|
|||
{
|
||||
sane.programs.ripgrep = {
|
||||
sandbox.method = "bwrap";
|
||||
sandbox.autodetectCliPaths = true;
|
||||
sandbox.autodetectCliPaths = "existing";
|
||||
sandbox.whitelistPwd = true;
|
||||
sandbox.extraHomePaths = [
|
||||
# let it follow symlinks to non-sensitive data
|
||||
|
|
|
@ -16,7 +16,7 @@ in
|
|||
};
|
||||
sandbox.method = "bwrap";
|
||||
sandbox.net = "clearnet";
|
||||
sandbox.autodetectCliPaths = true;
|
||||
sandbox.autodetectCliPaths = "existing";
|
||||
sandbox.whitelistAudio = true;
|
||||
sandbox.whitelistDbus = [ "user" ]; # mpris
|
||||
sandbox.whitelistWayland = true;
|
||||
|
|